From fb0418e6dc90d0d65ac437fa144c01e259e2f923 Mon Sep 17 00:00:00 2001 
From: Fabian Keil Date: Tue, 14 Nov 2017 22:23:50 +0100 Subject: [PATCH 204/325] umass: Prevent nullpointer dereference in xpt_freeze_devq() Fatal trap 12: page fault while in kernel mode cpuid = 0; apic id = 00 fault virtual address = 0x28 fault code = supervisor read data, page not present instruction pointer = 0x20:0xffffffff802a2ed2 stack pointer = 0x28:0xfffffe023416b900 frame pointer = 0x28:0xfffffe023416b920 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 96046 (usbus1) trap number = 12 panic: page fault cpuid = 0 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe023416b4e0 vpanic() at vpanic+0x186/frame 0xfffffe023416b560 panic() at panic+0x43/frame 0xfffffe023416b5c0 trap_fatal() at trap_fatal+0x322/frame 0xfffffe023416b610 trap_pfault() at trap_pfault+0x49/frame 0xfffffe023416b670 trap() at trap+0x298/frame 0xfffffe023416b830 calltrap() at calltrap+0x8/frame 0xfffffe023416b830 --- trap 0xc, rip = 0xffffffff802a2ed2, rsp = 0xfffffe023416b900, rbp = 0xfffffe023416b920 --- xpt_freeze_devq() at xpt_freeze_devq+0x12/frame 0xfffffe023416b920 umass_cam_cb() at umass_cam_cb+0x163/frame 0xfffffe023416b940 umass_t_bbb_status_callback() at umass_t_bbb_status_callback+0x527/frame 0xfffffe023416b9a0 usbd_callback_wrapper() at usbd_callback_wrapper+0x63f/frame 0xfffffe023416b9f0 usb_command_wrapper() at usb_command_wrapper+0x10c/frame 0xfffffe023416ba10 usb_callback_proc() at usb_callback_proc+0x76/frame 0xfffffe023416ba30 usb_process() at usb_process+0xd9/frame 0xfffffe023416ba70 fork_exit() at fork_exit+0x85/frame 0xfffffe023416bab0 fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe023416bab0 --- trap 0, rip = 0, rsp = 0, rbp = 0 --- Uptime: 15h52m32s Dumping 1548 out of 8055 MB:..2%..11%..21%..31%..41%..51%..61%..71%..81%..91% [...] 
__curthread () at ./machine/pcpu.h:222 222 __asm("movq %%gs:%1,%0" : "=r" (td) (kgdb) where #0 __curthread () at ./machine/pcpu.h:222 #1 doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:298 #2 0xffffffff80579b16 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:366 #3 0xffffffff80579ff0 in vpanic (fmt=, ap=0xfffffe023416b5a0) at /usr/src/sys/kern/kern_shutdown.c:759 #4 0xffffffff80579e23 in panic (fmt=) at /usr/src/sys/kern/kern_shutdown.c:690 #5 0xffffffff80853172 in trap_fatal (frame=0xfffffe023416b840, eva=40) at /usr/src/sys/amd64/amd64/trap.c:799 #6 0xffffffff808531c9 in trap_pfault (frame=0xfffffe023416b840, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:653 #7 0xffffffff80852a48 in trap (frame=0xfffffe023416b840) at /usr/src/sys/amd64/amd64/trap.c:420 #8 #9 xpt_freeze_devq (path=0xfffff80002fbac80, count=1) at /usr/src/sys/cam/cam_xpt.c:4340 #10 0xffffffff816649f3 in umass_cam_cb (sc=0xfffff800b8a28800, ccb=0xfffff80114f5d800, residue=0, status=3 '\003') at /usr/src/sys/dev/usb/storage/umass.c:2519 #11 0xffffffff816633c7 in umass_cancel_ccb (sc=) at /usr/src/sys/dev/usb/storage/umass.c:1151 #12 umass_tr_error (xfer=, error=) at /usr/src/sys/dev/usb/storage/umass.c:1167 #13 umass_t_bbb_status_callback (xfer=, error=) at /usr/src/sys/dev/usb/storage/umass.c:1568 #14 0xffffffff8163cf9f in usbd_callback_wrapper (pq=) at /usr/src/sys/dev/usb/usb_transfer.c:2408 #15 0xffffffff8163e06c in usb_command_wrapper (pq=0xfffffe002e97d060, xfer=) at /usr/src/sys/dev/usb/usb_transfer.c:3062 #16 0xffffffff8163d1d6 in usb_callback_proc (_pm=) at /usr/src/sys/dev/usb/usb_transfer.c:2269 #17 0xffffffff81638359 in usb_process (arg=0xfffffe0008596db0) at /usr/src/sys/dev/usb/usb_process.c:176 #18 0xffffffff8053cc05 in fork_exit (callout=0xffffffff81638280 , arg=0xfffffe0008596db0, frame=0xfffffe023416bac0) at /usr/src/sys/kern/kern_fork.c:1043 #19 (kgdb) f 9 #9 xpt_freeze_devq (path=0xfffff80002fbac80, count=1) at /usr/src/sys/cam/cam_xpt.c:4340 warning: 
Source file is more recent than executable. 4340 devq = dev->sim->devq; (kgdb) p dev->sim Cannot access memory at address 0x28 (kgdb) p dev $1 = (struct cam_ed *) 0x0 (kgdb) f 10 #10 0xffffffff816649f3 in umass_cam_cb (sc=0xfffff800b8a28800, ccb=0xfffff80114f5d800, residue=0, status=3 '\003') at /usr/src/sys/dev/usb/storage/umass.c:2519 2519 xpt_freeze_devq(ccb->ccb_h.path, 1); (kgdb) p ccb->ccb_h.path $2 = (struct cam_path *) 0xfffff80002fbac80 (kgdb) p *ccb->ccb_h.path $3 = {periph = 0xfffff8019bbcb100, bus = 0x0, target = 0x0, device = 0x0} (kgdb) p *ccb->ccb_h.path.dev There is no member named dev. (kgdb) p *ccb->ccb_h.path->device Cannot access memory at address 0x0 (kgdb) p *ccb->ccb_h.path.device Cannot access memory at address 0x0 (kgdb) p ccb->ccb_h.path.device $4 = (struct cam_ed *) 0x0 (kgdb) p ccb->ccb_h.path->device $5 = (struct cam_ed *) 0x0 Obtained from: ElectroBSD
---
 sys/dev/usb/storage/umass.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sys/dev/usb/storage/umass.c b/sys/dev/usb/storage/umass.c
index 8a9657a5fb34..3b9d0420c769 100644
--- a/sys/dev/usb/storage/umass.c
+++ b/sys/dev/usb/storage/umass.c
@@ -2528,7 +2528,8 @@ umass_cam_cb(struct umass_softc *sc, union ccb *ccb, uint32_t residue,
 * recovered. We return an error to CAM and let CAM
 * retry the command if necessary.
 */
- xpt_freeze_devq(ccb->ccb_h.path, 1);
+ if (ccb->ccb_h.path != NULL)
+ xpt_freeze_devq(ccb->ccb_h.path, 1);
 ccb->ccb_h.status = CAM_REQ_CMP_ERR | CAM_DEV_QFRZN;
 xpt_done(ccb);
 break;
-- 
2.32.0
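Review bot: The added guard tests only `ccb->ccb_h.path`, but the kgdb session in the description shows `ccb->ccb_h.path` was 0xfffff80002fbac80 with `device = 0x0`, and frame #9 faults on `devq = dev->sim->devq` inside xpt_freeze_devq — so the recorded panic had a non-NULL path and this condition would still let the call through to the same dereference. Guarding on `if (ccb->ccb_h.path != NULL && ccb->ccb_h.path->device != NULL)` matches the state the trace records; why the device pointer is already cleared while this callback still runs is not answered by the hunk and presumably deserves a comment next to the check. When the freeze is skipped, the following unchanged line still ORs CAM_DEV_QFRZN into ccb_h.status, which presumably tells CAM that a freeze was taken and will be released; the flag should only be set on the branch that actually calls xpt_freeze_devq. umass_cam_cb begins and ends outside the hunk.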