From: bugzilla-daemon@bugzilla.kernel.org
To: linux-ide@vger.kernel.org
Subject: [Bug 49151] NULL pointer dereference in pata_acpi
X-Bugzilla-Who: bp@alien8.de
Message-Id: <20121020120052.536F511FC39@bugzilla.kernel.org>
Date: Sat, 20 Oct 2012 12:00:52 +0000 (UTC)
X-Mailing-List: linux-ide@vger.kernel.org

https://bugzilla.kernel.org/show_bug.cgi?id=49151

--- Comment #3 from Borislav Petkov 2012-10-20 12:00:52 ---
On Sat, Oct 20, 2012 at 10:19:22AM +0000, bugzilla-daemon@bugzilla.kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=49151
>
>            Summary: NULL pointer dereference in pata_acpi
>            Product: IO/Storage
>            Version: 2.5
>     Kernel Version: 3.6.2
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: IDE
>         AssignedTo: io_ide@kernel-bugs.osdl.org
>         ReportedBy: phillip.wood@dunelm.org.uk
>         Regression: No
>
>
> Just upgraded from 3.2.20 to 3.6.2 and when I try to boot I get
>
> BUG unable to handle kernel NULL pointer dereference at 00000010
> IP [] pacpi_set_dmamode+0x50/0xa0 [pata_acpi]
>
> and it won't find my hard disc. I'm using the standard arch linux kernel config
> available at
> https://projects.archlinux.org/svntogit/packages.git/tree/trunk/config?h=packages/linux
>
> I've attached a couple of photos of the message and backtrace

Ok, let's first switch to mail.

FWIW, there's another report of this

http://marc.info/?l=linux-ide&m=134995465614435&w=2

and it is on 64-bit while Phillip's is 32-bit. Adding Anton and a couple
more people to CC.

From Anton's disassembly I get:

[ 2.703078] Code: 01 00 00 00 f6 43 10 10 74 0a 41 89 c7 43 8d 0c 3f 41 d3 e6 41 0f b6 bd e1 02 00 00 e8 ce 74 0f 00 41 80 bd e1 02 00 00 3f 77 44 <0f> b7 40 10 41 f7 d6 44 21 73 10 4d 63 ff 42 89 44 fb 04 48 89
All code
 		acpi->gtm.flags |= (1 << (2 * unit));
---

Thanks.
========
   0:   01 00                   add    %eax,(%rax)
   2:   00 00                   add    %al,(%rax)
   4:   f6 43 10 10             testb  $0x10,0x10(%rbx)
   8:   74 0a                   je     0x14
   a:   41 89 c7                mov    %eax,%r15d
   d:   43 8d 0c 3f             lea    (%r15,%r15,1),%ecx
  11:   41 d3 e6                shl    %cl,%r14d
  14:   41 0f b6 bd e1 02 00    movzbl 0x2e1(%r13),%edi
  1b:   00
  1c:   e8 ce 74 0f 00          callq  0xf74ef
  21:   41 80 bd e1 02 00 00    cmpb   $0x3f,0x2e1(%r13)
  28:   3f
  29:   77 44                   ja     0x6f
  2b:*  0f b7 40 10             movzwl 0x10(%rax),%eax     <-- trapping instruction
  2f:   41 f7 d6                not    %r14d
  32:   44 21 73 10             and    %r14d,0x10(%rbx)
  36:   4d 63 ff                movslq %r15d,%r15
  39:   42 89 44 fb 04          mov    %eax,0x4(%rbx,%r15,8)
  3e:   48                      rex.W
  3f:   89                      .byte 0x89

And although I cannot generate the exact code here, building
drivers/ata/pata_acpi.c locally gives only one instruction like the
trapping one (thankfully, function is short enough):

	sall	%cl, %eax	# tmp92, tmp93
	orl	%eax, 16(%rbx)	# tmp93, acpi_6->gtm.flags
	jmp	.L30	#
.LVL46:
.L29:
	.loc 1 151 0
	movzwl	16(%rax), %eax	# t_12->cycle, t_12->cycle	<---
.LVL47:
	.loc 1 152 0
	leal	(%r12,%r12), %ecx	#, tmp97

which could mean that ata_timing_find_mode() might be returning NULL on
those systems (t is in %(r|e)ax in both oopses and the 0x10 offset
points to ata_timing->cycle).

So, Anton, Phillip, can you guys try the following debugging patch to confirm (it is against mainline but should apply cleanly ontop of 3.6-stable): --- diff --git a/drivers/ata/pata_acpi.c b/drivers/ata/pata_acpi.c index 09723b76beac..c5a54faecb98 100644 --- a/drivers/ata/pata_acpi.c +++ b/drivers/ata/pata_acpi.c @@ -144,6 +144,12 @@ static void pacpi_set_dmamode(struct ata_port *ap, struct ata_device *adev) /* Now stuff the nS values into the structure */ t = ata_timing_find_mode(adev->dma_mode); + + if (!t) { + WARN(1, "%s: ata_timing_find_mode gives NULL\n", __func__); + return; + } + if (adev->dma_mode >= XFER_UDMA_0) { acpi->gtm.drive[unit].dma = t->udma;
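
Review bot: The WARN() in the new if (!t) block of pacpi_set_dmamode() does not print adev->dma_mode, which is the one input to ata_timing_find_mode() and the value needed to tell why the lookup failed on the affected machines. Since the patch exists to confirm the NULL-return theory, consider adding the mode to the format string, for example "%s: ata_timing_find_mode(0x%x) gives NULL\n" with adev->dma_mode as the extra argument. WARN() also evaluates to its condition, so the check can be folded into if (WARN(!t, ...)) return; which drops the constant 1. The early return leaves acpi->gtm.drive[unit].dma unprogrammed and the function is void, so the caller cannot see the failure; that is fine for a debugging aid but would need handling in a real fix.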
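
The reasoning in the message above (a fault at address 0x10 means a NULL base pointer plus the offset of ->cycle) as a small user-space sketch. This is an added example, not code from the mail or the kernel: struct timing is an assumed stand-in for struct ata_timing, and the table values and the names find_mode, member_at and cycle_for_mode are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the kernel's struct ata_timing (assumed layout: ten
 * 16-bit fields, so ->cycle sits at offset 0x10 as the mail states). */
struct timing {
	uint16_t mode, setup, act8b, rec8b, cyc8b;
	uint16_t active, recover, dmack_hold, cycle, udma;
};

/* Constructed sample table; the 0xff entry terminates it. */
static const struct timing table[] = {
	{ .mode = 0x20, .cycle = 480 },
	{ .mode = 0x40, .cycle = 120, .udma = 120 },
	{ .mode = 0xff },
};

/* Lookup that returns NULL when the mode has no table entry. */
static const struct timing *find_mode(uint8_t mode)
{
	for (const struct timing *t = table; t->mode != 0xff; t++)
		if (t->mode == mode)
			return t;
	return NULL;
}

/* Triage helper: member that a NULL-based fault address lands in. */
static const char *member_at(uintptr_t fault_addr)
{
	if (fault_addr == offsetof(struct timing, cycle)) return "cycle";
	if (fault_addr == offsetof(struct timing, udma)) return "udma";
	return "unknown";
}

/* Guarded read in the spirit of the debugging patch: fail, don't deref. */
static int cycle_for_mode(uint8_t mode, uint16_t *out)
{
	const struct timing *t = find_mode(mode);
	if (!t)
		return -1;
	*out = t->cycle;
	return 0;
}

int main(void)
{
	uint16_t c;
	return cycle_for_mode(0x00, &c) == -1 && !strcmp(member_at(0x10), "cycle") ? 0 : 1;
}
```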