kern/61165: kernel page fault after calling cam_send_ccb

Heiner h.eichmann at gmx.de
Sat Jan 10 01:10:23 PST 2004 

>Number:         61165
>Category:       kern
>Synopsis:       kernel page fault after calling cam_send_ccb
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 10 01:10:20 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Heiner Eichmann <h.eichmann at gmx.de>
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
Sirius Cybernetics Corp.
>Environment:
=46reeBSD 7of9.unimatrix-zero.borg 4.9-STABLE FreeBSD 4.9-STABLE #0: Tue De=
c 30=20
09:19:53 CET 2003 =A0 =A0=20
root at 7of9.unimatrix-zero.borg:/usr/obj/usr/src/sys/MYKERNEL =A0i386
CAM is compiled into the kernel.
>Description:
=46reeBSD dies immediately, if the attached program is executed. Note, that=
 it=20
contains a bug in line 36: a wrong constant (1) is used. If the correct one=
=20
(CAM_DIR_IN) is used instead, everything is fine. Nevertheless the kernel=20
should not crash.

Note: all it needs to perform this crash is the read/write access to pass0!
>How-To-Repeat:
Compile and run the attached program. Make sure, that the user has read/wri=
te=20
access to pass0.

WARNING: BSD dies immediately!
>Fix:




--Boundary-00=_CG8//He5c/0aNz1
Content-Type: text/x-c++src;
  charset="iso-8859-1";
  name="main2.cpp"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="main2.cpp"

#include <fcntl.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <camlib.h>
#include <cam/scsi/scsi_message.h>
#include <cam/scsi/scsi_pass.h>
#include <errno.h>

int main(int)
{
   char pass[32] = "/dev/pass0";
   union ccb		ccb;
   memset (&ccb,0,sizeof(ccb));
   ccb.ccb_h.func_code = XPT_GDEVLIST;
   struct cam_device  *cam = cam_open_pass (pass,O_RDWR,NULL);
   if (!cam)
   {
      printf("result: %s\n", cam_errbuf);
      return -1;
   }
   int len = 8;
   unsigned char header[len];
   ::memset( header, 0, len );
   memset(&ccb,0,sizeof(ccb));
   ccb.ccb_h.path_id    = cam->path_id;
   ccb.ccb_h.target_id  = cam->target_id;
   ccb.ccb_h.target_lun = cam->target_lun;
   cam_fill_csio (&(ccb.csio), 1, NULL, CAM_DEV_QFRZDIS, MSG_SIMPLE_Q_TAG, NULL, 0, sizeof(ccb.csio.sense_data), 0, 30*1000);
   ccb.csio.cdb_len = 1;
   ccb.csio.cdb_io.cdb_bytes[0] = 0x46;	// GET CONFIGURATION
   ccb.csio.cdb_len = 9;
   ccb.csio.cdb_io.cdb_bytes[8] = 8;
   
   ccb.csio.ccb_h.flags |= 1;//CAM_DIR_IN;
   ccb.csio.data_ptr  = (u_int8_t *)header;
   ccb.csio.dxfer_len = len;
   printf("cam_send_ccb\n");
   int ret;
   if ((ret = cam_send_ccb(cam, &ccb)) < 0)
   {
      printf("cam_send_ccb: failed\n");
      cam_close_device(cam);
      return -1;
   }
   printf("cam_send_ccb: succeeded\n");
   cam_close_device(cam);
   return 0;
}

--Boundary-00=_CG8//He5c/0aNz1--

>Release-Note:
>Audit-Trail:
>Unformatted:
 --Boundary-00=_CG8//He5c/0aNz1
 Content-Type: text/plain;
   charset="iso-8859-1"
 Content-Transfer-Encoding: quoted-printable
 Content-Disposition: inline

More information about the freebsd-bugs mailing list