kern/61165: kernel page fault after calling cam_send_ccb
Heiner
h.eichmann at gmx.de
Sat Jan 10 01:10:23 PST 2004
>Number: 61165
>Category: kern
>Synopsis: kernel page fault after calling cam_send_ccb
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jan 10 01:10:20 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: Heiner Eichmann <h.eichmann at gmx.de>
>Release: FreeBSD 4.9-STABLE i386
>Organization:
Sirius Cybernetics Corp.
>Environment:
FreeBSD 7of9.unimatrix-zero.borg 4.9-STABLE FreeBSD 4.9-STABLE #0: Tue Dec 30 09:19:53 CET 2003 root at 7of9.unimatrix-zero.borg:/usr/obj/usr/src/sys/MYKERNEL i386
CAM is compiled into the kernel.
>Description:
FreeBSD dies immediately if the attached program is executed. Note that it contains a bug in line 36: a wrong constant (1) is used. If the correct one (CAM_DIR_IN) is used instead, everything is fine. Nevertheless, the kernel should not crash.
Note: all it needs to perform this crash is read/write access to pass0!
>How-To-Repeat:
Compile and run the attached program. Make sure that the user has read/write access to pass0.
WARNING: BSD dies immediately!
>Fix:
Attachment: main2.cpp
#include <fcntl.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <camlib.h>
#include <cam/scsi/scsi_message.h>
#include <cam/scsi/scsi_pass.h>

int main(void)
{
	char pass[32] = "/dev/pass0";
	union ccb ccb;

	/* Open the pass-through device; this needs read/write access to pass0. */
	struct cam_device *cam = cam_open_pass(pass, O_RDWR, NULL);
	if (!cam) {
		printf("result: %s\n", cam_errbuf);
		return -1;
	}

	/* Buffer that receives the 8-byte GET CONFIGURATION header. */
	const int len = 8;
	unsigned char header[len];
	memset(header, 0, len);

	/* Build a SCSI I/O CCB addressed to the device behind pass0. */
	memset(&ccb, 0, sizeof(ccb));
	ccb.ccb_h.path_id = cam->path_id;
	ccb.ccb_h.target_id = cam->target_id;
	ccb.ccb_h.target_lun = cam->target_lun;
	/* 1 retry, no completion callback, queue-freeze disabled, simple tag,
	 * no data pointer yet, autosense buffer = sense_data, 30 s timeout. */
	cam_fill_csio(&(ccb.csio), 1, NULL, CAM_DEV_QFRZDIS, MSG_SIMPLE_Q_TAG,
	    NULL, 0, sizeof(ccb.csio.sense_data), 0, 30 * 1000);

	/* GET CONFIGURATION (opcode 0x46); allocation length 8 in CDB byte 8. */
	ccb.csio.cdb_io.cdb_bytes[0] = 0x46;
	ccb.csio.cdb_io.cdb_bytes[8] = 8;
	ccb.csio.cdb_len = 9;

	/* The bug described in the report: the literal 1 is not CAM_DIR_IN.
	 * In cam_ccb.h the flag bit with value 1 is CAM_CDB_POINTER, which tells
	 * the kernel to treat cdb_io as a pointer rather than inline CDB bytes.
	 * Replacing 1 with CAM_DIR_IN makes the program behave correctly. */
	ccb.csio.ccb_h.flags |= 1; /* CAM_DIR_IN; */
	ccb.csio.data_ptr = (u_int8_t *)header;
	ccb.csio.dxfer_len = len;

	printf("cam_send_ccb\n");
	int ret;
	if ((ret = cam_send_ccb(cam, &ccb)) < 0) {
		printf("cam_send_ccb: failed\n");
		cam_close_device(cam);
		return -1;
	}
	printf("cam_send_ccb: succeeded\n");
	cam_close_device(cam);
	return 0;
}
>Release-Note:
>Audit-Trail:
>Unformatted:
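As an added example (not the reporter's program and not FreeBSD's own pass(4) driver code), the C below shows the kind of sanity check a defender would want applied to a user-supplied CCB before the kernel acts on it: a user process must never be able to make the kernel dereference a CDB pointer, the direction bits must be set, and a data transfer must come with a buffer. The flag values are copied from sys/cam/cam_ccb.h; the struct, the MAX_CDB_LEN limit and the function names are assumptions made for this example. Run against the two flag words from the report, it rejects CAM_DEV_QFRZDIS | 1 and accepts CAM_DEV_QFRZDIS | CAM_DIR_IN.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Flag values copied from FreeBSD's sys/cam/cam_ccb.h (enum ccb_flags);
 * only the bits this check inspects are reproduced here. */
#define CAM_CDB_POINTER 0x00000001u /* cdb_io holds a pointer, not CDB bytes */
#define CAM_DIR_IN      0x00000040u
#define CAM_DIR_OUT     0x00000080u
#define CAM_DIR_NONE    0x000000C0u
#define CAM_DIR_MASK    0x000000C0u
#define CAM_DEV_QFRZDIS 0x00000400u

/* Largest inline CDB this check accepts (an assumption for this example). */
#define MAX_CDB_LEN 16

/* Minimal stand-in for the fields of struct ccb_scsiio that the check
 * looks at; constructed for this example, not the real union ccb. */
struct user_csio {
	uint32_t flags;
	uint8_t  cdb_len;
	uint8_t *data_ptr;
	uint32_t dxfer_len;
};

/* Returns NULL if the CCB may be submitted, otherwise a reason string. */
const char *validate_user_csio(const struct user_csio *c)
{
	uint32_t dir = c->flags & CAM_DIR_MASK;

	/* A pointer in the CDB field can only be trusted from kernel context. */
	if (c->flags & CAM_CDB_POINTER)
		return "CAM_CDB_POINTER set: CDB must be inline bytes";
	if (c->cdb_len == 0 || c->cdb_len > MAX_CDB_LEN)
		return "cdb_len out of range";
	if (dir == 0) /* direction bits 00 are reserved in ccb_flags */
		return "no data direction given (CAM_DIR_IN/OUT/NONE missing)";
	if (dir == CAM_DIR_NONE) {
		if (c->dxfer_len != 0)
			return "CAM_DIR_NONE with a non-zero dxfer_len";
	} else if (c->data_ptr == NULL || c->dxfer_len == 0) {
		return "data transfer requested without a buffer";
	}
	return NULL;
}

/* Constructed 8-byte buffer standing in for the report's header[]. */
static uint8_t header[8];

/* The CCB as the report sends it: flags CAM_DEV_QFRZDIS | 1. */
int report_ccb_rejected(void)
{
	struct user_csio c = { CAM_DEV_QFRZDIS | 1u, 9, header, sizeof header };
	return validate_user_csio(&c) != NULL;
}

/* The CCB with the constant the reporter intended: CAM_DIR_IN. */
int corrected_ccb_accepted(void)
{
	struct user_csio c = { CAM_DEV_QFRZDIS | CAM_DIR_IN, 9, header, sizeof header };
	return validate_user_csio(&c) == NULL;
}

/* A no-data command must not carry a transfer length. */
int none_with_length_rejected(void)
{
	struct user_csio c = { CAM_DEV_QFRZDIS | CAM_DIR_NONE, 6, NULL, 8 };
	return validate_user_csio(&c) != NULL;
}

int main(void)
{
	printf("QFRZDIS|1:          %s\n", report_ccb_rejected() ? "rejected" : "accepted");
	printf("QFRZDIS|CAM_DIR_IN: %s\n", corrected_ccb_accepted() ? "accepted" : "rejected");
	printf("DIR_NONE, len 8:    %s\n", none_with_length_rejected() ? "rejected" : "accepted");
	return 0;
}
```

The check lives in user space here only so it can be compiled and run anywhere; the point of the report is that the same validation belongs on the kernel side of the pass(4) ioctl, where a rejected CCB costs an EINVAL instead of a page fault.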