Message-ID: <64bb37e0711040653r5591c3eaj286b06f124d073f9@mail.gmail.com>
Date:	Sun, 4 Nov 2007 15:53:44 +0100
From:	"Torsten Kaiser" <just.for.lkml@...glemail.com>
To:	"Jens Axboe" <jens.axboe@...cle.com>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: 2.6.24-rc1-54866f032307063776b4eff7eadb131d47f9f9b4 fails to boot: kernel BUG at include/linux/scatterlist.h:49!

[removing ieee1394 related cc's]

On 11/4/07, Jens Axboe <jens.axboe@...cle.com> wrote:
> Chained sg lists will only be fed to a scsi host controller that
> enables chaining in its host template.
>
> The fix looks fine though, it's just not a requirement or bug fix :-)

I just searched backwards to where the list came from
(scsi_alloc_sgtable()) and did not see any limit there. Also its
caller did not limit it, but took the value from
req->nr_phys_segments, but then I got lazy and did not check how this
is generated by block/ll_rw_blk.c...

> > As yesterday my md1_raid5-thread oopsed with the same bug from the
> > thread "kernel NULL pointer dereference in blk_rq_map_sg with
> > v2.6.23-6815-g0895e91" I'm rather suspicious of anything sg related
> > right now. (At least I think it's the same bug, as 2.6.23-mm1 does not
> > contain the fix from that thread)
>
> Can you post that oops please?

No problem.
I was just doing dd if=/dev/zero of=/home/image bs=1M count=45k and
the oops took the root filesystem down.

[28241.180000] Unable to handle kernel paging request at ffff810120000000 RIP:
[28241.180000]  [<ffffffff8039ca00>] blk_rq_map_sg+0x70/0x180
[28241.180000] PGD 8063 PUD d063 PMD 0
[28241.180000] Oops: 0000 [1] SMP
[28241.210000] last sysfs file: /block/sdd/stat
[28241.210000] CPU 3
[28241.210000] Modules linked in: nls_iso8859_1 vfat fat ext3 jbd ext2 mbcache radeon drm nfsd exportfs ipv6 w83792d tuner tea5767 tda8290 tuner_simple mt20xx tvaudio msp3400 bttv ir_common compat_ioctl32 videobuf_dma_sg videobuf_core btcx_risc tveeprom videodev usbhid v4l2_common v4l1_compat hid pata_amd sg i2c_nforce2
[28241.210000] Pid: 946, comm: md1_raid5 Not tainted 2.6.23-mm1 #8
[28241.210000] RIP: 0010:[<ffffffff8039ca00>]  [<ffffffff8039ca00>] blk_rq_map_sg+0x70/0x180
[28241.210000] RSP: 0018:ffff81000613fc90  EFLAGS: 00010006
[28241.210000] RAX: 000000010151b000 RBX: ffff81011fffffc0 RCX: 00000001018eb000
[28241.210000] RDX: 0000000000000000 RSI: ffff8101014c88d0 RDI: ffff8101014c8868
[28241.210000] RBP: 0000000000002000 R08: ffff81011fffffe0 R09: 0000000000001000
[28241.210000] R10: 0000000000000000 R11: 00000001018ec000 R12: ffff810005e04000
[28241.210000] R13: 0000000000000001 R14: 000000000000007f R15: 00001e0000000000
[28241.210000] FS:  00007f6e752d96f0(0000) GS:ffff810100314700(0000) knlGS:0000000000000000
[28241.210000] CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
[28241.210000] CR2: ffff810120000000 CR3: 00000000061b5000 CR4: 00000000000006e0
[28241.210000] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[28241.210000] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[28241.210000] Process md1_raid5 (pid: 946, threadinfo ffff81000613e000, task ffff8100060c7530)
[28241.210000] last branch before last exception/interrupt
[28241.210000]  from  [<ffffffff8039cab6>] blk_rq_map_sg+0x126/0x180
[28241.210000]  to  [<ffffffff8039ca00>] blk_rq_map_sg+0x70/0x180
[28241.210000] Stack:  0000000100000000 ffff810105616e00 ffff810101187800 ffff810102e6d7e0
[28241.210000]  0000000000000400 0000000002a46b89 ffff810005e04000 ffffffff804385b5
[28241.210000]  ffff810102e6d7e0 ffff810101187800 ffff810005d3c600 ffffffff80440b98
[28241.210000] Call Trace:
[28241.210000]  [<ffffffff804385b5>] scsi_init_io+0x75/0x100
[28241.210000]  [<ffffffff80440b98>] sd_prep_fn+0x98/0x400
[28241.210000]  [<ffffffff8039b7e5>] elv_next_request+0xf5/0x1f0
[28241.210000]  [<ffffffff8022c8ea>] __wake_up_common+0x5a/0x90
[28241.210000]  [<ffffffff80439229>] scsi_request_fn+0x69/0x360
[28241.210000]  [<ffffffff803a06b8>] generic_unplug_device+0x18/0x30
[28241.210000]  [<ffffffff804b6feb>] unplug_slaves+0x6b/0xc0
[28241.210000]  [<ffffffff804cabd0>] md_thread+0x0/0x100
[28241.210000]  [<ffffffff804bf7bd>] raid5d+0x44d/0x490
[28241.210000]  [<ffffffff805b01d7>] schedule_timeout+0x67/0xd0
[28241.210000]  [<ffffffff805b01ca>] schedule_timeout+0x5a/0xd0
[28241.210000]  [<ffffffff804cabd0>] md_thread+0x0/0x100
[28241.210000]  [<ffffffff804cac00>] md_thread+0x30/0x100
[28241.210000]  [<ffffffff8024a710>] autoremove_wake_function+0x0/0x30
[28241.210000]  [<ffffffff804cabd0>] md_thread+0x0/0x100
[28241.210000]  [<ffffffff8024a32b>] kthread+0x4b/0x80
[28241.210000]  [<ffffffff8020c9d8>] child_rip+0xa/0x12
[28241.210000]  [<ffffffff8024a2e0>] kthread+0x0/0x80
[28241.210000]  [<ffffffff8020c9ce>] child_rip+0x0/0x12
[28241.210000]
[28241.210000]
[28241.210000] Code: 49 8b 40 20 49 8d 48 20 4c 89 c3 48 89 c2 48 83 e2 fe a8 01
[28241.210000] RIP  [<ffffffff8039ca00>] blk_rq_map_sg+0x70/0x180
[28241.210000]  RSP <ffff81000613fc90>
[28241.210000] CR2: ffff810120000000


gdb says:
(gdb) list *0xffffffff8039ca00
0xffffffff8039ca00 is in blk_rq_map_sg (include/linux/scatterlist.h:48).
43       */
44      static inline struct scatterlist *sg_next(struct scatterlist *sg)
45      {
46              sg++;
47
48              if (unlikely(sg_is_chain(sg)))
49                      sg = sg_chain_ptr(sg);
50
51              return sg;
52      }

Torsten
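The gdb listing above shows the shape of the failure: sg_next() steps to the following entry and only then asks whether it is a chain link, so nothing inside it stops a walk at the end of the list; the caller's count does that. The oops is consistent with exactly that step going one entry too far (R08 holds ffff81011fffffe0, the faulting instruction `49 8b 40 20` loads from R08+0x20, and CR2 is ffff810120000000, the first byte past the table's page). The following is an added userspace model of the chained-scatterlist encoding of that era, written for this page and not taken from the kernel or from the thread: a chain marker in the low bit of page_link redirects the walk to another table page, an end marker in the second bit says where the whole list stops. It contrasts a walk bounded by the end marker with one driven purely by a caller-supplied count, and uses a poisoned guard slot after each table page to stand in for the unmapped memory a real walk would fault on. All names, the 4-slot page size and the addresses are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the chained scatterlist encoding (not kernel code):
 * the low two bits of page_link are free because page structs are at
 * least 4-byte aligned, so they carry the markers. */
#define SG_CHAIN   0x01UL                 /* entry links to another table page */
#define SG_END     0x02UL                 /* entry is the last one of the list */
#define SG_MARKERS (SG_CHAIN | SG_END)
#define SG_POISON  0xdeadbee0UL           /* guard value: "memory past the table" */

struct sg_entry {
    unsigned long page_link;              /* page pointer bits | markers */
    unsigned int offset;
    unsigned int length;
};

static int sg_is_chain(const struct sg_entry *sg) { return (sg->page_link & SG_CHAIN) != 0; }
static int sg_is_last(const struct sg_entry *sg)  { return (sg->page_link & SG_END) != 0; }
static struct sg_entry *sg_chain_ptr(const struct sg_entry *sg)
{
    return (struct sg_entry *)(sg->page_link & ~SG_MARKERS);
}

/* Same shape as the sg_next() in the gdb listing: step one entry, and if
 * that entry is a chain link, jump to the table it points at. It never
 * looks at SG_END, so only the caller's count can stop it. */
static struct sg_entry *sg_next_unbounded(struct sg_entry *sg)
{
    sg++;
    if (sg_is_chain(sg))
        sg = sg_chain_ptr(sg);
    return sg;
}

/* Bounded variant: refuse to step past the entry carrying SG_END. */
static struct sg_entry *sg_next_bounded(struct sg_entry *sg)
{
    if (sg_is_last(sg))
        return NULL;
    return sg_next_unbounded(sg);
}

/* Clear one table page and mark its final slot as the end of the list. */
static void sg_init_table(struct sg_entry *sg, unsigned int nents)
{
    memset(sg, 0, nents * sizeof(*sg));
    sg[nents - 1].page_link = SG_END;
}

/* Turn the last slot of prv into a chain link to sgl; the end marker now
 * lives in sgl's last slot, so the chain slot itself carries no data. */
static void sg_chain(struct sg_entry *prv, unsigned int prv_nents, struct sg_entry *sgl)
{
    prv[prv_nents - 1].page_link = (unsigned long)sgl | SG_CHAIN;
}

/* Fill a data entry while preserving whatever markers it already has. */
static void sg_set_segment(struct sg_entry *sg, unsigned long page_addr, unsigned int len)
{
    sg->page_link = (sg->page_link & SG_MARKERS) | (page_addr & ~SG_MARKERS);
    sg->offset = 0;
    sg->length = len;
}

/* Sum all segment lengths, following chains and stopping at SG_END. */
static unsigned long sg_total_length(struct sg_entry *sg)
{
    unsigned long total = 0;
    for (; sg; sg = sg_next_bounded(sg))
        total += sg->length;
    return total;
}

/* Walk nents entries with the unbounded stepper, as a caller trusting an
 * over-counted segment number would. Returns the entries visited, or -1
 * if the walk reached the poisoned guard slot behind the table. */
static int sg_walk_by_count(struct sg_entry *sg, unsigned int nents)
{
    int visited = 0;
    while ((unsigned int)visited < nents) {
        if (sg->page_link == SG_POISON)
            return -1;                    /* would be the paging fault */
        visited++;
        sg = sg_next_unbounded(sg);
    }
    return visited;
}

/* Constructed sample: two 4-slot pages chained together, 7 data segments
 * of 4096 bytes, each page followed by a poisoned guard slot. */
#define NSLOTS 4
static struct sg_entry page_a[NSLOTS + 1], page_b[NSLOTS + 1];

static struct sg_entry *build_sample_list(void)
{
    sg_init_table(page_a, NSLOTS);
    sg_init_table(page_b, NSLOTS);
    sg_chain(page_a, NSLOTS, page_b);     /* page_a[3] is the link, not data */
    page_a[NSLOTS].page_link = SG_POISON;
    page_b[NSLOTS].page_link = SG_POISON;
    unsigned long addr = 0x10000000UL;    /* constructed page addresses */
    struct sg_entry *sg = page_a;
    for (int i = 0; i < 7; i++, sg = sg_next_unbounded(sg), addr += 0x1000)
        sg_set_segment(sg, addr, 4096);
    return page_a;
}

int main(void)
{
    struct sg_entry *sgl = build_sample_list();
    printf("bounded walk, total length: %lu\n", sg_total_length(sgl));
    printf("count-driven walk, nents=7: %d\n", sg_walk_by_count(sgl, 7));
    printf("count-driven walk, nents=8: %d\n", sg_walk_by_count(sgl, 8));
    return 0;
}
```

With the correct count of 7 both walks agree; with a count of 8 the count-driven walk steps into the guard slot, which is the model's equivalent of the paging request at the address just past the table. The end-marker check in sg_next_bounded is what makes the walk safe against a bad count rather than merely correct for a good one.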