| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <64bb37e0711040653r5591c3eaj286b06f124d073f9@mail.gmail.com>
Date: Sun, 4 Nov 2007 15:53:44 +0100
From: "Torsten Kaiser" <just.for.lkml@...glemail.com>
To: "Jens Axboe" <jens.axboe@...cle.com>
Cc: linux-kernel@...r.kernel.org
Subject: Re: 2.6.24-rc1-54866f032307063776b4eff7eadb131d47f9f9b4 fails to boot: kernel BUG at include/linux/scatterlist.h:49!
[removing ieee1394 related cc's]
On 11/4/07, Jens Axboe <jens.axboe@...cle.com> wrote:
> Chained sg lists will only be feed to a scsi host controller that
> enables chaining in its host template.
>
> The fix looks fine though, it's just not a requirement or bug fix :-)
I just searched backwards to where the list came from
(scsi_alloc_sgtable()) and did not see any limit there. Also it's
caller did not limit it, but took the value from
req->nr_phys_segments, but then I got lazy and did not check how this
is generated by block/ll_rw_blk.c...
> > As yesterday my md1_raid5-thread oopsed with the same bug from the
> > thread "kernel NULL pointer dereference in blk_rq_map_sg with
> > v2.6.23-6815-g0895e91" I'm rather suspicious of anything sg related
> > right now. (At least I think its the same bug, as 2.6.23-mm1 does not
> > contain the fix from that thread)
>
> Can you post that oops please?
No problem.
I was just doing dd if=/dev/zero of=/home/image bs=1M count=45k and
the the oops took to root filesystem down.
[28241.180000] Unable to handle kernel paging request at ffff810120000000 RIP:
[28241.180000] [<ffffffff8039ca00>] blk_rq_map_sg+0x70/0x180
[28241.180000] PGD 8063 PUD d063 PMD 0
[28241.180000] Oops: 0000 [1] SMP
[28241.210000] last sysfs file: /block/sdd/stat
[28241.210000] CPU 3
[28241.210000] Modules linked in: nls_iso8859_1 vfat fat ext3 jbd ext2
mbcache radeon drm nfsd exportfs ipv6 w83792d tuner tea5767 tda8290
tuner_simple mt20xx tvaudio msp3400 bttv ir_common compat_ioctl32
videobuf_dma_sg videobuf_core btcx_risc tveeprom videodev usbhid
v4l2_common v4l1_compat hid pata_amd sg i2c_nforce2
[28241.210000] Pid: 946, comm: md1_raid5 Not tainted 2.6.23-mm1 #8
[28241.210000] RIP: 0010:[<ffffffff8039ca00>] [<ffffffff8039ca00>]
blk_rq_map_sg+0x70/0x180
[28241.210000] RSP: 0018:ffff81000613fc90 EFLAGS: 00010006
[28241.210000] RAX: 000000010151b000 RBX: ffff81011fffffc0 RCX: 00000001018eb000
[28241.210000] RDX: 0000000000000000 RSI: ffff8101014c88d0 RDI: ffff8101014c8868
[28241.210000] RBP: 0000000000002000 R08: ffff81011fffffe0 R09: 0000000000001000
[28241.210000] R10: 0000000000000000 R11: 00000001018ec000 R12: ffff810005e04000
[28241.210000] R13: 0000000000000001 R14: 000000000000007f R15: 00001e0000000000
[28241.210000] FS: 00007f6e752d96f0(0000) GS:ffff810100314700(0000)
knlGS:0000000000000000
[28241.210000] CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
[28241.210000] CR2: ffff810120000000 CR3: 00000000061b5000 CR4: 00000000000006e0
[28241.210000] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[28241.210000] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[28241.210000] Process md1_raid5 (pid: 946, threadinfo
ffff81000613e000, task ffff8100060c7530)
[28241.210000] last branch before last exception/interrupt
[28241.210000] from [<ffffffff8039cab6>] blk_rq_map_sg+0x126/0x180
[28241.210000] to [<ffffffff8039ca00>] blk_rq_map_sg+0x70/0x180
[28241.210000] Stack: 0000000100000000 ffff810105616e00
ffff810101187800 ffff810102e6d7e0
[28241.210000] 0000000000000400 0000000002a46b89 ffff810005e04000
ffffffff804385b5
[28241.210000] ffff810102e6d7e0 ffff810101187800 ffff810005d3c600
ffffffff80440b98
[28241.210000] Call Trace:
[28241.210000] [<ffffffff804385b5>] scsi_init_io+0x75/0x100
[28241.210000] [<ffffffff80440b98>] sd_prep_fn+0x98/0x400
[28241.210000] [<ffffffff8039b7e5>] elv_next_request+0xf5/0x1f0
[28241.210000] [<ffffffff8022c8ea>] __wake_up_common+0x5a/0x90
[28241.210000] [<ffffffff80439229>] scsi_request_fn+0x69/0x360
[28241.210000] [<ffffffff803a06b8>] generic_unplug_device+0x18/0x30
[28241.210000] [<ffffffff804b6feb>] unplug_slaves+0x6b/0xc0
[28241.210000] [<ffffffff804cabd0>] md_thread+0x0/0x100
[28241.210000] [<ffffffff804bf7bd>] raid5d+0x44d/0x490
[28241.210000] [<ffffffff805b01d7>] schedule_timeout+0x67/0xd0
[28241.210000] [<ffffffff805b01ca>] schedule_timeout+0x5a/0xd0
[28241.210000] [<ffffffff804cabd0>] md_thread+0x0/0x100
[28241.210000] [<ffffffff804cac00>] md_thread+0x30/0x100
[28241.210000] [<ffffffff8024a710>] autoremove_wake_function+0x0/0x30
[28241.210000] [<ffffffff804cabd0>] md_thread+0x0/0x100
[28241.210000] [<ffffffff8024a32b>] kthread+0x4b/0x80
[28241.210000] [<ffffffff8020c9d8>] child_rip+0xa/0x12
[28241.210000] [<ffffffff8024a2e0>] kthread+0x0/0x80
[28241.210000] [<ffffffff8020c9ce>] child_rip+0x0/0x12
[28241.210000]
[28241.210000]
[28241.210000] Code: 49 8b 40 20 49 8d 48 20 4c 89 c3 48 89 c2 48 83
e2 fe a8 01
[28241.210000] RIP [<ffffffff8039ca00>] blk_rq_map_sg+0x70/0x180
[28241.210000] RSP <ffff81000613fc90>
[28241.210000] CR2: ffff810120000000
gdb says:
(gdb) list *0xffffffff8039ca00
0xffffffff8039ca00 is in blk_rq_map_sg (include/linux/scatterlist.h:48).
43 */
44 static inline struct scatterlist *sg_next(struct scatterlist *sg)
45 {
46 sg++;
47
48 if (unlikely(sg_is_chain(sg)))
49 sg = sg_chain_ptr(sg);
50
51 return sg;
52 }
Torsten
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists