Subject: Re: [bug report] memory corruption panic caused by SG_IO ioctl()
From: Douglas Gilbert
Reply-To: dgilbert@interlog.com
To: gaowanlong, "Martin K. Petersen", "linux-scsi@vger.kernel.org", "linux-kernel@vger.kernel.org"
Cc: "Wencongyang (UVP)", "Wanghui (John)", guijianfeng, "lipengfei (Y)", qiaonuohan
Date: Fri, 3 Aug 2018 13:44:27 -0400
Message-ID: <94815265-6db3-35b3-b027-47819b963d4a@interlog.com>
References: <93359d1a-930f-5279-3ca8-800d5930562d@interlog.com>

On 2018-08-03 12:17 PM, Douglas Gilbert wrote:
> On 2018-08-03 11:47 AM, gaowanlong wrote:
>> Doug,
>>
>> On 2018-08-03 04:46 AM, Wanlong Gao wrote:
>>> Hi Martin and all folks,
>>>
>>>
>>>> Recently we find a kernel panic with memory corruption caused by SG_IO ioctl(),
>>>> and it can be easily reproduced by running following reproducer about
>>>> minutes, any idea?
>>
>>> Which kernel?
>>
>> We've tested with 4.17.11 and 4.18.rc7 and both reproduced.
>>
>>> And what are the underlying devices (e.g. does /dev/sg0 refer to a SATA disk,
>>> a real SCSI disk (SAS for example), USB mass storage, etc)?
>>
>> We tested in a qemu-kvm guest and the sg0 refers to a virtual SATA disk.
>
> Thanks for the prompt reply.
>
> The first test I am doing, and you can also do, is to replace the virtual
> SATA disk with a scsi_debug pseudo SCSI disk(s). This will tell us
> whether libata has a hand in this (as that was the case in a previous
> syzkaller report on the SG_IO ioctl()).
>
>>> Also can you get a copy of the kernel panic?
>>
>> Since the call traces are different every time it reproduced, that I didn't
>> paste the call trace or the vmcore, but this reproducer is very useful and
>> I believe you can reproduce it easily using the following code.
>
> Okay.
>
> As I write I'm running your reproducer with lk 4.18.0-rc6 against pseudo
> scsi_debug "disks". So far no problems (5 minutes) with no noise in syslog.

Ran for an hour before I stopped it.

Before that I did an

    echo 1 > /sys/bus/pseudo/drivers/scsi_debug/opts

which causes a lot of noise in syslog. Then I could see every command was
being rejected with "LBA out of range". So I restarted scsi_debug with this:

    modprobe scsi_debug max_luns=8 sector_size=4096 virtual_gb=2000 ndelay=5000

To give 8 pseudo scsi disks of 2 TB size. Then it worked, this from syslog:

    sd 0:0:0:0: scsi_debug: tag=0x7e, cmd 08 f0 a8 77 d3 be 87 5d da 65 79 3f c7

That is certainly strange, a READ(6) [deprecated] with 13 bytes in the command!
But it doesn't seem to hurt scsi_debug. Still running 15 minutes later ...

Doug Gilbert
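
Added example (not part of the original message, and not kernel or scsi_debug code): a small C check that parses the CDB bytes out of a scsi_debug syslog line like the one quoted above and flags a logged length that disagrees with the fixed CDB size implied by the opcode's group code in SPC. The function names are hypothetical; the sample line is the one from the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed CDB length by opcode group code (bits 7..5), per SPC.
 * 0 means "not fixed": group 3 (variable/reserved), groups 6-7 (vendor). */
static int cdb_expected_len(uint8_t opcode)
{
    static const int len_by_group[8] = { 6, 10, 10, 0, 16, 12, 0, 0 };
    return len_by_group[opcode >> 5];
}

/* Collect the hex bytes after "cmd " in a syslog line; -1 if no such field. */
static int parse_cdb(const char *line, uint8_t *cdb, int max)
{
    const char *p = strstr(line, "cmd ");
    int n = 0;
    if (!p) return -1;
    for (p += 4; n < max; n++) {
        char *end;
        unsigned long v;
        while (*p == ' ') p++;
        v = strtoul(p, &end, 16);
        if (end == p || end - p > 2 || v > 0xff) break; /* not a hex byte */
        cdb[n] = (uint8_t)v;
        p = end;
    }
    return n;
}

/* 1: length contradicts the opcode group, 0: consistent or not checkable,
 * -1: line carries no CDB. */
static int cdb_len_mismatch(const char *line)
{
    uint8_t cdb[32];
    int n = parse_cdb(line, cdb, (int)sizeof(cdb));
    int want;
    if (n <= 0) return -1;
    want = cdb_expected_len(cdb[0]);
    return want != 0 && n != want;
}

/* READ(6) carries a 21-bit LBA in bytes 1..3; bytes past 5 are not part of it. */
static uint32_t read6_lba(const uint8_t *cdb)
{
    return ((uint32_t)(cdb[1] & 0x1f) << 16) | ((uint32_t)cdb[2] << 8) | cdb[3];
}

int main(void)
{
    const char *line = "sd 0:0:0:0: scsi_debug: tag=0x7e, cmd 08 f0 a8 77 d3 be 87 5d da 65 79 3f c7";
    uint8_t cdb[32];
    int n = parse_cdb(line, cdb, (int)sizeof(cdb));
    printf("bytes=%d expected=%d mismatch=%d lba=0x%x\n", n,
           cdb_expected_len(cdb[0]), cdb_len_mismatch(line), (unsigned)read6_lba(cdb));
    return 0;
}
```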