Return-Path: <linux-kernel-owner+w=401wt.eu-S1757805AbXKDOxz@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1757805AbXKDOxz (ORCPT <rfc822;w@1wt.eu>);
	Sun, 4 Nov 2007 09:53:55 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1755503AbXKDOxr
	(ORCPT <rfc822;linux-kernel-outgoing>);
	Sun, 4 Nov 2007 09:53:47 -0500
Received: from py-out-1112.google.com ([64.233.166.176]:64778 "EHLO
	py-out-1112.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754498AbXKDOxq (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Sun, 4 Nov 2007 09:53:46 -0500
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=googlemail.com; s=beta;
        h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
        b=Wn+jTzLTU/bXyTRiHFE9DJAawowPCBpPubhybtmbAutwFy00IEty15TtjsaRiT8ay0rdvlk5XLMw1oE0kJ6TG0WMXDCWPuUFpBGL4xEW8T6LnK7Z7nSH7phbe/JVgHkQILkwGAUBxdrASBITrF2qQlM320SC5eiHhUWthn1Hwoo=
Message-ID: <64bb37e0711040653r5591c3eaj286b06f124d073f9@mail.gmail.com>
Date: Sun, 4 Nov 2007 15:53:44 +0100
From: "Torsten Kaiser" <just.for.lkml@googlemail.com>
To: "Jens Axboe" <jens.axboe@oracle.com>
Subject: Re: 2.6.24-rc1-54866f032307063776b4eff7eadb131d47f9f9b4 fails to boot: kernel BUG at include/linux/scatterlist.h:49!
Cc: linux-kernel@vger.kernel.org
In-Reply-To: <20071104130315.GL28340@kernel.dk>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <64bb37e0711021503x4844b905yba1e9a681c4e788a@mail.gmail.com>
	 <472BA567.8040301@s5r6.in-berlin.de>
	 <64bb37e0711030614q4be3a2b6j5d3c55b26cb07030@mail.gmail.com>
	 <472C88E9.60103@s5r6.in-berlin.de> <20071103160404.GH28340@kernel.dk>
	 <20071104084456.GJ28340@kernel.dk>
	 <64bb37e0711040251w4d08ac83n1e090a8fab19d3d8@mail.gmail.com>
	 <20071104130315.GL28340@kernel.dk>
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 5313
Lines: 164

[removing ieee1394 related cc's]

On 11/4/07, Jens Axboe <jens.axboe@oracle.com> wrote:
> Chained sg lists will only be feed to a scsi host controller that
> enables chaining in its host template.
>
> The fix looks fine though, it's just not a requirement or bug fix :-)

I just searched backwards to where the list came from
(scsi_alloc_sgtable()) and did not see any limit there. Also it's
caller did not limit it, but took the value from
req->nr_phys_segments, but then I got lazy and did not check how this
is generated by block/ll_rw_blk.c...

> > As yesterday my md1_raid5-thread oopsed with the same bug from the
> > thread "kernel NULL pointer dereference in blk_rq_map_sg with
> > v2.6.23-6815-g0895e91" I'm rather suspicious of anything sg related
> > right now. (At least I think its the same bug, as 2.6.23-mm1 does not
> > contain the fix from that thread)
>
> Can you post that oops please?

No problem.
I was just doing dd if=/dev/zero of=/home/image bs=1M count=45k and
the the oops took to root filesystem down.

[28241.180000] Unable to handle kernel paging request at ffff810120000000 RIP:

[28241.180000]  [<ffffffff8039ca00>] blk_rq_map_sg+0x70/0x180

[28241.180000] PGD 8063 PUD d063 PMD 0

[28241.180000] Oops: 0000 [1] SMP

[28241.210000] last sysfs file: /block/sdd/stat

[28241.210000] CPU 3

[28241.210000] Modules linked in: nls_iso8859_1 vfat fat ext3 jbd ext2
mbcache radeon drm nfsd exportfs ipv6 w83792d tuner tea5767 tda8290
tuner_simple mt20xx tvaudio msp3400 bttv ir_common compat_ioctl32
videobuf_dma_sg videobuf_core btcx_risc tveeprom videodev usbhid
v4l2_common v4l1_compat hid pata_amd sg i2c_nforce2

[28241.210000] Pid: 946, comm: md1_raid5 Not tainted 2.6.23-mm1 #8

[28241.210000] RIP: 0010:[<ffffffff8039ca00>]  [<ffffffff8039ca00>]
blk_rq_map_sg+0x70/0x180

[28241.210000] RSP: 0018:ffff81000613fc90  EFLAGS: 00010006

[28241.210000] RAX: 000000010151b000 RBX: ffff81011fffffc0 RCX: 00000001018eb000

[28241.210000] RDX: 0000000000000000 RSI: ffff8101014c88d0 RDI: ffff8101014c8868

[28241.210000] RBP: 0000000000002000 R08: ffff81011fffffe0 R09: 0000000000001000

[28241.210000] R10: 0000000000000000 R11: 00000001018ec000 R12: ffff810005e04000

[28241.210000] R13: 0000000000000001 R14: 000000000000007f R15: 00001e0000000000

[28241.210000] FS:  00007f6e752d96f0(0000) GS:ffff810100314700(0000)
knlGS:0000000000000000

[28241.210000] CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b

[28241.210000] CR2: ffff810120000000 CR3: 00000000061b5000 CR4: 00000000000006e0

[28241.210000] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000

[28241.210000] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400

[28241.210000] Process md1_raid5 (pid: 946, threadinfo
ffff81000613e000, task ffff8100060c7530)

[28241.210000] last branch before last exception/interrupt

[28241.210000]  from  [<ffffffff8039cab6>] blk_rq_map_sg+0x126/0x180

[28241.210000]  to  [<ffffffff8039ca00>] blk_rq_map_sg+0x70/0x180

[28241.210000] Stack:  0000000100000000 ffff810105616e00
ffff810101187800 ffff810102e6d7e0

[28241.210000]  0000000000000400 0000000002a46b89 ffff810005e04000
ffffffff804385b5

[28241.210000]  ffff810102e6d7e0 ffff810101187800 ffff810005d3c600
ffffffff80440b98

[28241.210000] Call Trace:

[28241.210000]  [<ffffffff804385b5>] scsi_init_io+0x75/0x100

[28241.210000]  [<ffffffff80440b98>] sd_prep_fn+0x98/0x400

[28241.210000]  [<ffffffff8039b7e5>] elv_next_request+0xf5/0x1f0

[28241.210000]  [<ffffffff8022c8ea>] __wake_up_common+0x5a/0x90

[28241.210000]  [<ffffffff80439229>] scsi_request_fn+0x69/0x360

[28241.210000]  [<ffffffff803a06b8>] generic_unplug_device+0x18/0x30

[28241.210000]  [<ffffffff804b6feb>] unplug_slaves+0x6b/0xc0

[28241.210000]  [<ffffffff804cabd0>] md_thread+0x0/0x100

[28241.210000]  [<ffffffff804bf7bd>] raid5d+0x44d/0x490

[28241.210000]  [<ffffffff805b01d7>] schedule_timeout+0x67/0xd0

[28241.210000]  [<ffffffff805b01ca>] schedule_timeout+0x5a/0xd0

[28241.210000]  [<ffffffff804cabd0>] md_thread+0x0/0x100

[28241.210000]  [<ffffffff804cac00>] md_thread+0x30/0x100

[28241.210000]  [<ffffffff8024a710>] autoremove_wake_function+0x0/0x30

[28241.210000]  [<ffffffff804cabd0>] md_thread+0x0/0x100

[28241.210000]  [<ffffffff8024a32b>] kthread+0x4b/0x80

[28241.210000]  [<ffffffff8020c9d8>] child_rip+0xa/0x12

[28241.210000]  [<ffffffff8024a2e0>] kthread+0x0/0x80

[28241.210000]  [<ffffffff8020c9ce>] child_rip+0x0/0x12

[28241.210000]

[28241.210000]

[28241.210000] Code: 49 8b 40 20 49 8d 48 20 4c 89 c3 48 89 c2 48 83
e2 fe a8 01

[28241.210000] RIP  [<ffffffff8039ca00>] blk_rq_map_sg+0x70/0x180

[28241.210000]  RSP <ffff81000613fc90>

[28241.210000] CR2: ffff810120000000


gdb says:
(gdb) list *0xffffffff8039ca00
0xffffffff8039ca00 is in blk_rq_map_sg (include/linux/scatterlist.h:48).
43       */
44      static inline struct scatterlist *sg_next(struct scatterlist *sg)
45      {
46              sg++;
47
48              if (unlikely(sg_is_chain(sg)))
49                      sg = sg_chain_ptr(sg);
50
51              return sg;
52      }

Torsten
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/