LKML Archive on lore.kernel.org
* kernel NULL pointer dereference in blk_rq_map_sg with v2.6.23-6815-g0895e91
@ 2007-10-23 12:46 Florin Iucha
  2007-10-23 12:47 ` Jens Axboe
  2007-10-23 12:50 ` Florin Iucha
From: Florin Iucha @ 2007-10-23 12:46 UTC
  To: Jens Axboe, Linux Kernel Mailing List


Jens,

This is freshly after booting into this morning's kernel:

[   60.656136] Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP: 
[   60.656143]  [<ffffffff80375553>] blk_rq_map_sg+0x10d/0x17c
[   60.656151] PGD 4640067 PUD 46d4067 PMD 0 
[   60.656154] Oops: 0000 [1] SMP 
[   60.656157] CPU 1 
[   60.656159] Modules linked in: sbp2 lp dvb_pll lgdt330x cx88_dvb cx88_vp3054_i2c videobuf_dvb tuner tea5767 tda8290 tuner_simple mt20xx cx88_alsa cx8802 cx8800 cx88xx ir_common tveeprom videobuf_dma_sg videobuf_core btcx_risc i2c_nforce2 evdev rtc forcedeth ehci_hcd fuse
[   60.656176] Pid: 4250, comm: hald-probe-stor Not tainted 2.6.24-rc0-5 #1
[   60.656178] RIP: 0010:[<ffffffff80375553>]  [<ffffffff80375553>] blk_rq_map_sg+0x10d/0x17c
[   60.656182] RSP: 0018:ffff810004791930  EFLAGS: 00010246
[   60.656184] RAX: 000000000403b000 RBX: 0000000000001000 RCX: 6db6db6db6db6db7
[   60.656187] RDX: 0000000000000000 RSI: ffff810001000000 RDI: 0000000005701000
[   60.656189] RBP: ffff810004791968 R08: 0000000005700000 R09: ffff8100044aa060
[   60.656191] R10: 0000000000000000 R11: ffff8100050dea00 R12: 0000000000002000
[   60.656193] R13: ffff8100060d2700 R14: 0000000000000000 R15: ffffffff807f0000
[   60.656196] FS:  00002b5da088e6e0(0000) GS:ffff810003011500(0000) knlGS:0000000000000000
[   60.656198] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[   60.656200] CR2: 0000000000000000 CR3: 0000000004568000 CR4: 00000000000006e0
[   60.656202] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   60.656204] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[   60.656207] Process hald-probe-stor (pid: 4250, threadinfo ffff810004790000, task ffff810006312000)
[   60.656208] Stack:  ffff81000607a000 0000000100000001 ffff8100040fa120 ffffffff807fe2c0
[   60.656213]  ffff81000607a000 ffff81000607a000 ffffffff807fe2c0 ffff8100047919a8
[   60.656217]  ffffffff8041bb58 ffff8100047919a8 ffff8100040fa120 ffffffff807fe2c0
[   60.656220] Call Trace:
[   60.656226]  [<ffffffff8041bb58>] ide_map_sg+0x38/0xb0
[   60.656231]  [<ffffffff8042952b>] cdrom_start_read_continuation+0x0/0xb5
[   60.656234]  [<ffffffff80423806>] ide_build_sglist+0x38/0x88
[   60.656238]  [<ffffffff80423885>] ide_build_dmatable+0x2f/0x172
[   60.656241]  [<ffffffff804239fc>] ide_dma_setup+0x34/0xaa
[   60.656245]  [<ffffffff804277e5>] cdrom_start_packet_command+0x5a/0x177
[   60.656249]  [<ffffffff8037fac4>] cfq_dispatch_insert+0x38/0x50
[   60.656253]  [<ffffffff80428339>] ide_do_rw_cdrom+0x423/0x57c
[   60.656257]  [<ffffffff8041c56c>] ide_do_request+0x7a7/0xa74
[   60.656263]  [<ffffffff8023c097>] del_timer+0x52/0x5d
[   60.656267]  [<ffffffff8025d343>] sync_page+0x0/0x45
[   60.656269]  [<ffffffff8041cba0>] do_ide_request+0x1b/0x1d
[   60.656273]  [<ffffffff803778a7>] __generic_unplug_device+0x28/0x2c
[   60.656276]  [<ffffffff80377c6e>] generic_unplug_device+0x20/0x31
[   60.656279]  [<ffffffff803751b1>] blk_backing_dev_unplug+0x16/0x18
[   60.656283]  [<ffffffff8029decc>] block_sync_page+0x42/0x44
[   60.656285]  [<ffffffff8025d37f>] sync_page+0x3c/0x45
[   60.656290]  [<ffffffff805589b8>] __wait_on_bit_lock+0x42/0x79
[   60.656294]  [<ffffffff8025d32f>] __lock_page+0x64/0x6b
[   60.656298]  [<ffffffff8024664b>] wake_bit_function+0x0/0x2a
[   60.656301]  [<ffffffff8025da95>] do_generic_mapping_read+0x1da/0x383
[   60.656304]  [<ffffffff8025d08d>] file_read_actor+0x0/0x137
[   60.656309]  [<ffffffff8025f1af>] generic_file_aio_read+0x11e/0x15d
[   60.656315]  [<ffffffff8027ee59>] do_sync_read+0xe2/0x126
[   60.656318]  [<ffffffff8026b15a>] handle_mm_fault+0x62e/0x65e
[   60.656324]  [<ffffffff80386fcc>] __up_read+0x8f/0x97
[   60.656327]  [<ffffffff80246613>] autoremove_wake_function+0x0/0x38
[   60.656331]  [<ffffffff80559233>] __mutex_lock_slowpath+0x22f/0x23c
[   60.656337]  [<ffffffff8027f5f0>] vfs_read+0xab/0x134
[   60.656341]  [<ffffffff8027f9b5>] sys_read+0x47/0x6f
[   60.656345]  [<ffffffff8020b77e>] system_call+0x7e/0x83
[   60.656349] 
[   60.656350] 
[   60.656350] Code: 49 8b 02 41 c7 42 18 00 00 00 00 49 c7 42 10 00 00 00 00 83 
[   60.656359] RIP  [<ffffffff80375553>] blk_rq_map_sg+0x10d/0x17c
[   60.656362]  RSP <ffff810004791930>
[   60.656363] CR2: 0000000000000000

Platform is AMD64 and the userspace is Ubuntu 7/10 Gutsy Gibbon.

florin

-- 
Bruce Schneier expects the Spanish Inquisition.
      http://geekz.co.uk/schneierfacts/fact/163



* Re: kernel NULL pointer dereference in blk_rq_map_sg with v2.6.23-6815-g0895e91
  2007-10-23 12:46 kernel NULL pointer dereference in blk_rq_map_sg with v2.6.23-6815-g0895e91 Florin Iucha
@ 2007-10-23 12:47 ` Jens Axboe
  2007-10-23 14:28   ` Jean Delvare
  2007-10-23 12:50 ` Florin Iucha
From: Jens Axboe @ 2007-10-23 12:47 UTC
  To: Florin Iucha; +Cc: Linux Kernel Mailing List

On Tue, Oct 23 2007, Florin Iucha wrote:
> Jens,
> 
> This is freshly after booting into this morning's kernel:
> 
> [   60.656136] Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP: 
> [   60.656143]  [<ffffffff80375553>] blk_rq_map_sg+0x10d/0x17c
> [   60.656151] PGD 4640067 PUD 46d4067 PMD 0 
> [   60.656154] Oops: 0000 [1] SMP 
> [   60.656157] CPU 1 
> [   60.656159] Modules linked in: sbp2 lp dvb_pll lgdt330x cx88_dvb cx88_vp3054_i2c videobuf_dvb tuner tea5767 tda8290 tuner_simple mt20xx cx88_alsa cx8802 cx8800 cx88xx ir_common tveeprom videobuf_dma_sg videobuf_core btcx_risc i2c_nforce2 evdev rtc forcedeth ehci_hcd fuse
> [   60.656176] Pid: 4250, comm: hald-probe-stor Not tainted 2.6.24-rc0-5 #1
> [   60.656178] RIP: 0010:[<ffffffff80375553>]  [<ffffffff80375553>] blk_rq_map_sg+0x10d/0x17c
> [   60.656182] RSP: 0018:ffff810004791930  EFLAGS: 00010246
> [   60.656184] RAX: 000000000403b000 RBX: 0000000000001000 RCX: 6db6db6db6db6db7
> [   60.656187] RDX: 0000000000000000 RSI: ffff810001000000 RDI: 0000000005701000
> [   60.656189] RBP: ffff810004791968 R08: 0000000005700000 R09: ffff8100044aa060
> [   60.656191] R10: 0000000000000000 R11: ffff8100050dea00 R12: 0000000000002000
> [   60.656193] R13: ffff8100060d2700 R14: 0000000000000000 R15: ffffffff807f0000
> [   60.656196] FS:  00002b5da088e6e0(0000) GS:ffff810003011500(0000) knlGS:0000000000000000
> [   60.656198] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> [   60.656200] CR2: 0000000000000000 CR3: 0000000004568000 CR4: 00000000000006e0
> [   60.656202] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [   60.656204] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [   60.656207] Process hald-probe-stor (pid: 4250, threadinfo ffff810004790000, task ffff810006312000)
> [   60.656208] Stack:  ffff81000607a000 0000000100000001 ffff8100040fa120 ffffffff807fe2c0
> [   60.656213]  ffff81000607a000 ffff81000607a000 ffffffff807fe2c0 ffff8100047919a8
> [   60.656217]  ffffffff8041bb58 ffff8100047919a8 ffff8100040fa120 ffffffff807fe2c0
> [   60.656220] Call Trace:
> [   60.656226]  [<ffffffff8041bb58>] ide_map_sg+0x38/0xb0
> [   60.656231]  [<ffffffff8042952b>] cdrom_start_read_continuation+0x0/0xb5
> [   60.656234]  [<ffffffff80423806>] ide_build_sglist+0x38/0x88
> [   60.656238]  [<ffffffff80423885>] ide_build_dmatable+0x2f/0x172
> [   60.656241]  [<ffffffff804239fc>] ide_dma_setup+0x34/0xaa
> [   60.656245]  [<ffffffff804277e5>] cdrom_start_packet_command+0x5a/0x177
> [   60.656249]  [<ffffffff8037fac4>] cfq_dispatch_insert+0x38/0x50
> [   60.656253]  [<ffffffff80428339>] ide_do_rw_cdrom+0x423/0x57c
> [   60.656257]  [<ffffffff8041c56c>] ide_do_request+0x7a7/0xa74
> [   60.656263]  [<ffffffff8023c097>] del_timer+0x52/0x5d
> [   60.656267]  [<ffffffff8025d343>] sync_page+0x0/0x45
> [   60.656269]  [<ffffffff8041cba0>] do_ide_request+0x1b/0x1d
> [   60.656273]  [<ffffffff803778a7>] __generic_unplug_device+0x28/0x2c
> [   60.656276]  [<ffffffff80377c6e>] generic_unplug_device+0x20/0x31
> [   60.656279]  [<ffffffff803751b1>] blk_backing_dev_unplug+0x16/0x18
> [   60.656283]  [<ffffffff8029decc>] block_sync_page+0x42/0x44
> [   60.656285]  [<ffffffff8025d37f>] sync_page+0x3c/0x45
> [   60.656290]  [<ffffffff805589b8>] __wait_on_bit_lock+0x42/0x79
> [   60.656294]  [<ffffffff8025d32f>] __lock_page+0x64/0x6b
> [   60.656298]  [<ffffffff8024664b>] wake_bit_function+0x0/0x2a
> [   60.656301]  [<ffffffff8025da95>] do_generic_mapping_read+0x1da/0x383
> [   60.656304]  [<ffffffff8025d08d>] file_read_actor+0x0/0x137
> [   60.656309]  [<ffffffff8025f1af>] generic_file_aio_read+0x11e/0x15d
> [   60.656315]  [<ffffffff8027ee59>] do_sync_read+0xe2/0x126
> [   60.656318]  [<ffffffff8026b15a>] handle_mm_fault+0x62e/0x65e
> [   60.656324]  [<ffffffff80386fcc>] __up_read+0x8f/0x97
> [   60.656327]  [<ffffffff80246613>] autoremove_wake_function+0x0/0x38
> [   60.656331]  [<ffffffff80559233>] __mutex_lock_slowpath+0x22f/0x23c
> [   60.656337]  [<ffffffff8027f5f0>] vfs_read+0xab/0x134
> [   60.656341]  [<ffffffff8027f9b5>] sys_read+0x47/0x6f
> [   60.656345]  [<ffffffff8020b77e>] system_call+0x7e/0x83
> [   60.656349] 
> [   60.656350] 
> [   60.656350] Code: 49 8b 02 41 c7 42 18 00 00 00 00 49 c7 42 10 00 00 00 00 83 
> [   60.656359] RIP  [<ffffffff80375553>] blk_rq_map_sg+0x10d/0x17c
> [   60.656362]  RSP <ffff810004791930>
> [   60.656363] CR2: 0000000000000000
> 
> Platform is AMD64 and the userspace is Ubuntu 7/10 Gutsy Gibbon.

This should fix it, sorry about that.

diff --git a/block/ll_rw_blk.c b/block/ll_rw_blk.c
index 61c2e39..de5ba47 100644
--- a/block/ll_rw_blk.c
+++ b/block/ll_rw_blk.c
@@ -1351,11 +1351,21 @@ int blk_rq_map_sg(struct request_queue *q, struct request *rq,
 new_segment:
 			if (!sg)
 				sg = sglist;
-			else
+			else {
+				/*
+				 * If the driver previously mapped a shorter
+				 * list, we could see a termination bit
+				 * prematurely unless it fully inits the sg
+				 * table on each mapping. We KNOW that there
+				 * must be more entries here or the driver
+				 * would be buggy, so force clear the
+				 * termination bit to avoid doing a full
+				 * sg_init_table() in drivers for each command.
+				 */
+				sg->page_link &= ~0x02;
 				sg = sg_next(sg);
+			}
 
-			sg_dma_len(sg) = 0;
-			sg_dma_address(sg) = 0;
 			sg_set_page(sg, bvec->bv_page);
 			sg->length = nbytes;
 			sg->offset = bvec->bv_offset;
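Review bot: the added `sg->page_link &= ~0x02;` hard-codes the end-of-list marker as a raw literal; use the named bit definition or a helper from scatterlist.h so the page_link bit layout lives in one place and this clear cannot silently go stale if the encoding changes. The new comment also asserts that more entries "must" exist or the driver is buggy, but nothing enforces that: once the termination bit is cleared, the following `sg = sg_next(sg);` on a too-short table walks past the end of the driver's sglist instead of failing loudly, so a debug-only check that the current entry is not the last one before clearing would turn a silent out-of-bounds walk into a diagnosable error. Finally, the removed `sg_dma_len(sg) = 0;` and `sg_dma_address(sg) = 0;` lines are not mentioned in the description; if any driver relied on those fields being zeroed before mapping, the changelog should say why dropping them is safe.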


-- 
Jens Axboe



* Re: kernel NULL pointer dereference in blk_rq_map_sg with v2.6.23-6815-g0895e91
  2007-10-23 12:46 kernel NULL pointer dereference in blk_rq_map_sg with v2.6.23-6815-g0895e91 Florin Iucha
  2007-10-23 12:47 ` Jens Axboe
@ 2007-10-23 12:50 ` Florin Iucha
  2007-10-23 12:53   ` Jens Axboe
From: Florin Iucha @ 2007-10-23 12:50 UTC
  To: Jens Axboe, Linux Kernel Mailing List


On Tue, Oct 23, 2007 at 07:46:37AM -0500, Florin Iucha wrote:
> [   60.656136] Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP: 
> [   60.656143]  [<ffffffff80375553>] blk_rq_map_sg+0x10d/0x17c
> [   60.656151] PGD 4640067 PUD 46d4067 PMD 0 
> [   60.656154] Oops: 0000 [1] SMP 
> [   60.656157] CPU 1 
> ...

There was a DVD in the drive.  After the OOPS, I cannot eject it
via the button, and the "eject" command is stuck in "D" state:

[  436.308282] eject         D ffffffff80571760     0  5336   5324
[  436.308285]  ffff810007c35d08 0000000000000082 0000000000000000 ffff810007c35ca8
[  436.308288]  ffff810006fb15f0 ffff810003062000 ffff810006fb17f8 0000000122222222
[  436.308292]  0000000000000003 ffff8100057e1070 0000000000000000 0000000000000000
[  436.308295] Call Trace:
[  436.308301]  [<ffffffff80559137>] __mutex_lock_slowpath+0x133/0x23c
[  436.308306]  [<ffffffff80559259>] mutex_lock+0x19/0x1d
[  436.308309]  [<ffffffff802a35a0>] do_open+0x74/0x2d1
[  436.308313]  [<ffffffff802a3a02>] blkdev_open+0x0/0x69
[  436.308315]  [<ffffffff802a3a39>] blkdev_open+0x37/0x69
[  436.308319]  [<ffffffff8027d68e>] __dentry_open+0xe6/0x1bd
[  436.308323]  [<ffffffff8027d7fd>] nameidata_to_filp+0x2d/0x3f
[  436.308326]  [<ffffffff8027d848>] do_filp_open+0x39/0x4b
[  436.308330]  [<ffffffff8055a16d>] _spin_unlock+0x9/0xb
[  436.308333]  [<ffffffff8027d58d>] get_unused_fd_flags+0x113/0x121
[  436.308337]  [<ffffffff8027d8ab>] do_sys_open+0x51/0xd9
[  436.308341]  [<ffffffff8027d95c>] sys_open+0x1b/0x1d
[  436.308343]  [<ffffffff8020b77e>] system_call+0x7e/0x83

florin

-- 
Bruce Schneier expects the Spanish Inquisition.
      http://geekz.co.uk/schneierfacts/fact/163



* Re: kernel NULL pointer dereference in blk_rq_map_sg with v2.6.23-6815-g0895e91
  2007-10-23 12:50 ` Florin Iucha
@ 2007-10-23 12:53   ` Jens Axboe
From: Jens Axboe @ 2007-10-23 12:53 UTC
  To: Florin Iucha; +Cc: Linux Kernel Mailing List

On Tue, Oct 23 2007, Florin Iucha wrote:
> On Tue, Oct 23, 2007 at 07:46:37AM -0500, Florin Iucha wrote:
> > [   60.656136] Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP: 
> > [   60.656143]  [<ffffffff80375553>] blk_rq_map_sg+0x10d/0x17c
> > [   60.656151] PGD 4640067 PUD 46d4067 PMD 0 
> > [   60.656154] Oops: 0000 [1] SMP 
> > [   60.656157] CPU 1 
> > ...
> 
> There was a DVD in the drive.  After the OOPS, I cannot eject it
> via the button, and the "eject" command is stuck in "D" state:
> 
> [  436.308282] eject         D ffffffff80571760     0  5336   5324
> [  436.308285]  ffff810007c35d08 0000000000000082 0000000000000000 ffff810007c35ca8
> [  436.308288]  ffff810006fb15f0 ffff810003062000 ffff810006fb17f8 0000000122222222
> [  436.308292]  0000000000000003 ffff8100057e1070 0000000000000000 0000000000000000
> [  436.308295] Call Trace:
> [  436.308301]  [<ffffffff80559137>] __mutex_lock_slowpath+0x133/0x23c
> [  436.308306]  [<ffffffff80559259>] mutex_lock+0x19/0x1d
> [  436.308309]  [<ffffffff802a35a0>] do_open+0x74/0x2d1
> [  436.308313]  [<ffffffff802a3a02>] blkdev_open+0x0/0x69
> [  436.308315]  [<ffffffff802a3a39>] blkdev_open+0x37/0x69
> [  436.308319]  [<ffffffff8027d68e>] __dentry_open+0xe6/0x1bd
> [  436.308323]  [<ffffffff8027d7fd>] nameidata_to_filp+0x2d/0x3f
> [  436.308326]  [<ffffffff8027d848>] do_filp_open+0x39/0x4b
> [  436.308330]  [<ffffffff8055a16d>] _spin_unlock+0x9/0xb
> [  436.308333]  [<ffffffff8027d58d>] get_unused_fd_flags+0x113/0x121
> [  436.308337]  [<ffffffff8027d8ab>] do_sys_open+0x51/0xd9
> [  436.308341]  [<ffffffff8027d95c>] sys_open+0x1b/0x1d
> [  436.308343]  [<ffffffff8020b77e>] system_call+0x7e/0x83

That's expected, the queue is hosed at that point.

-- 
Jens Axboe



* Re: kernel NULL pointer dereference in blk_rq_map_sg with v2.6.23-6815-g0895e91
  2007-10-23 12:47 ` Jens Axboe
@ 2007-10-23 14:28   ` Jean Delvare
  2007-10-23 18:45     ` Jens Axboe
From: Jean Delvare @ 2007-10-23 14:28 UTC
  To: Jens Axboe; +Cc: Florin Iucha, Linux Kernel Mailing List

Hi Jens,

On Tue, 23 Oct 2007 14:47:38 +0200, Jens Axboe wrote:
> On Tue, Oct 23 2007, Florin Iucha wrote:
> > Jens,
> > 
> > This is freshly after booting into this morning's kernel:
> > 
> > [   60.656136] Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP: 
> > [   60.656143]  [<ffffffff80375553>] blk_rq_map_sg+0x10d/0x17c
> > [   60.656151] PGD 4640067 PUD 46d4067 PMD 0 
> > [   60.656154] Oops: 0000 [1] SMP 
> > [   60.656157] CPU 1 
> > [   60.656159] Modules linked in: sbp2 lp dvb_pll lgdt330x cx88_dvb cx88_vp3054_i2c videobuf_dvb tuner tea5767 tda8290 tuner_simple mt20xx cx88_alsa cx8802 cx8800 cx88xx ir_common tveeprom videobuf_dma_sg videobuf_core btcx_risc i2c_nforce2 evdev rtc forcedeth ehci_hcd fuse
> > [   60.656176] Pid: 4250, comm: hald-probe-stor Not tainted 2.6.24-rc0-5 #1
> > [   60.656178] RIP: 0010:[<ffffffff80375553>]  [<ffffffff80375553>] blk_rq_map_sg+0x10d/0x17c
> > [   60.656182] RSP: 0018:ffff810004791930  EFLAGS: 00010246
> > [   60.656184] RAX: 000000000403b000 RBX: 0000000000001000 RCX: 6db6db6db6db6db7
> > [   60.656187] RDX: 0000000000000000 RSI: ffff810001000000 RDI: 0000000005701000
> > [   60.656189] RBP: ffff810004791968 R08: 0000000005700000 R09: ffff8100044aa060
> > [   60.656191] R10: 0000000000000000 R11: ffff8100050dea00 R12: 0000000000002000
> > [   60.656193] R13: ffff8100060d2700 R14: 0000000000000000 R15: ffffffff807f0000
> > [   60.656196] FS:  00002b5da088e6e0(0000) GS:ffff810003011500(0000) knlGS:0000000000000000
> > [   60.656198] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> > [   60.656200] CR2: 0000000000000000 CR3: 0000000004568000 CR4: 00000000000006e0
> > [   60.656202] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > [   60.656204] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> > [   60.656207] Process hald-probe-stor (pid: 4250, threadinfo ffff810004790000, task ffff810006312000)
> > [   60.656208] Stack:  ffff81000607a000 0000000100000001 ffff8100040fa120 ffffffff807fe2c0
> > [   60.656213]  ffff81000607a000 ffff81000607a000 ffffffff807fe2c0 ffff8100047919a8
> > [   60.656217]  ffffffff8041bb58 ffff8100047919a8 ffff8100040fa120 ffffffff807fe2c0
> > [   60.656220] Call Trace:
> > [   60.656226]  [<ffffffff8041bb58>] ide_map_sg+0x38/0xb0
> > [   60.656231]  [<ffffffff8042952b>] cdrom_start_read_continuation+0x0/0xb5
> > [   60.656234]  [<ffffffff80423806>] ide_build_sglist+0x38/0x88
> > [   60.656238]  [<ffffffff80423885>] ide_build_dmatable+0x2f/0x172
> > [   60.656241]  [<ffffffff804239fc>] ide_dma_setup+0x34/0xaa
> > [   60.656245]  [<ffffffff804277e5>] cdrom_start_packet_command+0x5a/0x177
> > [   60.656249]  [<ffffffff8037fac4>] cfq_dispatch_insert+0x38/0x50
> > [   60.656253]  [<ffffffff80428339>] ide_do_rw_cdrom+0x423/0x57c
> > [   60.656257]  [<ffffffff8041c56c>] ide_do_request+0x7a7/0xa74
> > [   60.656263]  [<ffffffff8023c097>] del_timer+0x52/0x5d
> > [   60.656267]  [<ffffffff8025d343>] sync_page+0x0/0x45
> > [   60.656269]  [<ffffffff8041cba0>] do_ide_request+0x1b/0x1d
> > [   60.656273]  [<ffffffff803778a7>] __generic_unplug_device+0x28/0x2c
> > [   60.656276]  [<ffffffff80377c6e>] generic_unplug_device+0x20/0x31
> > [   60.656279]  [<ffffffff803751b1>] blk_backing_dev_unplug+0x16/0x18
> > [   60.656283]  [<ffffffff8029decc>] block_sync_page+0x42/0x44
> > [   60.656285]  [<ffffffff8025d37f>] sync_page+0x3c/0x45
> > [   60.656290]  [<ffffffff805589b8>] __wait_on_bit_lock+0x42/0x79
> > [   60.656294]  [<ffffffff8025d32f>] __lock_page+0x64/0x6b
> > [   60.656298]  [<ffffffff8024664b>] wake_bit_function+0x0/0x2a
> > [   60.656301]  [<ffffffff8025da95>] do_generic_mapping_read+0x1da/0x383
> > [   60.656304]  [<ffffffff8025d08d>] file_read_actor+0x0/0x137
> > [   60.656309]  [<ffffffff8025f1af>] generic_file_aio_read+0x11e/0x15d
> > [   60.656315]  [<ffffffff8027ee59>] do_sync_read+0xe2/0x126
> > [   60.656318]  [<ffffffff8026b15a>] handle_mm_fault+0x62e/0x65e
> > [   60.656324]  [<ffffffff80386fcc>] __up_read+0x8f/0x97
> > [   60.656327]  [<ffffffff80246613>] autoremove_wake_function+0x0/0x38
> > [   60.656331]  [<ffffffff80559233>] __mutex_lock_slowpath+0x22f/0x23c
> > [   60.656337]  [<ffffffff8027f5f0>] vfs_read+0xab/0x134
> > [   60.656341]  [<ffffffff8027f9b5>] sys_read+0x47/0x6f
> > [   60.656345]  [<ffffffff8020b77e>] system_call+0x7e/0x83
> > [   60.656349] 
> > [   60.656350] 
> > [   60.656350] Code: 49 8b 02 41 c7 42 18 00 00 00 00 49 c7 42 10 00 00 00 00 83 
> > [   60.656359] RIP  [<ffffffff80375553>] blk_rq_map_sg+0x10d/0x17c
> > [   60.656362]  RSP <ffff810004791930>
> > [   60.656363] CR2: 0000000000000000
> > 
> > Platform is AMD64 and the userspace is Ubuntu 7/10 Gutsy Gibbon.

I am seeing something similar with 2.6.23-git18 on x86_64 at boot time.
2.6.23-git16 was working fine.

> This should fix it, sorry about that.
> 
> diff --git a/block/ll_rw_blk.c b/block/ll_rw_blk.c
> index 61c2e39..de5ba47 100644
> --- a/block/ll_rw_blk.c
> +++ b/block/ll_rw_blk.c
> @@ -1351,11 +1351,21 @@ int blk_rq_map_sg(struct request_queue *q, struct request *rq,
>  new_segment:
>  			if (!sg)
>  				sg = sglist;
> -			else
> +			else {
> +				/*
> +				 * If the driver previously mapped a shorter
> +				 * list, we could see a termination bit
> +				 * prematurely unless it fully inits the sg
> +				 * table on each mapping. We KNOW that there
> +				 * must be more entries here or the driver
> +				 * would be buggy, so force clear the
> +				 * termination bit to avoid doing a full
> +				 * sg_init_table() in drivers for each command.
> +				 */
> +				sg->page_link &= ~0x02;
>  				sg = sg_next(sg);
> +			}
>  
> -			sg_dma_len(sg) = 0;
> -			sg_dma_address(sg) = 0;
>  			sg_set_page(sg, bvec->bv_page);
>  			sg->length = nbytes;
>  			sg->offset = bvec->bv_offset;
> 
> 

The patch above indeed fixes the problem for me, as far as I can see.
Thanks Jens! Can you please push this fix to Linus quickly?

-- 
Jean Delvare


* Re: kernel NULL pointer dereference in blk_rq_map_sg with v2.6.23-6815-g0895e91
  2007-10-23 14:28   ` Jean Delvare
@ 2007-10-23 18:45     ` Jens Axboe
From: Jens Axboe @ 2007-10-23 18:45 UTC
  To: Jean Delvare; +Cc: Florin Iucha, Linux Kernel Mailing List

On Tue, Oct 23 2007, Jean Delvare wrote:
> Hi Jens,
> 
> On Tue, 23 Oct 2007 14:47:38 +0200, Jens Axboe wrote:
> > On Tue, Oct 23 2007, Florin Iucha wrote:
> > > Jens,
> > > 
> > > This is freshly after booting into this morning's kernel:
> > > 
> > > [   60.656136] Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP: 
> > > [   60.656143]  [<ffffffff80375553>] blk_rq_map_sg+0x10d/0x17c
> > > [   60.656151] PGD 4640067 PUD 46d4067 PMD 0 
> > > [   60.656154] Oops: 0000 [1] SMP 
> > > [   60.656157] CPU 1 
> > > [   60.656159] Modules linked in: sbp2 lp dvb_pll lgdt330x cx88_dvb cx88_vp3054_i2c videobuf_dvb tuner tea5767 tda8290 tuner_simple mt20xx cx88_alsa cx8802 cx8800 cx88xx ir_common tveeprom videobuf_dma_sg videobuf_core btcx_risc i2c_nforce2 evdev rtc forcedeth ehci_hcd fuse
> > > [   60.656176] Pid: 4250, comm: hald-probe-stor Not tainted 2.6.24-rc0-5 #1
> > > [   60.656178] RIP: 0010:[<ffffffff80375553>]  [<ffffffff80375553>] blk_rq_map_sg+0x10d/0x17c
> > > [   60.656182] RSP: 0018:ffff810004791930  EFLAGS: 00010246
> > > [   60.656184] RAX: 000000000403b000 RBX: 0000000000001000 RCX: 6db6db6db6db6db7
> > > [   60.656187] RDX: 0000000000000000 RSI: ffff810001000000 RDI: 0000000005701000
> > > [   60.656189] RBP: ffff810004791968 R08: 0000000005700000 R09: ffff8100044aa060
> > > [   60.656191] R10: 0000000000000000 R11: ffff8100050dea00 R12: 0000000000002000
> > > [   60.656193] R13: ffff8100060d2700 R14: 0000000000000000 R15: ffffffff807f0000
> > > [   60.656196] FS:  00002b5da088e6e0(0000) GS:ffff810003011500(0000) knlGS:0000000000000000
> > > [   60.656198] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> > > [   60.656200] CR2: 0000000000000000 CR3: 0000000004568000 CR4: 00000000000006e0
> > > [   60.656202] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > > [   60.656204] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> > > [   60.656207] Process hald-probe-stor (pid: 4250, threadinfo ffff810004790000, task ffff810006312000)
> > > [   60.656208] Stack:  ffff81000607a000 0000000100000001 ffff8100040fa120 ffffffff807fe2c0
> > > [   60.656213]  ffff81000607a000 ffff81000607a000 ffffffff807fe2c0 ffff8100047919a8
> > > [   60.656217]  ffffffff8041bb58 ffff8100047919a8 ffff8100040fa120 ffffffff807fe2c0
> > > [   60.656220] Call Trace:
> > > [   60.656226]  [<ffffffff8041bb58>] ide_map_sg+0x38/0xb0
> > > [   60.656231]  [<ffffffff8042952b>] cdrom_start_read_continuation+0x0/0xb5
> > > [   60.656234]  [<ffffffff80423806>] ide_build_sglist+0x38/0x88
> > > [   60.656238]  [<ffffffff80423885>] ide_build_dmatable+0x2f/0x172
> > > [   60.656241]  [<ffffffff804239fc>] ide_dma_setup+0x34/0xaa
> > > [   60.656245]  [<ffffffff804277e5>] cdrom_start_packet_command+0x5a/0x177
> > > [   60.656249]  [<ffffffff8037fac4>] cfq_dispatch_insert+0x38/0x50
> > > [   60.656253]  [<ffffffff80428339>] ide_do_rw_cdrom+0x423/0x57c
> > > [   60.656257]  [<ffffffff8041c56c>] ide_do_request+0x7a7/0xa74
> > > [   60.656263]  [<ffffffff8023c097>] del_timer+0x52/0x5d
> > > [   60.656267]  [<ffffffff8025d343>] sync_page+0x0/0x45
> > > [   60.656269]  [<ffffffff8041cba0>] do_ide_request+0x1b/0x1d
> > > [   60.656273]  [<ffffffff803778a7>] __generic_unplug_device+0x28/0x2c
> > > [   60.656276]  [<ffffffff80377c6e>] generic_unplug_device+0x20/0x31
> > > [   60.656279]  [<ffffffff803751b1>] blk_backing_dev_unplug+0x16/0x18
> > > [   60.656283]  [<ffffffff8029decc>] block_sync_page+0x42/0x44
> > > [   60.656285]  [<ffffffff8025d37f>] sync_page+0x3c/0x45
> > > [   60.656290]  [<ffffffff805589b8>] __wait_on_bit_lock+0x42/0x79
> > > [   60.656294]  [<ffffffff8025d32f>] __lock_page+0x64/0x6b
> > > [   60.656298]  [<ffffffff8024664b>] wake_bit_function+0x0/0x2a
> > > [   60.656301]  [<ffffffff8025da95>] do_generic_mapping_read+0x1da/0x383
> > > [   60.656304]  [<ffffffff8025d08d>] file_read_actor+0x0/0x137
> > > [   60.656309]  [<ffffffff8025f1af>] generic_file_aio_read+0x11e/0x15d
> > > [   60.656315]  [<ffffffff8027ee59>] do_sync_read+0xe2/0x126
> > > [   60.656318]  [<ffffffff8026b15a>] handle_mm_fault+0x62e/0x65e
> > > [   60.656324]  [<ffffffff80386fcc>] __up_read+0x8f/0x97
> > > [   60.656327]  [<ffffffff80246613>] autoremove_wake_function+0x0/0x38
> > > [   60.656331]  [<ffffffff80559233>] __mutex_lock_slowpath+0x22f/0x23c
> > > [   60.656337]  [<ffffffff8027f5f0>] vfs_read+0xab/0x134
> > > [   60.656341]  [<ffffffff8027f9b5>] sys_read+0x47/0x6f
> > > [   60.656345]  [<ffffffff8020b77e>] system_call+0x7e/0x83
> > > [   60.656349] 
> > > [   60.656350] 
> > > [   60.656350] Code: 49 8b 02 41 c7 42 18 00 00 00 00 49 c7 42 10 00 00 00 00 83 
> > > [   60.656359] RIP  [<ffffffff80375553>] blk_rq_map_sg+0x10d/0x17c
> > > [   60.656362]  RSP <ffff810004791930>
> > > [   60.656363] CR2: 0000000000000000
> > > 
> > > Platform is AMD64 and the userspace is Ubuntu 7/10 Gutsy Gibbon.
> 
> I am seeing something similar with 2.6.23-git18 on x86_64 at boot time.
> 2.6.23-git16 was working fine.
> 
> > This should fix it, sorry about that.
> > 
> > diff --git a/block/ll_rw_blk.c b/block/ll_rw_blk.c
> > index 61c2e39..de5ba47 100644
> > --- a/block/ll_rw_blk.c
> > +++ b/block/ll_rw_blk.c
> > @@ -1351,11 +1351,21 @@ int blk_rq_map_sg(struct request_queue *q, struct request *rq,
> >  new_segment:
> >  			if (!sg)
> >  				sg = sglist;
> > -			else
> > +			else {
> > +				/*
> > +				 * If the driver previously mapped a shorter
> > +				 * list, we could see a termination bit
> > +				 * prematurely unless it fully inits the sg
> > +				 * table on each mapping. We KNOW that there
> > +				 * must be more entries here or the driver
> > +				 * would be buggy, so force clear the
> > +				 * termination bit to avoid doing a full
> > +				 * sg_init_table() in drivers for each command.
> > +				 */
> > +				sg->page_link &= ~0x02;
> >  				sg = sg_next(sg);
> > +			}
> >  
> > -			sg_dma_len(sg) = 0;
> > -			sg_dma_address(sg) = 0;
> >  			sg_set_page(sg, bvec->bv_page);
> >  			sg->length = nbytes;
> >  			sg->offset = bvec->bv_offset;
> > 
> > 
> 
> The patch above indeed fixes the problem for me, as far as I can see.
> Thanks Jens! Can you please push this fix to Linus quickly?

It's already pushed and pulled, so current git should work again...

-- 
Jens Axboe


