Re: Kernel Crash when datasn is skipped.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Santosh,

On Wed, 2014-03-26 at 17:55 +0530, santosh kulkarni wrote:
> Hi Nab,
> 
> I am encountering kernel oops when datasn is skipped for Dataouts sent 
> out for a Write issued.
> Scenario - I send out a Write,after i receive all the R2ts when i send 
> out Dataouts to satisfy each of the R2Ts. If in this run a datasn is 
> skipped.It results in a crash.
> 
> 
> 
> Here's the kernel core dump.
> 
> 
> [root@wfsc ~]# uname -a
> Linux wfsc 3.14.0-rc6 #1 SMP Mon Mar 17 09:07:33 EDT 2014 x86_64 x86_64
> x86_64 GNU/Linux
> [root@wfsc ~]#
> 
> [root@wfsc iscsi]# cat /sys/kernel/config/target/iscsi/lio_version
> Datera Inc. iSCSI Target v4.1.0
> [root@wfsc iscsi]#
> 
> crash> sys
>    SYSTEM MAP: /boot/System.map-3.14.0-rc6
> DEBUG KERNEL:
> /root/arshad/linux-source/linux.git.target.pending/target-pending/vmlinux
>      DUMPFILE: /var/crash/127.0.0.1-2014.03.26-07:17:28/vmcore [PARTIAL
> DUMP]
>          CPUS: 1
>          DATE: Wed Dec 31 19:00:00 1969
>        UPTIME: 00:06:14
> LOAD AVERAGE: 0.05, 0.21, 0.13
>         TASKS: 209
>      NODENAME: wfsc
>       RELEASE: 3.14.0-rc6
>       VERSION: #1 SMP Mon Mar 17 09:07:33 EDT 2014
>       MACHINE: x86_64  (3193 Mhz)
>        MEMORY: 1 GB
>         PANIC:
> sys: WARNING: log buf data structure(s) have changed
> ""
> crash>
> crash> bt
> PID: 1386   TASK: ffff880037094950  CPU: 0   COMMAND: "iscsi_trx"
>   #0 [ffff880036dab900] machine_kexec at ffffffff8103930f
> PID: 1386   TASK: ffff880037094950  CPU: 0   COMMAND: "iscsi_trx"
>   #0 [ffff880036dab900] machine_kexec at ffffffff8103930f
>   #1 [ffff880036dab950] crash_kexec at ffffffff810e9048
>   #2 [ffff880036daba20] oops_end at ffffffff81695fb0
>   #3 [ffff880036daba50] no_context at ffffffff81689954
>   #4 [ffff880036dabab0] __bad_area_nosemaphore at ffffffff81689b39
>   #5 [ffff880036dabb00] bad_area_nosemaphore at ffffffff81689b6b
>   #6 [ffff880036dabb10] __do_page_fault at ffffffff8169866f
>   #7 [ffff880036dabc20] do_page_fault at ffffffff81698aac
>   #8 [ffff880036dabc30] page_fault at ffffffff816954a2
>      [exception RIP: iscsit_allocate_cmd+39]
>      RIP: ffffffffa04b96c7  RSP: ffff880036dabce8  RFLAGS: 00010286
>      RAX: 0000000000000000  RBX: ffff88003bc34800  RCX: dead000000200200
>      RDX: ffff88003b1c0ad8  RSI: 0000000000000000  RDI: ffff88003b1c0628
>      RBP: ffff880036dabd08   R8: ffff88003bc34cb0   R9: ffff88003fc15d60
>      R10: ffffea0000db9600  R11: ffffffffa04b97f6  R12: ffff88003b1c0628
>      R13: ffff88003b1c0628  R14: ffff88003bc34be0  R15: ffff88003b1c0a00
>      ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
>   #9 [ffff880036dabd10] iscsit_close_connection at ffffffffa04c351f
> [iscsi_target_mod]
> #10 [ffff880036dabd70] iscsit_connection_recovery_transport_reset at
> ffffffffa04b2858 [iscsi_target_mod]
> #11 [ffff880036dabd80] iscsit_take_action_for_connection_exit at
> ffffffffa04b003c [iscsi_target_mod]
> #12 [ffff880036dabda0] iscsi_target_rx_thread at ffffffffa04c08cd
> [iscsi_target_mod]
> #13 [ffff880036dabec0] kthread at ffffffff8108fe79
> #14 [ffff880036dabf50] ret_from_fork at ffffffff8169d82c
> crash>
> 

This is the same bug ERL=2 connection recovery bug that Arshad (CC'ed)
reported a while back.

Unfortunately this patch didn't make it into v3.14, so I'm queuing it up
now for v3.15-rc1, with a CC' to stable.

Please verify.

Thanks!

--nab

>From 9ffed7876c6df5b9e778b60e12df050f0b272320 Mon Sep 17 00:00:00 2001
From: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
Date: Wed, 19 Feb 2014 23:32:14 +0000
Subject: [PATCH] iscsi-target: Fix ERL=2 ASYNC_EVENT connection pointer bug

This patch fixes a long-standing bug in iscsit_build_conn_drop_async_message()
where during ERL=2 connection recovery, a bogus conn_p pointer could
end up being used to send the ISCSI_OP_ASYNC_EVENT + DROPPING_CONNECTION
notifying the initiator that cmd->logout_cid has failed.

The bug was manifesting itself as an OOPs in iscsit_allocate_cmd() with
a bogus conn_p pointer in iscsit_build_conn_drop_async_message().

Reported-by: Arshad Hussain <arshad.hussain@xxxxxxxxxxxxxx>
Reported-by: santosh kulkarni <santosh.kulkarni@xxxxxxxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx> #3.1+
Signed-off-by: Nicholas Bellinger <nab@xxxxxxxxxxxxxxx>
---
 drivers/target/iscsi/iscsi_target.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index 27f37c9..96aee43 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -2491,6 +2491,7 @@ static void iscsit_build_conn_drop_async_message(struct iscsi_conn *conn)
 {
 	struct iscsi_cmd *cmd;
 	struct iscsi_conn *conn_p;
+	bool found = false;
 
 	/*
 	 * Only send a Asynchronous Message on connections whos network
@@ -2499,11 +2500,12 @@ static void iscsit_build_conn_drop_async_message(struct iscsi_conn *conn)
 	list_for_each_entry(conn_p, &conn->sess->sess_conn_list, conn_list) {
 		if (conn_p->conn_state == TARG_CONN_STATE_LOGGED_IN) {
 			iscsit_inc_conn_usage_count(conn_p);
+			found = true;
 			break;
 		}
 	}
 
-	if (!conn_p)
+	if (!found)
 		return;
 
 	cmd = iscsit_allocate_cmd(conn_p, TASK_RUNNING);
-- 
1.7.10.4

--
To unsubscribe from this list: send the line "unsubscribe target-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux SCSI]     [Kernel Newbies]     [Linux SCSI Target Infrastructure]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Linux IIO]     [Device Mapper]

  Powered by Linux