From: Jesper Juhl <jesper.juhl@gmail.com>
To: Linus Torvalds <torvalds@osdl.org>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@osdl.org>,
markhe@nextd.demon.co.uk, Andrea Arcangeli <andrea@suse.de>,
Mike Christie <michaelc@cs.wisc.edu>,
James Bottomley <James.Bottomley@steeleye.com>,
Jens Axboe <axboe@suse.de>
Subject: Re: Slab corruption in 2.6.16-rc5-mm2
Date: Mon, 6 Mar 2006 21:36:16 +0100
Message-ID: <200603062136.17098.jesper.juhl@gmail.com>
In-Reply-To: <Pine.LNX.4.64.0603061147260.13139@g5.osdl.org>
On Monday 06 March 2006 21:06, Linus Torvalds wrote:
>
> On Mon, 6 Mar 2006, Linus Torvalds wrote:
> >
> > So it's either an aic7xxx bug, or it's generic SCSI.
> >
> > Considering that we've had other slab corruption issues (the reason I was
> > looking closely at yours), generic SCSI isn't out of the question.
> >
> > If you were a git user, doing a bisection run would be useful since you
> > seem to be able to recreate it at will. Oh, well. Testing that one patch
> > would still help.
>
> Hmm.. This appended patch may or may not help.
>
> It overwrites the SCSI command "req" pointer when the request has been
> done. The request cannot be used afterwards, so anybody accessing it would
> be a bug. I think.
>
With the retry code removed and your req poisoning patch on top I just got this:
Slab corruption: start=f727c5a8, len=64
Redzone: 0x5a2cf071/0x5a2cf071.
Last user: [<c02934db>](sr_do_ioctl+0x11b/0x270)
000: 70 00 02 00 00 00 00 0a 00 00 00 00 3a 01 00 00
010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Prev obj: start=f727c55c, len=64
Redzone: 0x5a2cf071/0x5a2cf071.
Last user: [<c01813ee>](free_fdtable_rcu+0x6e/0x150)
000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
Next obj: start=f727c5f4, len=64
Redzone: 0x5a2cf071/0x5a2cf071.
Last user: [<c01813ee>](free_fdtable_rcu+0x6e/0x150)
000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
Slab corruption: start=f727c5a8, len=64
Redzone: 0x5a2cf071/0x5a2cf071.
Last user: [<c02934db>](sr_do_ioctl+0x11b/0x270)
000: 70 00 05 00 00 00 00 0a 00 00 00 00 24 00 00 00
010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Prev obj: start=f727c55c, len=64
Redzone: 0x5a2cf071/0x5a2cf071.
Last user: [<c01813ee>](free_fdtable_rcu+0x6e/0x150)
000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
Next obj: start=f727c5f4, len=64
Redzone: 0x5a2cf071/0x5a2cf071.
Last user: [<c01813ee>](free_fdtable_rcu+0x6e/0x150)
000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
and another, probably unrelated, thing I just noticed in my dmesg output:
initcall at 0xc0428240: init_hpet_clocksource+0x0/0x90(): returned with error code -19
> HOWEVER. I noticed something else strange. Your slab corruption report
> says
>
> Slab corruption: start=f72948a0, len=64
> Redzone: 0x5a2cf071/0x5a2cf071.
> Last user: [<c02934eb>](sr_do_ioctl+0x11b/0x270)
> ...
>
> and the scary thing is that "len=64".
>
> The thing is, SCSI uses "SCSI_SENSE_BUFFERSIZE" to determine the maximum
> sense size to copy, and what do we have, if not
>
> include/scsi/scsi_cmnd.h:#define SCSI_SENSE_BUFFERSIZE 96
>
> ie a 64-byte buffer is simply TOO DAMN SMALL!
>
> Now, the thing is, the 64 comes from "sizeof(struct request_sense)", which
> is what "struct packet_command *" uses. We can change that sizeof() to
> just use SCSI_SENSE_BUFFERSIZE, but that still makes me worry about
Building a kernel with that change on top of the other ones atm.
/ Jesper
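
Added example, not part of the original message and not kernel code: a small C triage helper for the first dump above. It counts how many bytes of the freed 64-byte object no longer hold the slab poison pattern (0x6b fill, 0xa5 in the last byte) and parses the leading bytes as a fixed-format SCSI sense header. The function and struct names are hypothetical; the input bytes are copied from the dump in the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define POISON_FREE 0x6b /* slab debug fill for a freed object */
#define POISON_END  0xa5 /* slab debug marker in the object's last byte */

/* Count bytes of a freed object that no longer hold the poison pattern. */
static size_t count_unpoisoned(const uint8_t *obj, size_t len)
{
    size_t bad = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t want = (i == len - 1) ? POISON_END : POISON_FREE;
        if (obj[i] != want)
            bad++;
    }
    return bad;
}

/* Hypothetical holder for the fields of a fixed-format sense header. */
struct sense_hdr { uint8_t response, key, asc, ascq; size_t total_len; };

/* Decode a fixed-format sense header. Returns 0 on success, -1 if the
 * buffer is too short or the response code is not 0x70/0x71. */
static int decode_fixed_sense(const uint8_t *b, size_t len, struct sense_hdr *h)
{
    if (len < 14 || ((b[0] & 0x7f) != 0x70 && (b[0] & 0x7f) != 0x71))
        return -1;
    h->response = b[0] & 0x7f;
    h->key = b[2] & 0x0f;            /* sense key: low nibble of byte 2 */
    h->asc = b[12];                  /* additional sense code */
    h->ascq = b[13];                 /* additional sense code qualifier */
    h->total_len = 8 + (size_t)b[7]; /* byte 7 = additional sense length */
    return 0;
}

/* Row 000 of the first dump in the message; rows 010-030 are all zero. */
static const uint8_t dump1[64] = {
    0x70,0x00,0x02,0x00,0x00,0x00,0x00,0x0a,0x00,0x00,0x00,0x00,0x3a,0x01,0x00,0x00
};

int main(void)
{
    struct sense_hdr h;
    printf("non-poison bytes: %zu of %zu\n",
           count_unpoisoned(dump1, sizeof dump1), sizeof dump1);
    if (decode_fixed_sense(dump1, sizeof dump1, &h) == 0)
        printf("key 0x%x asc 0x%02x ascq 0x%02x, %zu sense bytes\n",
               h.key, h.asc, h.ascq, h.total_len);
    return 0;
}
```

On this input every one of the 64 bytes has lost its poison value, and the header decodes as sense key 0x2 with ASC/ASCQ 0x3a/0x01 and a total sense length of 18 bytes.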