From: bugme-daemon@bugzilla.kernel.org
To: linux-scsi@vger.kernel.org
Subject: [Bug 12020] scsi_times_out NULL pointer dereference
Date: Thu, 20 Nov 2008 07:12:24 -0800 (PST) [thread overview]
Message-ID: <20081120151224.EB880108042@picon.linux-foundation.org> (raw)
In-Reply-To: <bug-12020-11613@http.bugzilla.kernel.org/>
http://bugzilla.kernel.org/show_bug.cgi?id=12020
------- Comment #6 from git.user@gmail.com 2008-11-20 07:12 -------
looks very similar
[ 316.336654] BUG: unable to handle kernel NULL pointer dereference at
0000000000000000
[ 316.339972] IP: [<ffffffff803f84d3>] scsi_times_out+0x10/0x72
[ 316.339972] PGD 3e627067 PUD 3de0b067 PMD 0
[ 316.339972] Oops: 0000 [#1] PREEMPT SMP
[ 316.339972] last sysfs file:
/sys/devices/virtual/block/md0/md/metadata_version
[ 316.339972] Dumping ftrace buffer:
[ 316.339972] (ftrace buffer empty)
[ 316.339972] CPU 1
[ 316.339972] Modules linked in: floppy sg
[ 316.339972] Pid: 0, comm: swapper Not tainted 2.6.28-rc5 #1
[ 316.339972] RIP: 0010:[<ffffffff803f84d3>] [<ffffffff803f84d3>]
scsi_times_out+0x10/0x72
[ 316.339972] RSP: 0018:ffff88003fb53e20 EFLAGS: 00010082
[ 316.339972] RAX: ffff88003ef60000 RBX: 0000000000000000 RCX:
ffff88003ef60308
[ 316.339972] RDX: ffff88003ef60308 RSI: 0000000000006cb2 RDI:
ffff880033dae5c0
[ 316.339972] RBP: ffff88003fb53e30 R08: ffff880001019180 R09:
0000000000000010
[ 316.339972] R10: 0000000000000000 R11: 0000000000000001 R12:
ffff88003ef601c8
[ 316.339972] R13: ffff88003ef60308 R14: 0000000000000102 R15:
0000000000000000
[ 316.339972] FS: 0000000000000000(0000) GS:ffff88003fb23b00(0000)
knlGS:0000000000000000
[ 316.339972] CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
[ 316.339972] CR2: 0000000000000000 CR3: 000000003e7e8000 CR4:
00000000000006e0
[ 316.339972] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 316.339972] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
0000000000000400
[ 316.339972] Process swapper (pid: 0, threadinfo ffff88003fb4e000, task
ffff88003f863500)
[ 316.339972] Stack:
[ 316.339972] ffff88000101f900 ffff880033dae5c0 ffff88003fb53e50
ffffffff803544ca
[ 316.339972] ffff88003ef60000 ffff880033dae5c0 ffff88003fb53ea0
ffffffff803545d8
[ 316.339972] ffff88003fb53ea0 ffff88003ef60000 0000000000000286
ffff88003ef60000
[ 316.339972] Call Trace:
[ 316.339972] <IRQ> <0> [<ffffffff803544ca>] blk_rq_timed_out+0x16/0x5c
[ 316.339972] [<ffffffff803545d8>] blk_rq_timed_out_timer+0xc8/0x138
[ 316.339972] [<ffffffff80354510>] ? blk_rq_timed_out_timer+0x0/0x138
[ 316.339972] [<ffffffff8023f8b7>] run_timer_softirq+0x183/0x1ec
[ 316.339972] [<ffffffff80254c0c>] ? tick_dev_program_event+0x6c/0xa4
[ 316.339972] [<ffffffff8023b326>] __do_softirq+0x72/0x128
[ 316.339972] [<ffffffff8020c8cc>] call_softirq+0x1c/0x30
[ 316.339972] [<ffffffff8020df2d>] do_softirq+0x3d/0x78
[ 316.339972] [<ffffffff8023b249>] irq_exit+0x8f/0x98
[ 316.339972] [<ffffffff8021d8e4>] smp_apic_timer_interrupt+0x8a/0xd6
[ 316.339972] [<ffffffff8020c31b>] apic_timer_interrupt+0x6b/0x70
[ 316.339972] <EOI> <0> [<ffffffff80212f22>] ? mwait_idle+0x45/0x4a
[ 316.339972] [<ffffffff80209deb>] ? enter_idle+0x22/0x24
[ 316.339972] [<ffffffff8020a386>] ? cpu_idle+0x41/0x80
[ 316.339972] Code: cb ff ff 85 c0 74 a0 45 31 e4 eb d2 45 31 e4 44 89 e0 5b
41 5c 41 5d 41 5e 5d c3 55 48 89 e5 53 48 83 ec 08 48 8b 9f e0 00 00 00 <48> 8b
03 48 8b 10 48 8b 82 b8 00 00 00 48 8b 80 60 01 00 00 48
[ 316.339972] RIP [<ffffffff803f84d3>] scsi_times_out+0x10/0x72
[ 316.339972] RSP <ffff88003fb53e20>
[ 316.339972] CR2: 0000000000000000
[ 316.339972] Kernel panic - not syncing: Fatal exception in interrupt
in my case easily be triggered by disk activity (i.g. rsync)
on rebuilding raid
On Thu, 2008-11-13 at 13:03 -0600, James Bottomley wrote:
> Actually, I think the trace is slightly off. I suspect this is the
> problem:
>
> struct scsi_cmnd *scmd = req->special;
>
> I bet req->special is NULL because the command timed out even before it
> was prepared by the subsystem.
>
> Does this fix it?
In my case it doesn't 'fix', but proof of concept.
With your patch [i just printk-ing the comment]
system remains locked printk-ing from time to time:
"nasty: command timed out before the mid layer
even prepared it"
> The fix is more of a bandaid than anything ... we can't really have
> commands timing out in the mid-layer because we expect we have full
> control of them. With this patch, if we run out of resets, block will
> complete a command we're still processing.
here is a dmesg:
http://sysadminday.org.ru/2.6.28-rc5-git3/scsi_times_out-NULL_pointer_dereference_dmesg
--
Configure bugmail: http://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
next prev parent reply other threads:[~2008-11-20 15:13 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-11-13 18:30 [Bug 12020] New: scsi_times_out NULL pointer dereference bugme-daemon
2008-11-13 18:40 ` [Bug 12020] " bugme-daemon
2008-11-13 19:03 ` [Bug 12020] New: " James Bottomley
2008-11-13 22:46 ` James Bottomley
2008-11-13 19:03 ` [Bug 12020] " bugme-daemon
2008-11-13 20:12 ` bugme-daemon
2008-11-13 20:22 ` James Bottomley
2008-11-13 20:23 ` bugme-daemon
2008-11-13 21:36 ` bugme-daemon
2008-11-13 22:47 ` bugme-daemon
2008-11-16 17:50 ` bugme-daemon
2008-11-20 15:12 ` bugme-daemon [this message]
2008-11-20 19:36 ` Mike Anderson
2008-11-20 19:36 ` bugme-daemon
2008-12-03 10:19 ` bugme-daemon
2008-12-07 20:21 ` bugme-daemon
2008-12-07 20:21 ` bugme-daemon
-- strict thread matches above, loose matches on Subject: below --
2008-11-16 16:24 2.6.28-rc5: Reported regressions from 2.6.27 Rafael J. Wysocki
2008-11-16 16:35 ` [Bug #12020] scsi_times_out NULL pointer dereference Rafael J. Wysocki
2008-11-16 16:35 ` Rafael J. Wysocki
2008-11-22 20:24 2.6.28-rc6-git1: Reported regressions from 2.6.27 Rafael J. Wysocki
2008-11-22 20:28 ` [Bug #12020] scsi_times_out NULL pointer dereference Rafael J. Wysocki
2008-11-22 20:28 ` Rafael J. Wysocki
2008-12-03 21:49 2.6.28-rc7-git2: Reported regressions from 2.6.27 Rafael J. Wysocki
2008-12-03 21:57 ` [Bug #12020] scsi_times_out NULL pointer dereference Rafael J. Wysocki
2008-12-03 21:57 ` Rafael J. Wysocki
2008-12-04 0:14 ` James Bottomley
2008-12-04 0:14 ` James Bottomley
[not found] ` <1228349648.5551.98.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2008-12-07 20:22 ` Rafael J. Wysocki
2008-12-07 20:22 ` Rafael J. Wysocki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20081120151224.EB880108042@picon.linux-foundation.org \
--to=bugme-daemon@bugzilla.kernel.org \
--cc=linux-scsi@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.