From: Laszlo Ersek <lersek@redhat.com>
To: ronnie sahlberg <ronniesahlberg@gmail.com>
Cc: Bug 1191606 <1191606@bugs.launchpad.net>,
qemu-devel <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [Bug 1191606] Re: qemu crashes with iscsi initiator (libiscsi) when using virtio
Date: Thu, 20 Jun 2013 16:47:38 +0200 [thread overview]
Message-ID: <51C3160A.3030003@redhat.com> (raw)
In-Reply-To: <CAN05THQ8D6DyUJNAZga0KHj031GWLtZETYhBVBrBwVp2dZFmQw@mail.gmail.com>
On 06/20/13 15:33, ronnie sahlberg wrote:
> http://pastebin.com/EuwZPna1
>
> Last few thousand lines from the log with your patch.
>
>
> The crash happens immediately after qemu has called out to iscsi_ioctl
> with SG_IO to read the serial numbers vpd page.
> We get the reply back from the target but as soon as ioctl_cb returns we crash.
> If you comment out SG_IO in iscsi_ioctl then the crash does not happen
> (but the qemu does nto get serial number either)
>
>
> I will look more into it tonight.
virtqueue_map_sg: mapped gpa=00000000790a9000 at hva=0x7f0cb10a9000 for length=4, is_write=1 (out: data)
virtqueue_map_sg: mapped gpa=000000007726fc70 at hva=0x7f0caf26fc70 for length=96, is_write=1 (out: sense)
virtqueue_map_sg: mapped gpa=00000000764e5aa0 at hva=0x7f0cae4e5aa0 for length=16, is_write=1 (out: errors, data_len, sense_len, residual)
virtqueue_map_sg: mapped gpa=00000000764e5adc at hva=0x7f0cae4e5adc for length=1, is_write=1 (out: status)
virtqueue_map_sg: mapped gpa=00000000764e5a90 at hva=0x7f0cae4e5a90 for length=16, is_write=0 (in: type, ioprio, sector)
virtqueue_map_sg: mapped gpa=000000007ab80578 at hva=0x7f0cb2b80578 for length=6, is_write=0 (in: cmd)
virtio_blk_handle_request: type=0x00000002
virtqueue_fill: unmapping hva=0x7f0c24008000 for length=4, access_len=1, is_write=1
Bad ram pointer 0x7f0c24008000
This looks related, in virtio_blk_handle_scsi():
} else if (req->elem.in_num > 3) {
/*
* If we have more than 3 input segments the guest wants to actually
* read data.
*/
hdr.dxfer_direction = SG_DXFER_FROM_DEV;
hdr.iovec_count = req->elem.in_num - 3;
for (i = 0; i < hdr.iovec_count; i++)
hdr.dxfer_len += req->elem.in_sg[i].iov_len;
hdr.dxferp = req->elem.in_sg;
} else {
This sets
- "hdr.iovec_count" to 1,
- "hdr.dxfer_len" to 4,
- "hdr.dxferp" as shown above,
For "struct sg_io_hdr" (which is the type of "hdr"), the typedef &
documentation are in <include/scsi/sg.h>:
unsigned short iovec_count; /* [i] 0 implies no scatter gather */
void __user *dxferp; /* [i], [*io] points to data transfer memory
or scatter gather list */
Now what we're seeing is a corruption of "req->elem.in_sg[0].iov_base",
whose address equals that of "req->elem.in_sg" (it's at offset 0 in the
struct at subscript #0 in the array).
virtqueue_map_sg: mapped gpa=00000000790a9000 at hva=0x7f0cb10a9000 for length=4, is_write=1
[...]
virtio_blk_handle_request: type=0x00000002
virtqueue_fill: unmapping hva=0x7f0c24008000 for length=4, access_len=1, is_write=1
Bad ram pointer 0x7f0c24008000
First I don't understand how access_len can only be "1". But, in any
case, if the "req->elem.in_sg[0].iov_base" pointer is stored in
little-endian order, and the kernel (or iscsi_scsi_command_async()?) for
whatever reason misinterprets "hdr.dxferp" to point at an actual receive
buffer (instead of an iovec array), that would be consistent with the
symptoms:
0x7f0cb10a9000 <--- original value of req->elem.in_sg[0].iov_base
0x7f0c24008000 <--- corrupted value
^^^^^^^^ <--- 4 low bytes overwritten by SCSI data
Laszlo
next prev parent reply other threads:[~2013-06-20 14:45 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-16 23:48 [Qemu-devel] [Bug 1191606] [NEW] qemu crashes with iscsi initiator (libiscsi) when using virtio Klaus Hochlehnert
2013-06-16 23:54 ` [Qemu-devel] [Bug 1191606] " Klaus Hochlehnert
2013-06-17 13:02 ` [Qemu-devel] [Bug 1191606] [NEW] " Stefan Hajnoczi
2013-06-17 17:37 ` [Qemu-devel] [Bug 1191606] " Klaus Hochlehnert
2013-06-18 9:38 ` Stefan Hajnoczi
2013-06-18 12:26 ` Laszlo Ersek
2013-06-18 14:37 ` Stefan Hajnoczi
2013-06-18 18:01 ` Klaus Hochlehnert
2013-06-18 19:36 ` Laszlo Ersek
2013-06-19 4:34 ` ronnie sahlberg
2013-06-19 8:54 ` Stefan Hajnoczi
2013-06-19 9:17 ` Laszlo Ersek
2013-06-20 13:33 ` ronnie sahlberg
2013-06-20 14:47 ` Laszlo Ersek [this message]
2013-06-20 15:31 ` ronnie sahlberg
2013-06-20 15:47 ` Laszlo Ersek
2013-06-24 19:46 ` Laszlo Ersek (Red Hat)
2013-09-25 6:25 ` Klaus Hochlehnert
2013-09-25 7:30 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51C3160A.3030003@redhat.com \
--to=lersek@redhat.com \
--cc=1191606@bugs.launchpad.net \
--cc=qemu-devel@nongnu.org \
--cc=ronniesahlberg@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.