From: Jens Axboe <axboe@fb.com>
To: Tony Battersby <tonyb@cybernetics.com>, Tejun Heo <tj@kernel.org>,
Shaohua Li <shli@fb.com>,
linux-ide@vger.kernel.org
Cc: Christoph Hellwig <hch@infradead.org>,
Dan Williams <dan.j.williams@intel.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] libata: revert "libata: use blk taging" et al.
Date: Wed, 11 Mar 2015 17:45:39 -0400 [thread overview]
Message-ID: <5500B783.20106@fb.com> (raw)
In-Reply-To: <5500863D.4070807@cybernetics.com>
On 03/11/2015 02:15 PM, Tony Battersby wrote:
> This reverts commits 12cb5ce101abfaf74421f8cc9f196e708209eb79 and
> 98bd4be1ba95f2fe7f543910792b7163a5de06eb.
>
> Commit 12cb5ce101ab ("libata: use blk taging") causes the following oops
> with scsi-mq enabled:
>
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000058
> IP: [<ffffffff804fd46e>] ata_qc_new_init+0x3e/0x120
> PGD 32adf0067 PUD 32adf1067 PMD 0
> Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
> Modules linked in: iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi igb
> i2c_algo_bit ptp pps_core pm80xx libsas scsi_transport_sas sg coretemp
> eeprom w83795 i2c_i801
> CPU: 4 PID: 1450 Comm: cydiskbench Not tainted 4.0.0-rc3 #1
> Hardware name: Supermicro X8DTH-i/6/iF/6F/X8DTH, BIOS 2.1b 05/04/12
> task: ffff8800ba86d500 ti: ffff88032a064000 task.ti: ffff88032a064000
> RIP: 0010:[<ffffffff804fd46e>] [<ffffffff804fd46e>] ata_qc_new_init+0x3e/0x120
> RSP: 0018:ffff88032a067858 EFLAGS: 00010046
> RAX: 0000000000000000 RBX: ffff8800ba0d2230 RCX: 000000000000002a
> RDX: ffffffff80505ae0 RSI: 0000000000000020 RDI: ffff8800ba0d2230
> RBP: ffff88032a067868 R08: 0000000000000201 R09: 0000000000000001
> R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800ba0d0000
> R13: ffff8800ba0d2230 R14: ffffffff80505ae0 R15: ffff8800ba0d0000
> FS: 0000000041223950(0063) GS:ffff88033e480000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> CR2: 0000000000000058 CR3: 000000032a0a3000 CR4: 00000000000006e0
> Stack:
> ffff880329eee758 ffff880329eee758 ffff88032a0678a8 ffffffff80502dad
> ffff8800ba167978 ffff880329eee758 ffff88032bf9c520 ffff8800ba167978
> ffff88032bf9c520 ffff88032bf9a290 ffff88032a0678b8 ffffffff80506909
> Call Trace:
> [<ffffffff80502dad>] ata_scsi_translate+0x3d/0x1b0
> [<ffffffff80506909>] ata_sas_queuecmd+0x149/0x2a0
> [<ffffffffa0046650>] sas_queuecommand+0xa0/0x1f0 [libsas]
> [<ffffffff804ea544>] scsi_dispatch_cmd+0xd4/0x1a0
> [<ffffffff804eb50f>] scsi_queue_rq+0x66f/0x7f0
> [<ffffffff803e5098>] __blk_mq_run_hw_queue+0x208/0x3f0
> [<ffffffff803e54b8>] blk_mq_run_hw_queue+0x88/0xc0
> [<ffffffff803e5c74>] blk_mq_insert_request+0xc4/0x130
> [<ffffffff803e0b63>] blk_execute_rq_nowait+0x73/0x160
> [<ffffffffa0023fca>] sg_common_write+0x3da/0x720 [sg]
> [<ffffffff80308b8e>] ? might_fault+0x5e/0xb0
> [<ffffffffa0025100>] sg_new_write+0x250/0x360 [sg]
> [<ffffffff802a236c>] ? __lock_acquire+0x50c/0xc10
> [<ffffffff802a2b87>] ? lock_release_non_nested+0xa7/0x360
> [<ffffffff8068954b>] ? _raw_spin_unlock_irqrestore+0x3b/0x60
> [<ffffffff80308b8e>] ? might_fault+0x5e/0xb0
> [<ffffffff80308b8e>] ? might_fault+0x5e/0xb0
> [<ffffffffa0025feb>] sg_write+0x13b/0x450 [sg]
> [<ffffffff802a236c>] ? __lock_acquire+0x50c/0xc10
> [<ffffffff802cb1e9>] ? do_futex+0x109/0xbf0
> [<ffffffff80308b8e>] ? might_fault+0x5e/0xb0
> [<ffffffff8032ec91>] vfs_write+0xd1/0x1b0
> [<ffffffff8032ee54>] SyS_write+0x54/0xc0
> [<ffffffff80689932>] system_call_fastpath+0x12/0x17
> Code: 24 20 04 0f 85 ec 00 00 00 49 83 3c 24 00 0f 84 cf 00 00 00 83 fe 1f
> 0f 87 dc 00 00 00 89 f0 48 69 c0 f0 00 00 00 49 8d 44 04 40 <89> 70 58 48
> c7 40 10 00 00 00 00 4c 89 20 48 89 58 08 c7 40 64
> RIP [<ffffffff804fd46e>] ata_qc_new_init+0x3e/0x120
> RSP <ffff88032a067858>
> CR2: 0000000000000058
> ---[ end trace 43f5eefb64627eff ]---
>
>
> scsi-mq uses a host-wide tag map shared among all devices with some
> integer tag values >= ATA_MAX_QUEUE. These unexpectedly high tag values
> cause __ata_qc_from_tag() to return NULL, which is then dereferenced in
> ata_qc_new_init(), causing the oops above.
Wait, something is missing here. We should not be getting tag values
that are >= ATA_MAX_QUEUE. Instead of reverting this, we need to figure
out why this is happening, and fix it. That is correct way forward here.
What setup is this being reproduced on?
--
Jens Axboe
next prev parent reply other threads:[~2015-03-11 21:46 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-11 18:15 [PATCH] libata: revert "libata: use blk taging" et al Tony Battersby
2015-03-11 21:45 ` Jens Axboe [this message]
2015-03-11 22:19 ` Tony Battersby
2015-03-12 1:53 ` Shaohua Li
2015-03-12 2:31 ` Shaohua Li
2015-03-12 10:14 ` Dan Williams
2015-03-12 12:11 ` Tejun Heo
2015-03-12 12:46 ` Shaohua Li
2015-03-12 13:51 ` Tony Battersby
2015-03-12 13:59 ` Tejun Heo
2015-03-12 17:32 ` Shaohua Li
2015-03-19 18:17 ` [PATCH libata/for-4.0-fixes] ata: Add a new flag to destinguish sas controller Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5500B783.20106@fb.com \
--to=axboe@fb.com \
--cc=dan.j.williams@intel.com \
--cc=hch@infradead.org \
--cc=linux-ide@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=shli@fb.com \
--cc=tj@kernel.org \
--cc=tonyb@cybernetics.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).