Re: Fw: [Bugme-new] [Bug 6114] New: Initio sbp2 causes: "slab error in cache_free_debugcheck(): cache `size-512(DMA)': double free, or memory outside" object was overwritten

Re: Fw: [Bugme-new] [Bug 6114] New: Initio sbp2 causes: "slab error in cache_free_debugcheck(): cache `size-512(DMA)': double free, or memory outside" object was overwritten

[Douglas Gilbert]

Stefan Richter wrote:

> What I don't understand is why mode page 8 is still accessed in your
> log: http://bugzilla.kernel.org/attachment.cgi?id=7432&action=view
> (Log lines "command: Mode Sense (10): 5a 00 08 00 00 00 00 00 d9 00",
> "SCSI transfer size = 17d9" --- yeah, into a 512 Bytes big buffer, "sda:
> got wrong page".)

Stefan,
That sounds familiar. My guess is that a MODE SENSE (6)
response is being returned for a MODE SENSE (10) cdb.
"sdparm -f" can decode that in some contexts.

Doug Gilbert

P.S. I'm forced to use a broken smtp server hence my truncated reply.

Re: Fw: [Bugme-new] [Bug 6114] New: Initio sbp2 causes: "slab error in cache_free_debugcheck(): cache `size-512(DMA)': double free, or memory outside" object was overwritten

[Al Viro]

On Tue, Feb 21, 2006 at 07:53:28PM -0500, Douglas Gilbert wrote:
> Stefan Richter wrote:
> 
> > What I don't understand is why mode page 8 is still accessed in your
> > log: http://bugzilla.kernel.org/attachment.cgi?id=7432&action=view
> > (Log lines "command: Mode Sense (10): 5a 00 08 00 00 00 00 00 d9 00",
> > "SCSI transfer size = 17d9" --- yeah, into a 512 Bytes big buffer, "sda:
> > got wrong page".)
> 
> Stefan,
> That sounds familiar. My guess is that a MODE SENSE (6)
> response is being returned for a MODE SENSE (10) cdb.
> "sdparm -f" can decode that in some contexts.

No.  It's a broken bridge that replies to _everything_ with page 6 and
doesn't return a header at all - not 4 bytes for MODE SENSE(6), not
8 bytes for MODE SENSE(10), *zero* bytes.  Just the page 6 contents.

So in place of block descriptor length (offsets 6 and 7) you get the
part of page 6 body.  Which is going to be bits 31..16 of size in blocks.
And that's going to be 0x17bd in his case (203928MB/0.5KB/65536).

Re: Fw: [Bugme-new] [Bug 6114] New: Initio sbp2 causes: "slab error in cache_free_debugcheck(): cache `size-512(DMA)': double free, or memory outside" object was overwritten

[Douglas Gilbert]

>>Stefan Richter wrote:
>>>What I don't understand is why mode page 8 is still accessed in your
>>>log: http://bugzilla.kernel.org/attachment.cgi?id=7432&action=view
>>>(Log lines "command: Mode Sense (10): 5a 00 08 00 00 00 00 00 d9 00",

Also apart from being a MODE SENSE (10) rather than the
required MODE SENSE (6), the DBD bit is not set as
required by: www.t10.org/ftp/t10/drafts/rbc/rbc-r10a.pdf
section 6.3 .

Perhaps someone could try setting DBD and see if
the bridge is any better behaved. The cdb would be:
  5a 08 08 00 ....   or
  1a 08 08 00 ....

Doug Gilbert


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642

Re: Fw: [Bugme-new] [Bug 6114] New: Initio sbp2 causes: "slab error in cache_free_debugcheck(): cache `size-512(DMA)': double free, or memory outside" object was overwritten

[Al Viro]

On Tue, Feb 21, 2006 at 09:39:44PM -0500, Douglas Gilbert wrote:
> >>Stefan Richter wrote:
> >>>What I don't understand is why mode page 8 is still accessed in your
> >>>log: http://bugzilla.kernel.org/attachment.cgi?id=7432&action=view
> >>>(Log lines "command: Mode Sense (10): 5a 00 08 00 00 00 00 00 d9 00",
> 
> Also apart from being a MODE SENSE (10) rather than the
> required MODE SENSE (6), the DBD bit is not set as
> required by: www.t10.org/ftp/t10/drafts/rbc/rbc-r10a.pdf
> section 6.3 .
> 
> Perhaps someone could try setting DBD and see if
> the bridge is any better behaved. The cdb would be:
>   5a 08 08 00 ....   or
>   1a 08 08 00 ....

DBD doesn't affect the result, MODE SENSE (6) is actually even worse -
you get the same page without header _and_ with the first byte missing.
BTW, the reason why we don't get DBD is that bridge lies, claiming to be
type 0.  Note that for _all_ values of modepage it returns (mutilated)
page 6, which isn't even defined for type 0.

And yes, the only chance that creators of that thing would ever
see the light is colonoscopy; what else is new?

Re: Fw: [Bugme-new] [Bug 6114] New: Initio sbp2 causes: "slab error in cache_free_debugcheck(): cache `size-512(DMA)': double free, or memory outside" object was overwritten

[Stefan Richter]

Bernhard Kaindl wrote:
> I tested the current ieee1394 cumulative patch in -mm1 from
> ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.16-rc4/2.6.16-rc4-mm1/broken-out/git-ieee1394.patch
> with my Initio and it still triggered the CONFIG_DEBUG_SLAB detector.

What I don't understand is why mode page 8 is still accessed in your 
log: http://bugzilla.kernel.org/attachment.cgi?id=7432&action=view
(Log lines "command: Mode Sense (10): 5a 00 08 00 00 00 00 00 d9 00", 
"SCSI transfer size = 17d9" --- yeah, into a 512 Bytes big buffer, "sda: 
got wrong page".) Could you please add a printk() or SBP2_INFO() within 
the if() clause of sbp2scsi_slave_alloc() to make sure it is entered? 
Could you also add the line
	SBP2_INFO("skip_ms_page_8 = %d", sdev->skip_ms_page_8);
before the return in sbp2scsi_slave_configure()? Not that your kernel 
looses the flag somewhere along the way...

> This patch from Al Viro fixed the slab message for me:
> 
> Re: TYPE_RBC cache fixes (sbp2.c affected)
> 2006-02-21 13:51
> http://sourceforge.net/mailarchive/message.php?msg_id=14879016
> 
> Bernhard
> --
> PS: My bug report for this was: http://bugzilla.kernel.org/show_bug.cgi?id=6114

Al's patch is certainly better since it adds checks to the actual 
affected code region, i.e. mode_sense handling in the SCSI layers. 
James, would you integrate this patch?

However sbp2 will keep some sort of skip_ms_page_8 blacklisting anyway 
because of different issues with other bridges.
-- 
Stefan Richter
-=====-=-==- --=- =-==-
http://arcgraph.de/sr/


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642

Re: Fw: [Bugme-new] [Bug 6114] New: Initio sbp2 causes: "slab error in cache_free_debugcheck(): cache `size-512(DMA)': double free, or memory outside" object was overwritten

[Al Viro]

On Wed, Feb 22, 2006 at 01:34:42AM +0100, Stefan Richter wrote:
> Al's patch is certainly better since it adds checks to the actual 
> affected code region, i.e. mode_sense handling in the SCSI layers. 
> James, would you integrate this patch?
> 
> However sbp2 will keep some sort of skip_ms_page_8 blacklisting anyway 
> because of different issues with other bridges.

Sure, but for this bridge it's not needed - with that fix we get the
right data out of bridge response.  Note
+sda: missing header in MODE_SENSE response
and
+SCSI device sda: drive cache: write back
in that diff.  The former is exactly what we get when we detect that
sort of breakage (bare page 6 without header) and the latter is where
we manage to get the cache type.

Re: Fw: [Bugme-new] [Bug 6114] New: Initio sbp2 causes: "slab error in cache_free_debugcheck(): cache `size-512(DMA)': double free, or memory outside" object was overwritten

[Stefan Richter]

Al Viro wrote:
> On Wed, Feb 22, 2006 at 01:34:42AM +0100, Stefan Richter wrote:
> 
>>Al's patch is certainly better since it adds checks to the actual 
>>affected code region, i.e. mode_sense handling in the SCSI layers. 
>>James, would you integrate this patch?
>>
>>However sbp2 will keep some sort of skip_ms_page_8 blacklisting anyway 
>>because of different issues with other bridges.
> 
> 
> Sure, but for this bridge it's not needed - with that fix we get the
> right data out of bridge response.  Note
> +sda: missing header in MODE_SENSE response
> and
> +SCSI device sda: drive cache: write back
> in that diff.  The former is exactly what we get when we detect that
> sort of breakage (bare page 6 without header) and the latter is where
> we manage to get the cache type.

Yes, you are definitly right about it.
-- 
Stefan Richter
-=====-=-==- --=- =-==-
http://arcgraph.de/sr/


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642