linux-scsi.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [Bug 196191] New: NULL pointer dereference at beiscsi_process_cq+0x6f6
@ 2017-06-25 18:30 bugzilla-daemon
  0 siblings, 0 replies; only message in thread
From: bugzilla-daemon @ 2017-06-25 18:30 UTC (permalink / raw)
  To: linux-scsi

https://bugzilla.kernel.org/show_bug.cgi?id=196191

            Bug ID: 196191
           Summary: NULL pointer dereference at beiscsi_process_cq+0x6f6
           Product: SCSI Drivers
           Version: 2.5
    Kernel Version: 4.9.30-2~bpo8+1 (Debian)
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Other
          Assignee: scsi_drivers-other@kernel-bugs.osdl.org
          Reporter: wferi@niif.hu
        Regression: No

An iSCSI-booted server occasionally halts with following console log during
bootup:

    [  OK  ] Reached target Network is Online.
             Starting LSB: Starts and stops the iSCSI initiator s...ault
targets...
    [  214.044354] iscsi: registered transport (tcp)
    [  214.316086] iscsi: registered transport (iser)
    [  217.293303] hb: link status definitely up for interface enp5s0f5, 200
Mbps full duplex
    [  217.709239] cloud: link status definitely up for interface enp5s0f7,
10000 Mbps full duplex
    [  218.438152] BUG: unable to handle kernel NULL pointer dereference at    
      (null)
    [  218.463932] IP: [<ffffffffc05c5256>] beiscsi_process_cq+0x6f6/0xa00
[be2iscsi]
    [  218.487703] PGD 0 [  218.493722] 
    [  218.498607] Oops: 0000 [#1] SMP
    [  218.508917] Modules linked in: ib_iser rdma_cm iw_cm ib_cm ib_core
iscsi_tcp libiscsi_tcp bonding ext4 crc16 jbd2 crc32c_generic fscrypto ecb
mbcache intel_rapl sb_edac edac_core x86_pkg_temp_thermal intel_powerclamp
coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel intel_cstate joydev iTCO_wdt iTCO_vendor_support evdev
intel_uncore mgag200 ttm drm_kms_helper pcspkr mei_me intel_rapl_perf drm
lpc_ich i2c_algo_bit mei mfd_core shpchp wmi ac button acpi_pad
acpi_power_meter ip6t_REJECT nf_reject_ipv6 nf_log_ipv6 nf_conntrack_ipv6
nf_defrag_ipv6 ip6table_filter ipmi_watchdog ip6_tables ipt_REJECT
nf_reject_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 xt_tcpudp nf_log_ipv4
nf_log_common xt_LOG xt_limit xt_recent xt_multiport xt_conntrack ipmi_si
nf_conntrack ipmi_poweroff iptable_filter ipmi_devintf ip_tables
ipmi_msghandler x_tables configfs autofs4 xfs libcrc32c dm_service_time
dm_multipath dm_mod sg sd_mod hid_generic usbhid hid be2iscsi crc32c_intel
libiscsi ehci_pci aesni_intel aes_x86_64 scsi_transport_iscsi glue_helper
ehci_hcd iscsi_boot_sysfs lrw gf128mul ablk_helper i2c_i801 cryptd usbcore
i2c_smbus usb_common scsi_mod be2net
    [  218.847642] CPU: 0 PID: 0 Comm: swapper/0 Not tainted
4.9.0-0.bpo.3-amd64 #1 Debian 4.9.30-2~bpo8+1
    [  218.877399] Hardware name: FUJITSU PRIMERGY BX924 S4/D3143-B1, BIOS
V4.6.5.4 R1.13.0 for D3143-B1x 07/16/2015
    [  218.910016] task: ffffffffb640e540 task.stack: ffffffffb6400000
    [  218.929476] RIP: 0010:[<ffffffffc05c5256>]  [<ffffffffc05c5256>]
beiscsi_process_cq+0x6f6/0xa00 [be2iscsi]
    [  218.961249] RSP: 0000:ffff95bfbfa03e48  EFLAGS: 00010297
    [  218.978707] RAX: ffff95bfb5100e00 RBX: 0000000000000001 RCX:
0000000000000005
    [  219.002171] RDX: 0000000000000001 RSI: 0000000000000000 RDI:
ffff95bfb532d504
    [  219.025636] RBP: 0000000000000001 R08: 0000000003fb0001 R09:
0000000000011bcd
    [  219.049097] R10: 00000000594e5a87 R11: ffff95bfb551fd18 R12:
ffff95bfb2822208
    [  219.072562] R13: 0000000000000005 R14: ffff95bfb2818810 R15:
ffff95bfb2557d40
    [  219.096026] FS:  0000000000000000(0000) GS:ffff95bfbfa00000(0000)
knlGS:0000000000000000
    [  219.122634] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  219.141521] CR2: 0000000000000000 CR3: 00000017c5a07000 CR4:
00000000001406f0
    [  219.164986] Stack:
    [  219.171579]  0000000080202f00 0000000ab86fc200 ffff95bfb2818d70
ffff95bfb87000e2
    [  219.195943]  ffff95bfb532d504 ffff95bfb5100e00 ffff95bfb551fd18
01ff95bf00011bcd
    [  219.220310]  00000000000000fe 0000000000000000 ffff95bf00008100
ffff95bfb86fa018
    [  219.244675] Call Trace:
    [  219.252699]  <IRQ> [  219.259008]  [<ffffffffc05c5628>] ?
be_iopoll+0xc8/0x170 [be2iscsi]
    [  219.279627]  [<ffffffffb5b58d64>] ? irq_poll_softirq+0xa4/0xd0
    [  219.298813]  [<ffffffffb5e0a2e6>] ? __do_softirq+0x106/0x292
    [  219.317430]  [<ffffffffb587dbe8>] ? irq_exit+0x98/0xa0
    [  219.334317]  [<ffffffffb5e0a02f>] ? do_IRQ+0x4f/0xd0
    [  219.334317]  [<ffffffffb5e0a02f>] ? do_IRQ+0x4f/0xd0
    [  219.350635]  [<ffffffffb5e08142>] ? common_interrupt+0x82/0x82
    [  219.369810]  <EOI> [  219.376123]  [<ffffffffb5ccce93>] ?
cpuidle_enter_state+0x113/0x260
    [  219.396741]  [<ffffffffb58bc09e>] ? cpu_startup_entry+0x17e/0x260
    [  219.416785]  [<ffffffffb6549f84>] ? start_kernel+0x46d/0x48d
    [  219.435392]  [<ffffffffb6549120>] ? early_idt_handler_array+0x120/0x120
    [  219.457141]  [<ffffffffb65495b9>] ? x86_64_start_kernel+0x152/0x176
    [  219.477745] Code: 00 0f b6 44 24 50 c6 06 22 88 56 01 88 46 02 44 89 c8
0f c8 89 46 1c 0f b6 44 24 40 41 8d 44 01 ff 0f c8 89 46 20 eb ac 48 8b 30 <f6>
06 3f 0f 85 bb 00 00 00 49 8b 3b e9 74 ff ff ff 41 f6 86 10 
    [  219.540521] RIP  [<ffffffffc05c5256>] beiscsi_process_cq+0x6f6/0xa00
[be2iscsi]
    [  219.564571]  RSP <ffff95bfbfa03e48>
    [  219.576023] CR2: 0000000000000000
    [  219.586917] ---[ end trace f9ec7ddab1cda260 ]---
    [  219.722293] Kernel panic - not syncing: Fatal exception in interrupt
    [  219.743253] Kernel Offset: 0x34800000 from 0xffffffff81000000
(relocation range: 0xffffffff80000000-0xffffffffbfffffff)
    [  219.898801] ---[ end Kernel panic - not syncing: Fatal exception in
interrupt

This is what gdb has to say about the address:

    (gdb) list *(beiscsi_process_cq+0x6f6)
    0xa286 is in beiscsi_process_cq (./drivers/scsi/be2iscsi/be_main.c:1356).
    1351        
    1352                spin_lock_bh(&session->back_lock);
    1353                switch (type) {
    1354                case HWH_TYPE_IO:
    1355                case HWH_TYPE_IO_RD:
    1356                        if ((task->hdr->opcode & ISCSI_OPCODE_MASK) ==
    1357                             ISCSI_OP_NOOP_OUT)
    1358                                be_complete_nopin_resp(beiscsi_conn,
task, &csol_cqe);
    1359                        else
    1360                                be_complete_io(beiscsi_conn, task,
&csol_cqe);

and a disassembly around 0x6f6=1782:

    1354                case HWH_TYPE_IO:
    1355                case HWH_TYPE_IO_RD:
    1356                        if ((task->hdr->opcode & ISCSI_OPCODE_MASK) ==
       0x000000000000a283 <+1779>:      mov    (%rax),%rsi
       0x000000000000a286 <+1782>:      testb  $0x3f,(%rsi)
       0x000000000000a289 <+1785>:      jne    0xa34a <beiscsi_process_cq+1978>
       0x000000000000a28f <+1791>:      mov    (%r11),%rdi
       0x000000000000a292 <+1794>:      jmpq   0xa20b <beiscsi_process_cq+1659>

I guess `task->hdr` is NULL at this point.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2017-06-25 18:30 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-06-25 18:30 [Bug 196191] New: NULL pointer dereference at beiscsi_process_cq+0x6f6 bugzilla-daemon

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).