Bug 248564 - RHEL5 crash due to scsi driver bug (fixed in linux 2.6.19 driver)
Summary: RHEL5 crash due to scsi driver bug (fixed in linux 2.6.19 driver)
Keywords:
Status: CLOSED DUPLICATE of bug 219838
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.0
Hardware: x86_64
OS: Linux
low
urgent
Target Milestone: ---
Assignee: Doug Ledford
QA Contact: Martin Jenner
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-07-17 14:57 UTC by Brian Parks (Quantum Corp)
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-11-30 16:41:02 UTC
Target Upstream Version:
Embargoed:



Description Brian Parks (Quantum Corp) 2007-07-17 14:57:00 UTC
Description of problem:
A system crash (backtrace below) consistently occurs on RHEL5 when using the 
scsi passthru/scatter gather driver. The same code works on RHEL4 (all updates).

THE PROBLEM WAS FIXED IN LINUX 2.6.19 IN THE sg_build_indirect ROUTINE IN THE 
FILE driver/scsi/sg.c. THE LINE 

              sg->length = ret_sz;
WAS CHANGED TO
              sg->length = (ret_sz > num) ? num : ret_sz;

We normally use kernels/drivers as provided by RedHat (not compiled from 
source). We built a kernel with the above change and the i/o completed rather 
than a system crash, essentially confirming the fix.


Version-Release number of selected component (if applicable):
# uname  -r
2.6.18-8.1.6.el5

# cat /proc/scsi/sg/version
30534   3.5.34 [20060920]


How reproducible:
Use the scsi passthru/scatter-gather driver to write data to tape when the last 
block is not a multiple of a page size.

Steps to Reproduce:
1. Write to tape using, for example, /dev/sg3
2. We wrote (op code 0A) 100,000,000 bytes (rather than 1024k, which works okay)
3. We used a block size of 512k. The data in the last block was 385280 bytes.
  
Actual results:
consistent crashes with the following backtrace:
PID: 12349  TASK: ffff81005398f080  CPU: 0   COMMAND: "fs_fmover"
 #0 [ffff810055921af0] die at ffffffff80069457
 #1 [ffff810055921b20] do_general_protection at ffffffff800632e5
 #2 [ffff810055921b60] error_exit at ffffffff8005be1d
    [exception RIP: kmem_cache_free+95]
    RIP: ffffffff800074ff  RSP: ffff810055921c18  RFLAGS: 00010286
    RAX: c3c031c3c031c3c0  RBX: ffff810057d42f40  RCX: 00000000000fe000
    RDX: c3c033804031c3c0  RSI: 000001bc80000000  RDI: 00000000000007f0
    RBP: ffff81007f5d6f40   R8: 0000000000000000   R9: 0000000000000400
    R10: 0000000000001000  R11: ffffffff80042baf  R12: ffff810037fa9100
    R13: 0000000000000000  R14: 0000000000001000  R15: ffff8100554cb5f8
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #3 [ffff810055921c50] bio_free at ffffffff80040046
 #4 [ffff810055921c70] scsi_execute_async at ffffffff88079310
 #5 [ffff810055921d20] sg_common_write at ffffffff881c6f5a
 #6 [ffff810055921e00] sg_new_write at ffffffff881c7216
 #7 [ffff810055921e60] sg_ioctl at ffffffff881c8c07
 #8 [ffff810055921ee0] do_ioctl at ffffffff8003fc73
 #9 [ffff810055921f00] vfs_ioctl at ffffffff8002fa45
#10 [ffff810055921f40] sys_ioctl at ffffffff8004a24b
#11 [ffff810055921f80] tracesys at ffffffff8005b2c1 (via system_call)

Expected results:
Data written to tape

Additional info:
A fix/hotfix is needed for our customers to use our product on RHEL5.
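
Added example, not part of the original report or of the kernel source: a simplified user-space C model of the length accounting behind the one-line change quoted in the description, run on the 385280-byte last block from the reproduction steps. The 4096-byte page size, the 32768-byte per-element limit, the page-rounding allocator and the helper names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

#define PAGE_SZ 4096u    /* assumed page size */
#define ELEM_SZ 32768u   /* assumed maximum bytes per scatter element */

/* Assumed allocator model: the size handed back (ret_sz) is the
 * request rounded up to a whole number of pages. */
static size_t page_round_up(size_t num)
{
    return (num + PAGE_SZ - 1) / PAGE_SZ * PAGE_SZ;
}

/* Sum the segment lengths recorded for a transfer of blk_size bytes.
 * clamp == 0: length = ret_sz;                        (line before the fix)
 * clamp != 0: length = (ret_sz > num) ? num : ret_sz; (line after the fix) */
static size_t mapped_bytes(size_t blk_size, int clamp)
{
    size_t total = 0, rem = blk_size;

    while (rem > 0) {
        size_t num = rem > ELEM_SZ ? ELEM_SZ : rem;  /* bytes still needed */
        size_t ret_sz = page_round_up(num);          /* bytes allocated */
        size_t length = (clamp && ret_sz > num) ? num : ret_sz;

        total += length;
        rem -= num;
    }
    return total;
}

int main(void)
{
    size_t last = 385280;  /* last block size given in the report */

    printf("requested      : %zu\n", last);
    printf("before the fix : %zu\n", mapped_bytes(last, 0));
    printf("after the fix  : %zu\n", mapped_bytes(last, 1));
    return 0;
}
```

In this model the unclamped lengths describe more bytes than the caller asked to transfer whenever the final element is not a whole number of pages, while a page-aligned transfer such as a full 512k block is unaffected.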

Comment 1 Brian Parks (Quantum Corp) 2007-09-24 19:56:01 UTC
It seems likely that this is a dup of BZ 219838, a fix in RHEL 5 update 1 beta. 
A hotfix for RHEL 5 original release would be most helpful. Please advise.

Brian Parks
Quantum Corp

Comment 2 Doug Ledford 2007-11-30 16:41:02 UTC

*** This bug has been marked as a duplicate of 219838 ***

