Bug 248564 - RHEL5 crash due to scsi driver bug (fixed in linux 2.6.19 driver)
RHEL5 crash due to scsi driver bug (fixed in linux 2.6.19 driver)
Status: CLOSED DUPLICATE of bug 219838
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
x86_64 Linux
low Severity urgent
: ---
: ---
Assigned To: Doug Ledford
Martin Jenner
Depends On:
  Show dependency treegraph
Reported: 2007-07-17 10:57 EDT by Brian Parks (Quantum Corp)
Modified: 2007-11-30 17:07 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-11-30 11:41:02 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Brian Parks (Quantum Corp) 2007-07-17 10:57:00 EDT
Description of problem:
A system crash (backtrace below) consistently occurs on RHEL5 when using the 
scsi passthru/scatter gather driver. The same code works on RHEL4 (all updates).

FILE driver/scsi/sg.c. THE LINE 

              sg->length = ret_sz;
              sg->length = (ret_sz > num) ? num : ret_sz;

We normally use kernels/drivers as provided by RedHat (not compiled from 
source). We built a kernel with the above change and the i/o completed rather 
than a system crash, essentially confirming the fix.

Version-Release number of selected component (if applicable):
# uname  -r

# cat /proc/scsi/sg/version
30534   3.5.34 [20060920]

How reproducible:
Use the scsi passthru/scatter-gather driver to write data to tape when the last 
block is not a multiple of a page size.

Steps to Reproduce:
1. Write to tape using, for example, /dev/sg3
2. We wrote (op code 0A) 100,000,000 bytes (rather than 1024k, which works okay)
3. We used a block size of 512k. The data in the last block was 385280 bytes.
Actual results:
consistent crashes with the following backtrace:
PID: 12349  TASK: ffff81005398f080  CPU: 0   COMMAND: "fs_fmover"
 #0 [ffff810055921af0] die at ffffffff80069457
 #1 [ffff810055921b20] do_general_protection at ffffffff800632e5
 #2 [ffff810055921b60] error_exit at ffffffff8005be1d
    [exception RIP: kmem_cache_free+95]
    RIP: ffffffff800074ff  RSP: ffff810055921c18  RFLAGS: 00010286
    RAX: c3c031c3c031c3c0  RBX: ffff810057d42f40  RCX: 00000000000fe000
    RDX: c3c033804031c3c0  RSI: 000001bc80000000  RDI: 00000000000007f0
    RBP: ffff81007f5d6f40   R8: 0000000000000000   R9: 0000000000000400
    R10: 0000000000001000  R11: ffffffff80042baf  R12: ffff810037fa9100
    R13: 0000000000000000  R14: 0000000000001000  R15: ffff8100554cb5f8
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #3 [ffff810055921c50] bio_free at ffffffff80040046
 #4 [ffff810055921c70] scsi_execute_async at ffffffff88079310
 #5 [ffff810055921d20] sg_common_write at ffffffff881c6f5a
 #6 [ffff810055921e00] sg_new_write at ffffffff881c7216
 #7 [ffff810055921e60] sg_ioctl at ffffffff881c8c07
 #8 [ffff810055921ee0] do_ioctl at ffffffff8003fc73
 #9 [ffff810055921f00] vfs_ioctl at ffffffff8002fa45
#10 [ffff810055921f40] sys_ioctl at ffffffff8004a24b
#11 [ffff810055921f80] tracesys at ffffffff8005b2c1 (via system_call)

Expected results:
Data written to tape

Additional info:
A fix/hotfix is needed for our customers to use our product on RHEL5.
Comment 1 Brian Parks (Quantum Corp) 2007-09-24 15:56:01 EDT
It seems likely that this is a dup of BZ 219838, a fix in RHEL 5 update 1 beta. 
A hotfix for RHEL 5 original release would be most helpful. Please advise.

Brian Parks
Quantum Corp
Comment 2 Doug Ledford 2007-11-30 11:41:02 EST

*** This bug has been marked as a duplicate of 219838 ***

Note You need to log in before you can comment on or make changes to this bug.