On Fri, 2019-01-11 at 13:01 -0500, Douglas Gilbert wrote:
> On 2019-01-10 6:22 p.m., Bart Van Assche wrote:
> > Hi Doug,
> >
> > Have you ever tried to run the libiscsi conformance tests against
> > the scsi_debug driver? I tried the following:
> >
> > modprobe scsi_debug delay=0 max_luns=3
> > dev=$(for f in /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/[0-9]*/block/*; do echo $f; break; done)
> > dev=/dev/$(basename $dev)
> > libiscsi/test-tool/iscsi-test-cu --dataloss --allow-sanitize "$dev"
> >
> > That test triggers the following output:
> >
> > BUG: unable to handle kernel paging request at ffffa8d741235e00
> > PGD 13b141067 P4D 13b141067 PUD 13b146067 PMD 6fc5a067 PTE 0
> > Oops: 0002 [#1] SMP PTI
> > CPU: 3 PID: 4967 Comm: iscsi-test-cu Not tainted 4.18.0-13-generic #14-Ubuntu
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
> > RIP: 0010:memcpy_erms+0x6/0x10
>
> Since memory corruption errors have been found elsewhere in
> lk 5.0-rc1 and a fix looks like it is pending, I will leave this
> one alone as I can't replicate it.

Hi Doug,

I can replicate this crash easily. I also noticed that this crash only occurs
if the scsi_debug driver is loaded with fake_rw=0. It does not occur with
fake_rw=1. It seems like the following code in resp_write_same() assumes that
fake_storep != NULL?

	/* if ndob then zero 1 logical block, else fetch 1 logical block */
	if (ndob) {
		memset(fake_storep + lba_off, 0, sdebug_sector_size);
		ret = 0;
	} else
		ret = fetch_to_dev_buffer(scp, fake_storep + lba_off,
					  sdebug_sector_size);

Bart.
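
Added example, not part of the original message and not scsi_debug code: a user-space C model of the fragment quoted above, showing the checks that keep the "zero or fetch one logical block" step from writing through a missing or too-small backing store. The function name ws_first_block, the status enum, the 512-byte sector size and the buffers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512u /* constructed; stands in for sdebug_sector_size */

enum ws_status { WS_OK, WS_NO_STORE, WS_OUT_OF_RANGE, WS_SHORT_DATA };

/*
 * Hypothetical user-space model of the quoted fragment, not kernel code.
 * store/store_len: backing store (stands in for fake_storep), may be NULL.
 * lba_off: byte offset of the logical block; ndob: zero instead of fetch.
 * dout/dout_len: data-out buffer that the fetch would copy from.
 */
enum ws_status ws_first_block(unsigned char *store, size_t store_len,
                              size_t lba_off, int ndob,
                              const unsigned char *dout, size_t dout_len)
{
    if (store == NULL)
        return WS_NO_STORE;      /* never form store + lba_off */
    if (lba_off > store_len || store_len - lba_off < SECTOR_SIZE)
        return WS_OUT_OF_RANGE;  /* block would end past the store */
    if (ndob) {
        memset(store + lba_off, 0, SECTOR_SIZE);
        return WS_OK;
    }
    if (dout == NULL || dout_len < SECTOR_SIZE)
        return WS_SHORT_DATA;    /* not enough data for one block */
    memcpy(store + lba_off, dout, SECTOR_SIZE);
    return WS_OK;
}

int main(void)
{
    static unsigned char store[4 * SECTOR_SIZE]; /* constructed 4-block store */
    unsigned char dout[SECTOR_SIZE];

    memset(dout, 0x5c, sizeof(dout));
    printf("no store:     %d\n", ws_first_block(NULL, 0, SECTOR_SIZE, 1, NULL, 0));
    printf("ndob zero:    %d\n", ws_first_block(store, sizeof(store), SECTOR_SIZE, 1, NULL, 0));
    printf("fetch block:  %d\n", ws_first_block(store, sizeof(store), 0, 0, dout, sizeof(dout)));
    printf("out of range: %d\n", ws_first_block(store, sizeof(store), sizeof(store), 1, NULL, 0));
    return 0;
}
```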