Crash in mptscsih_io_done() due to buffer overrun in sense_buf_pool


Issue

A system using the Fusion MPT SAS driver (mptbase/mptscsih/mptsas) crashes while smartctl issues an SG_IO ioctl to a disk behind the controller (sd_ioctl → scsi_cmd_blk_ioctl → sg_io in the trace below). The fault is taken in hard-IRQ context inside mptscsih_io_done(), the command-completion handler called from mpt_interrupt(), so it brings down the whole host rather than just the ioctl caller. The faulting address in CR2 (ffff880840000000) lies 0x40 bytes beyond RCX (ffff88083fffffc0), consistent with a read running past the end of a buffer into an unmapped page. Console messages:

BUG: unable to handle kernel paging request at ffff880840000000
IP: [<ffffffffa019d32f>] mptscsih_io_done+0x68f/0xbe0 [mptscsih]
Kernel PGD 1a90063 PUD 0
User   PGD 83fe73067 PUD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/virtual/bdi/253:10/read_ahead_kb
CPU 3
Modules linked in: iptable_filter ip_tables vsock(U) vmci(U) nfs lockd fscache auth_rpcgss nfs_acl sunrpc ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr ipv6 ppdev parport_pc parport microcode vmware_balloon sg i2c_piix4 shpchp ext4 jbd2 mbcache sr_mod cdrom sd_mod crc_t10dif ahci vmxnet3 mptsas mptscsih mptbase scsi_transport_sas pata_acpi ata_generic ata_piix vmwgfx ttm drm_kms_helper drm i2c_core dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan]

Pid: 11837, comm: smartctl Not tainted 2.6.32-754.23.1.el6.x86_64 #1 VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform
RIP: 0010:[<ffffffffa019d32f>]  [<ffffffffa019d32f>] mptscsih_io_done+0x68f/0xbe0 [mptscsih]
RSP: 0018:ffff8800460c3d78  EFLAGS: 00010286
RAX: ffff880832799740 RBX: ffff88082b480c80 RCX: ffff88083fffffc0
RDX: 0000000000000000 RSI: 0000000000000202 RDI: ffff88082d903000
RBP: ffff8800460c3de8 R08: 0000000000000040 R09: ffff88035cdbb918
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88082d903000
R13: ffff88082b486780 R14: ffff88083234a580 R15: ffff88082b43a920
FS:  00007f0c1eb9c7c0(0000) GS:ffff8800460c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff880840000000 CR3: 000000035cc1a000 CR4: 00000000000607e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process smartctl (pid: 11837, threadinfo ffff88035cdb8000, task ffff88082fe12ab0)
Stack:
 ffffffff813af42a 0000000000000000 ffff88083234a580 ffff88034a06c480
<d> 0000000000000000 ffff88083ffdf5e0 020101ff00000001 0000007f00000001
<d> 00004e2000000000 0000000000000000 ffff88082d903000 ffff88082b486780
Call Trace:
 <IRQ>
 [<ffffffff813af42a>] ? scsi_next_command+0x4a/0x60
 [<ffffffffa017e418>] mpt_interrupt+0x1b8/0xa70 [mptbase]
 [<ffffffff813a6340>] ? scsi_finish_command+0xd0/0x130
 [<ffffffff813b0757>] ? scsi_softirq_done+0x147/0x170
 [<ffffffff8128f70b>] ? blk_done_softirq+0x8b/0xa0
 [<ffffffff810f8546>] handle_IRQ_event+0x66/0x180
 [<ffffffff810fb098>] handle_fasteoi_irq+0x88/0x100
 [<ffffffff8100e56a>] handle_irq+0x6a/0x100
 [<ffffffff81089612>] ? irq_enter+0x22/0x80
 [<ffffffff8156678c>] do_IRQ+0x6c/0xf0
 [<ffffffff81564ed3>] ret_from_intr+0x0/0x11
 <EOI>
 [<ffffffff8155cb77>] ? _spin_unlock_irqrestore+0x17/0x20
 [<ffffffff813a66f5>] scsi_dispatch_cmd+0x1d5/0x320
 [<ffffffff813af07e>] scsi_request_fn+0x5be/0x750
 [<ffffffff8109355d>] ? del_timer+0x7d/0xe0
 [<ffffffff812870c4>] __blk_run_queue+0x54/0x70
 [<ffffffff81281616>] elv_insert+0x106/0x1a0
 [<ffffffff812816f0>] __elv_add_request+0x40/0x90
 [<ffffffff8128e6e7>] blk_execute_rq_nowait+0x77/0x110
 [<ffffffff811ddaf1>] ? bio_phys_segments+0x21/0x30
 [<ffffffff8128e804>] blk_execute_rq+0x84/0xf0
 [<ffffffff8128e550>] ? blk_rq_map_user+0x1a0/0x280
 [<ffffffff8106878e>] ? account_entity_enqueue+0x7e/0x90
 [<ffffffff81292e25>] sg_io+0x215/0x3d0
 [<ffffffff8103ed3e>] ? physflat_send_IPI_mask+0xe/0x10
 [<ffffffff81293820>] scsi_cmd_ioctl+0x400/0x470
 [<ffffffff8115fbea>] ? handle_pte_fault+0x9a/0xc80
 [<ffffffff812938e1>] scsi_cmd_blk_ioctl+0x51/0x70
 [<ffffffffa01e668f>] sd_ioctl+0xaf/0x110 [sd_mod]
 [<ffffffff812904e5>] __blkdev_driver_ioctl+0x75/0x90
 [<ffffffff8129096d>] blkdev_ioctl+0x1ed/0x6e0
 [<ffffffff811b75d9>] vfs_ioctl+0x29/0xc0
 [<ffffffff811b7794>] do_vfs_ioctl+0x84/0x590
 [<ffffffff810f1283>] ? audit_filter_syscall+0x93/0xf0
 [<ffffffff811b7d21>] sys_ioctl+0x81/0xa0
 [<ffffffff815643a7>] system_call_fastpath+0x35/0x3a

The backtrace from the vmcore (crash utility), showing the interrupt that faulted landing on top of the smartctl ioctl path:

crash> bt
PID: 11837  TASK: ffff88082fe12ab0  CPU: 3   COMMAND: "smartctl"
 #0 [ffff8800460c3960] machine_kexec at ffffffff8104111b
 #1 [ffff8800460c39c0] crash_kexec at ffffffff810d6932
 #2 [ffff8800460c3a90] oops_end at ffffffff8155e310
 #3 [ffff8800460c3ac0] no_context at ffffffff810546bb
 #4 [ffff8800460c3b10] __bad_area_nosemaphore at ffffffff81054945
 #5 [ffff8800460c3b60] bad_area_nosemaphore at ffffffff81054a13
 #6 [ffff8800460c3b70] __do_page_fault at ffffffff810551d0
 #7 [ffff8800460c3c90] do_page_fault at ffffffff815602ce
 #8 [ffff8800460c3cc0] page_fault at ffffffff8155d265
    [exception RIP: mptscsih_io_done+0x68f]
    RIP: ffffffffa019d32f  RSP: ffff8800460c3d78  RFLAGS: 00010286
    RAX: ffff880832799740  RBX: ffff88082b480c80  RCX: ffff88083fffffc0
    RDX: 0000000000000000  RSI: 0000000000000202  RDI: ffff88082d903000
    RBP: ffff8800460c3de8   R8: 0000000000000040   R9: ffff88035cdbb918
    R10: 0000000000000000  R11: 0000000000000000  R12: ffff88082d903000
    R13: ffff88082b486780  R14: ffff88083234a580  R15: ffff88082b43a920
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #9 [ffff8800460c3df0] mpt_interrupt at ffffffffa017e418 [mptbase]
#10 [ffff8800460c3ed0] handle_IRQ_event at ffffffff810f8546
#11 [ffff8800460c3f20] handle_fasteoi_irq at ffffffff810fb098
#12 [ffff8800460c3f50] handle_irq at ffffffff8100e56a
#13 [ffff8800460c3f80] do_IRQ at ffffffff8156678c
--- <IRQ stack> ---
#14 [ffff88035cdbb868] ret_from_intr at ffffffff81564ed3
    [exception RIP: _spin_unlock_irqrestore+0x17]
    RIP: ffffffff8155cb77  RSP: ffff88035cdbb918  RFLAGS: 00000202
    RAX: ffffffffa01b5240  RBX: ffff88035cdbb918  RCX: 000000000000007f
    RDX: ffff88083ffdf050  RSI: 0000000000000202  RDI: 0000000000000202
    RBP: ffffffff81564ece   R8: 0000000000000002   R9: 0000000000000000
    R10: 0000000000000001  R11: 0000000000000000  R12: ffff88082d903188
    R13: 0000007f4a06c480  R14: ffff88082b486780  R15: 00000000000001fc
    ORIG_RAX: ffffffffffffff92  CS: 0010  SS: 0018
#15 [ffff88035cdbb920] scsi_dispatch_cmd at ffffffff813a66f5
#16 [ffff88035cdbb950] scsi_request_fn at ffffffff813af07e
#17 [ffff88035cdbb9c0] __blk_run_queue at ffffffff812870c4
#18 [ffff88035cdbb9e0] elv_insert at ffffffff81281616
#19 [ffff88035cdbba20] __elv_add_request at ffffffff812816f0
#20 [ffff88035cdbba50] blk_execute_rq_nowait at ffffffff8128e6e7
#21 [ffff88035cdbba90] blk_execute_rq at ffffffff8128e804
#22 [ffff88035cdbbb40] sg_io at ffffffff81292e25
#23 [ffff88035cdbbc10] scsi_cmd_ioctl at ffffffff81293820
#24 [ffff88035cdbbd10] scsi_cmd_blk_ioctl at ffffffff812938e1
#25 [ffff88035cdbbd40] sd_ioctl at ffffffffa01e668f [sd_mod]
#26 [ffff88035cdbbd90] __blkdev_driver_ioctl at ffffffff812904e5
#27 [ffff88035cdbbdd0] blkdev_ioctl at ffffffff8129096d
#28 [ffff88035cdbbe20] block_ioctl at ffffffff811ded2c
#29 [ffff88035cdbbe30] vfs_ioctl at ffffffff811b75d9
#30 [ffff88035cdbbe70] do_vfs_ioctl at ffffffff811b7794
#31 [ffff88035cdbbf00] sys_ioctl at ffffffff811b7d21
#32 [ffff88035cdbbf50] system_call_fastpath at ffffffff815643a7

Environment

  • Red Hat Enterprise Linux
    kernel: 2.6.32-754.23.1.el6.x86_64
  • Fusion MPT SAS driver (mptbase, mptscsih, mptsas modules)
