Segmentation fault in iSER discovery #277

Open
clicx opened this issue Oct 15, 2018 · 9 comments

Comments

@clicx
Copy link

clicx commented Oct 15, 2018

iSER discovery seems not to be fully implemented; I can't find an example for it. Therefore I simply modified iscsi-ls, changing iscsi:// to iser://.
Then I got a segmentation fault after the iscsi context was freed.

@sitsofe
Copy link
Contributor

sitsofe commented Oct 15, 2018

@clicx could you include a backtrace and confirm that you're on the latest git version of libiscsi?

@clicx
Copy link
Author

clicx commented Oct 16, 2018

I used git clone on a new machine to test this, therefore it is the newest version of the master branch.

diff --git a/utils/iscsi-ls.c b/utils/iscsi-ls.c
index 95ab1a6..25ec23f 100644
--- a/utils/iscsi-ls.c
+++ b/utils/iscsi-ls.c
@@ -383,6 +383,8 @@ int main(int argc, char *argv[])
useurls = 1;
} else if (!strncmp("iscsi://", argv[i], 8)) {
url = strdup(argv[i]);

  •            }else if (!strncmp("iser://", argv[i], 7)) {
    
  •                    url = strdup(argv[i]);
               }
       }
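Review bot: the new `iser://` branch has exactly the same body as the `iscsi://` branch above it (`url = strdup(argv[i]);`), so it would be simpler and less error-prone to fold the two into one condition, e.g. `} else if (!strncmp("iscsi://", argv[i], 8) || !strncmp("iser://", argv[i], 7)) {`. Style point on the same line: `}else if` should be `} else if` to match the surrounding code. Note also that this hunk only touches argument parsing; it does not itself explain the crash, which the backtrace places in the iSER completion-queue handling after the context is freed.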
    

@sitsofe
Copy link
Contributor

sitsofe commented Oct 16, 2018

@clicx OK so latest git. In terms of backtrace I meant like the thread apply all bt output you get from GDB (e.g. see https://wiki.debian.org/HowToGetABacktrace ).

@sahlberg
Copy link
Owner

sahlberg commented Oct 16, 2018 via email

@bvanassche
Copy link
Collaborator

Hi Ronnie, have you considered using the rdma_rxe driver and LIO to set up an iSER target stack?

@clicx
Copy link
Author

clicx commented Oct 16, 2018

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bcbaf2 in ibv_poll_cq (wc=0x7fffffffded0, num_entries=16, cq=0x7ffff0004500) at /usr/include/infiniband/verbs.h:1458
1458 return cq->context->ops.poll_cq(cq, num_entries, wc);
Missing separate debuginfos, use: debuginfo-install glibc-2.17-222.el7.x86_64 libgcc-4.8.5-28.el7_5.1.x86_64 libibverbs-41mlnx1-OFED.4.4.1.0.0.44100.x86_64 libmlx4-41mlnx1-OFED.4.1.0.1.0.44100.x86_64 libmlx5-41mlnx1-OFED.4.4.0.1.7.44100.x86_64 libnl3-3.2.21-10.el7.x86_64 librdmacm-41mlnx1-OFED.4.2.0.1.3.44100.x86_64 librxe-41mlnx1-OFED.4.1.0.1.7.44100.x86_64 numactl-libs-2.0.9-7.el7.x86_64
(gdb) bt full
#0 0x00007ffff7bcbaf2 in ibv_poll_cq (wc=0x7fffffffded0, num_entries=16, cq=0x7ffff0004500) at /usr/include/infiniband/verbs.h:1458
No locals.
#1 cq_event_handler (iser_conn=iser_conn@entry=0x607700) at iser.c:1188
wc = {{wr_id = 140737219946256, status = IBV_WC_SUCCESS, opcode = IBV_WC_RECV, vendor_err = 4294958848, byte_len = 76, imm_data = 4294958864, qp_num = 262801,
src_qp = 0, wc_flags = 0, pkey_index = 57, slid = 10, sl = 0 '\000', dlid_path_bits = 0 '\000'}, {wr_id = 140733193388032, status = 395, opcode = IBV_WC_SEND,
vendor_err = 3, byte_len = 32767, imm_data = 1, qp_num = 1, src_qp = 0, wc_flags = 0, pkey_index = 0, slid = 0, sl = 0 '\000', dlid_path_bits = 0 '\000'}, {
wr_id = 18159640801330593792, status = 4286513152, opcode = 1090191600, vendor_err = 2332098560, byte_len = 4228121368, imm_data = 4286513152, qp_num = 273088752,
src_qp = 0, wc_flags = 0, pkey_index = 0, slid = 0, sl = 0 '\000', dlid_path_bits = 0 '\000'}, {wr_id = 3620164524636529996, status = 875639350,
opcode = 1766195252, vendor_err = 1029796961, byte_len = 7562585, imm_data = 1115185485, qp_num = 1953722997, src_qp = 1312642098, wc_flags = 1833500783,
pkey_index = 25965, slid = 26980, sl = 97 'a', dlid_path_bits = 116 't'}, {wr_id = 28550396980851827, status = 1953066569, opcode = 1382834537, vendor_err = 0,
byte_len = 0, imm_data = 0, qp_num = 0, src_qp = 4294967295, wc_flags = 16777215, pkey_index = 65280, slid = 0, sl = 0 '\000', dlid_path_bits = 255 '\377'}, {
wr_id = 0, status = IBV_WC_SUCCESS, opcode = IBV_WC_SEND, vendor_err = 0, byte_len = 0, imm_data = 0, qp_num = 0, src_qp = 0, wc_flags = 0, pkey_index = 0,
slid = 0, sl = 0 '\000', dlid_path_bits = 0 '\000'}, {wr_id = 0, status = IBV_WC_SUCCESS, opcode = IBV_WC_SEND, vendor_err = 0, byte_len = 0, imm_data = 0,
qp_num = 0, src_qp = 0, wc_flags = 0, pkey_index = 0, slid = 0, sl = 0 '\000', dlid_path_bits = 0 '\000'}, {wr_id = 0, status = IBV_WC_SUCCESS,
opcode = IBV_WC_SEND, vendor_err = 0, byte_len = 0, imm_data = 0, qp_num = 0, src_qp = 0, wc_flags = 0, pkey_index = 0, slid = 0, sl = 0 '\000',
dlid_path_bits = 0 '\000'}, {wr_id = 0, status = IBV_WC_SUCCESS, opcode = IBV_WC_SEND, vendor_err = 4294959248, byte_len = 32767, imm_data = 6347584, qp_num = 0,
src_qp = 4200816, wc_flags = 0, pkey_index = 57984, slid = 65535, sl = 255 '\377', dlid_path_bits = 127 '\177'}, {wr_id = 2, status = IBV_WC_SUCCESS,
opcode = IBV_WC_SEND, vendor_err = 0, byte_len = 0, imm_data = 0, qp_num = 0, src_qp = 0, wc_flags = 0, pkey_index = 0, slid = 0, sl = 0 '\000',
dlid_path_bits = 0 '\000'}, {wr_id = 0, status = IBV_WC_SUCCESS, opcode = IBV_WC_SEND, vendor_err = 0, byte_len = 0, imm_data = 0, qp_num = 0, src_qp = 0,
wc_flags = 0, pkey_index = 0, slid = 0, sl = 0 '\000', dlid_path_bits = 0 '\000'}, {wr_id = 0, status = IBV_WC_SUCCESS, opcode = IBV_WC_SEND, vendor_err = 0,
byte_len = 0, imm_data = 0, qp_num = 0, src_qp = 0, wc_flags = 0, pkey_index = 0, slid = 0, sl = 0 '\000', dlid_path_bits = 0 '\000'}, {wr_id = 0,
status = IBV_WC_SUCCESS, opcode = IBV_WC_SEND, vendor_err = 0, byte_len = 0, imm_data = 0, qp_num = 0, src_qp = 0, wc_flags = 0, pkey_index = 0, slid = 0,
sl = 0 '\000', dlid_path_bits = 0 '\000'}, {wr_id = 0, status = IBV_WC_SUCCESS, opcode = IBV_WC_SEND, vendor_err = 0, byte_len = 0, imm_data = 0, qp_num = 0,
src_qp = 0, wc_flags = 0, pkey_index = 0, slid = 0, sl = 0 '\000', dlid_path_bits = 0 '\000'}, {wr_id = 0, status = IBV_WC_SUCCESS, opcode = IBV_WC_SEND,
vendor_err = 0, byte_len = 0, imm_data = 0, qp_num = 0, src_qp = 0, wc_flags = 0, pkey_index = 0, slid = 0, sl = 0 '\000', dlid_path_bits = 0 '\000'}, {wr_id = 0,
status = IBV_WC_SUCCESS, opcode = IBV_WC_SEND, vendor_err = 0, byte_len = 0, imm_data = 0, qp_num = 0, src_qp = 0, wc_flags = 0, pkey_index = 44185, slid = 63305,
sl = 255 '\377', dlid_path_bits = 127 '\177'}}
n =
completed = 1
#2 0x00007ffff7bcc0a0 in cq_handle (iser_conn=0x607700) at iser.c:1226
ev_ctx = 0x607700
ret =
iscsi = 0x605780
#3 iscsi_iser_service (iscsi=0x605780, revents=) at iser.c:103
ret = 0
iser_conn = 0x607700
#4 0x0000000000401aa3 in event_loop (iscsi=iscsi@entry=0x605780, state=state@entry=0x7fffffffe280) at iscsi-ls.c:79
pfd = {fd = 10, events = 1, revents = 1}
#5 0x0000000000401545 in main (argc=2, argv=) at iscsi-ls.c:444
iscsi = 0x605780
iscsi_url = 0x6070e0
state = {finished = 1, status = 0, lun = 0, type = 0, username = 0x6072e0 "", password = 0x6073e0 ""}
url =
i =
show_help = 0
show_usage = 0
debug = 0

@Ir1Ka
Copy link

Ir1Ka commented Oct 26, 2024

My environment:
OS: Debian 12 (bookworm)
libiscsi: 1.19.0-3
qemu: 1:7.2+dfsg-7+deb12u7

I had a similar problem locally; the backtrace is as follows. It looks like memory corruption, a dangling pointer or access after free.

(gdb) bt
#0  0x00007f5569f7d53b in iscsi_iser_queue_pdu (iscsi=0x5654b07e3480, pdu=0x5654b114b980) at iser.c:704
#1  0x00007f5569f69452 in iscsi_nop_out_async (iscsi=0x5654b07e3480, cb=cb@entry=0x0, data=data@entry=0x0, len=len@entry=0, private_data=private_data@entry=0x0) at nop.c:80
#2  0x00007f556a174fe1 in iscsi_nop_timed_event (opaque=opaque@entry=0x5654b07e31f0) at ../../block/iscsi.c:1417
#3  0x0000565494eaf710 in timerlist_run_timers (timer_list=0x5654b057f460) at ../../util/qemu-timer.c:576
#4  0x0000565494eaf7ee in timerlist_run_timers (timer_list=<optimized out>) at ../../util/qemu-timer.c:509
#5  timerlistgroup_run_timers (tlg=0x5654b056b490) at ../../util/qemu-timer.c:615
#6  0x0000565494e96037 in aio_dispatch (ctx=<optimized out>) at ../../util/aio-posix.c:426
#7  0x0000565494ea9dde in aio_ctx_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at ../../util/async.c:352
#8  0x00007f556c4dd7a9 in g_main_dispatch (context=0x5654b0578290) at ../../../glib/gmain.c:3454
#9  g_main_context_dispatch (context=context@entry=0x5654b0578290) at ../../../glib/gmain.c:4172
#10 0x0000565494eac3d8 in glib_pollfds_poll () at ../../util/main-loop.c:297
#11 os_host_main_loop_wait (timeout=429840) at ../../util/main-loop.c:320
#12 main_loop_wait (nonblocking=nonblocking@entry=0) at ../../util/main-loop.c:606
#13 0x0000565494b08957 in qemu_main_loop () at ../../softmmu/runstate.c:739
#14 0x0000565494d2c956 in qemu_default_main () at ../../softmmu/main.c:37
#15 0x00007f556bf2f24a in __libc_start_call_main (main=main@entry=0x56549493b570 <main>, argc=argc@entry=126, argv=argv@entry=0x7ffd72b6cd08) at ../sysdeps/nptl/libc_start_call_main.h:58
#16 0x00007f556bf2f305 in __libc_start_main_impl (main=0x56549493b570 <main>, argc=126, argv=0x7ffd72b6cd08, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd72b6ccf8) at ../csu/libc-start.c:360
#17 0x000056549493ce51 in _start ()
(gdb) p iscsi->waitpdu
$11 = (struct iscsi_pdu *) 0x5654b0597c00
(gdb) p iscsi->waitpdu->next 
$12 = (struct iscsi_pdu *) 0x5651d41ead87
(gdb) p *(iscsi->waitpdu->next)
Cannot access memory at address 0x5651d41ead87
(gdb) p *(iscsi->waitpdu)
$10 = {next = 0x5651d41ead87, flags = 0, lun = 0, itt = 2975180832, cmdsn = 22100, datasn = 49, response_opcode = ISCSI_PDU_NOP_OUT, callback = 0x5651d4112d37, private_data = 0x0, 
  outdata = {size = 1, data = 0x1 <error: Cannot access memory at address 0x1>}, outdata_written = 0, payload_offset = 33, payload_len = 0, payload_written = 3571875879, indata = {
    size = 0, data = 0x0}, scsi_cbdata = {callback = 0x31, private_data = 0x5651d5127987, task = 0x0}, scsi_timeout = 1, expxferlen = 1}
(gdb) bt
#0  0x00007f9c855a853b in iscsi_iser_queue_pdu (iscsi=0x5590aa00a480, pdu=0x5590ab305090) at iser.c:704
#1  0x00007f9c855963f9 in iscsi_scsi_command_async (iscsi=iscsi@entry=0x5590aa00a480, lun=0, task=0x5590aa0a1410, cb=cb@entry=0x7f9c85a2e010 <iscsi_aio_ioctl_cb>, d=<optimized out>, private_data=private_data@entry=0x7f9c5800b080) at iscsi-command.c:282
#2  0x00007f9c85a2c7ed in iscsi_aio_ioctl (bs=<optimized out>, req=<optimized out>, buf=<optimized out>, cb=<optimized out>, opaque=<optimized out>) at ../../block/iscsi.c:1099
#3  0x0000559074619a16 in bdrv_co_ioctl (bs=0x5590aa002890, req=8837, buf=0x5590ab1b7180) at ../../block/io.c:3210
#4  0x00005590746199cd in bdrv_co_ioctl (bs=0x5590aa02d570, req=8837, buf=buf@entry=0x5590ab1b7180) at ../../block/io.c:3208
#5  0x0000559074608c74 in blk_co_do_ioctl (buf=0x5590ab1b7180, req=8837, blk=0x5590abe881c0) at ../../block/block-backend.c:1655
#6  blk_aio_ioctl_entry (opaque=0x5590aa0a49f0) at ../../block/block-backend.c:1676
#7  0x0000559074728ceb in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>) at ../../util/coroutine-ucontext.c:177
#8  0x00007f9c8757e9c0 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#9  0x00007f9c76ffba70 in ?? ()
#10 0x0000000000000000 in ?? ()
(gdb) p iscsi->waitpdu->next->next
$1 = (struct iscsi_pdu *) 0x3e6e6f69
(gdb) p *(iscsi->waitpdu->next->next)
Cannot access memory at address 0x3e6e6f69
(gdb) p *(iscsi->waitpdu->next)
$16 = {next = 0x3e6e6f69, flags = 161, lun = 0, itt = 2870404640, cmdsn = 21904, datasn = 2865212400, response_opcode = 21904, callback = 0x20, private_data = 0x30, outdata = {
    size = 94102499316027, data = 0x5590ab01fb10 "?\034\315\363\225U"}, outdata_written = 0, payload_offset = 0, payload_len = 0, payload_written = 0, indata = {size = 81, 
    data = 0x5590ab2ff5b0 "ion>"}, scsi_cbdata = {callback = 0x5590aac32c30, private_data = 0x20, task = 0x30}, scsi_timeout = 94102528558683, expxferlen = 0}
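One thing worth pulling out of the dump above: the corrupted `next` pointer `0x3e6e6f69`, read as little-endian bytes, is the ASCII text `ion>`, which is exactly the string gdb shows in the same PDU's `indata.data`. A pointer field whose bytes decode as printable text is a strong sign that string data was written over the struct, which supports the "stomped pdu" reading rather than a plain dangling pointer. The following is an added triage helper, not code from this issue, libiscsi or QEMU; it parses `bt` frames and `p` results of the kind pasted here (the sample session below is assembled from lines quoted in this issue) and flags pointer values that are unreadable or that decode as text. Names such as `triage`, `classify_pointer` and `SAMPLE_GDB` are this example's own.

```python
"""Triage helper for gdb output of the kind pasted in this issue.

Added example (not libiscsi or QEMU code): it parses `bt` frames and
`p` results, and flags pointer values that cannot be dereferenced or
that decode as printable text, the signature of a pointer field that
was overwritten by string data.
"""
import re
import string

# Constructed sample, assembled from lines of the gdb sessions quoted in this issue.
SAMPLE_GDB = """\
(gdb) bt
#0  0x00007f9c855a853b in iscsi_iser_queue_pdu (iscsi=0x5590aa00a480, pdu=0x5590ab305090) at iser.c:704
#1  0x00007f9c855963f9 in iscsi_scsi_command_async (iscsi=iscsi@entry=0x5590aa00a480, lun=0, task=0x5590aa0a1410, cb=cb@entry=0x7f9c85a2e010 <iscsi_aio_ioctl_cb>, d=<optimized out>, private_data=private_data@entry=0x7f9c5800b080) at iscsi-command.c:282
#5  timerlistgroup_run_timers (tlg=0x5654b056b490) at ../../util/qemu-timer.c:615
#8  0x00007f9c8757e9c0 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#10 0x0000000000000000 in ?? ()
(gdb) p iscsi->waitpdu
$11 = (struct iscsi_pdu *) 0x5654b0597c00
(gdb) p iscsi->waitpdu->next
$12 = (struct iscsi_pdu *) 0x5651d41ead87
(gdb) p *(iscsi->waitpdu->next)
Cannot access memory at address 0x5651d41ead87
(gdb) p iscsi->waitpdu->next->next
$1 = (struct iscsi_pdu *) 0x3e6e6f69
(gdb) p *(iscsi->waitpdu->next->next)
Cannot access memory at address 0x3e6e6f69
"""

# "#N  0xADDR in func (args) at file:line" / "... from lib"; the address is
# absent on inlined frames and "at"/"from" are both optional.
FRAME_RE = re.compile(
    r'^#(?P<no>\d+)\s+(?:0x(?P<addr>[0-9a-f]+) in )?(?P<func>\S+) \((?P<args>.*)\)'
    r'(?: at (?P<file>\S+):(?P<line>\d+)| from (?P<lib>\S+))?\s*$')
CMD_RE = re.compile(r'^\(gdb\) p (?P<expr>.+?)\s*$')
VALUE_RE = re.compile(r'^\$\d+ = \((?P<type>[^)]*)\) 0x(?P<val>[0-9a-f]+)\s*$')
UNREADABLE_RE = re.compile(r'^Cannot access memory at address 0x(?P<val>[0-9a-f]+)\s*$')

USER_SPACE_TOP = 0x0000_8000_0000_0000  # canonical x86-64 user addresses end here


def parse_frames(text):
    """Return one dict per `#N` backtrace frame found in text."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        frames.append({
            'no': int(d['no']),
            'addr': int(d['addr'], 16) if d['addr'] else None,
            'func': d['func'],
            'args': d['args'],
            'file': d['file'],
            'line': int(d['line']) if d['line'] else None,
            'lib': d['lib'],
        })
    return frames


def decode_as_text(value, width=8):
    """Little-endian bytes of a pointer-sized value, if they are all printable ASCII."""
    raw = value.to_bytes(width, 'little').rstrip(b'\x00')
    if len(raw) >= 3 and all(chr(b) in string.printable and chr(b) not in '\t\n\r\x0b\x0c'
                             for b in raw):
        return raw.decode('ascii')
    return None


def classify_pointer(value):
    """Coarse plausibility verdict for a value gdb printed as a pointer.

    'plausible' only means the value is in the canonical user range; it can
    still be unmapped, which is why unreadable results are tracked separately.
    """
    if value == 0:
        return 'null'
    if value < 0x10000:
        return 'small-integer'
    if value >= USER_SPACE_TOP:
        return 'non-canonical'
    text = decode_as_text(value)
    if text is not None:
        return 'ascii:' + text   # pointer bytes are text: the field was overwritten
    return 'plausible'


def triage(text):
    """Pair each `p EXPR` with its result and attach a verdict to pointer values."""
    pointers, unreadable, expr = [], [], None
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if m:
            expr = m.group('expr')
            continue
        m = VALUE_RE.match(line)
        if m:
            val = int(m.group('val'), 16)
            pointers.append({'expr': expr, 'type': m.group('type'), 'value': val,
                             'verdict': classify_pointer(val)})
            continue
        m = UNREADABLE_RE.match(line)
        if m:
            unreadable.append({'expr': expr, 'value': int(m.group('val'), 16)})
    return {'frames': parse_frames(text), 'pointers': pointers, 'unreadable': unreadable}


if __name__ == '__main__':
    r = triage(SAMPLE_GDB)
    f = r['frames'][0]
    print(f"crash in {f['func']} at {f['file']}:{f['line']}")
    for p in r['pointers']:
        print(f"{p['expr']} = 0x{p['value']:x} -> {p['verdict']}")
    for u in r['unreadable']:
        print(f"unreadable: {u['expr']} (0x{u['value']:x})")
```

Run against the sample, the first `next` (0x5651d41ead87) is a canonical-looking address that is nevertheless unmapped, while the second (0x3e6e6f69) is reported as `ascii:ion>`; the two verdicts together point at the PDU memory being overwritten rather than at a stale list head alone. The same script can be fed the raw text of a `bt full` log to list frames with their source locations for a quick first look.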

@Ir1Ka
Copy link

Ir1Ka commented Oct 26, 2024

It looks like the memory of the pdu struct is being stomped.

@Ir1Ka
Copy link

Ir1Ka commented Oct 26, 2024

I tried compiling version 1.20.0 of libiscsi, replacing version 1.19.0 in debian 12, and it looks like the problem is fixed.


Development

No branches or pull requests

5 participants