libiscsi test suite can cause double free in spdk iSCSI target #89

Closed
sitsofe opened this issue Dec 17, 2016 · 8 comments
@sitsofe

sitsofe commented Dec 17, 2016

Description of the problem
Repeatedly running libiscsi's test suite against a spdk memory-based iSCSI target resulted in a double free.

Steps to reproduce:

  1. Create an iSCSI configuration at app/iscsi_tgt/iscsi.conf that includes the following:
    [Malloc]
      # Number of Malloc targets
      NumberOfLuns 1
      # Malloc targets are 128M
      LunSizeInMB 128
      # Block size. Default is 512 bytes.
      BlockSize 512

    [InitiatorGroup1]
      InitiatorName ALL
      Netmask 127.0.0.1/16

    [TargetNode1]
      TargetName disk1
      TargetAlias "Data Disk1"
      Mapping PortalGroup1 InitiatorGroup1
      UseDigest Auto
      # Use the first malloc target
      LUN0 Malloc0

      QueueDepth 128
  2. Run
    sudo app/iscsi_tgt/iscsi_tgt -c app/iscsi_tgt/iscsi.conf
  3. After the target is started run
    iscsi-test-cu -V -t SCSI.Read6 iscsi://127.0.0.1/iqn.2016-06.io.spdk:disk1/0
  4. When step 3 hangs press Ctrl-C.
  5. Run
    iscsi-test-cu -V -t SCSI.Read6 iscsi://127.0.0.1/iqn.2016-06.io.spdk:disk1/0

Expected result:
Test suite not to hang after 3? iSCSI target not to crash after 5?

Actual result:
After 3 libiscsi's test suite hangs on

    Send READ6 (Expecting CHECK_CONDITION) LBA:261985 blocks:160
    [FAILED] READ6 failed with wrong sense. Should have failed with ILLEGAL_REQUEST(0x05)/LBA_OUT_OF_RANGE(0x2100) but failed with Sense: (null)(0x00)/(0x0000)

    Send READ6 (Expecting CHECK_CONDITION) LBA:261984 blocks:161

After 5 the iSCSI target prints this:

    iscsi.c:1540:spdk_iscsi_op_login_initialize_port: ***ERROR*** InitiatorName is empty
    iscsi.c:4247:spdk_iscsi_execute: ***ERROR*** iscsi_op_login() failed
    conn.c:1214:spdk_iscsi_conn_handle_incoming_pdus: ***ERROR*** spdk_iscsi_execute() fatal error on NULL(NULL)
    iscsi_subsystem.c: 493:spdk_put_pdu: ***ERROR*** Negative PDU refcount: 0x7f7d825716c0
    *** Error in `app/iscsi_tgt/iscsi_tgt': double free or corruption (!prev): 0x00000000024aaa50 ***

How reproducible is the problem?
The problem is reproducible every time.

Version information:
libiscsi commit 3a598ea8465c8204688c6ccbc6d74003342f6651
spdk commit b8da09b
dpdk-16.11

@optimistyzy
Member

I have a question about the Ctrl-C in step 3: does it kill the iSCSI target or the iscsi-test-cu?

@sitsofe
Author

sitsofe commented Dec 19, 2016

@optimistyzy - do you mean Step 4? If so, the Ctrl-C should only be done on iscsi-test-cu. The SPDK iscsi_tgt should be left running until it crashes.

@sitsofe
Author

sitsofe commented Dec 19, 2016

Valgrind output:

    ==55224== Invalid free() / delete / delete[] / realloc()
    ==55224==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==55224==    by 0x420A74: spdk_put_pdu (iscsi_subsystem.c:502)
    ==55224==    by 0x411C14: spdk_iscsi_conn_flush_pdus_internal (conn.c:1125)
    ==55224==    by 0x412017: spdk_iscsi_conn_flush_pdus (conn.c:1176)
    ==55224==    by 0x412017: spdk_iscsi_conn_execute (conn.c:1260)
    ==55224==    by 0x4120D2: spdk_iscsi_conn_login_do_work (conn.c:1314)
    ==55224==    by 0x432725: _spdk_reactor_run (reactor.c:328)
    ==55224==    by 0x432B5D: spdk_reactors_start (reactor.c:541)
    ==55224==    by 0x431AD4: spdk_app_start (app.c:436)
    ==55224==    by 0x404831: main (iscsi_tgt.c:188)
    ==55224==  Address 0xf46d440 is 0 bytes inside a block of size 8,192 free'd
    ==55224==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==55224==    by 0x420A74: spdk_put_pdu (iscsi_subsystem.c:502)
    ==55224==    by 0x411E79: spdk_iscsi_conn_handle_incoming_pdus (conn.c:1210)
    ==55224==    by 0x411E79: spdk_iscsi_conn_execute (conn.c:1257)
    ==55224==    by 0x4120D2: spdk_iscsi_conn_login_do_work (conn.c:1314)
    ==55224==    by 0x432725: _spdk_reactor_run (reactor.c:328)
    ==55224==    by 0x432B5D: spdk_reactors_start (reactor.c:541)
    ==55224==    by 0x431AD4: spdk_app_start (app.c:436)
    ==55224==    by 0x404831: main (iscsi_tgt.c:188)
    ==55224==  Block was alloc'd at
    ==55224==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==55224==    by 0x41728A: spdk_iscsi_op_login_rsp_init (iscsi.c:1815)
    ==55224==    by 0x41728A: spdk_iscsi_op_login (iscsi.c:2172)
    ==55224==    by 0x419424: spdk_iscsi_execute (iscsi.c:4245)
    ==55224==    by 0x411E6D: spdk_iscsi_conn_handle_incoming_pdus (conn.c:1209)
    ==55224==    by 0x411E6D: spdk_iscsi_conn_execute (conn.c:1257)
    ==55224==    by 0x4120D2: spdk_iscsi_conn_login_do_work (conn.c:1314)
    ==55224==    by 0x432725: _spdk_reactor_run (reactor.c:328)
    ==55224==    by 0x432B5D: spdk_reactors_start (reactor.c:541)
    ==55224==    by 0x431AD4: spdk_app_start (app.c:436)
    ==55224==    by 0x404831: main (iscsi_tgt.c:188)
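
Added example, not part of the thread and not SPDK's code: a small C model of what the log and the Valgrind traces above show, where the same login response PDU payload is released once from the receive path and once from the flush path. It assumes (the thread does not confirm this) that the put routine logs the negative refcount and still runs its release path; `pdu_put`, `PUT_CLAMP`, `PUT_STRICT` and `failed_login_releases` are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model, not SPDK's structures: the PDU header sits in a pool
 * slot that stays addressable after release; the payload is on the heap. */
struct pdu { int ref; void *data; int releases; };

enum put_policy { PUT_CLAMP, PUT_STRICT };

/* Drop one reference. Returns 0 on success, -1 on refcount underflow. */
static int pdu_put(struct pdu *p, enum put_policy policy)
{
    if (--p->ref < 0) {
        fprintf(stderr, "negative PDU refcount: %p\n", (void *)p);
        p->ref = 0;
        if (policy == PUT_STRICT)
            return -1;      /* report the caller bug, release nothing again */
        /* PUT_CLAMP (assumed behaviour) falls through to the release path */
    }
    if (p->ref == 0) {
        p->releases++;      /* a second pass through here is the double free */
        free(p->data);
        p->data = NULL;     /* only so this demo itself stays memory-safe */
    }
    return 0;
}

/* Constructed scenario: after a failed login the response PDU is dropped by
 * the receive path and again by the flush path. hold_for_queue gives the
 * write queue its own reference. Returns how often the payload was released. */
static int failed_login_releases(enum put_policy policy, int hold_for_queue)
{
    struct pdu p = { .ref = 1, .data = malloc(8192), .releases = 0 };

    if (hold_for_queue)
        p.ref++;
    pdu_put(&p, policy);    /* receive path */
    pdu_put(&p, policy);    /* flush path */
    return p.releases;
}

int main(void)
{
    printf("clamp, one ref:  %d\n", failed_login_releases(PUT_CLAMP, 0));
    printf("strict, one ref: %d\n", failed_login_releases(PUT_STRICT, 0));
    printf("clamp, two refs: %d\n", failed_login_releases(PUT_CLAMP, 1));
    return 0;
}
```

With a single reference the clamping policy releases the payload twice; giving the queue its own reference, or making the put fail on underflow, brings it back to one release.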

@jimharris
Member

jimharris commented Dec 19, 2016 via email

@optimistyzy
Member

The issue is solved; the related patches will be pushed later.

@sitsofe
Author

sitsofe commented Dec 21, 2016

Thanks all!

@optimistyzy
Member

@sitsofe Can you retest this case? I think that this issue has been fixed.

@benlwalker
Member

We believe this issue is fixed. If the original submitter can reproduce, please re-open.
