2.6.34-rc4 : OOPS in unmap_vma

Borislav Petkov bp at alien8.de
Wed Apr 14 11:22:31 EDT 2010 

From: Linus Torvalds <torvalds at linux-foundation.org>
Date: Wed, Apr 14, 2010 at 07:32:08AM -0700

Hi Linus,

> On Wed, 14 Apr 2010, Borislav Petkov wrote:
> > 
> > hmm, it doesn't look like it. Your code translates to something like
> > 
> >    0:   b8 00 00 00 00          mov    $0x0,%eax
> >    5:   80 ff ff                cmp    $0xff,%bh
> >    8:   ff 48 21                decl   0x21(%rax)
> >    b:   45 80 48 8b 45          rex.RB orb    $0x45,-0x75(%r8)
> >   10:   80 48 ff c8             orb    $0xc8,-0x1(%rax)
> 
> There's a large constant (0xffffff8000000000) in there at the beginning, 
> and the disassembly hasn't found the start of the next instruction very 
> cleanly. The same is true at the end: another large constant is cut off in 
> the middle. 
> 
> The byte just before the dumped instruction stream is almost certainly 
> '48h', and the last byte of the last constant is 0xff, and the disassembly 
> ends up being:
> 
>    0:	48 b8 00 00 00 00 80 	mov    $0xffffff8000000000,%rax
>    7:	ff ff ff 
>    a:	48 21 45 80          	and    %rax,-0x80(%rbp)
>    e:	48 8b 45 80          	mov    -0x80(%rbp),%rax
>   12:	48 ff c8             	dec    %rax
>   15:	48 3b 85 40 ff ff ff 	cmp    -0xc0(%rbp),%rax
>   1c:	48 8b 85 50 ff ff ff 	mov    -0xb0(%rbp),%rax
>   23:	48 0f 42 7d 80       	cmovb  -0x80(%rbp),%rdi
>   28:	48 89 7d 80          	mov    %rdi,-0x80(%rbp)
>   2c:*	48 8b 38             	mov    (%rax),%rdi     <-- trapping instruction
>   2f:	48 85 ff             	test   %rdi,%rdi
>   32:	0f 84 f5 04 00 00    	je     0x52d
>   38:	48 b8 fb 0f 00 00 00 	mov    $0xffffc00000000ffb,%rax
>   3f:	c0 ff ff 
> 
> But yes, you found the right spot (that 0xffffff8000000000 constant is 
> -549755813888 decimal):

Right, the decodecode output looked kinda strange to me and I tried
to match the instruction order and find the location. But yeah, now
that I'm looking at show_registers(), we don't start dumping on precise
instruction boundary but simply 64 bytes in the default case. No time
for an instruction decoder along that path :).

> > which I could correlate with what I get here (comments added):
> 
> Yup. Close enough. Btw, it's often good to look at both the *.s code _and_ 
> the *.lst code. If you do "make mm/memory.lst", you'll find those big 
> constants easily, and then you'll see the code this way:

[..]

ok, I can't say that I'm a linux newbie but the .lst code is new to me.
Damn, and I thought I knew it all :)

> > so it looks like it tries to find a page table rooted at that address
> > but the pointer value of 0000000000002203 is bogus.
> 
> Yes, it does look like some strange page table corruption, doesn't look 
> anon_vma related at all. It's intriguing that it started happening now, 
> though, so..

Well, Parag said something about kexec kernel so it is definitely
interesting what he means there - a kexec-enabled kernel or is this the
"second" kernel his machine kexec'd into after a previous failure. I
think this could clarify the situation a bit.

Thanks for looking over the asm.

-- 
Regards/Gruss,
Boris.

More information about the kexec mailing list