2.6.34-rc4 : OOPS in unmap_vma
Vivek Goyal
vgoyal at redhat.com
Wed Apr 14 12:07:10 EDT 2010
On Wed, Apr 14, 2010 at 05:22:31PM +0200, Borislav Petkov wrote:
> From: Linus Torvalds <torvalds at linux-foundation.org>
> Date: Wed, Apr 14, 2010 at 07:32:08AM -0700
>
> Hi Linus,
>
> > On Wed, 14 Apr 2010, Borislav Petkov wrote:
> > >
> > > hmm, it doesn't look like it. Your code translates to something like
> > >
> > > 0: b8 00 00 00 00 mov $0x0,%eax
> > > 5: 80 ff ff cmp $0xff,%bh
> > > 8: ff 48 21 decl 0x21(%rax)
> > > b: 45 80 48 8b 45 rex.RB orb $0x45,-0x75(%r8)
> > > 10: 80 48 ff c8 orb $0xc8,-0x1(%rax)
> >
> > There's a large constant (0xffffff8000000000) in there at the beginning,
> > and the disassembly hasn't found the start of the next instruction very
> > cleanly. The same is true at the end: another large constant is cut off in
> > the middle.
> >
> > The byte just before the dumped instruction stream is almost certainly
> > '48h', and the last byte of the last constant is 0xff, and the disassembly
> > ends up being:
> >
> > 0: 48 b8 00 00 00 00 80 mov $0xffffff8000000000,%rax
> > 7: ff ff ff
> > a: 48 21 45 80 and %rax,-0x80(%rbp)
> > e: 48 8b 45 80 mov -0x80(%rbp),%rax
> > 12: 48 ff c8 dec %rax
> > 15: 48 3b 85 40 ff ff ff cmp -0xc0(%rbp),%rax
> > 1c: 48 8b 85 50 ff ff ff mov -0xb0(%rbp),%rax
> > 23: 48 0f 42 7d 80 cmovb -0x80(%rbp),%rdi
> > 28: 48 89 7d 80 mov %rdi,-0x80(%rbp)
> > 2c:* 48 8b 38 mov (%rax),%rdi <-- trapping instruction
> > 2f: 48 85 ff test %rdi,%rdi
> > 32: 0f 84 f5 04 00 00 je 0x52d
> > 38: 48 b8 fb 0f 00 00 00 mov $0xffffc00000000ffb,%rax
> > 3f: c0 ff ff
> >
> > But yes, you found the right spot (that 0xffffff8000000000 constant is
> > -549755813888 decimal):
>
> Right, the decodecode output looked kinda strange to me and I tried
> to match the instruction order and find the location. But yeah, now
> that I'm looking at show_registers(), we don't start dumping on precise
> instruction boundary but simply 64 bytes in the default case. No time
> for an instruction decoder along that path :).
>
> > > which I could correlate with what I get here (comments added):
> >
> > Yup. Close enough. Btw, it's often good to look at both the *.s code _and_
> > the *.lst code. If you do "make mm/memory.lst", you'll find those big
> > constants easily, and then you'll see the code this way:
>
> [..]
>
> ok, I can't say that I'm a linux newbie but the .lst code is new to me.
> Damn, and I thought I knew it all :)
>
> > > so it looks like it tries to find a page table rooted at that address
> > > but the pointer value of 0000000000002203 is bogus.
> >
> > Yes, it does look like some strange page table corruption, doesn't look
> > anon_vma related at all. It's intriguing that it started happening now,
> > though, so..
>
> Well, Parag said something about kexec kernel so it is definitely
> interesting what he means there - a kexec-enabled kernel or is this the
> "second" kernel his machine kexec'd into after a previous failure. I
> think this could clarify the situation a bit.
FWIW, Just a data point. I pulled in latest kernel and I can boot it
through BIOS as well as kexec boot on my x86_64 box.
Vivek
More information about the kexec
mailing list