From: Borislav Petkov <bp@alien8.de>
To: Linus Torvalds <torvalds@linux-foundation.org>,
	Andrew Morton <akpm@linux-foundation.org>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Ugly rmap NULL ptr deref oopsie on hibernate (was Linux 2.6.34-rc3)
Date: Fri, 2 Apr 2010 19:59:37 +0200
Message-ID: <20100402175937.GA19690@liondog.tnic>
In-Reply-To: <alpine.LFD.2.00.1003301029250.3707@i5.linux-foundation.org>

Hi,

I've got the following oopsie two times now when hibernating - this
means, I don't get it every time I hibernate but only sometimes, say once
in a blue moon.

And yeah, I couldn't catch it over serial console so I had to make ugly
pictures. By the way, the numbers in the filenames increment as I scroll
down the whole oops (yep, it hadn't completely frozen and I still could
do Shift->PgUp or Shift->PgDn on the console):

http://www.kernel.org/pub/linux/kernel/people/bp/

So, here's what I could decipher from the oopsie, someone else who's
more knowledgeable in mm, rmap and anon_vma's list traversal should be
able to tell what goes wrong there.

EIP is at page_referenced+0xee

which is

<disasm>
    10c4:	41 01 c4             	add    %eax,%r12d
    10c7:	83 7d cc 00          	cmpl   $0x0,-0x34(%rbp)
    10cb:	74 19                	je     10e6 <page_referenced+0xff>
    10cd:	4d 8b 6d 20          	mov    0x20(%r13),%r13
    10d1:	49 83 ed 20          	sub    $0x20,%r13

    10d5:	49 8b 45 20          	mov    0x20(%r13),%rax		    <--------------

    10d9:	0f 18 08             	prefetcht0 (%rax)
    10dc:	49 8d 45 20          	lea    0x20(%r13),%rax
    10e0:	48 39 45 80          	cmp    %rax,-0x80(%rbp)
</disasm>


Corresponding asm:

<asm>
	.loc 1 496 0
	movq	32(%r13), %r13	# <variable>.same_anon_vma.next, __mptr.451
.LVL295:
	subq	$32, %r13	#, avc
.LVL296:
.L184:
.LBE1278:
	movq	32(%r13), %rax	# <variable>.same_anon_vma.next, <variable>.same_anon_vma.next			<----------------
	prefetcht0	(%rax)	# <variable>.same_anon_vma.next
	leaq	32(%r13), %rax	#, tmp97
	cmpq	%rax, -128(%rbp)	# tmp97, %sfp
	jne	.L187	#,
.L186:
	.loc 1 514 0
	movq	%r14, %rdi	# anon_vma,
	call	page_unlock_anon_vma	#
</asm>


and the NULL pointer in question is being written into %r13 and then 32
is subtracted from it (I'm guessing container_of()). This is consistent
with the register snapshot - %r13 contains 0xffffffffffffffe0 which is
-32 and with the code dump in the oops, in CIMG1640.JPG code points to
opcode 49 8b 45 20.

Which is the following piece of code in <mm/rmap.c:page_referenced_anon()>.

<source>

	mapcount = page_mapcount(page);
	list_for_each_entry(avc, &anon_vma->head, same_anon_vma) {
		struct vm_area_struct *vma = avc->vma;
		unsigned long address = vma_address(page, vma);
		if (address == -EFAULT)
			continue;

</source>

which tells us that same_anon_vma.next is NULL. Hmm...

-- 
Regards/Gruss,
    Boris.
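The arithmetic decoded in the mail above, as an added userspace example that is not part of the original message or of the kernel: a minimal re-creation of list_for_each_entry()/container_of() over a struct laid out like 2.6.34's anon_vma_chain, showing that a NULL same_anon_vma.next turns into the 0xffffffffffffffe0 entry pointer seen in %r13, beside a checked walk that reports the corruption instead of dereferencing it. The list helpers, the struct layout and the sample chain are assumptions modelled on the kernel's, not its code.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel's intrusive list primitives (assumed,
 * modelled on include/linux/list.h), enough to reproduce the oops arithmetic. */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member)                              \
    for (pos = container_of((head)->next, __typeof__(*pos), member);        \
         &pos->member != (head);                                            \
         pos = container_of(pos->member.next, __typeof__(*pos), member))

struct vm_area_struct;
struct anon_vma { struct list_head head; };

/* Same field order as 2.6.34's struct anon_vma_chain: on x86-64 this puts
 * same_anon_vma at offset 32, the 0x20 in the disassembly. */
struct anon_vma_chain {
    struct vm_area_struct *vma;
    struct anon_vma *anon_vma;
    struct list_head same_vma;
    struct list_head same_anon_vma;
};

static void init_list_head(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev;
    n->next = head;
    head->prev->next = n;
    head->prev = n;
}

/* Entry address the loop computes for a given same_anon_vma.next: container_of()
 * only subtracts the member offset, so a NULL link becomes -32, the %r13 value. */
uintptr_t entry_addr_for_next(const struct list_head *next)
{
    return (uintptr_t)next - offsetof(struct anon_vma_chain, same_anon_vma);
}

/* Walk the chain as page_referenced_anon() does, with no validation: a NULL
 * link is followed and the next load hits (-32 + 32) == address 0. */
int count_chain(struct anon_vma *av)
{
    struct anon_vma_chain *avc;
    int n = 0;
    list_for_each_entry(avc, &av->head, same_anon_vma)
        n++;
    return n;
}

/* Defensive walk in the spirit of CONFIG_DEBUG_LIST: check every link before
 * following it and report corruption (-1) instead of faulting. */
int count_chain_checked(struct anon_vma *av)
{
    const struct list_head *head = &av->head, *pos = head->next;
    int n = 0;
    while (pos != head) {
        if (pos == NULL || pos->next == NULL || pos->next->prev != pos)
            return -1;
        n++;
        pos = pos->next;
    }
    return n;
}

/* Constructed sample: a three-entry chain. With corrupt != 0 the last entry's
 * next link is cleared to mimic the state behind the oops, and only the
 * checked walk is used, since the unchecked one would fault. */
int walk_sample_chain(int corrupt)
{
    struct anon_vma av;
    struct anon_vma_chain avc[3];
    int i;
    init_list_head(&av.head);
    for (i = 0; i < 3; i++) {
        avc[i].vma = NULL;
        avc[i].anon_vma = &av;
        init_list_head(&avc[i].same_vma);
        list_add_tail(&avc[i].same_anon_vma, &av.head);
    }
    if (!corrupt)
        return count_chain(&av);
    avc[2].same_anon_vma.next = NULL;
    return count_chain_checked(&av);
}

int main(void)
{
    printf("entry for NULL next: 0x%" PRIxPTR "\n", entry_addr_for_next(NULL));
    printf("intact: %d entries, corrupted: %d\n",
           walk_sample_chain(0), walk_sample_chain(1));
    return 0;
}
```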

