From: "H. Peter Anvin" <hpa@zytor.com>
To: George Spelvin <linux@horizon.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: 3.10.0 i386 uniprocessor panic
Date: Fri, 19 Jul 2013 15:25:13 -0700 [thread overview]
Message-ID: <51E9BCC9.7070909@zytor.com> (raw)
In-Reply-To: <20130719210036.5543.qmail@science.horizon.com>
On 07/19/2013 02:00 PM, George Spelvin wrote:
>>> EIP is at 0xc143a091
>>> EAX: c143a090 EBX: 00000100 ECX: f3150000 EDX: c143a090
>>> ESI: c143a090 EDI: c143a090 EBP: c143a090 ESP: f3151eec
>>> DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
>>> CR0: 80050033 CR2: a090c143 CR3: 331c6000 CR4: 000007d0
>>> DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
>>> DR6: ffff0ff0 DR7: 00000400
>
>>> (The CR2 value looks particularly odd.)
>
>> Indeed it does; it is a user space value, but it doesn't look like
>> either a normal user space value nor really as a trivially buggered-up
>> kernel pointer value, unless the 0xc143... at the bottom is the upper
>> half of a kernel pointer, in which case we probably obtained this value
>> from a corrupt, misaligned pointer.
>
> Er... I assumed you'd see instantly that it was the 0xc143a090 value
> that's in 5 registers (EAX/EDX/ESI/EDI/EBP), and IP-1, but with the
> halves swapped.
That would have requiring me to actually pay attention. I claim
undercaffeination.
> How the heck the halves got swapped is confusing me...
Disassembling the "code" (which is really data) makes it kind of obvious:
C143A090 90 nop
C143A091 A043C190A0 mov al,[0xa090c143] ; fault here
We jumped into data which contained a series of self-pointers
(presumably empty double-linked lists), and the first two bytes became
opcodes...
Unfortunately the disassembly of call_timer_fn.isra.37 doesn't really
tell us anything other than that the passed-in value of %eax was bogus.
It is *very* interesting, though, that that value is present in so many
registers (in fact, the ONLY GPRs which didn't have that value are %ebx
and %ecx, which are set by that function itself.)
A disassembly of the calling function, i.e.:
[<c1024524>] ? run_timer_softirq+0x150/0x165
... would be a good idea, at least.
-hpa
next prev parent reply other threads:[~2013-07-19 22:25 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-18 6:13 3.10.0 i386 uniprocessor panic George Spelvin
2013-07-18 8:18 ` Borislav Petkov
2013-07-19 13:21 ` Thomas Gleixner
2013-07-19 17:17 ` H. Peter Anvin
2013-07-19 21:00 ` George Spelvin
2013-07-19 22:25 ` H. Peter Anvin [this message]
2013-07-19 23:45 ` George Spelvin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51E9BCC9.7070909@zytor.com \
--to=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@horizon.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.