linux-kernel.vger.kernel.org archive mirror
From: Fengguang Wu <fengguang.wu@intel.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Network Development <netdev@vger.kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [vlan_device_event] BUG: unable to handle kernel paging request at 6b6b6ccf
Date: Wed, 8 Nov 2017 00:46:42 +0800
Message-ID: <20171107164642.3vtfmmahhmeshr6y@wfg-t540p.sh.intel.com>
In-Reply-To: <CA+55aFwqxZiN_XrZqvbtCsc8W=w895RaB1sjuVP1aTj8JStxzg@mail.gmail.com>

On Tue, Nov 07, 2017 at 08:25:03AM -0800, Linus Torvalds wrote:
>On Tue, Nov 7, 2017 at 2:21 AM, Fengguang Wu <fengguang.wu@intel.com> wrote:
>>
>> FYI this happens in v4.14-rc8 -- it's not necessarily a new bug.
>
>Probably not.
>
>Looks like a use-after-free bug in vlan_device_event() judging by the
>base pointer:
>
>    ECX: 6b6b6b6b
>
>this is one of those circumstances where having the faddr2line output
>for that EIP would make it much easier to see exactly which access it
>is that causes problems. There's lots of inlining going on, so without
>that it's a pain to figure out.
>
>The code is
>
>   0: 31 c0                xor    %eax,%eax
>   2: 8d 76 00              lea    0x0(%esi),%esi
>   5: 89 c2                mov    %eax,%edx
>   7: 89 c3                mov    %eax,%ebx
>   9: 81 e2 ff 0f 00 00    and    $0xfff,%edx
>   f: 89 d1                mov    %edx,%ecx
>  11: c1 fb 0c              sar    $0xc,%ebx
>  14: c1 e9 09              shr    $0x9,%ecx
>  17: 8d 0c d9              lea    (%ecx,%ebx,8),%ecx
>  1a: 8b 4c 8e 10          mov    0x10(%esi,%ecx,4),%ecx
>  1e: 85 c9                test   %ecx,%ecx
>  20: 74 34                je     0x56
>  22: 81 e2 ff 01 00 00    and    $0x1ff,%edx
>  28:* 8b 14 91              mov    (%ecx,%edx,4),%edx <-- trapping instruction
>  2b: 85 d2                test   %edx,%edx
>  2d: 74 27                je     0x56
>  2f: f6 82 30 01 00 00 01 testb  $0x1,0x130(%edx)
>  36: 74 1e                je     0x56
>
>and just by going by the constants in question (0xfff and 0x1ff), I
>can see that it's one of
>
>    vlan_group_for_each_dev(..) {
>        ...
>    }
>
>things, but that's pretty much all I can tell.
>
>Apparently we'll get that faddr2line output soon. In the meantime, I
>think this is a real bug report but I don't see enough information to
>really go on.

Got it. I should be able to get faddr2line output tomorrow.

>Of course, if it's bisectable, that would be great too.

It looks reproducible enough to be bisectable. I'll try.

Regards,
Fengguang
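
An added example, not code from this thread or from the kernel tree: it checks the reported ECX against the slab free-poison byte (POISON_FREE, 0x6b, in include/linux/poison.h) and works back from the fault address in the subject line to the index used by the trapping `mov (%ecx,%edx,4),%edx`. The helper names are hypothetical, and the recovered index is derived here, not quoted from the report.

```c
#include <stdint.h>
#include <stdio.h>

#define POISON_FREE 0x6b /* byte the slab debug code writes over freed objects */

/* True when all four bytes of a 32-bit register value are the free-poison byte. */
static int is_free_poison32(uint32_t v)
{
    return v == 0x01010101u * POISON_FREE;
}

/* For a faulting (base,index,scale) access, recover the index register from
 * the fault address. Returns -1 when the address cannot come from that base
 * and scale, which means the wrong instruction or register was picked. */
static long recover_index(uint32_t fault_addr, uint32_t base, uint32_t scale)
{
    if (scale == 0 || fault_addr < base || (fault_addr - base) % scale != 0)
        return -1;
    return (long)((fault_addr - base) / scale);
}

/* The index arithmetic visible in the quoted disassembly (and $0xfff,
 * sar $0xc, shr $0x9, and $0x1ff), applied to a loop counter i. The field
 * names are hypothetical labels for the three results. */
struct slot { uint32_t hi, part, offset; };

static struct slot split_counter(uint32_t i)
{
    uint32_t low12 = i & 0xfff;
    struct slot s = { i >> 12, low12 >> 9, low12 & 0x1ff };
    return s;
}

int main(void)
{
    uint32_t ecx = 0x6b6b6b6b;   /* base pointer quoted in the thread */
    uint32_t fault = 0x6b6b6ccf; /* paging-request address from the subject */
    long idx = recover_index(fault, ecx, 4);

    printf("ECX is free-poison: %s\n", is_free_poison32(ecx) ? "yes" : "no");
    printf("index into the freed array: %ld (0x%lx)\n", idx, (unsigned long)idx);

    /* Constructed counter whose low nine bits equal the recovered index. */
    struct slot s = split_counter(0x1259);
    printf("hi=%u part=%u offset=%u\n", s.hi, s.part, s.offset);
    return 0;
}
```

A base register that is entirely 0x6b means the pointer was loaded from memory that had already been freed and poisoned, which is why the fault address sits a small offset above 0x6b6b6b6b.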
