From: Brian Gerst <bgerst@didntduck.org>
To: stas.orel@mailcity.com
Cc: linux-kernel@vger.kernel.org
Subject: Re: Oops in 2.2.20, 100% reproduceable and fully tracked
Date: Tue, 11 Dec 2001 14:40:30 -0500 [thread overview]
Message-ID: <3C16612E.CEE55592@didntduck.org> (raw)
In-Reply-To: <01121121200600.00906@localhost.localdomain>
Stas Sergeev wrote:
>
> Hello.
>
> When I am trying to start one weird program under dosemu, I always get an Oops.
> I have tracked this Oops down to a line of a source code in the kernel, see
> below.
>
> At first, the Oops itself:
> ---
> ksymoops 2.4.3 on i686 2.2.20. Options used
> -V (default)
> -k /proc/ksyms (default)
> -l /proc/modules (default)
> -o /lib/modules/2.2.20/ (default)
> -m /boot/System.map (specified)
>
> Dec 2 21:04:05 localhost kernel: Unable to handle kernel paging request at virtual address 000078c3
> Dec 2 21:04:05 localhost kernel: current->tss.cr3 = 0ad2f000, %cr3 = 0ad2f000
> Dec 2 21:04:05 localhost kernel: *pde = 0b802067
> Dec 2 21:04:05 localhost kernel: Oops: 0003
> Dec 2 21:04:05 localhost kernel: CPU: 0
> Dec 2 21:04:05 localhost kernel: EIP: 0010:[handle_vm86_fault+1149/2212]
> Dec 2 21:04:05 localhost kernel: EFLAGS: 00010206
> Dec 2 21:04:05 localhost kernel: eax: 00000009 ebx: 00003013 ecx: 00000020 edx: 00000021
> Dec 2 21:04:05 localhost kernel: esi: 000000f3 edi: 000077d0 ebp: 000c39e0 esp: cad31ea8
> Dec 2 21:04:05 localhost kernel: ds: 0018 es: 0018 ss: 0018
> Dec 2 21:04:05 localhost kernel: Process xdos (pid: 872, process nr: 57, stackpage=cad31000)
> Dec 2 21:04:05 localhost kernel: Stack: 000077d0 000000f4 00003013 000c39e0 00002827 cad31f00 00000000 c010a8cc
> Dec 2 21:04:05 localhost kernel: 00009fff 00000000 00000000 cad30000 cad30000 00002827 c010a90f cad31f00
> Dec 2 21:04:05 localhost kernel: 00000000 cad30000 00000000 c010a05d cad31f00 00000000 00000001 00000005
> Dec 2 21:04:05 localhost kernel: Call Trace: [do_general_protection+0/116] [do_general_protection+67/116] [error_code+53/64] [system_call+52/56]
> Dec 2 21:04:06 localhost kernel: Code: 88 7c 37 00 66 4e 88 5c 37 00 68 9d eb 1b c0 e8 3f 8b 00 00
> Using defaults from ksymoops -t elf32-i386 -a i386
>
> Code; 00000000 Before first symbol
> 00000000 <_EIP>:
> Code; 00000000 Before first symbol
> 0: 88 7c 37 00 mov %bh,0x0(%edi,%esi,1)
> Code; 00000004 Before first symbol
> 4: 66 4e dec %si
> Code; 00000006 Before first symbol
> 6: 88 5c 37 00 mov %bl,0x0(%edi,%esi,1)
> Code; 0000000a Before first symbol
> a: 68 9d eb 1b c0 push $0xc01beb9d
> Code; 0000000e Before first symbol
> f: e8 3f 8b 00 00 call 8b53 <_EIP+0x8b53> 00008b52 Before first symbol
> ---
>
> The faulting code is here:
> arch/i386/kernel/vm86.c:341:
> ---
> #define pushw(base, ptr, val) \
> __asm__ __volatile__( \
> "decw %w0\n\t" \
> "movb %h2,0(%1,%0)\n\t" \ <-- fault is HERE!
> "decw %w0\n\t" \
> "movb %b2,0(%1,%0)" \
> : "=r" (ptr) \
> : "r" (base), "q" (val), "0" (ptr))
> ---
>
> It is executed here, when it GPFs:
> vm86.c:509:
> ---
> case 0x9c:
> SP(regs) -= 2;
> IP(regs)++;
> pushw(ssp, sp, get_vflags(regs)); <--handle_vm86_fault+1149/2212
> VM86_FAULT_RETURN;
> ---
>
> The registers:
> ebx contains 0x3013. This is the value returned by get_vflags(regs).
> edi=0x77d0 and esi=0xf3 contains dosemu's ss and sp.
> So virtual flags are going to be moved to ss:sp to simulate pushf.
> This all seems OK to me and I don't understand why the code
> mov %bh,0x0(%edi,%esi,1)
> can raise GPF with such values in regs.
>
> So, I have collected all the info I ever could from this Oops, but I still
> don't see a bug. I hope someone can help me.
> Any ideas such as how this code (atleast theoretically) can raise GPF?
> Any suggestions such as how can I collect more info on this subject?
>
> I am pretty shure I can reproduce this Oops at any kernel, atleast at any 2.2.x,
> but currently I am using 2.2.20.
Your virtual stack pointer went into a page that's not mapped. The bug
is that we're touching user space without a fault handler, causing an
oops instead of a seg fault. I'll look into cleaning that mess up to
use proper get/put_user macros.
--
Brian Gerst
prev parent reply other threads:[~2001-12-11 19:41 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2001-12-11 17:41 Oops in 2.2.20, 100% reproduceable and fully tracked Stas Sergeev
2001-12-11 19:40 ` Brian Gerst [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3C16612E.CEE55592@didntduck.org \
--to=bgerst@didntduck.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stas.orel@mailcity.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.