Re: pv_ops - 2.6.26 - unable to handle kernel paging request

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jeremy Fitzhardinge <jeremy@goop.org>
To: "Christopher S. Aker" <caker@theshore.net>
Cc: virtualization@lists.linux-foundation.org,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: pv_ops - 2.6.26 - unable to handle kernel paging request
Date: Tue, 22 Jul 2008 11:46:54 -0700	[thread overview]
Message-ID: <48862B1E.8080208@goop.org> (raw)
In-Reply-To: <4885DACE.30600@theshore.net>

Christopher S. Aker wrote:
> Xen: 3.1.2 (or thereabouts), 64bit
> dom0: 2.6.18.8, pae
> pv-ops, 2.6.26

What's the .config for this kernel?  Do you know what /proc file it's 
trying to access at the time?

> BUG: unable to handle kernel paging request at 69746174

This is address is ascii "tati".  Likely to be use-after-free, though it 
could be the result of a wild write.

The code seems to correspond to the line:

		list_add(&page->lru,
			&zone->free_area[order].free_list[migratetype]);

so it suggests that either the zone freelist or the page structure is 
corrupted.

> IP: [<c015e221>] move_freepages+0x61/0xc0
> *pdpt = 0000000204ed6007
> Oops: 0002 [#1] SMP
> Modules linked in:
>
> Pid: 6859, comm: sh Not tainted (2.6.26-linode13 #1)
> EIP: 0061:[<c015e221>] EFLAGS: 00010002 CPU: 2
> EIP is at move_freepages+0x61/0xc0
> EAX: 69746174 EBX: 25413325 ECX: c158e038 EDX: 732e316d

EBX="%31%"
EDX="m1.~"

EAX, EBX and EDX are all loaded from the page structure, so it's 
definitely been hit with something.  Or perhaps the page pointer was 
wrong in the first place.  If page_order() gets corrupted for the page, 
then it could cause that loop to march off into nowhere.

Could you try again with DEBUG_PAGEALLOC turned on?

Thanks,
    J

> ESI: c158e020 EDI: 00000000 EBP: c158ffe0 ESP: ec2cddf8
> DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0069
> Process sh (pid: 6859, ti=ec2cc000 task=ecd3f400 task.ti=ec2cc000)
> Stack: c0630200 00000008 0002c7ff c1588000 c0630200 c158ffe0 c015e2ea 
> 00000001
> 00000001 00000001 c158f6e0 00000000 c0630200 c015e5d9 c0630a84 00000000
> c0630a84 00000000 00000008 00000000 c1587418 c0630200 00000018 0000001f
> Call Trace:
> [<c015e2ea>] move_freepages_block+0x6a/0x80
> [<c015e5d9>] __rmqueue+0x1a9/0x1e0
> [<c015e651>] rmqueue_bulk+0x41/0x70
> [<c015eae4>] get_page_from_freelist+0x464/0x490
> [<c015ebba>] __alloc_pages_internal+0xaa/0x460
> [<c015ef8f>] __alloc_pages+0xf/0x20
> [<c015f4bf>] __get_free_pages+0xf/0x20
> [<c01c015f>] proc_file_read+0x8f/0x2a0
> [<c01c00d0>] proc_file_read+0x0/0x2a0
> [<c01bb7ca>] proc_reg_read+0x5a/0x90
> [<c01801f1>] vfs_read+0xa1/0x160
> [<c01bb770>] proc_reg_read+0x0/0x90
> [<c0180551>] sys_read+0x41/0x70
> [<c0107256>] syscall_call+0x7/0xb
> =======================
> Code: cb 77 6f 8b 44 24 1c 89 de c1 e0 03 89 44 24 04 eb 07 83 c6 20 
> 39 f5 72 59 f6 46 02 04 74 f3 8d 4e 18 8b 56 18 8b 41 04 8b 5e 0c <89> 
> 10 89 42 04 8d 04 9b c7 46 18 00 01 10 00 8d 04 43 8b 14 24
> EIP: [<c015e221>] move_freepages+0x61/0xc0 SS:ESP 0069:ec2cddf8
> ---[ end trace 628f7b31d5a52105 ]---
>
> Kernel binary is located here:
>
> http://www.theshore.net/~caker/kernels/2.6.26-linode13
>
> -Chris

     prev parent reply	other threads:[~2008-07-22 18:47 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-07-22 13:04 pv_ops - 2.6.26 - unable to handle kernel paging request Christopher S. Aker
2008-07-22 14:56 ` Jeremy Fitzhardinge
2008-07-22 18:46 ` Jeremy Fitzhardinge
2008-07-22 18:46 ` Jeremy Fitzhardinge [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=48862B1E.8080208@goop.org \
    --to=jeremy@goop.org \
    --cc=caker@theshore.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=virtualization@lists.linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.