From: Sean <knife@toaster.net>
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	bugzilla-daemon@bugzilla.kernel.org, linux-media@vger.kernel.org,
	USB list <linux-usb@vger.kernel.org>, Ingo Molnar <mingo@elte.hu>,
	Thomas Gleixner <tglx@linutronix.de>,
	"H. Peter Anvin" <hpa@zytor.com>
Subject: Re: [Bugme-new] [Bug 14564] New: capture-example sleeping function called from invalid context at arch/x86/mm/fault.c
Date: Wed, 02 Dec 2009 21:48:01 -0800
Message-ID: <4B175111.9070800@toaster.net>
In-Reply-To: <Pine.LNX.4.44L0.0911121058210.3000-100000@iolanthe.rowland.org>

Is there anything I can do to help? This is a show stopping bug for me.

Thanks,
Sean Lazar

Alan Stern wrote:
> On Wed, 11 Nov 2009, Andrew Morton wrote:
>
>>> http://bugzilla.kernel.org/show_bug.cgi?id=14564
>>>
>>>            Summary: capture-example sleeping function called from invalid
>>>                     context at arch/x86/mm/fault.c
>
>> We oopsed in td_free() (see below).  But as part of that oops
>> processing the kernel entered do_page_fault() and emitted a
>> might_sleep() warning because we took a pagefault with local interrupts
>> disabled.
>>
>> This is undesirable behaviour from the low-level x86 fault code and I
>> don't think it normally happens.
>>
>> Did we break something in x86 land, or is this oops sufficiently weird
>> and whacky to bypass existing checks for this false positive?
>
> No, what happened was a structure containing a linked-list entry got
> freed while it was still on the list.  Then when the driver walked
> through the list, it attempted to dereference a list pointer that had
> been poisoned.  More or less by coincidence, the poison value
> represented a paged-out address rather than an invalid address, so a
> page fault occurred.  That's what caused the oops.
>
>>> BUG: unable to handle kernel paging request at a7a7a7c3
>>> IP: [<c11c5cef>] td_free+0x23/0x75
>
>>>  [<c1155a42>] ? tty_ldisc_deref+0x8/0xa
>>>  [<c1150c1c>] ? tty_write+0x1b1/0x1c2
>>>  [<c1152d69>] ? n_tty_write+0x0/0x2e6
>>>  [<c1150a6b>] ? tty_write+0x0/0x1c2
>>>  [<c106431d>] ? vfs_write+0xe3/0xfa
>>>  [<c1002858>] ? restore_all_notrace+0x0/0x18
>>>  [<c106e3e2>] ? sys_ioctl+0x2c/0x45
>>>  [<c1002825>] ? syscall_call+0x7/0xb
>>> Code: e5 e8 bf 7b e9 ff 5d c3 55 89 e5 57 89 c7 56 89 d6 53 8b 42 28 89 c2 c1
>>> ea 06 31 d0 83 e0 3f 8d 94 87 cc 00 00 00 eb 03 8d 50 1c <8b> 02 85 c0 74 0b 39
>>> EIP: [<c11c5cef>] td_free+0x23/0x75 SS:ESP 0068:c6785cb8
>>> CR2: 00000000a7a7a7c3
>> And here's the real oops.  drivers/usb/host/ohci-mem.c:td_free()
>> dereferenced a7a7a7c3.  Which looks like
>>
>> /********** drivers/base/dmapool.c **********/
>> #define	POOL_POISON_FREED	0xa7	/* !inuse */
>> #define	POOL_POISON_ALLOCATED	0xa9	/* !initted */
>
> If I'm reading this correctly, the bad dereference occurred in the
> second source line:
>
> 		prev = &(*prev)->td_hash;
> 	if (*prev)
>
> The original value in *prev was 0xa7a7a7a7 and the offset of td_hash is
> 0x1c, causing the offending address to be 0xa7a7a7c3.
>
> I have no idea why a struct td would have been freed while it was still
> in use.
>
> Alan Stern
>

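The mechanism Alan describes above (a struct td freed while still on its hash chain, the freed block filled with dmapool's 0xa7 poison, and the next chain walk faulting at poison + offsetof(td_hash) = 0xa7a7a7a7 + 0x1c = 0xa7a7a7c3) is reproduced below as an added example. This is not code from this thread, from the OHCI driver or from dmapool. It assumes a debug dmapool that fills freed blocks with POOL_POISON_FREED (the two dmapool values are the ones quoted in this thread; the slab values 0x5a and 0x6b are added from include/linux/poison.h), and it uses a two-field stand-in for struct td, so the field offsets differ from the real driver. The chain walk keeps the shape of td_free()'s loop but adds a poison check before following a link; the real td_free() has no such check, which is why it oopsed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Poison bytes quoted in this thread from drivers/base/dmapool.c. */
#define POOL_POISON_FREED     0xa7
#define POOL_POISON_ALLOCATED 0xa9

/* Address a 32-bit kernel faults on when it reads poison->field: a
 * pointer whose four bytes are all `poison`, plus the field's offset. */
static uint32_t poison_fault_addr32(uint8_t poison, uint32_t field_off)
{
    return (uint32_t)poison * 0x01010101u + field_off;
}

/* Inverse, for reading an oops: is `addr` a repeated-byte poison plus a
 * small struct offset?  Smallest offset wins; returns 0 if none matches. */
static int explain_fault_addr32(uint32_t addr, uint32_t max_off,
                                uint8_t *poison, uint32_t *off)
{
    for (uint32_t o = 0; o <= max_off; o++) {
        uint32_t base = addr - o;
        uint8_t b = (uint8_t)base;
        if (base == (uint32_t)b * 0x01010101u) {
            *poison = b;
            *off = o;
            return 1;
        }
    }
    return 0;
}

/* dmapool values are from this thread; 0x5a/0x6b are the slab
 * allocator's POISON_INUSE/POISON_FREE from include/linux/poison.h. */
static const char *poison_name(uint8_t b)
{
    switch (b) {
    case 0x00:                  return "NULL pointer (not a poison)";
    case POOL_POISON_FREED:     return "dmapool POOL_POISON_FREED";
    case POOL_POISON_ALLOCATED: return "dmapool POOL_POISON_ALLOCATED";
    case 0x5a:                  return "slab POISON_INUSE";
    case 0x6b:                  return "slab POISON_FREE";
    default:                    return "unknown";
    }
}

/* Stand-in for ohci's struct td: only the hash chain link matters here. */
struct td { uint32_t hwINFO; struct td *td_hash; };

/* True if every byte of the pointer value equals `poison`. */
static int ptr_is_poisoned(const void *p, uint8_t poison)
{
    uintptr_t v = (uintptr_t)p;
    for (size_t i = 0; i < sizeof v; i++)
        if (((v >> (8 * i)) & 0xff) != poison)
            return 0;
    return 1;
}

/* Walk the chain the way td_free() does (prev = &(*prev)->td_hash) but
 * refuse to follow a poisoned link.  Returns the number of entries walked
 * before a poisoned pointer was seen, or -1 if the chain ended at NULL. */
static int walk_chain_until_poison(struct td *head)
{
    int walked = 0;
    struct td **prev = &head->td_hash;
    while (*prev) {
        if (ptr_is_poisoned(*prev, POOL_POISON_FREED))
            return walked;          /* next link is freed memory: stop */
        prev = &(*prev)->td_hash;
        walked++;
    }
    return -1;
}

/* head -> a -> b, then a is freed while still linked (the bug described
 * in the thread).  A debug dmapool fills the block with POOL_POISON_FREED,
 * so a.td_hash becomes 0xa7a7a7a7... and the next walk reads through it.
 * With unlink_first != 0 the entry is removed before the free (correct). */
static int demo_free_td(int unlink_first)
{
    struct td head = {0, NULL}, a = {0, NULL}, b = {0, NULL};
    head.td_hash = &a;
    a.td_hash = &b;
    if (unlink_first)
        head.td_hash = a.td_hash;
    memset(&a, POOL_POISON_FREED, sizeof a);   /* "dma_pool_free(a)" */
    return walk_chain_until_poison(&head);
}

int main(void)
{
    uint8_t p;
    uint32_t off, cr2 = 0xa7a7a7c3;            /* CR2 from the oops above */
    if (explain_fault_addr32(cr2, 0x100, &p, &off))
        printf("%08x = %s (0x%02x) + offset 0x%x\n", cr2, poison_name(p), p, off);
    printf("0xa7 poison + td_hash at 0x1c -> %08x\n",
           poison_fault_addr32(POOL_POISON_FREED, 0x1c));
    printf("freed while linked: walk stopped after %d entry\n", demo_free_td(0));
    printf("unlinked first: walk returned %d\n", demo_free_td(1));
    return 0;
}
```

The first half is the triage step: when an oops address is a repeated byte plus a small offset, explain_fault_addr32() recovers the poison and the field offset, which points straight at a use-after-free rather than a wild pointer or a NULL dereference (the stack address c6785cb8 from the same oops yields no match). The second half shows why dmapool's poison only turns the bug into a crash: the stale entry is still reachable from the hash chain, so any later walker reads its poisoned td_hash.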