From: Carsten Emde <C.Emde@osadl.org>
To: Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
Fernando Lopez-Lezcano <nando@ccrma.Stanford.EDU>
Cc: linux-rt-users <linux-rt-users@vger.kernel.org>,
Steven Rostedt <rostedt@goodmis.org>
Subject: Re: 3.10.20-rt17, BUG and Oops
Date: Sat, 30 Nov 2013 23:47:25 +0100 [thread overview]
Message-ID: <529A6AFD.9020308@osadl.org> (raw)
In-Reply-To: <20131130203920.GB24080@linutronix.de>
Sebastian,
>> # addr2line -e vmlinux 0xffffffff81298301
>> /usr/src/kernels/linux-3.12.0-rt2/drivers/acpi/ec.c:186
>>
>> if (t->wlen > t->wi) {
>> if ((status & ACPI_EC_FLAG_IBF) == 0)
>> acpi_ec_write_data(ec,
>> ----> t->wdata[t->wi++]);
>> else
>> goto err;
>
> based on the assembly, I *think* this is
> t->wdata[x]
>
> wher X is outside of wdata's range. But then the pointer is almost
> NULL.
Note the offensive addresses of the two crashes
2013-11-26-23.28
unable to handle kernel paging request at 000000000000809b
2013-11-12-08.15
unable to handle kernel NULL pointer dereference at 000000000000007a
it looks like the write data pointer t->wdata was overwritten - in the
first case by 0x8000 and in the second case by 0.
> Is this any help?
>
> diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
> index a06d983..d3add07 100644
> --- a/drivers/acpi/ec.c
> +++ b/drivers/acpi/ec.c
> @@ -175,16 +175,19 @@ static void start_transaction(struct acpi_ec *ec)
> static void advance_transaction(struct acpi_ec *ec, u8 status)
> {
> unsigned long flags;
> - struct transaction *t = ec->curr;
> + struct transaction *t;
>
> spin_lock_irqsave(&ec->lock, flags);
> + t = ec->curr;
Looks like a race - did you find a place where ec->curr->wdata could be
overwritten? The small size of the potential race window may explain why
it took a couple of days to trigger it.
Will apply the fix and the warning - let's see.
Thanks.
-Carsten.
next prev parent reply other threads:[~2013-11-30 22:53 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-30 7:56 3.10.20-rt17, BUG and Oops Fernando Lopez-Lezcano
2013-11-30 16:40 ` Carsten Emde
2013-11-30 20:39 ` Sebastian Andrzej Siewior
2013-11-30 22:47 ` Carsten Emde [this message]
2013-12-02 8:27 ` Sebastian Andrzej Siewior
2013-12-15 14:53 ` Sebastian Andrzej Siewior
2013-12-15 23:50 ` Carsten Emde
2013-12-16 8:09 ` Sebastian Andrzej Siewior
2013-12-21 21:23 ` Carsten Emde
2013-12-17 19:40 ` Fernando Lopez-Lezcano
2013-12-17 19:42 ` Sebastian Andrzej Siewior
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=529A6AFD.9020308@osadl.org \
--to=c.emde@osadl.org \
--cc=bigeasy@linutronix.de \
--cc=linux-rt-users@vger.kernel.org \
--cc=nando@ccrma.Stanford.EDU \
--cc=rostedt@goodmis.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).