From: Jens Axboe <jens.axboe@oracle.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ingo Molnar <mingo@elte.hu>,
linux-kernel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [bug] block subsystem related crash with latest -git
Date: Wed, 17 Oct 2007 18:59:53 +0200 [thread overview]
Message-ID: <20071017165949.GF15552@kernel.dk> (raw)
In-Reply-To: <alpine.LFD.0.999.0710170929270.26902@woody.linux-foundation.org>
On Wed, Oct 17 2007, Linus Torvalds wrote:
>
>
> On Wed, 17 Oct 2007, Ingo Molnar wrote:
> >
> > Jens, just got this crash on a testbox:
>
> The code in question is:
>
> mov %edx,0xc(%esp)
> mov (%ebx),%edi
> mov %edi,%edx
> sub %eax,%edx
> mov %edx,%eax
> sar $0x5,%eax
> shl $0xc,%eax
> add 0x8(%ebx),%eax
> cmp %eax,0xc(%esp)
> je +126
> mov 0x10(%esi),%eax <----- Oops
> lea 0x10(%esi),%edx
> test $0x1,%al
> jne +76
> mov %edi,(%esi)
> mov %ebp,0xc(%esi)
> mov 0x8(%ebx),%eax
> mov %eax,0x4(%esi)
>
>
> and it looks like %esi is overflowing from one page to the next one, ie:
>
> BUG: unable to handle kernel paging request at virtual address 7ca76000
> ESI: 7ca75ff0
>
> and you caught this thanks to page-alloc debugging again.
>
> I think I can match that up with the source code: that's "sg_next()". It's
> doing:
>
> sg++;
>
> if (unlikely(sg_is_chain(sg)))
> sg = sg_chain_ptr(sg);
>
> return sg;
>
> and the oopsing instruction is that load of "sg->page" in the assembly
> code:
>
> mov 0x10(%esi),%eax # %eax = sg->page
> lea 0x10(%esi),%edx # %edx = sg+1;
> test $0x1,%al # if (unlikely(sg_is_chain()))
> jne +76
>
> Jens?
Yep, that's what I came up with as well - I asked Ingo for a dump in
private, but ended up just using ksymoops to decode the line.
The way blk_rq_map_sg() operates is that it ends up doing a
next_sg = sg_next(sg);
even though sg may be the last entry. Perhaps this is crapping out,
although if sg is a valid address, then sg + 1 should be as well.
next_sg may end up being crap, in fact it will, but we'll never use that
unless there are more entries to fill. And if there is, then both sg and
next_sg were valid.
So nothing in for-linus should fix it, I'll try and come up with an
alternate way to assign next_sg so it's always valid.
--
Jens Axboe
next prev parent reply other threads:[~2007-10-17 17:00 UTC|newest]
Thread overview: 151+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-10-17 15:46 [bug] block subsystem related crash with latest -git Ingo Molnar
2007-10-17 15:50 ` Ingo Molnar
2007-10-17 16:32 ` Jens Axboe
2007-10-17 16:50 ` Linus Torvalds
2007-10-17 16:59 ` Jens Axboe [this message]
2007-10-17 17:08 ` Jens Axboe
2007-10-17 17:21 ` Jens Axboe
2007-10-17 17:29 ` Jens Axboe
2007-10-17 17:34 ` Ingo Molnar
2007-10-17 17:36 ` Jens Axboe
2007-10-17 17:45 ` [bug] ata " Ingo Molnar
2007-10-17 17:53 ` Jens Axboe
2007-10-17 17:55 ` Jens Axboe
2007-10-17 17:58 ` Ingo Molnar
2007-10-17 18:37 ` Jens Axboe
2007-10-17 19:04 ` Ingo Molnar
2007-10-17 19:08 ` Jens Axboe
2007-10-17 19:14 ` Ingo Molnar
2007-10-17 19:17 ` Ingo Molnar
2007-10-17 19:25 ` Jens Axboe
2007-10-17 19:25 ` Jens Axboe
2007-10-17 19:09 ` Ingo Molnar
2007-10-17 19:28 ` Linus Torvalds
2007-10-17 19:35 ` Jens Axboe
2007-10-17 19:45 ` Linus Torvalds
2007-10-17 19:56 ` Jens Axboe
2007-10-17 20:06 ` Jens Axboe
2007-10-17 20:24 ` Linus Torvalds
2007-10-17 20:31 ` Jens Axboe
2007-10-17 21:11 ` Linus Torvalds
2007-10-17 23:00 ` FUJITA Tomonori
2007-10-18 1:07 ` Linus Torvalds
2007-10-18 1:14 ` Jeff Garzik
2007-10-18 1:19 ` David Miller
2007-10-18 1:36 ` Linus Torvalds
2007-10-18 1:49 ` David Miller
2007-10-18 3:44 ` Mark Lord
2007-10-18 4:01 ` Linus Torvalds
2007-10-18 4:05 ` Mark Lord
2007-10-18 4:14 ` Jeff Garzik
2007-10-18 4:18 ` Mark Lord
2007-10-18 4:31 ` Jeff Garzik
2007-10-18 4:41 ` Mark Lord
2007-10-18 4:53 ` Linus Torvalds
2007-10-18 7:05 ` Jens Axboe
2007-10-18 13:13 ` Mark Lord
2007-10-18 13:23 ` Jens Axboe
2007-10-18 13:32 ` Mark Lord
2007-10-18 13:34 ` Jens Axboe
2007-10-18 13:59 ` Mark Lord
2007-10-18 14:04 ` Jens Axboe
2007-10-18 4:45 ` Linus Torvalds
2007-10-18 4:54 ` Mark Lord
2007-10-18 5:09 ` Mark Lord
2007-10-18 4:20 ` Linus Torvalds
2007-10-18 5:25 ` Mark Lord
2007-10-18 5:34 ` Mark Lord
2007-10-18 5:45 ` Jeff Garzik
2007-10-18 7:09 ` Jens Axboe
2007-10-18 7:30 ` Jeff Garzik
2007-10-18 8:21 ` Jens Axboe
2007-10-18 11:55 ` David Miller
2007-10-18 11:57 ` Jens Axboe
2007-10-18 12:05 ` David Miller
2007-10-18 12:09 ` Jens Axboe
2007-10-18 12:15 ` Jens Axboe
2007-10-18 12:36 ` David Miller
2007-10-18 12:39 ` Jens Axboe
2007-10-18 12:58 ` Benny Halevy
2007-10-18 13:56 ` Jens Axboe
2007-10-18 14:05 ` Jens Axboe
2007-10-18 14:16 ` Benny Halevy
2007-10-18 14:38 ` Jens Axboe
2007-10-18 14:58 ` Olof Johansson
2007-10-18 15:25 ` Jens Axboe
2007-10-18 12:58 ` Jens Axboe
2007-10-18 13:32 ` Jens Axboe
2007-10-18 13:49 ` Benny Halevy
2007-10-18 13:55 ` Jens Axboe
2007-10-18 13:51 ` Mark Lord
2007-10-18 13:58 ` Jens Axboe
2007-10-18 14:03 ` Mark Lord
2007-10-18 14:10 ` Mark Lord
2007-10-18 14:13 ` Mark Lord
2007-10-18 14:14 ` Jens Axboe
2007-10-18 16:55 ` Linus Torvalds
2007-10-18 17:01 ` Jens Axboe
2007-10-18 17:10 ` Jens Axboe
2007-10-18 17:10 ` Arjan van de Ven
2007-10-18 17:14 ` Jens Axboe
2007-10-19 8:59 ` FUJITA Tomonori
2007-10-18 19:20 ` Jeff Garzik
2007-10-17 20:51 ` Ingo Molnar
2007-10-17 19:49 ` Jens Axboe
2007-10-17 20:05 ` Ingo Molnar
2007-10-17 20:10 ` Linus Torvalds
2007-10-18 7:07 ` Ingo Molnar
2007-10-18 7:10 ` Jens Axboe
2007-10-18 8:22 ` Jeff Garzik
2007-10-18 8:32 ` Jens Axboe
2007-10-18 8:38 ` Jeff Garzik
2007-10-18 8:51 ` Jeff Garzik
2007-10-18 9:01 ` Jeff Garzik
[not found] ` <bd58e4af0710180210tcc0d31ep9d05a0f2e9d6df29@mail.gmail.com>
2007-10-18 9:14 ` Jeff Garzik
2007-10-18 9:17 ` Jens Axboe
2007-10-18 9:32 ` Jeff Garzik
2007-10-18 9:41 ` Jens Axboe
2007-10-18 10:04 ` Jeff Garzik
2007-10-18 10:10 ` Jens Axboe
2007-10-18 10:13 ` Ingo Molnar
2007-10-18 10:16 ` Jens Axboe
2007-10-18 10:17 ` Jens Axboe
2007-10-18 10:49 ` Ingo Molnar
2007-10-18 10:50 ` Jeff Garzik
2007-10-18 10:56 ` Jens Axboe
2007-10-18 10:42 ` [PATCH] " Jeff Garzik
2007-10-18 10:54 ` Ingo Molnar
2007-10-18 11:02 ` Jeff Garzik
2007-10-18 11:40 ` Ingo Molnar
2007-10-18 14:52 ` Olof Johansson
2007-10-20 11:55 ` Torsten Kaiser
2007-10-18 11:03 ` Ingo Molnar
2007-10-18 11:05 ` Jens Axboe
2007-10-17 19:42 ` Linus Torvalds
2007-10-17 19:55 ` Jens Axboe
2007-10-17 18:08 ` Linus Torvalds
2007-10-17 18:13 ` Ingo Molnar
2007-10-17 17:56 ` [bug] block " Linus Torvalds
2007-10-17 18:02 ` Jens Axboe
2007-10-17 18:13 ` Linus Torvalds
2007-10-17 18:20 ` Jens Axboe
2007-10-17 18:58 ` Linus Torvalds
2007-10-17 19:03 ` Jens Axboe
2007-10-17 19:15 ` Linus Torvalds
2007-10-17 18:02 ` Ingo Molnar
2007-10-17 18:14 ` Linus Torvalds
2007-10-17 20:15 ` Luca Tettamanti
2007-10-17 17:30 ` Ingo Molnar
2007-10-17 17:31 ` Jens Axboe
2007-10-17 17:28 ` Ingo Molnar
2007-10-17 17:52 ` Linus Torvalds
2007-10-17 18:00 ` Jens Axboe
2007-10-17 18:18 ` Linus Torvalds
2007-10-17 18:22 ` Jens Axboe
2007-10-18 10:52 ` Benny Halevy
2007-10-18 10:55 ` Jens Axboe
2007-10-18 12:03 ` David Miller
2007-10-18 12:28 ` Jens Axboe
2007-10-17 18:22 ` Linus Torvalds
2007-10-17 18:40 ` Jens Axboe
2007-10-17 17:11 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20071017165949.GF15552@kernel.dk \
--to=jens.axboe@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox