public inbox for linux-kernel@vger.kernel.org
* OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0
@ 2005-07-03  8:41 Miles Lane
  2005-07-06 22:27 ` Andrew Morton
  2005-07-07 10:31 ` Dave Airlie
  0 siblings, 2 replies; 14+ messages in thread
From: Miles Lane @ 2005-07-03  8:41 UTC
  To: LKML

mtrr: base(0xe8020000) is not aligned on a size(0x3c0000) boundary
[drm:drm_unlock] *ERROR* Process 4470 using kernel context 0
mtrr: 0xe8000000,0x8000000 overlaps existing 0xe8000000,0x1000000
Unable to handle kernel paging request at virtual address 5f78735f
 printing eip:
c01abbf9
*pde = 00000000
Oops: 0002 [#1]
PREEMPT
Modules linked in: pcmcia container ipv6 af_packet ohci1394
yenta_socket rsrc_nonstatic pcmcia_core ipw2200 ieee80211
ieee80211_crypt 8139too mii snd_intel8x0 snd_ac97_codec snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc ehci_hcd
uhci_hcd usbcore rtc nls_cp437 sbp2 scsi_mod ieee1394 psmouse ide_cd
cdrom
CPU:    0
EIP:    0060:[<c01abbf9>]    Not tainted VLI
EFLAGS: 00010246   (2.6.13-rc1-mm1)
EIP is at sysfs_release+0x49/0xb0
eax: 5f78725f   ebx: 5f78725f   ecx: 00000001   edx: f7662000
esi: c19520a4   edi: f70b8a80   ebp: f7663f3c   esp: f7663f2c
ds: 007b   es: 007b   ss: 0068
Process hald (pid: 4736, threadinfo=f7662000 task=f7c97a80)
Stack: c19520a4 00000010 f70d2d80 f7703174 f7663f68 c0169a5a f7703174 f70d2d80
       00000000 00000000 c1894180 f7715c8c f70d2d80 c1bcd900 00000000 f7663f78
       c016985a f70d2d80 f70d2d80 f7663f94 c0167dcb f70d2d80 c1bcd900 00000010
Call Trace:
 [<c010415f>] show_stack+0x7f/0xa0
 [<c0104314>] show_registers+0x164/0x1d0
 [<c010452d>] die+0xed/0x180
 [<c0119314>] do_page_fault+0x344/0x68d
 [<c0103d6f>] error_code+0x4f/0x54
 [<c0169a5a>] __fput+0x1da/0x1f0
 [<c016985a>] fput+0x2a/0x50
 [<c0167dcb>] filp_close+0x4b/0x80
 [<c0167e7a>] sys_close+0x7a/0xb0
 [<c010326b>] sysenter_past_esp+0x54/0x75
Code: 85 f6 8b 40 14 8b 58 04 74 08 89 34 24 e8 60 a3 07 00 85 db 74
38 b8 01 00 00 00 e8 b2 25 f7 ff e8 ed f2 07 00 c1 e0 07 8d 04 18 <ff>
88 00 01 00 00 83 3b 02 74 43 b8 01 00 00 00 e8 d2 25 f7 ff
 <6>note: hald[4736] exited with preempt_count 1
scheduling while atomic: hald/0x10000001/4736
 [<c010419e>] dump_stack+0x1e/0x30
 [<c0362052>] schedule+0x682/0x690
 [<c0362a5f>] cond_resched+0x2f/0x50
 [<c015738d>] unmap_vmas+0x16d/0x200
 [<c015c2c1>] exit_mmap+0x81/0x170
 [<c011f982>] mmput+0x42/0x110
 [<c0123f63>] exit_mm+0xe3/0x110
 [<c0124980>] do_exit+0x100/0x550
 [<c01045bf>] die+0x17f/0x180
 [<c0119314>] do_page_fault+0x344/0x68d
 [<c0103d6f>] error_code+0x4f/0x54
 [<c0169a5a>] __fput+0x1da/0x1f0
 [<c016985a>] fput+0x2a/0x50
 [<c0167dcb>] filp_close+0x4b/0x80
 [<c0167e7a>] sys_close+0x7a/0xb0
 [<c010326b>] sysenter_past_esp+0x54/0x75
eth1: no IPv6 routers present

CONFIG_PREEMPT=y
CONFIG_PREEMPT_BKL=y
CONFIG_X86_UP_APIC=y
CONFIG_X86_UP_IOAPIC=y
CONFIG_X86_LOCAL_APIC=y
CONFIG_X86_IO_APIC=y
CONFIG_X86_TSC=y
CONFIG_X86_MCE=y
CONFIG_X86_MCE_NONFATAL=y
CONFIG_X86_MCE_P4THERMAL=y
CONFIG_TOSHIBA=m
CONFIG_I8K=m
CONFIG_MICROCODE=m
CONFIG_X86_MSR=m
CONFIG_X86_CPUID=m

#
# Firmware Drivers
#
CONFIG_HIGHMEM4G=y
CONFIG_HIGHMEM=y
CONFIG_SELECT_MEMORY_MODEL=y
CONFIG_FLATMEM_MANUAL=y
CONFIG_FLATMEM=y
CONFIG_FLAT_NODE_MEM_MAP=y
CONFIG_HIGHPTE=y
CONFIG_MATH_EMULATION=y
CONFIG_MTRR=y
CONFIG_EFI=y
CONFIG_HAVE_DEC_LOCK=y
CONFIG_BOOT_IOREMAP=y

CONFIG_ACPI=y
CONFIG_ACPI_BOOT=y
CONFIG_ACPI_INTERPRETER=y
CONFIG_ACPI_SLEEP=y
CONFIG_ACPI_SLEEP_PROC_FS=y
CONFIG_ACPI_AC=y
CONFIG_ACPI_BATTERY=y
CONFIG_ACPI_BUTTON=y
CONFIG_ACPI_VIDEO=y
CONFIG_ACPI_HOTKEY=y
CONFIG_ACPI_FAN=y
CONFIG_ACPI_PROCESSOR=y
CONFIG_ACPI_THERMAL=y
CONFIG_ACPI_BLACKLIST_YEAR=0
CONFIG_ACPI_BUS=y
CONFIG_ACPI_EC=y
CONFIG_ACPI_POWER=y
CONFIG_ACPI_PCI=y
CONFIG_ACPI_SYSTEM=y
CONFIG_X86_PM_TIMER=y
CONFIG_ACPI_CONTAINER=m

CONFIG_AGP=y
CONFIG_AGP_INTEL=y
CONFIG_DRM=y
CONFIG_DRM_I830=y

CONFIG_I2C=y
CONFIG_I2C_CHARDEV=y

#
# I2C Algorithms
#
CONFIG_I2C_ALGOBIT=y
CONFIG_I2C_ALGOPCF=y
CONFIG_I2C_ALGOPCA=y

#
# I2C Hardware Bus support
#
CONFIG_I2C_I801=y
CONFIG_I2C_I810=y
CONFIG_I2C_ISA=m

CONFIG_FB=y
CONFIG_FB_CFB_FILLRECT=y
CONFIG_FB_CFB_COPYAREA=y
CONFIG_FB_CFB_IMAGEBLIT=y
CONFIG_FB_SOFT_CURSOR=y
CONFIG_FB_MODE_HELPERS=y
CONFIG_FB_TILEBLITTING=y
CONFIG_FB_VESA=y
CONFIG_VIDEO_SELECT=y

0000:00:00.0 Host bridge: Intel Corp. 82852/855GM Host Bridge (rev 02)
0000:00:00.1 System peripheral: Intel Corp. 855GM/GME GMCH Memory I/O
Control Registers (rev 02)
0000:00:00.3 System peripheral: Intel Corp. 855GM/GME GMCH
Configuration Process Registers (rev 02)
0000:00:02.0 VGA compatible controller: Intel Corp. 82852/855GM
Integrated Graphics Device (rev 02)
0000:00:02.1 Display controller: Intel Corp. 82852/855GM Integrated
Graphics Device (rev 02)
0000:00:1d.0 USB Controller: Intel Corp. 82801DB/DBL/DBM
(ICH4/ICH4-L/ICH4-M) USB UHCI Controller #1 (rev 03)
0000:00:1d.1 USB Controller: Intel Corp. 82801DB/DBL/DBM
(ICH4/ICH4-L/ICH4-M) USB UHCI Controller #2 (rev 03)
0000:00:1d.2 USB Controller: Intel Corp. 82801DB/DBL/DBM
(ICH4/ICH4-L/ICH4-M) USB UHCI Controller #3 (rev 03)
0000:00:1d.7 USB Controller: Intel Corp. 82801DB/DBM (ICH4/ICH4-M) USB
2.0 EHCI Controller (rev 03)
0000:00:1e.0 PCI bridge: Intel Corp. 82801 PCI Bridge (rev 83)
0000:00:1f.0 ISA bridge: Intel Corp. 82801DBM LPC Interface Controller (rev 03)
0000:00:1f.1 IDE interface: Intel Corp. 82801DBM (ICH4) Ultra ATA
Storage Controller (rev 03)
0000:00:1f.3 SMBus: Intel Corp. 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M)
SMBus Controller (rev 03)
0000:00:1f.5 Multimedia audio controller: Intel Corp. 82801DB/DBL/DBM
(ICH4/ICH4-L/ICH4-M) AC'97 Audio Controller (rev 03)
0000:00:1f.6 Modem: Intel Corp. 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M)
AC'97 Modem Controller (rev 03)
0000:02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd.
RTL-8139/8139C/8139C+ (rev 10)
0000:02:06.0 Network controller: Intel Corp. PRO/Wireless 2200BG (rev 05)
0000:02:09.0 CardBus bridge: Texas Instruments: Unknown device 8031
0000:02:09.2 FireWire (IEEE 1394): Texas Instruments: Unknown device 8032
0000:02:09.3 Unknown mass storage controller: Texas Instruments:
Unknown device 8033
0000:02:09.4 0805: Texas Instruments: Unknown device 8034


* Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0
  2005-07-03  8:41 OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0 Miles Lane
@ 2005-07-06 22:27 ` Andrew Morton
  2005-07-07  1:41   ` Schneelocke
  2005-07-07 10:31 ` Dave Airlie
  1 sibling, 1 reply; 14+ messages in thread
From: Andrew Morton @ 2005-07-06 22:27 UTC
  To: Miles Lane; +Cc: linux-kernel

Miles Lane <miles.lane@gmail.com> wrote:
>
> mtrr: base(0xe8020000) is not aligned on a size(0x3c0000) boundary
> [drm:drm_unlock] *ERROR* Process 4470 using kernel context 0
> mtrr: 0xe8000000,0x8000000 overlaps existing 0xe8000000,0x1000000
> Unable to handle kernel paging request at virtual address 5f78735f
>  printing eip:
> c01abbf9
> *pde = 00000000
> Oops: 0002 [#1]
> PREEMPT
> Modules linked in: pcmcia container ipv6 af_packet ohci1394
> yenta_socket rsrc_nonstatic pcmcia_core ipw2200 ieee80211
> ieee80211_crypt 8139too mii snd_intel8x0 snd_ac97_codec snd_pcm_oss
> snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc ehci_hcd
> uhci_hcd usbcore rtc nls_cp437 sbp2 scsi_mod ieee1394 psmouse ide_cd
> cdrom
> CPU:    0
> EIP:    0060:[<c01abbf9>]    Not tainted VLI
> EFLAGS: 00010246   (2.6.13-rc1-mm1)
> EIP is at sysfs_release+0x49/0xb0
> eax: 5f78725f   ebx: 5f78725f   ecx: 00000001   edx: f7662000
> esi: c19520a4   edi: f70b8a80   ebp: f7663f3c   esp: f7663f2c
> ds: 007b   es: 007b   ss: 0068
> Process hald (pid: 4736, threadinfo=f7662000 task=f7c97a80)
> Stack: c19520a4 00000010 f70d2d80 f7703174 f7663f68 c0169a5a f7703174 f70d2d80
>        00000000 00000000 c1894180 f7715c8c f70d2d80 c1bcd900 00000000 f7663f78
>        c016985a f70d2d80 f70d2d80 f7663f94 c0167dcb f70d2d80 c1bcd900 00000010
> Call Trace:
>  [<c010415f>] show_stack+0x7f/0xa0
>  [<c0104314>] show_registers+0x164/0x1d0
>  [<c010452d>] die+0xed/0x180
>  [<c0119314>] do_page_fault+0x344/0x68d
>  [<c0103d6f>] error_code+0x4f/0x54
>  [<c0169a5a>] __fput+0x1da/0x1f0
>  [<c016985a>] fput+0x2a/0x50
>  [<c0167dcb>] filp_close+0x4b/0x80
>  [<c0167e7a>] sys_close+0x7a/0xb0
>  [<c010326b>] sysenter_past_esp+0x54/0x75

It's irritating that when some driver screws up its sysfs handling, the
trace leaves no indication which driver it was.

One thing you could do is to disable `hald' (what is that anyway?) by
renaming it and try to get the system to boot.  Then run `hald' by hand,
under strace, work out which sysfs file it was trying to close.


* Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0
  2005-07-06 22:27 ` Andrew Morton
@ 2005-07-07  1:41   ` Schneelocke
  0 siblings, 0 replies; 14+ messages in thread
From: Schneelocke @ 2005-07-07  1:41 UTC
  To: Andrew Morton; +Cc: Miles Lane, linux-kernel

On 07/07/05, Andrew Morton <akpm@osdl.org> wrote:
> One thing you could do is to disable `hald' (what is that anyway?) by
> renaming it and try to get the system to boot.  Then run `hald' by hand,
> under strace, work out which sysfs file it was trying to close.

Probably the Hardware Abstraction Layer [1] daemon.

1. http://freedesktop.org/wiki/Software_2fhal
-- 
schnee


* Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0
  2005-07-03  8:41 OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0 Miles Lane
  2005-07-06 22:27 ` Andrew Morton
@ 2005-07-07 10:31 ` Dave Airlie
  2005-07-07 14:56   ` Miles Lane
  2005-07-11  4:26   ` Miles Lane
  1 sibling, 2 replies; 14+ messages in thread
From: Dave Airlie @ 2005-07-07 10:31 UTC
  To: Miles Lane; +Cc: LKML

On 7/3/05, Miles Lane <miles.lane@gmail.com> wrote:
> mtrr: base(0xe8020000) is not aligned on a size(0x3c0000) boundary
> [drm:drm_unlock] *ERROR* Process 4470 using kernel context 0
> mtrr: 0xe8000000,0x8000000 overlaps existing 0xe8000000,0x1000000
> Unable to handle kernel paging request at virtual address 5f78735f

That is a bit suspicious.. what distro/X are you using? if you are
running a newer X (I think anything after XFree86 4.3) you should be
using the i915 DRM not the i830..

Dave.


* Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0
  2005-07-07 10:31 ` Dave Airlie
@ 2005-07-07 14:56   ` Miles Lane
  2005-07-11  4:26   ` Miles Lane
  1 sibling, 0 replies; 14+ messages in thread
From: Miles Lane @ 2005-07-07 14:56 UTC
  To: Dave Airlie; +Cc: LKML

Hmm, in my Xorg log I find this:

(II) I810(0): [drm] created "i915" driver at busid "pci:0000:00:02.0"
(WW) I810(0): i830 Kernel module detected, Use the i915 Kernel module
instead, aborting DRI init.

(II) I810(0): [drm] DRM interface version 1.2
(II) I810(0): [drm] created "i915" driver at busid "pci:0000:00:02.0"
(II) I810(0): [drm] added 8192 byte SAREA at 0xf916e000
(II) I810(0): [drm] mapped SAREA 0xf916e000 to 0xb7d38000
(II) I810(0): [drm] framebuffer handle = 0xe8020000
(II) I810(0): [drm] added 1 reserved context for kernel
(II) I810(0): [drm] removed 1 reserved context for kernel
(II) I810(0): [drm] unmapping 8192 bytes of SAREA 0xf916e000 at 0xb7d38000




On 7/7/05, Dave Airlie <airlied@gmail.com> wrote:
> On 7/3/05, Miles Lane <miles.lane@gmail.com> wrote:
> > mtrr: base(0xe8020000) is not aligned on a size(0x3c0000) boundary
> > [drm:drm_unlock] *ERROR* Process 4470 using kernel context 0
> > mtrr: 0xe8000000,0x8000000 overlaps existing 0xe8000000,0x1000000
> > Unable to handle kernel paging request at virtual address 5f78735f
> 
> That is a bit suspicious.. what distro/X are you using? if you are
> running a newer X (I think anything after XFree86 4.3) you should be
> using the i915 DRM not the i830..
> 
> Dave.
>


* Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0
  2005-07-07 10:31 ` Dave Airlie
  2005-07-07 14:56   ` Miles Lane
@ 2005-07-11  4:26   ` Miles Lane
  2005-07-13  7:17     ` Dave Airlie
  1 sibling, 1 reply; 14+ messages in thread
From: Miles Lane @ 2005-07-11  4:26 UTC
  To: Dave Airlie; +Cc: LKML

On Thu, 2005-07-07 at 20:31 +1000, Dave Airlie wrote:
> On 7/3/05, Miles Lane <miles.lane@gmail.com> wrote:
> > mtrr: base(0xe8020000) is not aligned on a size(0x3c0000) boundary
> > [drm:drm_unlock] *ERROR* Process 4470 using kernel context 0
> > mtrr: 0xe8000000,0x8000000 overlaps existing 0xe8000000,0x1000000
> > Unable to handle kernel paging request at virtual address 5f78735f
> 
> That is a bit suspicious.. what distro/X are you using? if you are
> running a newer X (I think anything after XFree86 4.3) you should be
> using the i915 DRM not the i830..

Thanks Dave,

I switched to the i915 kernel driver and still got the OOPS.
I also continue to get the overlapping mtrr message.  I am currently
testing 2.6.13-rc2-git3.  I have tried to run strace with hald, but
cannot reproduce the problem this way.  I am not sure I am invoking the
command correctly.  I have written to the hal developers, but have not
received a response yet.  Here's the current output:

mtrr: base(0xe8020000) is not aligned on a size(0x3c0000) boundary
mtrr: 0xe8000000,0x8000000 overlaps existing 0xe8000000,0x1000000
apm: BIOS version 1.2 Flags 0x03 (Driver version 1.16ac)
apm: overridden by ACPI.
Unable to handle kernel paging request at virtual address 5f78735f
 printing eip:
c01e491a
*pde = 00000000
Oops: 0002 [#1]
PREEMPT
Modules linked in: pcmcia ipv6 af_packet ohci1394 yenta_socket
rsrc_nonstatic pcmcia_core ipw2200 firmware_class ieee80211
ieee80211_crypt 8139too mii snd_intel8x0 snd_ac97_codec snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc i2c_i801
uhci_hcd rtc nls_cp437 sbp2 ieee1394 psmouse ide_cd cdrom
CPU:    0
EIP:    0060:[<c01e491a>]    Not tainted VLI
EFLAGS: 00010206   (2.6.13-rc2-git3)
EIP is at sysfs_release+0x4e/0xa6
eax: 5f78735f   ebx: c1b0e268   ecx: 00000001   edx: c9138000
esi: 5f78725f   edi: c93dfde0   ebp: c9139f3c   esp: c9139f2c
ds: 007b   es: 007b   ss: 0068
Process hald (pid: 4615, threadinfo=c9138000 task=c9092a80)
Stack: c1b0e268 c90c6658 00000000 c18a4a70 c9139f60 c018c8cd c8c0f3d0
c90c6658
       c93f87b0 c8c0f3d0 c90c6658 00000000 f731dab0 c9139f68 c018c86b
c9139f84
       c018aca9 c90c6658 f731dab0 c90c6658 f731dab0 00000010 c9139fb4
c018addb
Call Trace:
 [<c0104bde>] show_stack+0x9c/0xd2
 [<c0104dce>] show_registers+0x19a/0x234
 [<c0105049>] die+0x152/0x2e2
 [<c011d740>] do_page_fault+0x250/0x6fa
 [<c01046b7>] error_code+0x4f/0x54
 [<c018c8cd>] __fput+0x5c/0x174
 [<c018c86b>] fput+0x18/0x1e
 [<c018aca9>] filp_close+0x4a/0x70
 [<c018addb>] sys_close+0x10c/0x266
 [<c0103bb3>] sysenter_past_esp+0x54/0x75
Code: 78 85 db 74 08 89 1c 24 e8 68 c8 08 00 85 f6 74 39 b8 01 00 00 00
e8 c8 e5 f3 ff e8 51 1a 09 00 c1 e0 07 05 00 01 00 00 8d 04 06 <ff> 08
83 3e 02 74 3c b8 01 00 00 00 e8 d9 e5 f3 ff b8 00 e0 ff
 <6>note: hald[4615] exited with preempt_count 1
Debug: sleeping function called from invalid context at
include/linux/rwsem.h:43in_atomic():1, irqs_disabled():0
 [<c0104c32>] dump_stack+0x1e/0x20
 [<c0124b69>] __might_sleep+0x9e/0xad
 [<c012bf0f>] exit_mm+0x3a/0x2b0
 [<c012cd0a>] do_exit+0xe0/0x83b
 [<c01051cf>] die+0x2d8/0x2e2
 [<c011d740>] do_page_fault+0x250/0x6fa
 [<c01046b7>] error_code+0x4f/0x54
 [<c018c8cd>] __fput+0x5c/0x174
 [<c018c86b>] fput+0x18/0x1e
 [<c018aca9>] filp_close+0x4a/0x70
 [<c018addb>] sys_close+0x10c/0x266
 [<c0103bb3>] sysenter_past_esp+0x54/0x75




* Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0
  2005-07-11  4:26   ` Miles Lane
@ 2005-07-13  7:17     ` Dave Airlie
  2005-07-13 14:54       ` Miles Lane
  0 siblings, 1 reply; 14+ messages in thread
From: Dave Airlie @ 2005-07-13  7:17 UTC
  To: Miles Lane; +Cc: LKML

> Thanks Dave,
> 
> I switched to the i915 kernel driver and still got the OOPS.
> I also continue to get the overlapping mtrr message.  I am currently
> testing 2.6.13-rc2-git3.  I have tried to run strace with hald, but
> cannot reproduce the problem this way.  I am not sure I am invoking the
> command correctly.  I have written to the hal developers, but have not
> received a response yet.  Here's the current output:
> 

Can you try and see if you apply the patch from

http://lkml.org/lkml/2005/7/8/257

It should apply to your kernel.. I cannot get this to happen on my
system... the mtrr overlaps are just vesafb setting up the mtrrs, you
might try without vesafb...

Dave.

> mtrr: base(0xe8020000) is not aligned on a size(0x3c0000) boundary
> mtrr: 0xe8000000,0x8000000 overlaps existing 0xe8000000,0x1000000
> apm: BIOS version 1.2 Flags 0x03 (Driver version 1.16ac)
> apm: overridden by ACPI.
> Unable to handle kernel paging request at virtual address 5f78735f
>  printing eip:
> c01e491a
> *pde = 00000000
> Oops: 0002 [#1]
> PREEMPT
> Modules linked in: pcmcia ipv6 af_packet ohci1394 yenta_socket
> rsrc_nonstatic pcmcia_core ipw2200 firmware_class ieee80211
> ieee80211_crypt 8139too mii snd_intel8x0 snd_ac97_codec snd_pcm_oss
> snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc i2c_i801
> uhci_hcd rtc nls_cp437 sbp2 ieee1394 psmouse ide_cd cdrom
> CPU:    0
> EIP:    0060:[<c01e491a>]    Not tainted VLI
> EFLAGS: 00010206   (2.6.13-rc2-git3)
> EIP is at sysfs_release+0x4e/0xa6
> eax: 5f78735f   ebx: c1b0e268   ecx: 00000001   edx: c9138000
> esi: 5f78725f   edi: c93dfde0   ebp: c9139f3c   esp: c9139f2c
> ds: 007b   es: 007b   ss: 0068
> Process hald (pid: 4615, threadinfo=c9138000 task=c9092a80)
> Stack: c1b0e268 c90c6658 00000000 c18a4a70 c9139f60 c018c8cd c8c0f3d0
> c90c6658
>        c93f87b0 c8c0f3d0 c90c6658 00000000 f731dab0 c9139f68 c018c86b
> c9139f84
>        c018aca9 c90c6658 f731dab0 c90c6658 f731dab0 00000010 c9139fb4
> c018addb
> Call Trace:
>  [<c0104bde>] show_stack+0x9c/0xd2
>  [<c0104dce>] show_registers+0x19a/0x234
>  [<c0105049>] die+0x152/0x2e2
>  [<c011d740>] do_page_fault+0x250/0x6fa
>  [<c01046b7>] error_code+0x4f/0x54
>  [<c018c8cd>] __fput+0x5c/0x174
>  [<c018c86b>] fput+0x18/0x1e
>  [<c018aca9>] filp_close+0x4a/0x70
>  [<c018addb>] sys_close+0x10c/0x266
>  [<c0103bb3>] sysenter_past_esp+0x54/0x75
> Code: 78 85 db 74 08 89 1c 24 e8 68 c8 08 00 85 f6 74 39 b8 01 00 00 00
> e8 c8 e5 f3 ff e8 51 1a 09 00 c1 e0 07 05 00 01 00 00 8d 04 06 <ff> 08
> 83 3e 02 74 3c b8 01 00 00 00 e8 d9 e5 f3 ff b8 00 e0 ff
>  <6>note: hald[4615] exited with preempt_count 1
> Debug: sleeping function called from invalid context at
> include/linux/rwsem.h:43in_atomic():1, irqs_disabled():0
>  [<c0104c32>] dump_stack+0x1e/0x20
>  [<c0124b69>] __might_sleep+0x9e/0xad
>  [<c012bf0f>] exit_mm+0x3a/0x2b0
>  [<c012cd0a>] do_exit+0xe0/0x83b
>  [<c01051cf>] die+0x2d8/0x2e2
>  [<c011d740>] do_page_fault+0x250/0x6fa
>  [<c01046b7>] error_code+0x4f/0x54
>  [<c018c8cd>] __fput+0x5c/0x174
>  [<c018c86b>] fput+0x18/0x1e
>  [<c018aca9>] filp_close+0x4a/0x70
>  [<c018addb>] sys_close+0x10c/0x266
>  [<c0103bb3>] sysenter_past_esp+0x54/0x75
> 
> 
>


* Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0
  2005-07-13  7:17     ` Dave Airlie
@ 2005-07-13 14:54       ` Miles Lane
  2005-07-13 19:42         ` randy_dunlap
  0 siblings, 1 reply; 14+ messages in thread
From: Miles Lane @ 2005-07-13 14:54 UTC
  To: Dave Airlie; +Cc: LKML

On 7/13/05, Dave Airlie <airlied@gmail.com> wrote:
> > Thanks Dave,
> >
> > I switched to the i915 kernel driver and still got the OOPS.
> > I also continue to get the overlapping mtrr message.  I am currently
> > testing 2.6.13-rc2-git3.  I have tried to run strace with hald, but
> > cannot reproduce the problem this way.  I am not sure I am invoking the
> > command correctly.  I have written to the hal developers, but have not
> > received a response yet.  Here's the current output:
> >
> 
> Can you try and see if you apply the patch from
> 
> http://lkml.org/lkml/2005/7/8/257
> 
> It should apply to your kernel.. I cannot get this to happen on my
> system... the mtrr overlaps are just vesafb setting up the mtrrs, you
> might try without vesafb...

I will try booting without vesafb enabled.

I get an error building with the patch applied to 2.6.13-rc2-git3:

arch/i386/kernel/built-in.o(.text+0x4010): In function `die':
arch/i386/kernel/traps.c:343: undefined reference to `last_sysfs_name'
make: *** [.tmp_vmlinux1] Error 1

Thanks,
         Miles


* Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0
  2005-07-13 14:54       ` Miles Lane
@ 2005-07-13 19:42         ` randy_dunlap
  2005-08-08 16:53           ` Sonny Rao
  0 siblings, 1 reply; 14+ messages in thread
From: randy_dunlap @ 2005-07-13 19:42 UTC
  To: Miles Lane; +Cc: airlied, linux-kernel, akpm

On Wed, 13 Jul 2005 09:54:10 -0500 Miles Lane wrote:

> On 7/13/05, Dave Airlie <airlied@gmail.com> wrote:
> > > Thanks Dave,
> > >
> > > I switched to the i915 kernel driver and still got the OOPS.
> > > I also continue to get the overlapping mtrr message.  I am currently
> > > testing 2.6.13-rc2-git3.  I have tried to run strace with hald, but
> > > cannot reproduce the problem this way.  I am not sure I am invoking the
> > > command correctly.  I have written to the hal developers, but have not
> > > received a response yet.  Here's the current output:
> > >
> > 
> > Can you try and see if you apply the patch from
> > 
> > http://lkml.org/lkml/2005/7/8/257
> > 
> > It should apply to your kernel.. I cannot get this to happen on my
> > system... the mtrr overlaps are just vesafb setting up the mtrrs, you
> > might try without vesafb...
> 
> I will try booting without vesafb enabled.
> 
> I get an error building with the patch applied to 2.6.13-rc2-git3:
> 
> arch/i386/kernel/built-in.o(.text+0x4010): In function `die':
> arch/i386/kernel/traps.c:343: undefined reference to `last_sysfs_name'
> make: *** [.tmp_vmlinux1] Error 1

Miles,
Here is an updated version of the patch that builds for me.
(uses last_sysfs_file instead of last_sysfs_name)

---
~Randy



Track and print last_sysfs_file on oops.
---

 arch/i386/kernel/traps.c |    6 ++++++
 fs/sysfs/file.c          |    7 +++++++
 2 files changed, 13 insertions(+)

diff -Naurp linux-2613-rc1-mm1/arch/i386/kernel/traps.c~last_sysfs_file linux-2613-rc1-mm1/arch/i386/kernel/traps.c
--- linux-2613-rc1-mm1/arch/i386/kernel/traps.c~last_sysfs_file	2005-07-13 12:28:25.000000000 -0700
+++ linux-2613-rc1-mm1/arch/i386/kernel/traps.c	2005-07-13 12:38:41.000000000 -0700
@@ -370,6 +370,12 @@ void die(const char * str, struct pt_reg
 #endif
 		if (nl)
 			printk("\n");
+		{
+			extern char last_sysfs_file[];
+
+			printk(KERN_ALERT "last sysfs file: %s\n",
+					last_sysfs_file);
+		}
 #ifdef CONFIG_KGDB
 	/* This is about the only place we want to go to kgdb even if in
 	 * user mode.  But we must go in via a trap so within kgdb we will
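Review bot: The `extern char last_sysfs_file[];` inside the new block in die() declares a symbol from another subsystem locally in a .c file, so nothing checks it against the definition in fs/sysfs/file.c, and the reference is unconditional: a configuration in which fs/sysfs/file.c is not built would fail to link with the same kind of undefined-reference error reported earlier in the thread for `last_sysfs_name`. Suggest moving the declaration into a shared header and guarding the printk (or supplying an empty stub) for that case; the bare `{ ... }` block then becomes unnecessary.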
diff -Naurp linux-2613-rc1-mm1/fs/sysfs/file.c~last_sysfs_file linux-2613-rc1-mm1/fs/sysfs/file.c
--- linux-2613-rc1-mm1/fs/sysfs/file.c~last_sysfs_file	2005-07-13 12:13:35.000000000 -0700
+++ linux-2613-rc1-mm1/fs/sysfs/file.c	2005-07-13 12:26:26.000000000 -0700
@@ -6,6 +6,8 @@
 #include <linux/fsnotify.h>
 #include <linux/kobject.h>
 #include <linux/namei.h>
+#include <linux/limits.h>
+
 #include <asm/uaccess.h>
 #include <asm/semaphore.h>
 
@@ -324,8 +326,13 @@ static int check_perm(struct inode * ino
 	return error;
 }
 
+char last_sysfs_file[PATH_MAX];
+
 static int sysfs_open_file(struct inode * inode, struct file * filp)
 {
+	d_path(filp->f_dentry, sysfs_mount, last_sysfs_file,
+			sizeof(last_sysfs_file));
+
 	return check_perm(inode,filp);
 }
 

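Review bot: The return value of d_path() is discarded in sysfs_open_file(). d_path() assembles the path at the end of the buffer it is given and returns a pointer to where the string starts, so printing `last_sysfs_file` from its first byte in die() will generally not show the path; keep the returned pointer, check it for an error value, and copy the string to the start of the buffer before die() can read it. The write to the global buffer is also unserialized, so concurrent opens can interleave their output, and because the name is recorded at open time while the oops in this thread is in sysfs_release(), the message names the most recently opened sysfs file, which need not be the one being closed. A short comment on `char last_sysfs_file[PATH_MAX];` stating that would help whoever reads the oops.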

* Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0
  2005-07-13 19:42         ` randy_dunlap
@ 2005-08-08 16:53           ` Sonny Rao
  2005-08-08 17:44             ` Andrew Morton
  0 siblings, 1 reply; 14+ messages in thread
From: Sonny Rao @ 2005-08-08 16:53 UTC
  To: randy_dunlap; +Cc: Miles Lane, airlied, linux-kernel, akpm

On Wed, Jul 13, 2005 at 12:42:15PM -0700, randy_dunlap wrote:
> On Wed, 13 Jul 2005 09:54:10 -0500 Miles Lane wrote:
> 
> > On 7/13/05, Dave Airlie <airlied@gmail.com> wrote:
> > > > Thanks Dave,
> > > >
> > > > I switched to the i915 kernel driver and still got the OOPS.
> > > > I also continue to get the overlapping mtrr message.  I am currently
> > > > testing 2.6.13-rc2-git3.  I have tried to run strace with hald, but
> > > > cannot reproduce the problem this way.  I am not sure I am invoking the
> > > > > command correctly.  I have written to the hal developers, but have not
> > > > received a response yet.  Here's the current output:
> > > >
> > > 
> > > Can you try and see if you apply the patch from
> > > 
> > > http://lkml.org/lkml/2005/7/8/257
> > > 
> > > It should apply to your kernel.. I cannot get this to happen on my
> > > system... the mtrr overlaps are just vesafb setting up the mtrrs, you
> > > might try without vesafb...
> > 
> > I will try booting without vesafb enabled.
> > 
> > I get an error building with the patch applied to 2.6.13-rc2-git3:
> > 
> > arch/i386/kernel/built-in.o(.text+0x4010): In function `die':
> > arch/i386/kernel/traps.c:343: undefined reference to `last_sysfs_name'
> > make: *** [.tmp_vmlinux1] Error 1
> 
> Miles,
> Here is an updated version of the patch that builds for me.
> (uses last_sysfs_file instead of last_sysfs_name)

I think I was able to reproduce this same bug on 2.6.13-rc4-mm1,
here's the output (w/ apologies for long lines):

Unable to handle kernel paging request at virtual address 762f7473
 printing eip:
c01a8bcc
*pde = 00000000
Oops: 0002 [#1]
PREEMPT SMP DEBUG_PAGEALLOC
last sysfs file: /class/vc/vcs5/dev
Modules linked in: cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave 
cpufreq_ondemand cpufreq_conservative ipv6 video thermal processor hotkey fan co
ntainer button battery ac nfs lockd sunrpc af_packet tg3 ohci_hcd usbcore generi
c serverworks i2c_piix4 i2c_core sworks_agp agpgart pcspkr rtc floppy tsdev dm_m
od parport_pc lp parport ide_generic ide_disk ide_cd cdrom ide_core unix
CPU:    0
EIP:    0060:[<c01a8bcc>]    Not tainted VLI
EFLAGS: 00010246   (2.6.13-rc4-mm1) 
EIP is at sysfs_release+0x4c/0xb0
eax: 762f7373   ebx: 762f7373   ecx: 00000001   edx: ef3c5000
esi: f596a188   edi: f21fecc0   ebp: ef3c5f3c   esp: ef3c5f2c
ds: 007b   es: 007b   ss: 0068
Process udev (pid: 11843, threadinfo=ef3c5000 task=ef78e550)
Stack: f596a188 00000010 f762d580 c21bc944 ef3c5f68 c0166cea c21bc944 f762d580 
       00000000 00000000 c2137980 ec7e9748 f762d580 dcae7300 00000000 ef3c5f78 
       c0166aeb f762d580 f762d580 ef3c5f94 c01650ab f762d580 dcae7300 dcae7300 
Call Trace:
 [<c010401f>] show_stack+0x7f/0xa0
 [<c01041d4>] show_registers+0x164/0x1d0
 [<c0104422>] die+0x122/0x1c0
 [<c030db1e>] do_page_fault+0x2ce/0x600
 [<c0103ccb>] error_code+0x4f/0x54
 [<c0166cea>] __fput+0x1da/0x1f0
 [<c0166aeb>] fput+0x2b/0x50
 [<c01650ab>] filp_close+0x4b/0x80
 [<c016514e>] sys_close+0x6e/0x90
 [<c010312f>] sysenter_past_esp+0x54/0x75
Code: 85 f6 8b 40 14 8b 58 04 74 08 89 34 24 e8 0d 97 04 00 85 db 74 38 b8 01 00
 00 00 e8 af 18 f7 ff e8 4a e5 04 00 c1 e0 07 8d 04 18 <ff> 88 00 01 00 00 83 3b
 02 74 49 b8 01 00 00 00 e8 cf 18 f7 ff 
 <6>note: udev[11843] exited with preempt_count 1
Using generic hotkey driver
ibm_acpi: acpi_evalf(DHKC, d, ...) failed: 4097
ibm_acpi: `enable,0xffff' invalid for parameter `hotkey'
toshiba_acpi: Unknown parameter `hotkeys_over_acpi'
apm: BIOS not found.

Let me see if I can reproduce this on either 2.6.13-rc4 or  2.6.13-rc6 

Machine is an IBM x335 (dual P4), and I'm not using any framebuffer
stuff. 

Sonny


* Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0
  2005-08-08 16:53           ` Sonny Rao
@ 2005-08-08 17:44             ` Andrew Morton
  2005-08-08 20:18               ` Sonny Rao
  2005-08-08 23:09               ` Keith Owens
  0 siblings, 2 replies; 14+ messages in thread
From: Andrew Morton @ 2005-08-08 17:44 UTC
  To: Sonny Rao
  Cc: rdunlap, miles.lane, airlied, linux-kernel, Keith Owens, Greg KH

Sonny Rao <sonny@burdell.org> wrote:
>
> On Wed, Jul 13, 2005 at 12:42:15PM -0700, randy_dunlap wrote:
> > On Wed, 13 Jul 2005 09:54:10 -0500 Miles Lane wrote:
> > 
> > > On 7/13/05, Dave Airlie <airlied@gmail.com> wrote:
> > > > > Thanks Dave,
> > > > >
> > > > > I switched to the i915 kernel driver and still got the OOPS.
> > > > > I also continue to get the overlapping mtrr message.  I am currently
> > > > > testing 2.6.13-rc2-git3.  I have tried to run strace with hald, but
> > > > > cannot reproduce the problem this way.  I am not sure I am invoking the
> > > > > > command correctly.  I have written to the hal developers, but have not
> > > > > received a response yet.  Here's the current output:
> > > > >
> > > > 
> > > > Can you try and see if you apply the patch from
> > > > 
> > > > http://lkml.org/lkml/2005/7/8/257
> > > > 
> > > > It should apply to your kernel.. I cannot get this to happen on my
> > > > system... the mtrr overlaps are just vesafb setting up the mtrrs, you
> > > > might try without vesafb...
> > > 
> > > I will try booting without vesafb enabled.
> > > 
> > > I get an error building with the patch applied to 2.6.13-rc2-git3:
> > > 
> > > arch/i386/kernel/built-in.o(.text+0x4010): In function `die':
> > > arch/i386/kernel/traps.c:343: undefined reference to `last_sysfs_name'
> > > make: *** [.tmp_vmlinux1] Error 1
> > 
> > Miles,
> > Here is an updated version of the patch that builds for me.
> > (uses last_sysfs_file instead of last_sysfs_name)
> 
> I think I was able to reproduce this same bug on 2.6.13-rc4-mm1,
> here's the output (w/ apologies for long lines):
> 
> Unable to handle kernel paging request at virtual address 762f7473
>  printing eip:
> c01a8bcc
> *pde = 00000000
> Oops: 0002 [#1]
> PREEMPT SMP DEBUG_PAGEALLOC
> last sysfs file: /class/vc/vcs5/dev

gotcha.

> Modules linked in: cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave 
> cpufreq_ondemand cpufreq_conservative ipv6 video thermal processor hotkey fan co
> ntainer button battery ac nfs lockd sunrpc af_packet tg3 ohci_hcd usbcore generi
> c serverworks i2c_piix4 i2c_core sworks_agp agpgart pcspkr rtc floppy tsdev dm_m
> od parport_pc lp parport ide_generic ide_disk ide_cd cdrom ide_core unix
> CPU:    0
> EIP:    0060:[<c01a8bcc>]    Not tainted VLI
> EFLAGS: 00010246   (2.6.13-rc4-mm1) 
> EIP is at sysfs_release+0x4c/0xb0
> eax: 762f7373   ebx: 762f7373   ecx: 00000001   edx: ef3c5000
> esi: f596a188   edi: f21fecc0   ebp: ef3c5f3c   esp: ef3c5f2c
> ds: 007b   es: 007b   ss: 0068
> Process udev (pid: 11843, threadinfo=ef3c5000 task=ef78e550)
> Stack: f596a188 00000010 f762d580 c21bc944 ef3c5f68 c0166cea c21bc944 f762d580 
>        00000000 00000000 c2137980 ec7e9748 f762d580 dcae7300 00000000 ef3c5f78 
>        c0166aeb f762d580 f762d580 ef3c5f94 c01650ab f762d580 dcae7300 dcae7300 
> Call Trace:
>  [<c010401f>] show_stack+0x7f/0xa0
>  [<c01041d4>] show_registers+0x164/0x1d0
>  [<c0104422>] die+0x122/0x1c0
>  [<c030db1e>] do_page_fault+0x2ce/0x600
>  [<c0103ccb>] error_code+0x4f/0x54
>  [<c0166cea>] __fput+0x1da/0x1f0
>  [<c0166aeb>] fput+0x2b/0x50
>  [<c01650ab>] filp_close+0x4b/0x80
>  [<c016514e>] sys_close+0x6e/0x90
>  [<c010312f>] sysenter_past_esp+0x54/0x75
> Code: 85 f6 8b 40 14 8b 58 04 74 08 89 34 24 e8 0d 97 04 00 85 db 74 38 b8 01 00
>  00 00 e8 af 18 f7 ff e8 4a e5 04 00 c1 e0 07 8d 04 18 <ff> 88 00 01 00 00 83 3b
>  02 74 49 b8 01 00 00 00 e8 cf 18 f7 ff 
>  <6>note: udev[11843] exited with preempt_count 1
> Using generic hotkey driver
> ibm_acpi: acpi_evalf(DHKC, d, ...) failed: 4097
> ibm_acpi: `enable,0xffff' invalid for parameter `hotkey'
> toshiba_acpi: Unknown parameter `hotkeys_over_acpi'
> apm: BIOS not found.
> 
> Let me see if I can reproduce this on either 2.6.13-rc4 or  2.6.13-rc6 
> 
> Machine is an IBM x335 (dual P4), and I'm not using any framebuffer
> stuff. 
> 

Keith, does this look like the use-after-free which you've been hitting?


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0
  2005-08-08 17:44             ` Andrew Morton
@ 2005-08-08 20:18               ` Sonny Rao
  2005-08-08 23:09               ` Keith Owens
  1 sibling, 0 replies; 14+ messages in thread
From: Sonny Rao @ 2005-08-08 20:18 UTC (permalink / raw)
  To: Andrew Morton
  Cc: rdunlap, miles.lane, airlied, linux-kernel, Keith Owens, Greg KH

On Mon, Aug 08, 2005 at 10:44:04AM -0700, Andrew Morton wrote:
> Sonny Rao <sonny@burdell.org> wrote:
> >
> > On Wed, Jul 13, 2005 at 12:42:15PM -0700, randy_dunlap wrote:
> > > On Wed, 13 Jul 2005 09:54:10 -0500 Miles Lane wrote:
> > > 
> > > > On 7/13/05, Dave Airlie <airlied@gmail.com> wrote:
> > > > > > Thanks Dave,
> > > > > >
> > > > > > I switched to the i915 kernel driver and still got the OOPS.
> > > > > > I also continue to get the overlapping mtrr message.  I am currently
> > > > > > testing 2.6.13-rc2-git3.  I have tried to run strace with hald, but
> > > > > > cannot reproduce the problem this way.  I am not sure I am invoking the
> > > > > > > command correctly.  I have written to the hal developers, but have not
> > > > > > received a response yet.  Here's the current output:
> > > > > >
> > > > > 
> > > > > Can you try and see if you apply the patch from
> > > > > 
> > > > > http://lkml.org/lkml/2005/7/8/257
> > > > > 
> > > > > It should apply to your kernel.. I cannot get this to happen on my
> > > > > system... the mtrr overlaps are just vesafb setting up the mtrrs, you
> > > > > might try without vesafb...
> > > > 
> > > > I will try booting without vesafb enabled.
> > > > 
> > > > I get an error building with the patch applied to 2.6.13-rc2-git3:
> > > > 
> > > > arch/i386/kernel/built-in.o(.text+0x4010): In function `die':
> > > > arch/i386/kernel/traps.c:343: undefined reference to `last_sysfs_name'
> > > > make: *** [.tmp_vmlinux1] Error 1
> > > 
> > > Miles,
> > > Here is an updated version of the patch that builds for me.
> > > (uses last_sysfs_file instead of last_sysfs_name)
> > 
> > I think I was able to reproduce this same bug on 2.6.13-rc4-mm1,
> > here's the output (w/ apologies for long lines):
> > 
> > Unable to handle kernel paging request at virtual address 762f7473
> >  printing eip:
> > c01a8bcc
> > *pde = 00000000
> > Oops: 0002 [#1]
> > PREEMPT SMP DEBUG_PAGEALLOC
> > last sysfs file: /class/vc/vcs5/dev
> 
> gotcha.
> 
> > Modules linked in: cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave 
> > cpufreq_ondemand cpufreq_conservative ipv6 video thermal processor hotkey fan co
> > ntainer button battery ac nfs lockd sunrpc af_packet tg3 ohci_hcd usbcore generi
> > c serverworks i2c_piix4 i2c_core sworks_agp agpgart pcspkr rtc floppy tsdev dm_m
> > od parport_pc lp parport ide_generic ide_disk ide_cd cdrom ide_core unix
> > CPU:    0
> > EIP:    0060:[<c01a8bcc>]    Not tainted VLI
> > EFLAGS: 00010246   (2.6.13-rc4-mm1) 
> > EIP is at sysfs_release+0x4c/0xb0
> > eax: 762f7373   ebx: 762f7373   ecx: 00000001   edx: ef3c5000
> > esi: f596a188   edi: f21fecc0   ebp: ef3c5f3c   esp: ef3c5f2c
> > ds: 007b   es: 007b   ss: 0068
> > Process udev (pid: 11843, threadinfo=ef3c5000 task=ef78e550)
> > Stack: f596a188 00000010 f762d580 c21bc944 ef3c5f68 c0166cea c21bc944 f762d580 
> >        00000000 00000000 c2137980 ec7e9748 f762d580 dcae7300 00000000 ef3c5f78 
> >        c0166aeb f762d580 f762d580 ef3c5f94 c01650ab f762d580 dcae7300 dcae7300 
> > Call Trace:
> >  [<c010401f>] show_stack+0x7f/0xa0
> >  [<c01041d4>] show_registers+0x164/0x1d0
> >  [<c0104422>] die+0x122/0x1c0
> >  [<c030db1e>] do_page_fault+0x2ce/0x600
> >  [<c0103ccb>] error_code+0x4f/0x54
> >  [<c0166cea>] __fput+0x1da/0x1f0
> >  [<c0166aeb>] fput+0x2b/0x50
> >  [<c01650ab>] filp_close+0x4b/0x80
> >  [<c016514e>] sys_close+0x6e/0x90
> >  [<c010312f>] sysenter_past_esp+0x54/0x75
> > Code: 85 f6 8b 40 14 8b 58 04 74 08 89 34 24 e8 0d 97 04 00 85 db 74 38 b8 01 00
> >  00 00 e8 af 18 f7 ff e8 4a e5 04 00 c1 e0 07 8d 04 18 <ff> 88 00 01 00 00 83 3b
> >  02 74 49 b8 01 00 00 00 e8 cf 18 f7 ff 
> >  <6>note: udev[11843] exited with preempt_count 1
> > Using generic hotkey driver
> > ibm_acpi: acpi_evalf(DHKC, d, ...) failed: 4097
> > ibm_acpi: `enable,0xffff' invalid for parameter `hotkey'
> > toshiba_acpi: Unknown parameter `hotkeys_over_acpi'
> > apm: BIOS not found.
> > 
> > Let me see if I can reproduce this on either 2.6.13-rc4 or  2.6.13-rc6 
> > 
> > Machine is an IBM x335 (dual P4), and I'm not using any framebuffer
> > stuff. 
> > 
> 
> Keith, does this look like the use-after-free which you've been hitting?

So, I've tried reproducing on 2.6.13-rc6, 2.6.13-rc5-mm1, and (the
original kernel where I hit this) 2.6.13-rc4-mm1 

I haven't been able to reproduce at all, unfortunately... 
As Keith noted before, this one is pretty elusive.  I'm still up for
trying patches and rebooting a million times if someone has an idea.

Sonny

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0
  2005-08-08 17:44             ` Andrew Morton
  2005-08-08 20:18               ` Sonny Rao
@ 2005-08-08 23:09               ` Keith Owens
  2005-08-08 23:59                 ` Sonny Rao
  1 sibling, 1 reply; 14+ messages in thread
From: Keith Owens @ 2005-08-08 23:09 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Sonny Rao, rdunlap, miles.lane, airlied, linux-kernel, Greg KH

On Mon, 8 Aug 2005 10:44:04 -0700, 
Andrew Morton <akpm@osdl.org> wrote:
>Sonny Rao <sonny@burdell.org> wrote:
>> Modules linked in: cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave 
>> cpufreq_ondemand cpufreq_conservative ipv6 video thermal processor hotkey fan co
>> ntainer button battery ac nfs lockd sunrpc af_packet tg3 ohci_hcd usbcore generi
>> c serverworks i2c_piix4 i2c_core sworks_agp agpgart pcspkr rtc floppy tsdev dm_m
>> od parport_pc lp parport ide_generic ide_disk ide_cd cdrom ide_core unix
>> CPU:    0
>> EIP:    0060:[<c01a8bcc>]    Not tainted VLI
>> EFLAGS: 00010246   (2.6.13-rc4-mm1) 
>> EIP is at sysfs_release+0x4c/0xb0
>> eax: 762f7373   ebx: 762f7373   ecx: 00000001   edx: ef3c5000
>> esi: f596a188   edi: f21fecc0   ebp: ef3c5f3c   esp: ef3c5f2c
>> ds: 007b   es: 007b   ss: 0068
>> Process udev (pid: 11843, threadinfo=ef3c5000 task=ef78e550)
>> Stack: f596a188 00000010 f762d580 c21bc944 ef3c5f68 c0166cea c21bc944 f762d580 
>>        00000000 00000000 c2137980 ec7e9748 f762d580 dcae7300 00000000 ef3c5f78 
>>        c0166aeb f762d580 f762d580 ef3c5f94 c01650ab f762d580 dcae7300 dcae7300 
>> Call Trace:
>>  [<c010401f>] show_stack+0x7f/0xa0
>>  [<c01041d4>] show_registers+0x164/0x1d0
>>  [<c0104422>] die+0x122/0x1c0
>>  [<c030db1e>] do_page_fault+0x2ce/0x600
>>  [<c0103ccb>] error_code+0x4f/0x54
>>  [<c0166cea>] __fput+0x1da/0x1f0
>>  [<c0166aeb>] fput+0x2b/0x50
>>  [<c01650ab>] filp_close+0x4b/0x80
>>  [<c016514e>] sys_close+0x6e/0x90
>>  [<c010312f>] sysenter_past_esp+0x54/0x75
>> Code: 85 f6 8b 40 14 8b 58 04 74 08 89 34 24 e8 0d 97 04 00 85 db 74 38 b8 01 00
>>  00 00 e8 af 18 f7 ff e8 4a e5 04 00 c1 e0 07 8d 04 18 <ff> 88 00 01 00 00 83 3b
>>  02 74 49 b8 01 00 00 00 e8 cf 18 f7 ff 
>>  <6>note: udev[11843] exited with preempt_count 1
>> Using generic hotkey driver
>> ibm_acpi: acpi_evalf(DHKC, d, ...) failed: 4097
>> ibm_acpi: `enable,0xffff' invalid for parameter `hotkey'
>> toshiba_acpi: Unknown parameter `hotkeys_over_acpi'
>> apm: BIOS not found.
>> 
>> Let me see if I can reproduce this on either 2.6.13-rc4 or  2.6.13-rc6 
>> 
>> Machine is an IBM x335 (dual P4), and I'm not using any framebuffer
>> stuff. 
>> 
>
>Keith, does this look like the use-after-free which you've been hitting?

It is certainly in the same place, freeing the data that is chained off
sd->s_element.  This oops does not show any memory poisoning, but I am
guessing that the kernel was not compiled with slab debugging.  On
balance, it looks like the same problem.


^ permalink raw reply	[flat|nested] 14+ messages in thread
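
The check Keith describes above (does the register dump show slab poison?) can be run mechanically over an oops. This is an added example, not code from the thread or from the kernel; it assumes an i386 oops, the default 3G/1G split (PAGE_OFFSET 0xc0000000), and the slab debug fill bytes 0x5a, 0x6b and 0xa5.

```python
import re
import struct

# Fill bytes written by the kernel's slab debugging code.
SLAB_POISON = {0x5A: "POISON_INUSE", 0x6B: "POISON_FREE", 0xA5: "POISON_END"}
PAGE_OFFSET = 0xC0000000  # assumption: default i386 3G/1G split

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|ebp|esp):\s*([0-9a-f]{8})\b")
FAULT_RE = re.compile(r"virtual address ([0-9a-f]{8})")

# Lines copied from the 2.6.13-rc4-mm1 oops quoted in the thread.
OOPS = """\
Unable to handle kernel paging request at virtual address 762f7473
last sysfs file: /class/vc/vcs5/dev
eax: 762f7373   ebx: 762f7373   ecx: 00000001   edx: ef3c5000
esi: f596a188   edi: f21fecc0   ebp: ef3c5f3c   esp: ef3c5f2c
"""
# Constructed line: what a pointer read from a freed, poisoned object looks like.
POISONED = "eax: 6b6b6b6b   ebx: a56b6b6b   ecx: 00000001   edx: ef3c5000"


def classify(value):
    """Label one 32-bit register value by what its bytes look like."""
    raw = struct.pack("<I", value)  # byte order as stored in memory on i386
    if all(b in SLAB_POISON for b in raw):
        return "slab-poison"
    if all(0x20 <= b < 0x7F for b in raw):
        return "ascii:" + raw.decode("ascii")
    return "kernel-address" if value >= PAGE_OFFSET else "other"


def triage(oops_text):
    """Map each register found in the oops text to its classification."""
    return {reg: classify(int(val, 16)) for reg, val in REG_RE.findall(oops_text)}


def faulting_base(oops_text, max_offset=0x1000):
    """Return (register, offset) for the first register just below the fault address."""
    fault = int(FAULT_RE.search(oops_text).group(1), 16)
    for reg, val in REG_RE.findall(oops_text):
        if 0 <= fault - int(val, 16) < max_offset:
            return reg, fault - int(val, 16)
    return None


if __name__ == "__main__":
    print(triage(OOPS), faulting_base(OOPS))
    print(triage(POISONED))
```

On the oops quoted in this thread no register is classified as slab poison; eax and ebx decode to the text "ss/v", bytes that also occur in the "last sysfs file" path, and the fault address is eax + 0x100.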

* Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0
  2005-08-08 23:09               ` Keith Owens
@ 2005-08-08 23:59                 ` Sonny Rao
  0 siblings, 0 replies; 14+ messages in thread
From: Sonny Rao @ 2005-08-08 23:59 UTC (permalink / raw)
  To: Keith Owens
  Cc: Andrew Morton, rdunlap, miles.lane, airlied, linux-kernel,
	Greg KH

On Tue, Aug 09, 2005 at 09:09:57AM +1000, Keith Owens wrote:
> On Mon, 8 Aug 2005 10:44:04 -0700, 
> Andrew Morton <akpm@osdl.org> wrote:
> >Sonny Rao <sonny@burdell.org> wrote:
> >> Modules linked in: cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave 
> >> cpufreq_ondemand cpufreq_conservative ipv6 video thermal processor hotkey fan co
> >> ntainer button battery ac nfs lockd sunrpc af_packet tg3 ohci_hcd usbcore generi
> >> c serverworks i2c_piix4 i2c_core sworks_agp agpgart pcspkr rtc floppy tsdev dm_m
> >> od parport_pc lp parport ide_generic ide_disk ide_cd cdrom ide_core unix
> >> CPU:    0
> >> EIP:    0060:[<c01a8bcc>]    Not tainted VLI
> >> EFLAGS: 00010246   (2.6.13-rc4-mm1) 
> >> EIP is at sysfs_release+0x4c/0xb0
> >> eax: 762f7373   ebx: 762f7373   ecx: 00000001   edx: ef3c5000
> >> esi: f596a188   edi: f21fecc0   ebp: ef3c5f3c   esp: ef3c5f2c
> >> ds: 007b   es: 007b   ss: 0068
> >> Process udev (pid: 11843, threadinfo=ef3c5000 task=ef78e550)
> >> Stack: f596a188 00000010 f762d580 c21bc944 ef3c5f68 c0166cea c21bc944 f762d580 
> >>        00000000 00000000 c2137980 ec7e9748 f762d580 dcae7300 00000000 ef3c5f78 
> >>        c0166aeb f762d580 f762d580 ef3c5f94 c01650ab f762d580 dcae7300 dcae7300 
> >> Call Trace:
> >>  [<c010401f>] show_stack+0x7f/0xa0
> >>  [<c01041d4>] show_registers+0x164/0x1d0
> >>  [<c0104422>] die+0x122/0x1c0
> >>  [<c030db1e>] do_page_fault+0x2ce/0x600
> >>  [<c0103ccb>] error_code+0x4f/0x54
> >>  [<c0166cea>] __fput+0x1da/0x1f0
> >>  [<c0166aeb>] fput+0x2b/0x50
> >>  [<c01650ab>] filp_close+0x4b/0x80
> >>  [<c016514e>] sys_close+0x6e/0x90
> >>  [<c010312f>] sysenter_past_esp+0x54/0x75
> >> Code: 85 f6 8b 40 14 8b 58 04 74 08 89 34 24 e8 0d 97 04 00 85 db 74 38 b8 01 00
> >>  00 00 e8 af 18 f7 ff e8 4a e5 04 00 c1 e0 07 8d 04 18 <ff> 88 00 01 00 00 83 3b
> >>  02 74 49 b8 01 00 00 00 e8 cf 18 f7 ff 
> >>  <6>note: udev[11843] exited with preempt_count 1
> >> Using generic hotkey driver
> >> ibm_acpi: acpi_evalf(DHKC, d, ...) failed: 4097
> >> ibm_acpi: `enable,0xffff' invalid for parameter `hotkey'
> >> toshiba_acpi: Unknown parameter `hotkeys_over_acpi'
> >> apm: BIOS not found.
> >> 
> >> Let me see if I can reproduce this on either 2.6.13-rc4 or  2.6.13-rc6 
> >> 
> >> Machine is an IBM x335 (dual P4), and I'm not using any framebuffer
> >> stuff. 
> >> 
> >
> >Keith, does this look like the use-after-free which you've been hitting?
> 
> It is certainly in the same place, freeing the data that is chained off
> sd->s_element.  This oops does not show any memory poisoning, but I am
> guessing that the kernel was not compiled with slab debugging.  On
> balance, it looks like the same problem.

You are correct; I didn't have slab debugging on.

^ permalink raw reply	[flat|nested] 14+ messages in thread

Thread overview: 14+ messages
2005-07-03  8:41 OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0 Miles Lane
2005-07-06 22:27 ` Andrew Morton
2005-07-07  1:41   ` Schneelocke
2005-07-07 10:31 ` Dave Airlie
2005-07-07 14:56   ` Miles Lane
2005-07-11  4:26   ` Miles Lane
2005-07-13  7:17     ` Dave Airlie
2005-07-13 14:54       ` Miles Lane
2005-07-13 19:42         ` randy_dunlap
2005-08-08 16:53           ` Sonny Rao
2005-08-08 17:44             ` Andrew Morton
2005-08-08 20:18               ` Sonny Rao
2005-08-08 23:09               ` Keith Owens
2005-08-08 23:59                 ` Sonny Rao
