
From: Christian Mayrhuber (christian.mayrhuber_at_gmx.net)
Date: Tue 12 Oct 2004 - 13:29:06 BST


On Tuesday 12 October 2004 13:45, Herbert Poetzl wrote:
> On Tue, Oct 12, 2004 at 01:22:11PM +0200, Christian Mayrhuber wrote:
> > Hi,
> >
> > caspeng strikes again...
> >
> > $ cat /proc/version
> > Linux version 2.4.27-piv-smp-vs1.29-rc2 (root_at_build) (gcc version 3.3.4 (Debian 1:3.3.4-6sarge1)) #1 SMP Tue Sep 21 13:33:16 CEST 2004
> >
> > $ lsmod
> > Module Size Used by Not tainted
> > nfs 74040 1 (autoclean)
> > lockd 50288 1 (autoclean) [nfs]
> > sunrpc 74304 1 (autoclean) [nfs lockd]
> > autofs 10388 1 (autoclean)
> > loop 9496 0 (autoclean)
> > e1000 68364 1
> > rtc 7080 0 (autoclean)
> >
> > Reiserfs with Chris Mason's data logging patch, scsi, scsi-disk and
> > the megaraid2 driver are compiled into the kernel.
> >
> > $ ksymoops -o /lib/modules/2.4.27-piv-smp-vs1.29-rc2/ -m /boot/System.map-2.4.27-piv-smp-vs1.29-rc2 oops1.txt
> > ksymoops 2.4.5 on i686 2.4.27-piv-smp-vs1.29-rc2. Options used
> > -V (default)
> > -k /proc/ksyms (default)
> > -l /proc/modules (default)
> > -o /lib/modules/2.4.27-piv-smp-vs1.29-rc2/ (specified)
> > -m /boot/System.map-2.4.27-piv-smp-vs1.29-rc2 (specified)
> >
> > Oct 12 02:11:34 aton kernel: Unable to handle kernel paging request at virtual address 4c4d3760
> > Oct 12 02:11:34 aton kernel: c015a00b
> > Oct 12 02:11:34 aton kernel: *pde = 00000000
> > Oct 12 02:11:34 aton kernel: Oops: 0000
> > Oct 12 02:11:34 aton kernel: CPU: 3
> > Oct 12 02:11:34 aton kernel: EIP: 0010:[do_select+379/576] Not tainted
> > Oct 12 02:11:34 aton kernel: EFLAGS: 00010202
> > Oct 12 02:11:34 aton kernel: eax: 4c4d374c ebx: 00000000 ecx: 00000145 edx: ef741d00
> > Oct 12 02:11:34 aton kernel: esi: d0f9d600 edi: 00000015 ebp: 00200000 esp: f1b83f20
> > Oct 12 02:11:34 aton kernel: ds: 0018 es: 0018 ss: 0018
> > Oct 12 02:11:34 aton kernel: Process caspeng (pid: 1022, stackpage=f1b83000)
> > Oct 12 02:11:34 aton kernel: Stack: c8218380 00000000 00000145 f1b82000 00000000 00000000 00000000 00000000
> > Oct 12 02:11:34 aton kernel: c4bcb000 00000000 00000400 c429b300 bf7ff95c c015a449 00000020 f1b83f90
> > Oct 12 02:11:34 aton kernel: f1b83f8c 00000000 00000080 00000080 0000041f c0380a08 fffffffd 00000020
> > Warning (Oops_read): Code line not seen, dumping what data is available
> >
> >
> > >>eax; 4c4d374c Before first symbol
> > >>edx; ef741d00 <_end+2f346ca8/38891008>
> > >>esi; d0f9d600 <_end+10ba25a8/38891008>
> > >>ebp; 00200000 Before first symbol
> > >>esp; f1b83f20 <_end+31788ec8/38891008>
> >
> > I don't have any more lines of oops output.
> >
> > $ addr2line -f -e vmlinux1 c015a00b
> > do_select
> > /usr/src/2.4.27/linux-2.4.27/fs/select.c:197
> >
> >                         mask = POLLNVAL;
> >                         if (file) {
> >                                 mask = DEFAULT_POLLMASK;
> > OOPS-->                         if (file->f_op && file->f_op->poll)
> >                                         mask = file->f_op->poll(file, wait);
> >                                 fput(file);
> >                         }
>
> hmm, file is checked above, so file->f_op should be
> fine ergo file->f_op->poll must be bad ... question
> is, why ...
>
> could you disasm (objdump) the relevant function
> to see how the deref is coded?

$ objdump -d --start-address=0xC0159E90 --stop-address=0xc015a0d2 vmlinux1

vmlinux1: file format elf32-i386

Disassembly of section .text:

c0159e90 <do_select>:
c0159e90: 55 push %ebp
c0159e91: 57 push %edi
c0159e92: 56 push %esi
c0159e93: 53 push %ebx
c0159e94: 83 ec 24 sub $0x24,%esp
c0159e97: bb 00 e0 ff ff mov $0xffffe000,%ebx
c0159e9c: 8b 44 24 40 mov 0x40(%esp,1),%eax
c0159ea0: 21 e3 and %esp,%ebx
c0159ea2: 8b 00 mov (%eax),%eax
c0159ea4: 89 44 24 10 mov %eax,0x10(%esp,1)
c0159ea8: 8b 83 54 06 00 00 mov 0x654(%ebx),%eax
c0159eae: 83 c0 04 add $0x4,%eax
c0159eb1: f0 83 28 01 lock subl $0x1,(%eax)
c0159eb5: 0f 88 53 0c 00 00 js c015ab0e <.text.lock.select>
c0159ebb: 8b 54 24 3c mov 0x3c(%esp,1),%edx
c0159ebf: 8b 4c 24 38 mov 0x38(%esp,1),%ecx
c0159ec3: 89 54 24 04 mov %edx,0x4(%esp,1)
c0159ec7: 89 0c 24 mov %ecx,(%esp,1)
c0159eca: e8 c1 fe ff ff call c0159d90 <max_select_fd>
c0159ecf: 89 44 24 14 mov %eax,0x14(%esp,1)
c0159ed3: 8b 83 54 06 00 00 mov 0x654(%ebx),%eax
c0159ed9: f0 ff 40 04 lock incl 0x4(%eax)
c0159edd: 8b 44 24 14 mov 0x14(%esp,1),%eax
c0159ee1: 85 c0 test %eax,%eax
c0159ee3: 0f 88 f0 00 00 00 js c0159fd9 <do_select+0x149>
c0159ee9: 89 5c 24 0c mov %ebx,0xc(%esp,1)
c0159eed: 8b 44 24 14 mov 0x14(%esp,1),%eax
c0159ef1: 8d 54 24 1c lea 0x1c(%esp,1),%edx
c0159ef5: 8b 6c 24 10 mov 0x10(%esp,1),%ebp
c0159ef9: 89 44 24 38 mov %eax,0x38(%esp,1)
c0159efd: 31 c0 xor %eax,%eax
c0159eff: 89 44 24 1c mov %eax,0x1c(%esp,1)
c0159f03: 31 c0 xor %eax,%eax
c0159f05: 89 44 24 20 mov %eax,0x20(%esp,1)
c0159f09: 31 c0 xor %eax,%eax
c0159f0b: 85 ed test %ebp,%ebp
c0159f0d: 89 44 24 18 mov %eax,0x18(%esp,1)
c0159f11: 0f 44 54 24 18 cmove 0x18(%esp,1),%edx
c0159f16: 31 ff xor %edi,%edi
c0159f18: 89 7c 24 14 mov %edi,0x14(%esp,1)
c0159f1c: 89 54 24 18 mov %edx,0x18(%esp,1)
c0159f20: b8 01 00 00 00 mov $0x1,%eax
c0159f25: 8b 4c 24 0c mov 0xc(%esp,1),%ecx
c0159f29: 87 01 xchg %eax,(%ecx)
c0159f2b: 31 ff xor %edi,%edi
c0159f2d: 3b 7c 24 38 cmp 0x38(%esp,1),%edi
c0159f31: 7d 44 jge c0159f77 <do_select+0xe7>
c0159f33: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
c0159f39: 8d bc 27 00 00 00 00 lea 0x0(%edi,1),%edi
c0159f40: 8b 44 24 3c mov 0x3c(%esp,1),%eax
c0159f44: 89 f9 mov %edi,%ecx
c0159f46: bd 01 00 00 00 mov $0x1,%ebp
c0159f4b: 83 e1 1f and $0x1f,%ecx
c0159f4e: 89 fb mov %edi,%ebx
c0159f50: c1 eb 05 shr $0x5,%ebx
c0159f53: 8b 10 mov (%eax),%edx
c0159f55: d3 e5 shl %cl,%ebp
c0159f57: 89 c1 mov %eax,%ecx
c0159f59: 8b 40 04 mov 0x4(%eax),%eax
c0159f5c: 8b 34 9a mov (%edx,%ebx,4),%esi
c0159f5f: 8b 51 08 mov 0x8(%ecx),%edx
c0159f62: 8b 04 98 mov (%eax,%ebx,4),%eax
c0159f65: 8b 0c 9a mov (%edx,%ebx,4),%ecx
c0159f68: 09 f0 or %esi,%eax
c0159f6a: 09 c8 or %ecx,%eax
c0159f6c: 85 e8 test %ebp,%eax
c0159f6e: 75 75 jne c0159fe5 <do_select+0x155>
c0159f70: 47 inc %edi
c0159f71: 3b 7c 24 38 cmp 0x38(%esp,1),%edi
c0159f75: 7c c9 jl c0159f40 <do_select+0xb0>
c0159f77: 8b 4c 24 14 mov 0x14(%esp,1),%ecx
c0159f7b: 31 db xor %ebx,%ebx
c0159f7d: 89 5c 24 18 mov %ebx,0x18(%esp,1)
c0159f81: 85 c9 test %ecx,%ecx
c0159f83: 75 31 jne c0159fb6 <do_select+0x126>
c0159f85: 8b 54 24 10 mov 0x10(%esp,1),%edx
c0159f89: 85 d2 test %edx,%edx
c0159f8b: 74 29 je c0159fb6 <do_select+0x126>
c0159f8d: 8b 4c 24 0c mov 0xc(%esp,1),%ecx
c0159f91: 8b 41 08 mov 0x8(%ecx),%eax
c0159f94: 85 c0 test %eax,%eax
c0159f96: 75 1e jne c0159fb6 <do_select+0x126>
c0159f98: 8b 44 24 1c mov 0x1c(%esp,1),%eax
c0159f9c: 85 c0 test %eax,%eax
c0159f9e: 75 12 jne c0159fb2 <do_select+0x122>
c0159fa0: 8b 44 24 10 mov 0x10(%esp,1),%eax
c0159fa4: e8 57 39 fc ff call c011d900 <schedule_timeout>
c0159fa9: 89 44 24 10 mov %eax,0x10(%esp,1)
c0159fad: e9 6e ff ff ff jmp c0159f20 <do_select+0x90>
c0159fb2: 89 44 24 14 mov %eax,0x14(%esp,1)
c0159fb6: b8 00 e0 ff ff mov $0xffffe000,%eax
c0159fbb: 21 e0 and %esp,%eax
c0159fbd: c7 00 00 00 00 00 movl $0x0,(%eax)
c0159fc3: 8d 44 24 1c lea 0x1c(%esp,1),%eax
c0159fc7: 89 04 24 mov %eax,(%esp,1)
c0159fca: e8 b1 fc ff ff call c0159c80 <poll_freewait>
c0159fcf: 8b 4c 24 10 mov 0x10(%esp,1),%ecx
c0159fd3: 8b 54 24 40 mov 0x40(%esp,1),%edx
c0159fd7: 89 0a mov %ecx,(%edx)
c0159fd9: 8b 44 24 14 mov 0x14(%esp,1),%eax
c0159fdd: 83 c4 24 add $0x24,%esp
c0159fe0: 5b pop %ebx
c0159fe1: 5e pop %esi
c0159fe2: 5f pop %edi
c0159fe3: 5d pop %ebp
c0159fe4: c3 ret
c0159fe5: 89 f8 mov %edi,%eax
c0159fe7: e8 34 f1 fe ff call c0149120 <fget>
c0159fec: 89 c6 mov %eax,%esi
c0159fee: 85 f6 test %esi,%esi
c0159ff0: b8 20 00 00 00 mov $0x20,%eax
c0159ff5: 89 44 24 08 mov %eax,0x8(%esp,1)
c0159ff9: 74 22 je c015a01d <do_select+0x18d>
c0159ffb: b9 45 01 00 00 mov $0x145,%ecx
c015a000: 89 4c 24 08 mov %ecx,0x8(%esp,1)
c015a004: 8b 46 10 mov 0x10(%esi),%eax
c015a007: 85 c0 test %eax,%eax
c015a009: 74 0b je c015a016 <do_select+0x186>
=================== OOPS @ <do_select+0x17b> ========================
c015a00b: 8b 50 14 mov 0x14(%eax),%edx
c015a00e: 85 d2 test %edx,%edx
c015a010: 0f 85 a0 00 00 00 jne c015a0b6 <do_select+0x226>
c015a016: 89 f0 mov %esi,%eax
c015a018: e8 c3 ef fe ff call c0148fe0 <fput>
c015a01d: f6 44 24 08 d9 testb $0xd9,0x8(%esp,1)
c015a022: 74 2c je c015a050 <do_select+0x1c0>
c015a024: 8b 4c 24 3c mov 0x3c(%esp,1),%ecx
c015a028: 89 ea mov %ebp,%edx
c015a02a: 8b 01 mov (%ecx),%eax
c015a02c: 8b 34 98 mov (%eax,%ebx,4),%esi
c015a02f: 21 f2 and %esi,%edx
c015a031: 85 d2 test %edx,%edx
c015a033: 74 1b je c015a050 <do_select+0x1c0>
c015a035: 8b 41 0c mov 0xc(%ecx),%eax
c015a038: 09 2c 98 or %ebp,(%eax,%ebx,4)
c015a03b: 31 c0 xor %eax,%eax
c015a03d: 89 44 24 18 mov %eax,0x18(%esp,1)
c015a041: ff 44 24 14 incl 0x14(%esp,1)
c015a045: 8d 74 26 00 lea 0x0(%esi,1),%esi
c015a049: 8d bc 27 00 00 00 00 lea 0x0(%edi,1),%edi
c015a050: f7 44 24 08 0c 03 00 testl $0x30c,0x8(%esp,1)
c015a057: 00
c015a058: 74 26 je c015a080 <do_select+0x1f0>
c015a05a: 8b 4c 24 3c mov 0x3c(%esp,1),%ecx
c015a05e: 89 ea mov %ebp,%edx
c015a060: 8b 41 04 mov 0x4(%ecx),%eax
c015a063: 8b 34 98 mov (%eax,%ebx,4),%esi
c015a066: 21 f2 and %esi,%edx
c015a068: 85 d2 test %edx,%edx
c015a06a: 74 14 je c015a080 <do_select+0x1f0>
c015a06c: 8b 41 10 mov 0x10(%ecx),%eax
c015a06f: 09 2c 98 or %ebp,(%eax,%ebx,4)
c015a072: 31 c0 xor %eax,%eax
c015a074: 89 44 24 18 mov %eax,0x18(%esp,1)
c015a078: ff 44 24 14 incl 0x14(%esp,1)
c015a07c: 8d 74 26 00 lea 0x0(%esi,1),%esi
c015a080: f6 44 24 08 02 testb $0x2,0x8(%esp,1)
c015a085: 0f 84 e5 fe ff ff je c0159f70 <do_select+0xe0>
c015a08b: 8b 4c 24 3c mov 0x3c(%esp,1),%ecx
c015a08f: 89 ea mov %ebp,%edx
c015a091: 8b 41 08 mov 0x8(%ecx),%eax
c015a094: 8b 34 98 mov (%eax,%ebx,4),%esi
c015a097: 21 f2 and %esi,%edx
c015a099: 85 d2 test %edx,%edx
c015a09b: 0f 84 cf fe ff ff je c0159f70 <do_select+0xe0>
c015a0a1: 8b 41 14 mov 0x14(%ecx),%eax
c015a0a4: 31 f6 xor %esi,%esi
c015a0a6: 09 2c 98 or %ebp,(%eax,%ebx,4)
c015a0a9: 89 74 24 18 mov %esi,0x18(%esp,1)
c015a0ad: ff 44 24 14 incl 0x14(%esp,1)
c015a0b1: e9 ba fe ff ff jmp c0159f70 <do_select+0xe0>
c015a0b6: 89 34 24 mov %esi,(%esp,1)
c015a0b9: 8b 54 24 18 mov 0x18(%esp,1),%edx
c015a0bd: 89 54 24 04 mov %edx,0x4(%esp,1)
c015a0c1: ff 50 14 call *0x14(%eax)
c015a0c4: 89 44 24 08 mov %eax,0x8(%esp,1)
c015a0c8: e9 49 ff ff ff jmp c015a016 <do_select+0x186>
c015a0cd: 8d 76 00 lea 0x0(%esi),%esi

c015a0d0 <select_bits_alloc>:
c015a0d0: 83 ec 08 sub $0x8,%esp

>
> > In 2.4.26-vs1.27 an oops triggered by caspeng occurred at:
> > sock_readv_writev
> > /usr/src/2.4.26/linux-2.4.26-vs1.27/net/socket.c:636
> >
> > Caspeng inflicting two oopses at two totally different
> > locations looks very strange to me.
> >
> > Neither the vs1.29, nor the reiserfs data logging patch
> > touches fs/select.c.
> >
> > Should I forward this to linux-kernel?
>
> could be silent data corruption, you could also
> look for reiser doing strange things with f_op(->poll)
> for sure the linux-vserver code doesn't touch that
> either ...

# cd /usr/src/2.4.27/linux-2.4.27/fs/reiserfs
# find . -name "*.c" -exec grep f_op \{\} \;
# find . -name "*.c" -exec grep poll \{\} \;

Reiserfs touches neither file->f_op nor ->poll, it seems.

-- 
lg, Chris

_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
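The reasoning in the thread (faulting address 4c4d3760, eax 4c4d374c, faulting instruction `mov 0x14(%eax),%edx`, so the bad value is the `f_op` pointer loaded from the struct file, not `file` itself) can be mechanised. The script below is an added example and is not code from the thread, from ksymoops or from objdump: it parses the register dump of a 2.4-era i386 oops, parses the AT&T memory operand of the objdump line at EIP, checks that base register plus displacement reproduces the faulting address, and then applies two triage heuristics to the base value: whether it lies in kernel space at all (assumes the default 3G/1G split with PAGE_OFFSET 0xc0000000) and whether its four bytes are all printable ASCII, which is a classic sign of a struct overwritten by string data rather than a logic error in the code at EIP. The oops lines and the disassembly line are copied from the thread; the helper names are this example's own.

```python
"""Cross-check an i386 2.4 oops against the disassembly of the faulting
instruction: does (base register + displacement) equal the faulting address,
and what does the base value look like?

Added example, not part of the mailing-list thread and not ksymoops/objdump
functionality. Register values, faulting address and the objdump line are
taken from the thread; the parsing helpers are assumptions of this example.
"""
import re

# Oops lines copied from the thread (joined back into single lines).
OOPS_LINES = [
    "Oct 12 02:11:34 aton kernel: Unable to handle kernel paging request at virtual address 4c4d3760",
    "Oct 12 02:11:34 aton kernel: c015a00b",
    "Oct 12 02:11:34 aton kernel: *pde = 00000000",
    "Oct 12 02:11:34 aton kernel: Oops: 0000",
    "Oct 12 02:11:34 aton kernel: EIP: 0010:[do_select+379/576] Not tainted",
    "Oct 12 02:11:34 aton kernel: eax: 4c4d374c ebx: 00000000 ecx: 00000145 edx: ef741d00",
    "Oct 12 02:11:34 aton kernel: esi: d0f9d600 edi: 00000015 ebp: 00200000 esp: f1b83f20",
]

# The faulting instruction, copied from the objdump output in the thread.
DISASM_LINE = "c015a00b: 8b 50 14 mov 0x14(%eax),%edx"

PAGE_OFFSET = 0xC0000000  # assumption: default 3G/1G split on i386

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p):\s*([0-9a-f]{8})")
FAULT_RE = re.compile(r"paging request at virtual address ([0-9a-f]{8})")
# AT&T memory operand: [disp](%base[,%index[,scale]])
MEM_RE = re.compile(r"(-?0x[0-9a-f]+)?\(%(e[a-z]{2})(?:,%(e[a-z]{2})(?:,(\d))?)?\)")


def parse_oops(lines):
    """Return (fault_address, {register: value}) from 2.4-style oops text."""
    regs, fault = {}, None
    for line in lines:
        m = FAULT_RE.search(line)
        if m:
            fault = int(m.group(1), 16)
        for name, val in REG_RE.findall(line):
            regs[name] = int(val, 16)
    return fault, regs


def parse_memory_operand(disasm_line):
    """Return (displacement, base, index, scale) of the first memory operand."""
    m = MEM_RE.search(disasm_line)
    if not m:
        raise ValueError("no memory operand in: " + disasm_line)
    disp = int(m.group(1), 16) if m.group(1) else 0
    scale = int(m.group(4)) if m.group(4) else 1
    return disp, m.group(2), m.group(3), scale


def effective_address(regs, disasm_line):
    """Compute the address the faulting instruction tried to touch."""
    disp, base, index, scale = parse_memory_operand(disasm_line)
    ea = regs[base] + disp
    if index:
        ea += regs[index] * scale
    return ea & 0xFFFFFFFF


def looks_like_text(value):
    """All four bytes printable ASCII: the 'pointer' is probably string data."""
    return all(0x20 <= b < 0x7F for b in value.to_bytes(4, "little"))


def triage(oops_lines=OOPS_LINES, disasm_line=DISASM_LINE):
    """Tie the register dump to the faulting instruction and classify the base."""
    fault, regs = parse_oops(oops_lines)
    disp, base, _, _ = parse_memory_operand(disasm_line)
    ea = effective_address(regs, disasm_line)
    return {
        "fault": fault,
        "effective": ea,
        "consistent": ea == fault,          # base + disp reproduces the fault?
        "base_reg": base,
        "base_value": regs[base],
        "displacement": disp,
        "base_in_kernel_space": regs[base] >= PAGE_OFFSET,
        "base_is_text": looks_like_text(regs[base]),
        "base_as_bytes": regs[base].to_bytes(4, "little"),
    }


if __name__ == "__main__":
    r = triage()
    print("fault %08x  base %s=%08x + 0x%x -> %08x  consistent=%s"
          % (r["fault"], r["base_reg"], r["base_value"], r["displacement"],
             r["effective"], r["consistent"]))
    print("base in kernel space: %s, decodes as text: %s (%r)"
          % (r["base_in_kernel_space"], r["base_is_text"], r["base_as_bytes"]))
```

For the values in the thread the check comes out consistent (4c4d374c + 0x14 is exactly 4c4d3760), the base value is below PAGE_OFFSET, which is why ksymoops prints "Before first symbol" for it, and its bytes decode as printable text. Together that says the load of `f_op` from the struct file succeeded but returned garbage, which points at the struct file (or the memory it sits in) having been overwritten before `do_select` ran, consistent with the silent-corruption suspicion raised in the thread, rather than at a bug in `do_select` itself.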


Generated on Tue 12 Oct 2004 - 13:22:14 BST by hypermail 2.1.3