
Mailing List Archive: Linux: Kernel

OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0

 

 



miles.lane at gmail

Jul 3, 2005, 1:41 AM

OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0

mtrr: base(0xe8020000) is not aligned on a size(0x3c0000) boundary
[drm:drm_unlock] *ERROR* Process 4470 using kernel context 0
mtrr: 0xe8000000,0x8000000 overlaps existing 0xe8000000,0x1000000
Unable to handle kernel paging request at virtual address 5f78735f
printing eip:
c01abbf9
*pde = 00000000
Oops: 0002 [#1]
PREEMPT
Modules linked in: pcmcia container ipv6 af_packet ohci1394
yenta_socket rsrc_nonstatic pcmcia_core ipw2200 ieee80211
ieee80211_crypt 8139too mii snd_intel8x0 snd_ac97_codec snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc ehci_hcd
uhci_hcd usbcore rtc nls_cp437 sbp2 scsi_mod ieee1394 psmouse ide_cd
cdrom
CPU: 0
EIP: 0060:[<c01abbf9>] Not tainted VLI
EFLAGS: 00010246 (2.6.13-rc1-mm1)
EIP is at sysfs_release+0x49/0xb0
eax: 5f78725f ebx: 5f78725f ecx: 00000001 edx: f7662000
esi: c19520a4 edi: f70b8a80 ebp: f7663f3c esp: f7663f2c
ds: 007b es: 007b ss: 0068
Process hald (pid: 4736, threadinfo=f7662000 task=f7c97a80)
Stack: c19520a4 00000010 f70d2d80 f7703174 f7663f68 c0169a5a f7703174 f70d2d80
00000000 00000000 c1894180 f7715c8c f70d2d80 c1bcd900 00000000 f7663f78
c016985a f70d2d80 f70d2d80 f7663f94 c0167dcb f70d2d80 c1bcd900 00000010
Call Trace:
[<c010415f>] show_stack+0x7f/0xa0
[<c0104314>] show_registers+0x164/0x1d0
[<c010452d>] die+0xed/0x180
[<c0119314>] do_page_fault+0x344/0x68d
[<c0103d6f>] error_code+0x4f/0x54
[<c0169a5a>] __fput+0x1da/0x1f0
[<c016985a>] fput+0x2a/0x50
[<c0167dcb>] filp_close+0x4b/0x80
[<c0167e7a>] sys_close+0x7a/0xb0
[<c010326b>] sysenter_past_esp+0x54/0x75
Code: 85 f6 8b 40 14 8b 58 04 74 08 89 34 24 e8 60 a3 07 00 85 db 74
38 b8 01 00 00 00 e8 b2 25 f7 ff e8 ed f2 07 00 c1 e0 07 8d 04 18 <ff>
88 00 01 00 00 83 3b 02 74 43 b8 01 00 00 00 e8 d2 25 f7 ff
<6>note: hald[4736] exited with preempt_count 1
scheduling while atomic: hald/0x10000001/4736
[<c010419e>] dump_stack+0x1e/0x30
[<c0362052>] schedule+0x682/0x690
[<c0362a5f>] cond_resched+0x2f/0x50
[<c015738d>] unmap_vmas+0x16d/0x200
[<c015c2c1>] exit_mmap+0x81/0x170
[<c011f982>] mmput+0x42/0x110
[<c0123f63>] exit_mm+0xe3/0x110
[<c0124980>] do_exit+0x100/0x550
[<c01045bf>] die+0x17f/0x180
[<c0119314>] do_page_fault+0x344/0x68d
[<c0103d6f>] error_code+0x4f/0x54
[<c0169a5a>] __fput+0x1da/0x1f0
[<c016985a>] fput+0x2a/0x50
[<c0167dcb>] filp_close+0x4b/0x80
[<c0167e7a>] sys_close+0x7a/0xb0
[<c010326b>] sysenter_past_esp+0x54/0x75
eth1: no IPv6 routers present

CONFIG_PREEMPT=y
CONFIG_PREEMPT_BKL=y
CONFIG_X86_UP_APIC=y
CONFIG_X86_UP_IOAPIC=y
CONFIG_X86_LOCAL_APIC=y
CONFIG_X86_IO_APIC=y
CONFIG_X86_TSC=y
CONFIG_X86_MCE=y
CONFIG_X86_MCE_NONFATAL=y
CONFIG_X86_MCE_P4THERMAL=y
CONFIG_TOSHIBA=m
CONFIG_I8K=m
CONFIG_MICROCODE=m
CONFIG_X86_MSR=m
CONFIG_X86_CPUID=m

#
# Firmware Drivers
#
CONFIG_HIGHMEM4G=y
CONFIG_HIGHMEM=y
CONFIG_SELECT_MEMORY_MODEL=y
CONFIG_FLATMEM_MANUAL=y
CONFIG_FLATMEM=y
CONFIG_FLAT_NODE_MEM_MAP=y
CONFIG_HIGHPTE=y
CONFIG_MATH_EMULATION=y
CONFIG_MTRR=y
CONFIG_EFI=y
CONFIG_HAVE_DEC_LOCK=y
CONFIG_BOOT_IOREMAP=y

CONFIG_ACPI=y
CONFIG_ACPI_BOOT=y
CONFIG_ACPI_INTERPRETER=y
CONFIG_ACPI_SLEEP=y
CONFIG_ACPI_SLEEP_PROC_FS=y
CONFIG_ACPI_AC=y
CONFIG_ACPI_BATTERY=y
CONFIG_ACPI_BUTTON=y
CONFIG_ACPI_VIDEO=y
CONFIG_ACPI_HOTKEY=y
CONFIG_ACPI_FAN=y
CONFIG_ACPI_PROCESSOR=y
CONFIG_ACPI_THERMAL=y
CONFIG_ACPI_BLACKLIST_YEAR=0
CONFIG_ACPI_BUS=y
CONFIG_ACPI_EC=y
CONFIG_ACPI_POWER=y
CONFIG_ACPI_PCI=y
CONFIG_ACPI_SYSTEM=y
CONFIG_X86_PM_TIMER=y
CONFIG_ACPI_CONTAINER=m

CONFIG_AGP=y
CONFIG_AGP_INTEL=y
CONFIG_DRM=y
CONFIG_DRM_I830=y

CONFIG_I2C=y
CONFIG_I2C_CHARDEV=y

#
# I2C Algorithms
#
CONFIG_I2C_ALGOBIT=y
CONFIG_I2C_ALGOPCF=y
CONFIG_I2C_ALGOPCA=y

#
# I2C Hardware Bus support
#
CONFIG_I2C_I801=y
CONFIG_I2C_I810=y
CONFIG_I2C_ISA=m

CONFIG_FB=y
CONFIG_FB_CFB_FILLRECT=y
CONFIG_FB_CFB_COPYAREA=y
CONFIG_FB_CFB_IMAGEBLIT=y
CONFIG_FB_SOFT_CURSOR=y
CONFIG_FB_MODE_HELPERS=y
CONFIG_FB_TILEBLITTING=y
CONFIG_FB_VESA=y
CONFIG_VIDEO_SELECT=y

0000:00:00.0 Host bridge: Intel Corp. 82852/855GM Host Bridge (rev 02)
0000:00:00.1 System peripheral: Intel Corp. 855GM/GME GMCH Memory I/O
Control Registers (rev 02)
0000:00:00.3 System peripheral: Intel Corp. 855GM/GME GMCH
Configuration Process Registers (rev 02)
0000:00:02.0 VGA compatible controller: Intel Corp. 82852/855GM
Integrated Graphics Device (rev 02)
0000:00:02.1 Display controller: Intel Corp. 82852/855GM Integrated
Graphics Device (rev 02)
0000:00:1d.0 USB Controller: Intel Corp. 82801DB/DBL/DBM
(ICH4/ICH4-L/ICH4-M) USB UHCI Controller #1 (rev 03)
0000:00:1d.1 USB Controller: Intel Corp. 82801DB/DBL/DBM
(ICH4/ICH4-L/ICH4-M) USB UHCI Controller #2 (rev 03)
0000:00:1d.2 USB Controller: Intel Corp. 82801DB/DBL/DBM
(ICH4/ICH4-L/ICH4-M) USB UHCI Controller #3 (rev 03)
0000:00:1d.7 USB Controller: Intel Corp. 82801DB/DBM (ICH4/ICH4-M) USB
2.0 EHCI Controller (rev 03)
0000:00:1e.0 PCI bridge: Intel Corp. 82801 PCI Bridge (rev 83)
0000:00:1f.0 ISA bridge: Intel Corp. 82801DBM LPC Interface Controller (rev 03)
0000:00:1f.1 IDE interface: Intel Corp. 82801DBM (ICH4) Ultra ATA
Storage Controller (rev 03)
0000:00:1f.3 SMBus: Intel Corp. 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M)
SMBus Controller (rev 03)
0000:00:1f.5 Multimedia audio controller: Intel Corp. 82801DB/DBL/DBM
(ICH4/ICH4-L/ICH4-M) AC'97 Audio Controller (rev 03)
0000:00:1f.6 Modem: Intel Corp. 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M)
AC'97 Modem Controller (rev 03)
0000:02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd.
RTL-8139/8139C/8139C+ (rev 10)
0000:02:06.0 Network controller: Intel Corp. PRO/Wireless 2200BG (rev 05)
0000:02:09.0 CardBus bridge: Texas Instruments: Unknown device 8031
0000:02:09.2 FireWire (IEEE 1394): Texas Instruments: Unknown device 8032
0000:02:09.3 Unknown mass storage controller: Texas Instruments:
Unknown device 8033
0000:02:09.4 0805: Texas Instruments: Unknown device 8034
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo [at] vger
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/


akpm at osdl

Jul 6, 2005, 3:27 PM

Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0

Miles Lane <miles.lane [at] gmail> wrote:
>
> mtrr: base(0xe8020000) is not aligned on a size(0x3c0000) boundary
> [drm:drm_unlock] *ERROR* Process 4470 using kernel context 0
> mtrr: 0xe8000000,0x8000000 overlaps existing 0xe8000000,0x1000000
> Unable to handle kernel paging request at virtual address 5f78735f
> printing eip:
> c01abbf9
> *pde = 00000000
> Oops: 0002 [#1]
> PREEMPT
> Modules linked in: pcmcia container ipv6 af_packet ohci1394
> yenta_socket rsrc_nonstatic pcmcia_core ipw2200 ieee80211
> ieee80211_crypt 8139too mii snd_intel8x0 snd_ac97_codec snd_pcm_oss
> snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc ehci_hcd
> uhci_hcd usbcore rtc nls_cp437 sbp2 scsi_mod ieee1394 psmouse ide_cd
> cdrom
> CPU: 0
> EIP: 0060:[<c01abbf9>] Not tainted VLI
> EFLAGS: 00010246 (2.6.13-rc1-mm1)
> EIP is at sysfs_release+0x49/0xb0
> eax: 5f78725f ebx: 5f78725f ecx: 00000001 edx: f7662000
> esi: c19520a4 edi: f70b8a80 ebp: f7663f3c esp: f7663f2c
> ds: 007b es: 007b ss: 0068
> Process hald (pid: 4736, threadinfo=f7662000 task=f7c97a80)
> Stack: c19520a4 00000010 f70d2d80 f7703174 f7663f68 c0169a5a f7703174 f70d2d80
> 00000000 00000000 c1894180 f7715c8c f70d2d80 c1bcd900 00000000 f7663f78
> c016985a f70d2d80 f70d2d80 f7663f94 c0167dcb f70d2d80 c1bcd900 00000010
> Call Trace:
> [<c010415f>] show_stack+0x7f/0xa0
> [<c0104314>] show_registers+0x164/0x1d0
> [<c010452d>] die+0xed/0x180
> [<c0119314>] do_page_fault+0x344/0x68d
> [<c0103d6f>] error_code+0x4f/0x54
> [<c0169a5a>] __fput+0x1da/0x1f0
> [<c016985a>] fput+0x2a/0x50
> [<c0167dcb>] filp_close+0x4b/0x80
> [<c0167e7a>] sys_close+0x7a/0xb0
> [<c010326b>] sysenter_past_esp+0x54/0x75

It's irritating that when some driver screws up its sysfs handling, the
trace leaves no indication which driver it was.

One thing you could do is to disable `hald' (what is that anyway?) by
renaming it and try to get the system to boot. Then run `hald' by hand,
under strace, work out which sysfs file it was trying to close.
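
An added example, not part of the original message: one way to do the last step, a script that reads `strace -f` output and reports any sysfs file whose close() never returned. The trace below is constructed, and the function names are this example's own.

```python
import re

# Constructed sample of `strace -f` output; the PID and paths are made up.
SAMPLE_TRACE = r"""[pid  1234] open("/sys/class/net/eth0/address", O_RDONLY) = 7
[pid  1234] read(7, "00:11:22:33:44:55\n", 4096) = 18
[pid  1234] close(7) = 0
[pid  1234] open("/etc/example.conf", O_RDONLY) = 7
[pid  1234] close(7) = 0
[pid  1234] open("/sys/class/example/dev0/dev", O_RDONLY) = 7
[pid  1234] read(7, "7:133\n", 4096) = 6
[pid  1234] close(7 <unfinished ...>
[pid  1234] +++ killed by SIGSEGV +++
"""

# strace prefixes lines with "[pid N]" on a terminal and a bare "N" with -o.
PREFIX_RE = re.compile(r'^(?:\[pid\s+(\d+)\]|(\d+))\s+')
OPEN_RE = re.compile(r'^open(?:at)?\((?:AT_FDCWD,\s*)?"([^"]*)".*\)\s*=\s*(\d+)\s*$')
CLOSE_RE = re.compile(r'^close\((\d+)\)\s*=\s*(-?\d+)')
CLOSE_PENDING_RE = re.compile(r'^close\((\d+)\s*<unfinished \.\.\.>')
CLOSE_RESUMED_RE = re.compile(r'^<\.\.\. close resumed>.*=\s*(-?\d+)')


def split_pid(line):
    """Return (pid, syscall text); pid is "-" when the line has no prefix."""
    m = PREFIX_RE.match(line)
    if m:
        return (m.group(1) or m.group(2)), line[m.end():]
    return "-", line


def unfinished_sysfs_closes(trace):
    """List (pid, fd, path) for every close() on a /sys file that never returned.

    Simplification: descriptors are tracked per PID, so descriptors shared
    between threads or inherited across fork() are not followed.
    """
    fds = {}      # (pid, fd) -> path of the file currently open on that fd
    pending = {}  # pid -> (fd, path) for a close() that has not returned yet
    for raw in trace.splitlines():
        pid, call = split_pid(raw.strip())
        m = OPEN_RE.match(call)
        if m:  # successful open: failed ones return -1 and do not match
            fds[(pid, int(m.group(2)))] = m.group(1)
            continue
        m = CLOSE_PENDING_RE.match(call)
        if m:
            fd = int(m.group(1))
            pending[pid] = (fd, fds.get((pid, fd), "?"))
            continue
        m = CLOSE_RESUMED_RE.match(call)
        if m:  # the interrupted close() came back after all
            fd, _path = pending.pop(pid, (None, None))
            if fd is not None and m.group(1) == "0":
                fds.pop((pid, fd), None)
            continue
        m = CLOSE_RE.match(call)
        if m and m.group(2) == "0":
            fds.pop((pid, int(m.group(1))), None)
    return [(pid, fd, path) for pid, (fd, path) in pending.items()
            if path.startswith("/sys/")]


if __name__ == "__main__":
    for pid, fd, path in unfinished_sysfs_closes(SAMPLE_TRACE):
        print(f"pid {pid}: close({fd}) on {path} never returned")
```
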


schneelocke at gmail

Jul 6, 2005, 6:41 PM

Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0

On 07/07/05, Andrew Morton <akpm [at] osdl> wrote:
> One thing you could do is to disable `hald' (what is that anyway?) by
> renaming it and try to get the system to boot. Then run `hald' by hand,
> under strace, work out which sysfs file it was trying to close.

Probably the Hardware Abstraction Layer [1] daemon.

1. http://freedesktop.org/wiki/Software_2fhal
--
schnee


airlied at gmail

Jul 7, 2005, 3:31 AM

Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0

On 7/3/05, Miles Lane <miles.lane [at] gmail> wrote:
> mtrr: base(0xe8020000) is not aligned on a size(0x3c0000) boundary
> [drm:drm_unlock] *ERROR* Process 4470 using kernel context 0
> mtrr: 0xe8000000,0x8000000 overlaps existing 0xe8000000,0x1000000
> Unable to handle kernel paging request at virtual address 5f78735f

That is a bit suspicious.. what distro/X are you using? if you are
running a newer X (I think anything after XFree86 4.3) you should be
using the i915 DRM not the i830..

Dave.


miles.lane at gmail

Jul 7, 2005, 7:56 AM

Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0

Hmm, in my Xorg log I find this:

(II) I810(0): [drm] created "i915" driver at busid "pci:0000:00:02.0"
(WW) I810(0): i830 Kernel module detected, Use the i915 Kernel module
instead, aborting DRI init.

(II) I810(0): [drm] DRM interface version 1.2
(II) I810(0): [drm] created "i915" driver at busid "pci:0000:00:02.0"
(II) I810(0): [drm] added 8192 byte SAREA at 0xf916e000
(II) I810(0): [drm] mapped SAREA 0xf916e000 to 0xb7d38000
(II) I810(0): [drm] framebuffer handle = 0xe8020000
(II) I810(0): [drm] added 1 reserved context for kernel
(II) I810(0): [drm] removed 1 reserved context for kernel
(II) I810(0): [drm] unmapping 8192 bytes of SAREA 0xf916e000 at 0xb7d38000




On 7/7/05, Dave Airlie <airlied [at] gmail> wrote:
> On 7/3/05, Miles Lane <miles.lane [at] gmail> wrote:
> > mtrr: base(0xe8020000) is not aligned on a size(0x3c0000) boundary
> > [drm:drm_unlock] *ERROR* Process 4470 using kernel context 0
> > mtrr: 0xe8000000,0x8000000 overlaps existing 0xe8000000,0x1000000
> > Unable to handle kernel paging request at virtual address 5f78735f
>
> That is a bit suspicious.. what distro/X are you using? if you are
> running a newer X (I think anything after XFree86 4.3) you should be
> using the i915 DRM not the i830..
>
> Dave.
>


miles.lane at gmail

Jul 10, 2005, 9:26 PM

Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0

On Thu, 2005-07-07 at 20:31 +1000, Dave Airlie wrote:
> On 7/3/05, Miles Lane <miles.lane [at] gmail> wrote:
> > mtrr: base(0xe8020000) is not aligned on a size(0x3c0000) boundary
> > [drm:drm_unlock] *ERROR* Process 4470 using kernel context 0
> > mtrr: 0xe8000000,0x8000000 overlaps existing 0xe8000000,0x1000000
> > Unable to handle kernel paging request at virtual address 5f78735f
>
> That is a bit suspicious.. what distro/X are you using? if you are
> running a newer X (I think anything after XFree86 4.3) you should be
> using the i915 DRM not the i830..

Thanks Dave,

I switched to the i915 kernel driver and still got the OOPS.
I also continue to get the overlapping mtrr message. I am currently
testing 2.6.13-rc2-git3. I have tried to run strace with hald, but
cannot reproduce the problem this way. I am not sure I am invoking the
command correctly. I have written to the hal developers, but have not
received a response yet. Here's the current output:

mtrr: base(0xe8020000) is not aligned on a size(0x3c0000) boundary
mtrr: 0xe8000000,0x8000000 overlaps existing 0xe8000000,0x1000000
apm: BIOS version 1.2 Flags 0x03 (Driver version 1.16ac)
apm: overridden by ACPI.
Unable to handle kernel paging request at virtual address 5f78735f
printing eip:
c01e491a
*pde = 00000000
Oops: 0002 [#1]
PREEMPT
Modules linked in: pcmcia ipv6 af_packet ohci1394 yenta_socket
rsrc_nonstatic pcmcia_core ipw2200 firmware_class ieee80211
ieee80211_crypt 8139too mii snd_intel8x0 snd_ac97_codec snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc i2c_i801
uhci_hcd rtc nls_cp437 sbp2 ieee1394 psmouse ide_cd cdrom
CPU: 0
EIP: 0060:[<c01e491a>] Not tainted VLI
EFLAGS: 00010206 (2.6.13-rc2-git3)
EIP is at sysfs_release+0x4e/0xa6
eax: 5f78735f ebx: c1b0e268 ecx: 00000001 edx: c9138000
esi: 5f78725f edi: c93dfde0 ebp: c9139f3c esp: c9139f2c
ds: 007b es: 007b ss: 0068
Process hald (pid: 4615, threadinfo=c9138000 task=c9092a80)
Stack: c1b0e268 c90c6658 00000000 c18a4a70 c9139f60 c018c8cd c8c0f3d0
c90c6658
c93f87b0 c8c0f3d0 c90c6658 00000000 f731dab0 c9139f68 c018c86b
c9139f84
c018aca9 c90c6658 f731dab0 c90c6658 f731dab0 00000010 c9139fb4
c018addb
Call Trace:
[<c0104bde>] show_stack+0x9c/0xd2
[<c0104dce>] show_registers+0x19a/0x234
[<c0105049>] die+0x152/0x2e2
[<c011d740>] do_page_fault+0x250/0x6fa
[<c01046b7>] error_code+0x4f/0x54
[<c018c8cd>] __fput+0x5c/0x174
[<c018c86b>] fput+0x18/0x1e
[<c018aca9>] filp_close+0x4a/0x70
[<c018addb>] sys_close+0x10c/0x266
[<c0103bb3>] sysenter_past_esp+0x54/0x75
Code: 78 85 db 74 08 89 1c 24 e8 68 c8 08 00 85 f6 74 39 b8 01 00 00 00
e8 c8 e5 f3 ff e8 51 1a 09 00 c1 e0 07 05 00 01 00 00 8d 04 06 <ff> 08
83 3e 02 74 3c b8 01 00 00 00 e8 d9 e5 f3 ff b8 00 e0 ff
<6>note: hald[4615] exited with preempt_count 1
Debug: sleeping function called from invalid context at
include/linux/rwsem.h:43in_atomic():1, irqs_disabled():0
[<c0104c32>] dump_stack+0x1e/0x20
[<c0124b69>] __might_sleep+0x9e/0xad
[<c012bf0f>] exit_mm+0x3a/0x2b0
[<c012cd0a>] do_exit+0xe0/0x83b
[<c01051cf>] die+0x2d8/0x2e2
[<c011d740>] do_page_fault+0x250/0x6fa
[<c01046b7>] error_code+0x4f/0x54
[<c018c8cd>] __fput+0x5c/0x174
[<c018c86b>] fput+0x18/0x1e
[<c018aca9>] filp_close+0x4a/0x70
[<c018addb>] sys_close+0x10c/0x266
[<c0103bb3>] sysenter_past_esp+0x54/0x75




airlied at gmail

Jul 13, 2005, 12:17 AM

Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0

> Thanks Dave,
>
> I switched to the i915 kernel driver and still got the OOPS.
> I also continue to get the overlapping mtrr message. I am currently
> testing 2.6.13-rc2-git3. I have tried to run strace with hald, but
> cannot reproduce the problem this way. I am not sure I am invoking the
> command correctly. I have written to the hal developers, but have not
> received a response yet. Here's the current output:
>

Can you try and see if you apply the patch from

http://lkml.org/lkml/2005/7/8/257

It should apply to your kernel.. I cannot get this to happen on my
system... the mtrr overlaps are just vesafb setting up the mtrrs, you
might try without vesafb...

Dave.

> mtrr: base(0xe8020000) is not aligned on a size(0x3c0000) boundary
> mtrr: 0xe8000000,0x8000000 overlaps existing 0xe8000000,0x1000000
> apm: BIOS version 1.2 Flags 0x03 (Driver version 1.16ac)
> apm: overridden by ACPI.
> Unable to handle kernel paging request at virtual address 5f78735f
> printing eip:
> c01e491a
> *pde = 00000000
> Oops: 0002 [#1]
> PREEMPT
> Modules linked in: pcmcia ipv6 af_packet ohci1394 yenta_socket
> rsrc_nonstatic pcmcia_core ipw2200 firmware_class ieee80211
> ieee80211_crypt 8139too mii snd_intel8x0 snd_ac97_codec snd_pcm_oss
> snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc i2c_i801
> uhci_hcd rtc nls_cp437 sbp2 ieee1394 psmouse ide_cd cdrom
> CPU: 0
> EIP: 0060:[<c01e491a>] Not tainted VLI
> EFLAGS: 00010206 (2.6.13-rc2-git3)
> EIP is at sysfs_release+0x4e/0xa6
> eax: 5f78735f ebx: c1b0e268 ecx: 00000001 edx: c9138000
> esi: 5f78725f edi: c93dfde0 ebp: c9139f3c esp: c9139f2c
> ds: 007b es: 007b ss: 0068
> Process hald (pid: 4615, threadinfo=c9138000 task=c9092a80)
> Stack: c1b0e268 c90c6658 00000000 c18a4a70 c9139f60 c018c8cd c8c0f3d0
> c90c6658
> c93f87b0 c8c0f3d0 c90c6658 00000000 f731dab0 c9139f68 c018c86b
> c9139f84
> c018aca9 c90c6658 f731dab0 c90c6658 f731dab0 00000010 c9139fb4
> c018addb
> Call Trace:
> [<c0104bde>] show_stack+0x9c/0xd2
> [<c0104dce>] show_registers+0x19a/0x234
> [<c0105049>] die+0x152/0x2e2
> [<c011d740>] do_page_fault+0x250/0x6fa
> [<c01046b7>] error_code+0x4f/0x54
> [<c018c8cd>] __fput+0x5c/0x174
> [<c018c86b>] fput+0x18/0x1e
> [<c018aca9>] filp_close+0x4a/0x70
> [<c018addb>] sys_close+0x10c/0x266
> [<c0103bb3>] sysenter_past_esp+0x54/0x75
> Code: 78 85 db 74 08 89 1c 24 e8 68 c8 08 00 85 f6 74 39 b8 01 00 00 00
> e8 c8 e5 f3 ff e8 51 1a 09 00 c1 e0 07 05 00 01 00 00 8d 04 06 <ff> 08
> 83 3e 02 74 3c b8 01 00 00 00 e8 d9 e5 f3 ff b8 00 e0 ff
> <6>note: hald[4615] exited with preempt_count 1
> Debug: sleeping function called from invalid context at
> include/linux/rwsem.h:43in_atomic():1, irqs_disabled():0
> [<c0104c32>] dump_stack+0x1e/0x20
> [<c0124b69>] __might_sleep+0x9e/0xad
> [<c012bf0f>] exit_mm+0x3a/0x2b0
> [<c012cd0a>] do_exit+0xe0/0x83b
> [<c01051cf>] die+0x2d8/0x2e2
> [<c011d740>] do_page_fault+0x250/0x6fa
> [<c01046b7>] error_code+0x4f/0x54
> [<c018c8cd>] __fput+0x5c/0x174
> [<c018c86b>] fput+0x18/0x1e
> [<c018aca9>] filp_close+0x4a/0x70
> [<c018addb>] sys_close+0x10c/0x266
> [<c0103bb3>] sysenter_past_esp+0x54/0x75
>
>
>


miles.lane at gmail

Jul 13, 2005, 7:54 AM

Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0

On 7/13/05, Dave Airlie <airlied [at] gmail> wrote:
> > Thanks Dave,
> >
> > I switched to the i915 kernel driver and still got the OOPS.
> > I also continue to get the overlapping mtrr message. I am currently
> > testing 2.6.13-rc2-git3. I have tried to run strace with hald, but
> > cannot reproduce the problem this way. I am not sure I am invoking the
> > command correctly. I have written to the hal developers, but have not
> > received a response yet. Here's the current output:
> >
>
> Can you try and see if you apply the patch from
>
> http://lkml.org/lkml/2005/7/8/257
>
> It should apply to your kernel.. I cannot get this to happen on my
> system... the mtrr overlaps are just vesafb setting up the mtrrs, you
> might try without vesafb...

I will try booting without vesafb enabled.

I get an error building with the patch applied to 2.6.13-rc2-git3:

arch/i386/kernel/built-in.o(.text+0x4010): In function `die':
arch/i386/kernel/traps.c:343: undefined reference to `last_sysfs_name'
make: *** [.tmp_vmlinux1] Error 1

Thanks,
Miles
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo [at] vger
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/


rdunlap at xenotime

Jul 13, 2005, 12:42 PM

Post #9 of 14 (720 views)
Permalink
Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0 [In reply to]

On Wed, 13 Jul 2005 09:54:10 -0500 Miles Lane wrote:

> On 7/13/05, Dave Airlie <airlied [at] gmail> wrote:
> > > Thanks Dave,
> > >
> > > I switched to the i915 kernel driver and still got the OOPS.
> > > I also continue to get the overlapping mtrr message. I am currently
> > > testing 2.6.13-rc2-git3. I have tried to run strace with hald, but
> > > cannot reproduce the problem this way. I am not sure I am invoking the
> > > command correctly. I have written to the hal developers, but have not
> > > received a response yet. Here's the current output:
> > >
> >
> > Can you try and see if you apply the patch from
> >
> > http://lkml.org/lkml/2005/7/8/257
> >
> > It should apply to your kernel.. I cannot get this to happen on my
> > system... the mtrr overlaps are just vesafb setting up the mtrrs, you
> > might try without vesafb...
>
> I will try booting without vesafb enabled.
>
> I get an error building with the patch applied to 2.6.13-rc2-git3:
>
> arch/i386/kernel/built-in.o(.text+0x4010): In function `die':
> arch/i386/kernel/traps.c:343: undefined reference to `last_sysfs_name'
> make: *** [.tmp_vmlinux1] Error 1

Miles,
Here is an updated version of the patch that builds for me.
(uses last_sysfs_file instead of last_sysfs_name)

---
~Randy



Track and print last_sysfs_file on oops.
---

arch/i386/kernel/traps.c | 6 ++++++
fs/sysfs/file.c | 7 +++++++
2 files changed, 13 insertions(+)

diff -Naurp linux-2613-rc1-mm1/arch/i386/kernel/traps.c~last_sysfs_file linux-2613-rc1-mm1/arch/i386/kernel/traps.c
--- linux-2613-rc1-mm1/arch/i386/kernel/traps.c~last_sysfs_file 2005-07-13 12:28:25.000000000 -0700
+++ linux-2613-rc1-mm1/arch/i386/kernel/traps.c 2005-07-13 12:38:41.000000000 -0700
@@ -370,6 +370,12 @@ void die(const char * str, struct pt_reg
#endif
if (nl)
printk("\n");
+ {
+ extern char last_sysfs_file[];
+
+ printk(KERN_ALERT "last sysfs file: %s\n",
+ last_sysfs_file);
+ }
#ifdef CONFIG_KGDB
/* This is about the only place we want to go to kgdb even if in
* user mode. But we must go in via a trap so within kgdb we will
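
Review bot: The `extern char last_sysfs_file[];` declaration inside a bare block in die() should live in a shared header, so that the definition in fs/sysfs/file.c and this use are checked against each other by the compiler. The printk is also unconditional: fs/sysfs/file.c is only built when CONFIG_SYSFS is set, so a kernel configured without sysfs would fail to link with an undefined reference to last_sysfs_file. Guard the block with #ifdef CONFIG_SYSFS or provide a stub, and consider skipping the line when last_sysfs_file[0] is '\0' so that an oops before any sysfs open does not print an empty name.
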
diff -Naurp linux-2613-rc1-mm1/fs/sysfs/file.c~last_sysfs_file linux-2613-rc1-mm1/fs/sysfs/file.c
--- linux-2613-rc1-mm1/fs/sysfs/file.c~last_sysfs_file 2005-07-13 12:13:35.000000000 -0700
+++ linux-2613-rc1-mm1/fs/sysfs/file.c 2005-07-13 12:26:26.000000000 -0700
@@ -6,6 +6,8 @@
#include <linux/fsnotify.h>
#include <linux/kobject.h>
#include <linux/namei.h>
+#include <linux/limits.h>
+
#include <asm/uaccess.h>
#include <asm/semaphore.h>

@@ -324,8 +326,13 @@ static int check_perm(struct inode * ino
return error;
}

+char last_sysfs_file[PATH_MAX];
+
static int sysfs_open_file(struct inode * inode, struct file * filp)
{
+ d_path(filp->f_dentry, sysfs_mount, last_sysfs_file,
+ sizeof(last_sysfs_file));
+
return check_perm(inode,filp);
}
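
Review bot: In sysfs_open_file() the return value of d_path() is discarded, but d_path() assembles the path at the end of the buffer it is given and returns a pointer to where the string starts, so die() is not guaranteed to find the path at last_sysfs_file[0] and can print an empty string. Keep the returned pointer, check it with IS_ERR(), and copy the result to the front of the buffer (or print through a saved pointer). The global buffer is also written on every sysfs open with no locking, so concurrent opens on SMP can interleave in it, and since it records the last file opened it can name a different file from the one being released when the oops is in sysfs_release().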



sonny at burdell

Aug 8, 2005, 9:53 AM

Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0

On Wed, Jul 13, 2005 at 12:42:15PM -0700, randy_dunlap wrote:
> On Wed, 13 Jul 2005 09:54:10 -0500 Miles Lane wrote:
>
> > On 7/13/05, Dave Airlie <airlied [at] gmail> wrote:
> > > > Thanks Dave,
> > > >
> > > > I switched to the i915 kernel driver and still got the OOPS.
> > > > I also continue to get the overlapping mtrr message. I am currently
> > > > testing 2.6.13-rc2-git3. I have tried to run strace with hald, but
> > > > cannot reproduce the problem this way. I am not sure I am invoking the
> > > > > command correctly. I have written to the hal developers, but have not
> > > > received a response yet. Here's the current output:
> > > >
> > >
> > > Can you try and see if you apply the patch from
> > >
> > > http://lkml.org/lkml/2005/7/8/257
> > >
> > > It should apply to your kernel.. I cannot get this to happen on my
> > > system... the mtrr overlaps are just vesafb setting up the mtrrs, you
> > > might try without vesafb...
> >
> > I will try booting without vesafb enabled.
> >
> > I get an error building with the patch applied to 2.6.13-rc2-git3:
> >
> > arch/i386/kernel/built-in.o(.text+0x4010): In function `die':
> > arch/i386/kernel/traps.c:343: undefined reference to `last_sysfs_name'
> > make: *** [.tmp_vmlinux1] Error 1
>
> Miles,
> Here is an updated version of the patch that builds for me.
> (uses last_sysfs_file instead of last_sysfs_name)

I think I was able to reproduce this same bug on 2.6.13-rc4-mm1,
here's the output (w/ apologies for long lines):

Unable to handle kernel paging request at virtual address 762f7473
printing eip:
c01a8bcc
*pde = 00000000
Oops: 0002 [#1]
PREEMPT SMP DEBUG_PAGEALLOC
last sysfs file: /class/vc/vcs5/dev
Modules linked in: cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave
cpufreq_ondemand cpufreq_conservative ipv6 video thermal processor hotkey fan co
ntainer button battery ac nfs lockd sunrpc af_packet tg3 ohci_hcd usbcore generi
c serverworks i2c_piix4 i2c_core sworks_agp agpgart pcspkr rtc floppy tsdev dm_m
od parport_pc lp parport ide_generic ide_disk ide_cd cdrom ide_core unix
CPU: 0
EIP: 0060:[<c01a8bcc>] Not tainted VLI
EFLAGS: 00010246 (2.6.13-rc4-mm1)
EIP is at sysfs_release+0x4c/0xb0
eax: 762f7373 ebx: 762f7373 ecx: 00000001 edx: ef3c5000
esi: f596a188 edi: f21fecc0 ebp: ef3c5f3c esp: ef3c5f2c
ds: 007b es: 007b ss: 0068
Process udev (pid: 11843, threadinfo=ef3c5000 task=ef78e550)
Stack: f596a188 00000010 f762d580 c21bc944 ef3c5f68 c0166cea c21bc944 f762d580
00000000 00000000 c2137980 ec7e9748 f762d580 dcae7300 00000000 ef3c5f78
c0166aeb f762d580 f762d580 ef3c5f94 c01650ab f762d580 dcae7300 dcae7300
Call Trace:
[<c010401f>] show_stack+0x7f/0xa0
[<c01041d4>] show_registers+0x164/0x1d0
[<c0104422>] die+0x122/0x1c0
[<c030db1e>] do_page_fault+0x2ce/0x600
[<c0103ccb>] error_code+0x4f/0x54
[<c0166cea>] __fput+0x1da/0x1f0
[<c0166aeb>] fput+0x2b/0x50
[<c01650ab>] filp_close+0x4b/0x80
[<c016514e>] sys_close+0x6e/0x90
[<c010312f>] sysenter_past_esp+0x54/0x75
Code: 85 f6 8b 40 14 8b 58 04 74 08 89 34 24 e8 0d 97 04 00 85 db 74 38 b8 01 00
00 00 e8 af 18 f7 ff e8 4a e5 04 00 c1 e0 07 8d 04 18 <ff> 88 00 01 00 00 83 3b
02 74 49 b8 01 00 00 00 e8 cf 18 f7 ff
<6>note: udev[11843] exited with preempt_count 1
Using generic hotkey driver
ibm_acpi: acpi_evalf(DHKC, d, ...) failed: 4097
ibm_acpi: `enable,0xffff' invalid for parameter `hotkey'
toshiba_acpi: Unknown parameter `hotkeys_over_acpi'
apm: BIOS not found.

Let me see if I can reproduce this on either 2.6.13-rc4 or 2.6.13-rc6

Machine is an IBM x335 (dual P4), and I'm not using any framebuffer
stuff.

Sonny


akpm at osdl

Aug 8, 2005, 10:44 AM

Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0

Sonny Rao <sonny [at] burdell> wrote:
>
> On Wed, Jul 13, 2005 at 12:42:15PM -0700, randy_dunlap wrote:
> > On Wed, 13 Jul 2005 09:54:10 -0500 Miles Lane wrote:
> >
> > > On 7/13/05, Dave Airlie <airlied [at] gmail> wrote:
> > > > > Thanks Dave,
> > > > >
> > > > > I switched to the i915 kernel driver and still got the OOPS.
> > > > > I also continue to get the overlapping mtrr message. I am currently
> > > > > testing 2.6.13-rc2-git3. I have tried to run strace with hald, but
> > > > > cannot reproduce the problem this way. I am not sure I am invoking the
> > > > > > command correctly. I have written to the hal developers, but have not
> > > > > received a response yet. Here's the current output:
> > > > >
> > > >
> > > > Can you try and see if you apply the patch from
> > > >
> > > > http://lkml.org/lkml/2005/7/8/257
> > > >
> > > > It should apply to your kernel.. I cannot get this to happen on my
> > > > system... the mtrr overlaps are just vesafb setting up the mtrrs, you
> > > > might try without vesafb...
> > >
> > > I will try booting without vesafb enabled.
> > >
> > > I get an error building with the patch applied to 2.6.13-rc2-git3:
> > >
> > > arch/i386/kernel/built-in.o(.text+0x4010): In function `die':
> > > arch/i386/kernel/traps.c:343: undefined reference to `last_sysfs_name'
> > > make: *** [.tmp_vmlinux1] Error 1
> >
> > Miles,
> > Here is an updated version of the patch that builds for me.
> > (uses last_sysfs_file instead of last_sysfs_name)
>
> I think I was able to reproduce this same bug on 2.6.13-rc4-mm1,
> here's the output (w/ apologies for long lines):
>
> Unable to handle kernel paging request at virtual address 762f7473
> printing eip:
> c01a8bcc
> *pde = 00000000
> Oops: 0002 [#1]
> PREEMPT SMP DEBUG_PAGEALLOC
> last sysfs file: /class/vc/vcs5/dev

gotcha.

> Modules linked in: cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave
> cpufreq_ondemand cpufreq_conservative ipv6 video thermal processor hotkey fan co
> ntainer button battery ac nfs lockd sunrpc af_packet tg3 ohci_hcd usbcore generi
> c serverworks i2c_piix4 i2c_core sworks_agp agpgart pcspkr rtc floppy tsdev dm_m
> od parport_pc lp parport ide_generic ide_disk ide_cd cdrom ide_core unix
> CPU: 0
> EIP: 0060:[<c01a8bcc>] Not tainted VLI
> EFLAGS: 00010246 (2.6.13-rc4-mm1)
> EIP is at sysfs_release+0x4c/0xb0
> eax: 762f7373 ebx: 762f7373 ecx: 00000001 edx: ef3c5000
> esi: f596a188 edi: f21fecc0 ebp: ef3c5f3c esp: ef3c5f2c
> ds: 007b es: 007b ss: 0068
> Process udev (pid: 11843, threadinfo=ef3c5000 task=ef78e550)
> Stack: f596a188 00000010 f762d580 c21bc944 ef3c5f68 c0166cea c21bc944 f762d580
> 00000000 00000000 c2137980 ec7e9748 f762d580 dcae7300 00000000 ef3c5f78
> c0166aeb f762d580 f762d580 ef3c5f94 c01650ab f762d580 dcae7300 dcae7300
> Call Trace:
> [<c010401f>] show_stack+0x7f/0xa0
> [<c01041d4>] show_registers+0x164/0x1d0
> [<c0104422>] die+0x122/0x1c0
> [<c030db1e>] do_page_fault+0x2ce/0x600
> [<c0103ccb>] error_code+0x4f/0x54
> [<c0166cea>] __fput+0x1da/0x1f0
> [<c0166aeb>] fput+0x2b/0x50
> [<c01650ab>] filp_close+0x4b/0x80
> [<c016514e>] sys_close+0x6e/0x90
> [<c010312f>] sysenter_past_esp+0x54/0x75
> Code: 85 f6 8b 40 14 8b 58 04 74 08 89 34 24 e8 0d 97 04 00 85 db 74 38 b8 01 00
> 00 00 e8 af 18 f7 ff e8 4a e5 04 00 c1 e0 07 8d 04 18 <ff> 88 00 01 00 00 83 3b
> 02 74 49 b8 01 00 00 00 e8 cf 18 f7 ff
> <6>note: udev[11843] exited with preempt_count 1
> Using generic hotkey driver
> ibm_acpi: acpi_evalf(DHKC, d, ...) failed: 4097
> ibm_acpi: `enable,0xffff' invalid for parameter `hotkey'
> toshiba_acpi: Unknown parameter `hotkeys_over_acpi'
> apm: BIOS not found.
>
> Let me see if I can reproduce this on either 2.6.13-rc4 or 2.6.13-rc6
>
> Machine is an IBM x335 (dual P4), and I'm not using any framebuffer
> stuff.
>

Keith, does this look like the use-after-free which you've been hitting?
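
An added example, not part of the original thread: a small triage script that decodes the registers from two of the oopses quoted above and flags values that are printable ASCII rather than kernel addresses, a common sign that the memory a pointer was loaded from has been reused for string data. The register lines are copied from the thread; the function names are this example's own.

```python
import re

# Fault address and register lines copied from the first oops in the thread.
OOPS_RC1_MM1 = """\
Unable to handle kernel paging request at virtual address 5f78735f
EIP is at sysfs_release+0x49/0xb0
eax: 5f78725f ebx: 5f78725f ecx: 00000001 edx: f7662000
esi: c19520a4 edi: f70b8a80 ebp: f7663f3c esp: f7663f2c
"""

# Same fields copied from the 2.6.13-rc4-mm1 oops later in the thread.
OOPS_RC4_MM1 = """\
Unable to handle kernel paging request at virtual address 762f7473
EIP is at sysfs_release+0x4c/0xb0
eax: 762f7373 ebx: 762f7373 ecx: 00000001 edx: ef3c5000
esi: f596a188 edi: f21fecc0 ebp: ef3c5f3c esp: ef3c5f2c
"""

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|ebp|esp):\s*([0-9a-f]{8})\b")
FAULT_RE = re.compile(r"virtual address ([0-9a-f]{8})")
PAGE_SIZE = 0x1000


def as_ascii(value):
    """Return the 4 little-endian bytes of value as text if all are printable."""
    raw = value.to_bytes(4, "little")
    if all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None


def triage(oops):
    """Return (register, hex value, ascii text, offset to fault address).

    Only registers whose value is entirely printable ASCII are reported.
    The offset is fault_address - register when that lands within one page
    above the register, otherwise None.
    """
    m = FAULT_RE.search(oops)
    fault = int(m.group(1), 16) if m else None
    findings = []
    for name, hexval in REG_RE.findall(oops):
        value = int(hexval, 16)
        text = as_ascii(value)
        if text is None:
            continue
        offset = None
        if fault is not None and 0 <= fault - value < PAGE_SIZE:
            offset = fault - value
        findings.append((name, hexval, text, offset))
    return findings


if __name__ == "__main__":
    for label, oops in (("2.6.13-rc1-mm1", OOPS_RC1_MM1),
                        ("2.6.13-rc4-mm1", OOPS_RC4_MM1)):
        for name, hexval, text, offset in triage(oops):
            where = "" if offset is None else f", fault at +{offset:#x}"
            print(f"{label}: {name}={hexval} is ASCII {text!r}{where}")
```

In both oopses the fault address is the flagged register plus 0x100, which matches the `ff 88 00 01 00 00` instruction (`decl 0x100(%eax)`) marked in the `Code:` line. The second value decodes to "ss/v", a substring of the `/class/vc/vcs5/dev` path printed as the last sysfs file in the same oops.
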



sonny at burdell

Aug 8, 2005, 1:18 PM

Post #12 of 14 (722 views)
Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0

On Mon, Aug 08, 2005 at 10:44:04AM -0700, Andrew Morton wrote:
> Sonny Rao <sonny [at] burdell> wrote:
> >
> > On Wed, Jul 13, 2005 at 12:42:15PM -0700, randy_dunlap wrote:
> > > On Wed, 13 Jul 2005 09:54:10 -0500 Miles Lane wrote:
> > >
> > > > On 7/13/05, Dave Airlie <airlied [at] gmail> wrote:
> > > > > > Thanks Dave,
> > > > > >
> > > > > > I switched to the i915 kernel driver and still got the OOPS.
> > > > > > I also continue to get the overlapping mtrr message. I am currently
> > > > > > testing 2.6.13-rc2-git3. I have tried to run strace with hald, but
> > > > > > cannot reproduce the problem this way. I am not sure I am invoking the
> > > > > > command correctly. I have written to the hal developers, but have not
> > > > > > received a response yet. Here's the current output:
> > > > > >
> > > > >
> > > > > Can you try and see if you apply the patch from
> > > > >
> > > > > http://lkml.org/lkml/2005/7/8/257
> > > > >
> > > > > It should apply to your kernel.. I cannot get this to happen on my
> > > > > system... the mtrr overlaps are just vesafb setting up the mtrrs, you
> > > > > might try without vesafb...
> > > >
> > > > I will try booting without vesafb enabled.
> > > >
> > > > I get an error building with the patch applied to 2.6.13-rc2-git3:
> > > >
> > > > arch/i386/kernel/built-in.o(.text+0x4010): In function `die':
> > > > arch/i386/kernel/traps.c:343: undefined reference to `last_sysfs_name'
> > > > make: *** [.tmp_vmlinux1] Error 1
> > >
> > > Miles,
> > > Here is an updated version of the patch that builds for me.
> > > (uses last_sysfs_file instead of last_sysfs_name)
> >
> > I think I was able to reproduce this same bug on 2.6.13-rc4-mm1,
> > here's the output (w/ apologies for long lines):
> >
> > Unable to handle kernel paging request at virtual address 762f7473
> > printing eip:
> > c01a8bcc
> > *pde = 00000000
> > Oops: 0002 [#1]
> > PREEMPT SMP DEBUG_PAGEALLOC
> > last sysfs file: /class/vc/vcs5/dev
>
> gotcha.
>
> > Modules linked in: cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave
> > cpufreq_ondemand cpufreq_conservative ipv6 video thermal processor hotkey fan co
> > ntainer button battery ac nfs lockd sunrpc af_packet tg3 ohci_hcd usbcore generi
> > c serverworks i2c_piix4 i2c_core sworks_agp agpgart pcspkr rtc floppy tsdev dm_m
> > od parport_pc lp parport ide_generic ide_disk ide_cd cdrom ide_core unix
> > CPU: 0
> > EIP: 0060:[<c01a8bcc>] Not tainted VLI
> > EFLAGS: 00010246 (2.6.13-rc4-mm1)
> > EIP is at sysfs_release+0x4c/0xb0
> > eax: 762f7373 ebx: 762f7373 ecx: 00000001 edx: ef3c5000
> > esi: f596a188 edi: f21fecc0 ebp: ef3c5f3c esp: ef3c5f2c
> > ds: 007b es: 007b ss: 0068
> > Process udev (pid: 11843, threadinfo=ef3c5000 task=ef78e550)
> > Stack: f596a188 00000010 f762d580 c21bc944 ef3c5f68 c0166cea c21bc944 f762d580
> > 00000000 00000000 c2137980 ec7e9748 f762d580 dcae7300 00000000 ef3c5f78
> > c0166aeb f762d580 f762d580 ef3c5f94 c01650ab f762d580 dcae7300 dcae7300
> > Call Trace:
> > [<c010401f>] show_stack+0x7f/0xa0
> > [<c01041d4>] show_registers+0x164/0x1d0
> > [<c0104422>] die+0x122/0x1c0
> > [<c030db1e>] do_page_fault+0x2ce/0x600
> > [<c0103ccb>] error_code+0x4f/0x54
> > [<c0166cea>] __fput+0x1da/0x1f0
> > [<c0166aeb>] fput+0x2b/0x50
> > [<c01650ab>] filp_close+0x4b/0x80
> > [<c016514e>] sys_close+0x6e/0x90
> > [<c010312f>] sysenter_past_esp+0x54/0x75
> > Code: 85 f6 8b 40 14 8b 58 04 74 08 89 34 24 e8 0d 97 04 00 85 db 74 38 b8 01 00
> > 00 00 e8 af 18 f7 ff e8 4a e5 04 00 c1 e0 07 8d 04 18 <ff> 88 00 01 00 00 83 3b
> > 02 74 49 b8 01 00 00 00 e8 cf 18 f7 ff
> > <6>note: udev[11843] exited with preempt_count 1
> > Using generic hotkey driver
> > ibm_acpi: acpi_evalf(DHKC, d, ...) failed: 4097
> > ibm_acpi: `enable,0xffff' invalid for parameter `hotkey'
> > toshiba_acpi: Unknown parameter `hotkeys_over_acpi'
> > apm: BIOS not found.
> >
> > Let me see if I can reproduce this on either 2.6.13-rc4 or 2.6.13-rc6
> >
> > Machine is an IBM x335 (dual P4), and I'm not using any framebuffer
> > stuff.
> >
>
> Keith, does this look like the use-after-free which you've been hitting?

So, I've tried reproducing on 2.6.13-rc6, 2.6.13-rc5-mm1, and (the
original kernel where I hit this) 2.6.13-rc4-mm1.

I haven't been able to reproduce at all, unfortunately...
As Keith noted before, this one is pretty elusive. I'm still up for
trying patches and rebooting a million times if someone has an idea.

Sonny


kaos at sgi

Aug 8, 2005, 4:09 PM

Post #13 of 14 (720 views)
Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0

On Mon, 8 Aug 2005 10:44:04 -0700,
Andrew Morton <akpm [at] osdl> wrote:
>Sonny Rao <sonny [at] burdell> wrote:
>> Modules linked in: cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave
>> cpufreq_ondemand cpufreq_conservative ipv6 video thermal processor hotkey fan co
>> ntainer button battery ac nfs lockd sunrpc af_packet tg3 ohci_hcd usbcore generi
>> c serverworks i2c_piix4 i2c_core sworks_agp agpgart pcspkr rtc floppy tsdev dm_m
>> od parport_pc lp parport ide_generic ide_disk ide_cd cdrom ide_core unix
>> CPU: 0
>> EIP: 0060:[<c01a8bcc>] Not tainted VLI
>> EFLAGS: 00010246 (2.6.13-rc4-mm1)
>> EIP is at sysfs_release+0x4c/0xb0
>> eax: 762f7373 ebx: 762f7373 ecx: 00000001 edx: ef3c5000
>> esi: f596a188 edi: f21fecc0 ebp: ef3c5f3c esp: ef3c5f2c
>> ds: 007b es: 007b ss: 0068
>> Process udev (pid: 11843, threadinfo=ef3c5000 task=ef78e550)
>> Stack: f596a188 00000010 f762d580 c21bc944 ef3c5f68 c0166cea c21bc944 f762d580
>> 00000000 00000000 c2137980 ec7e9748 f762d580 dcae7300 00000000 ef3c5f78
>> c0166aeb f762d580 f762d580 ef3c5f94 c01650ab f762d580 dcae7300 dcae7300
>> Call Trace:
>> [<c010401f>] show_stack+0x7f/0xa0
>> [<c01041d4>] show_registers+0x164/0x1d0
>> [<c0104422>] die+0x122/0x1c0
>> [<c030db1e>] do_page_fault+0x2ce/0x600
>> [<c0103ccb>] error_code+0x4f/0x54
>> [<c0166cea>] __fput+0x1da/0x1f0
>> [<c0166aeb>] fput+0x2b/0x50
>> [<c01650ab>] filp_close+0x4b/0x80
>> [<c016514e>] sys_close+0x6e/0x90
>> [<c010312f>] sysenter_past_esp+0x54/0x75
>> Code: 85 f6 8b 40 14 8b 58 04 74 08 89 34 24 e8 0d 97 04 00 85 db 74 38 b8 01 00
>> 00 00 e8 af 18 f7 ff e8 4a e5 04 00 c1 e0 07 8d 04 18 <ff> 88 00 01 00 00 83 3b
>> 02 74 49 b8 01 00 00 00 e8 cf 18 f7 ff
>> <6>note: udev[11843] exited with preempt_count 1
>> Using generic hotkey driver
>> ibm_acpi: acpi_evalf(DHKC, d, ...) failed: 4097
>> ibm_acpi: `enable,0xffff' invalid for parameter `hotkey'
>> toshiba_acpi: Unknown parameter `hotkeys_over_acpi'
>> apm: BIOS not found.
>>
>> Let me see if I can reproduce this on either 2.6.13-rc4 or 2.6.13-rc6
>>
>> Machine is an IBM x335 (dual P4), and I'm not using any framebuffer
>> stuff.
>>
>
>Keith, does this look like the use-after-free which you've been hitting?

It is certainly in the same place, freeing the data that is chained off
sd->s_element. This oops does not show any memory poisoning, but I am
guessing that the kernel was not compiled with slab debugging. On
balance, it looks like the same problem.
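
The poisoning check discussed in the post above, as an added triage example that is not part of the original thread: it classifies each register in an i386 oops as slab poison, ASCII text, or a kernel address. The function names are hypothetical; the poison bytes are the slab debug fill values (listed in include/linux/poison.h in current kernels) and PAGE_OFFSET assumes the default 3G/1G split.

```python
import re
from collections import Counter

# Slab debug fill bytes (assumption: values as in include/linux/poison.h).
POISON = {0x6B: "POISON_FREE", 0x5A: "POISON_INUSE", 0xA5: "POISON_END"}
PAGE_OFFSET = 0xC0000000  # assumption: default i386 3G/1G user/kernel split

# Register lines copied from the 2.6.13-rc4-mm1 oops quoted in this thread.
OOPS = """\
eax: 762f7373 ebx: 762f7373 ecx: 00000001 edx: ef3c5000
esi: f596a188 edi: f21fecc0 ebp: ef3c5f3c esp: ef3c5f2c
"""

REG = re.compile(r"\b(e(?:[abcd]x|[sd]i|[bs]p)):\s*([0-9a-f]{8})\b")


def classify(value):
    """Return a short verdict for one 32-bit register value."""
    raw = value.to_bytes(4, "little")  # i386 stores the low byte first
    byte, count = Counter(raw).most_common(1)[0]
    # Poison is tested first: 0x6b ('k') and 0x5a ('Z') are also printable.
    # Three of four bytes is enough, since a poisoned pointer plus a small
    # field offset only disturbs one byte (0x6b6b6b6b + 0x100 = 0x6b6b6c6b).
    if byte in POISON and count >= 3:
        return "slab poison (%s)" % POISON[byte]
    if all(0x20 <= b <= 0x7E for b in raw):
        return "ASCII %r" % raw.decode("ascii")
    if value >= PAGE_OFFSET:
        return "kernel address"
    return "other"


def triage(oops_text):
    """Map every register found in the oops text to its verdict."""
    return {reg: classify(int(val, 16)) for reg, val in REG.findall(oops_text)}


if __name__ == "__main__":
    for reg, verdict in triage(OOPS).items():
        print("%s: %s" % (reg, verdict))
```

On these register lines eax and ebx decode to the text `ss/v`, which is string data rather than a pointer or a poison pattern; the same four characters occur in the reported last sysfs file, /class/vc/vcs5/dev.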



sonny at burdell

Aug 8, 2005, 4:59 PM

Post #14 of 14 (725 views)
Re: OOPS in 2.6.13-rc1-mm1 -- EIP is at sysfs_release+0x49/0xb0

On Tue, Aug 09, 2005 at 09:09:57AM +1000, Keith Owens wrote:
> On Mon, 8 Aug 2005 10:44:04 -0700,
> Andrew Morton <akpm [at] osdl> wrote:
> >Sonny Rao <sonny [at] burdell> wrote:
> >> Modules linked in: cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave
> >> cpufreq_ondemand cpufreq_conservative ipv6 video thermal processor hotkey fan co
> >> ntainer button battery ac nfs lockd sunrpc af_packet tg3 ohci_hcd usbcore generi
> >> c serverworks i2c_piix4 i2c_core sworks_agp agpgart pcspkr rtc floppy tsdev dm_m
> >> od parport_pc lp parport ide_generic ide_disk ide_cd cdrom ide_core unix
> >> CPU: 0
> >> EIP: 0060:[<c01a8bcc>] Not tainted VLI
> >> EFLAGS: 00010246 (2.6.13-rc4-mm1)
> >> EIP is at sysfs_release+0x4c/0xb0
> >> eax: 762f7373 ebx: 762f7373 ecx: 00000001 edx: ef3c5000
> >> esi: f596a188 edi: f21fecc0 ebp: ef3c5f3c esp: ef3c5f2c
> >> ds: 007b es: 007b ss: 0068
> >> Process udev (pid: 11843, threadinfo=ef3c5000 task=ef78e550)
> >> Stack: f596a188 00000010 f762d580 c21bc944 ef3c5f68 c0166cea c21bc944 f762d580
> >> 00000000 00000000 c2137980 ec7e9748 f762d580 dcae7300 00000000 ef3c5f78
> >> c0166aeb f762d580 f762d580 ef3c5f94 c01650ab f762d580 dcae7300 dcae7300
> >> Call Trace:
> >> [<c010401f>] show_stack+0x7f/0xa0
> >> [<c01041d4>] show_registers+0x164/0x1d0
> >> [<c0104422>] die+0x122/0x1c0
> >> [<c030db1e>] do_page_fault+0x2ce/0x600
> >> [<c0103ccb>] error_code+0x4f/0x54
> >> [<c0166cea>] __fput+0x1da/0x1f0
> >> [<c0166aeb>] fput+0x2b/0x50
> >> [<c01650ab>] filp_close+0x4b/0x80
> >> [<c016514e>] sys_close+0x6e/0x90
> >> [<c010312f>] sysenter_past_esp+0x54/0x75
> >> Code: 85 f6 8b 40 14 8b 58 04 74 08 89 34 24 e8 0d 97 04 00 85 db 74 38 b8 01 00
> >> 00 00 e8 af 18 f7 ff e8 4a e5 04 00 c1 e0 07 8d 04 18 <ff> 88 00 01 00 00 83 3b
> >> 02 74 49 b8 01 00 00 00 e8 cf 18 f7 ff
> >> <6>note: udev[11843] exited with preempt_count 1
> >> Using generic hotkey driver
> >> ibm_acpi: acpi_evalf(DHKC, d, ...) failed: 4097
> >> ibm_acpi: `enable,0xffff' invalid for parameter `hotkey'
> >> toshiba_acpi: Unknown parameter `hotkeys_over_acpi'
> >> apm: BIOS not found.
> >>
> >> Let me see if I can reproduce this on either 2.6.13-rc4 or 2.6.13-rc6
> >>
> >> Machine is an IBM x335 (dual P4), and I'm not using any framebuffer
> >> stuff.
> >>
> >
> >Keith, does this look like the use-after-free which you've been hitting?
>
> It is certainly in the same place, freeing the data that is chained off
> sd->s_element. This oops does not show any memory poisoning, but I am
> guessing that the kernel was not compiled with slab debugging. On
> balance, it looks like the same problem.

You are correct; I didn't have slab debugging on.
