lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <200801292254.02186.nai.xia@gmail.com>
Date:	Tue, 29 Jan 2008 22:54:02 +0800
From:	Nai Xia <nai.xia@...il.com>
To:	Jan Kara <jack@...e.cz>, linux-kernel@...r.kernel.org
Subject: Re: Oops in touch_atime for kernel 2.6.23.12

Hi,

Sorry for the late reply, I was off for a few days. 
Saddly, I never reproduced the bug. 
I moved my main machine to an older kernel and let a virtual machine track down the bug, 
but it never appeared again --- possibly because of the simpler hardwares.


And just as you say, I also think it should not be that place which origins the bug,
because no inner called functions even touched the stack. 
I think "mov    (%esp),%ebx" can only be bad on a corrupted stack. 


I will come up with more detailed info if the same problem appears 
and I catch the very first bug.

Thanks a lot for your responding. 

On Thursday 10 January 2008, you wrote:
>   Hi,
> 
>   thanks for your report.
> 
> > I'm using Debian unstable/sid/lenny with homemade kernel 2.6.23.12 
> > patched with tuxonice-3.0-rc3-for-2.6.23.9 and compiled with 
> > gcc version 4.2.3 20071123 (prerelease) (Debian 4.2.2-4).
> > 
> > My root file system is xfs which does not have "noatime" option.
> > I was "tar xf"ing a big tar ball when this happen and ultimately leads to a 
> > hang  up. I am trying to reproduce it again in a similar setting virutal 
> > machine,but till now it does not happen again. 
> > I will provide further details if it appears again.
> > 
> > The objdump for touch_atime of my vmlinux is as follows:
> > 
> > c0191870 <touch_atime>:
> > c0191870:	83 ec 0c             	sub    $0xc,%esp
> > c0191873:	89 c1                	mov    %eax,%ecx
> > c0191875:	89 1c 24             	mov    %ebx,(%esp)
> > c0191878:	89 74 24 04          	mov    %esi,0x4(%esp)
> > c019187c:	89 7c 24 08          	mov    %edi,0x8(%esp)
> > c0191880:	8b 5a 08             	mov    0x8(%edx),%ebx
> > c0191883:	f6 83 1c 01 00 00 02 	testb  $0x2,0x11c(%ebx)
> > c019188a:	0f 85 92 00 00 00    	jne    c0191922 <touch_atime+0xb2>
> > c0191890:	8b bb 88 00 00 00    	mov    0x88(%ebx),%edi
> > c0191896:	8b 47 30             	mov    0x30(%edi),%eax
> > c0191899:	a9 01 04 00 00       	test   $0x401,%eax
> > c019189e:	0f 85 7e 00 00 00    	jne    c0191922 <touch_atime+0xb2>
> > c01918a4:	f6 c4 08             	test   $0x8,%ah
> > c01918a7:	74 10                	je     c01918b9 <touch_atime+0x49>
> > c01918a9:	0f b7 43 66          	movzwl 0x66(%ebx),%eax
> > c01918ad:	25 00 f0 00 00       	and    $0xf000,%eax
> > c01918b2:	3d 00 40 00 00       	cmp    $0x4000,%eax
> > c01918b7:	74 69                	je     c0191922 <touch_atime+0xb2>
> > c01918b9:	85 c9                	test   %ecx,%ecx
> > c01918bb:	0f 84 b7 00 00 00    	je     c0191978 <touch_atime+0x108>
> > c01918c1:	8b 51 28             	mov    0x28(%ecx),%edx
> > c01918c4:	f6 c2 08             	test   $0x8,%dl
> > c01918c7:	75 59                	jne    c0191922 <touch_atime+0xb2>
> > c01918c9:	f6 c2 10             	test   $0x10,%dl
> > c01918cc:	75 63                	jne    c0191931 <touch_atime+0xc1>
> > c01918ce:	83 e2 20             	and    $0x20,%edx
> > c01918d1:	8d 73 44             	lea    0x44(%ebx),%esi
> > c01918d4:	74 0d                	je     c01918e3 <touch_atime+0x73>
> > c01918d6:	8b 43 44             	mov    0x44(%ebx),%eax
> > c01918d9:	8d 53 4c             	lea    0x4c(%ebx),%edx
> > c01918dc:	39 43 4c             	cmp    %eax,0x4c(%ebx)
> > c01918df:	7c 39                	jl     c019191a <touch_atime+0xaa>
> > c01918e1:	7e 2f                	jle    c0191912 <touch_atime+0xa2>
> > c01918e3:	89 f8                	mov    %edi,%eax
> > c01918e5:	e8 e6 04 f9 ff       	call   c0121dd0 <current_fs_time>
> > c01918ea:	39 43 44             	cmp    %eax,0x44(%ebx)
> > c01918ed:	8d 76 00             	lea    0x0(%esi),%esi
> > c01918f0:	74 5e                	je     c0191950 <touch_atime+0xe0>
> > c01918f2:	89 53 48             	mov    %edx,0x48(%ebx)
> > c01918f5:	ba 01 00 00 00       	mov    $0x1,%edx
> > c01918fa:	89 43 44             	mov    %eax,0x44(%ebx)
> > c01918fd:	89 d8                	mov    %ebx,%eax
> > c01918ff:		8b 74 24 04          	mov    0x4(%esp),%esi
> > c0191903:	8b 1c 24             	mov    (%esp),%ebx
> > c0191906:	8b 7c 24 08          	mov    0x8(%esp),%edi
> > c019190a:	83 c4 0c             	add    $0xc,%esp
> > c019190d:	e9 ce 8c 00 00       	jmp    c019a5e0 <__mark_inode_dirty>
> > c0191912:	8b 4e 04             	mov    0x4(%esi),%ecx
> > c0191915:	39 4a 04             	cmp    %ecx,0x4(%edx)
> > c0191918:	79 c9                	jns    c01918e3 <touch_atime+0x73>
> > c019191a:	3b 43 54             	cmp    0x54(%ebx),%eax
> > c019191d:	8d 53 54             	lea    0x54(%ebx),%edx
> > c0191920:	7e 35                	jle    c0191957 <touch_atime+0xe7>
> > 
> > c0191922:	8b 1c 24             	mov    (%esp),%ebx
>   This is really strange - we tried to load a value from a stack and
> oopsed...
> 
> > c0191925:	8b 74 24 04          	mov    0x4(%esp),%esi
> > c0191929:	8b 7c 24 08          	mov    0x8(%esp),%edi
> > c019192d:	83 c4 0c             	add    $0xc,%esp
> > c0191930:	c3                   	ret    
> > c0191931:	0f b7 43 66          	movzwl 0x66(%ebx),%eax
> > c0191935:	25 00 f0 00 00       	and    $0xf000,%eax
> > c019193a:	3d 00 40 00 00       	cmp    $0x4000,%eax
> > c019193f:	74 e1                	je     c0191922 <touch_atime+0xb2>
> > c0191941:	83 e2 20             	and    $0x20,%edx
> > c0191944:	8d 73 44             	lea    0x44(%ebx),%esi
> > c0191947:	74 9a                	je     c01918e3 <touch_atime+0x73>
> > c0191949:	eb 8b                	jmp    c01918d6 <touch_atime+0x66>
> > c019194b:	90                   	nop    
> > c019194c:	8d 74 26 00          	lea    0x0(%esi),%esi
> > c0191950:	39 56 04             	cmp    %edx,0x4(%esi)
> > c0191953:	75 9d                	jne    c01918f2 <touch_atime+0x82>
> > c0191955:	eb cb                	jmp    c0191922 <touch_atime+0xb2>
> > c0191957:	89 f6                	mov    %esi,%esi
> > c0191959:	8d bc 27 00 00 00 00 	lea    0x0(%edi),%edi
> > c0191960:	0f 8c 7d ff ff ff    	jl     c01918e3 <touch_atime+0x73>
> > c0191966:	8b 46 04             	mov    0x4(%esi),%eax
> > c0191969:	39 42 04             	cmp    %eax,0x4(%edx)
> > c019196c:	8d 74 26 00          	lea    0x0(%esi),%esi
> > c0191970:	0f 89 6d ff ff ff    	jns    c01918e3 <touch_atime+0x73>
> > c0191976:	eb aa                	jmp    c0191922 <touch_atime+0xb2>
> > c0191978:	8d 73 44             	lea    0x44(%ebx),%esi
> > c019197b:	90                   	nop    
> > c019197c:	8d 74 26 00          	lea    0x0(%esi),%esi
> > c0191980:	e9 5e ff ff ff       	jmp    c01918e3 <touch_atime+0x73>
> > c0191985:	90                   	nop    
> > c0191986:	90                   	nop    
> > c0191987:	90                   	nop    
> > c0191988:	90                   	nop    
> > c0191989:	90                   	nop    
> > c019198a:	90                   	nop    
> > c019198b:	90                   	nop    
> > c019198c:	90                   	nop    
> > c019198d:	90                   	nop    
> > c019198e:	90                   	nop    
> > c019198f:	90                   	nop    
> > 
> > 
> > 
> > code: 00 00 00 89 43 44 89 d8 8b 74 24 04 8b ff e9 8b 7c 24 08 83 c4 a0 01 ce 
> > 8c 00 00 8b 4e 00 00 4a 04 79 c9 3b 43 8b 54 53 54 7e 35 <8b> 1c 00 00 74 24 
> > 04 8b 7c 24 40 28 c4 0c c3 0f b7 43 8b 4c 00
> > EIP: [<c0191922>] touch_atime+0xb2/0x120 SS:ESP 0068:da1cbd80
> > BUG: unable to handle kernel paging request at virtual address 8efc67ce
> > printing eip:
> > c0191922
> > *pde = 00000000
> > Oops: 0000 [#196]
> > PREEMPT
> > Modules linked in: radeon drm binfmt_misc vboxdrv ipt_MASQUERADE iptable_nat 
> > nf_nat nf_conntrack_ipv4 nf_conntrack iptable_filter ip_tables x_tables nfsd 
> > exportfs auth_rpcgss ipv6 nfs lockd sunrpc dm_snapshot usbhid hid pcmcia 
> > snd_intel8x0 snd_intel8x0m snd_ac97_codec ac97_bus snd_pcm_oss snd_pcm 
> > snd_mixer_oss joydev tsdev snd_seq_dummy snd_seq_oss video backlight 
> > snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq yenta_socket snd_timer 
> > snd_seq_device ehci_hcd e1000 uhci_hcd rsrc_nonstatic pcmcia_core snd thermal 
> > psmouse i2c_i801 soundcore serio_raw usbcore snd_page_alloc pcspkr evdev
> > CPU:    0
> > EIP:    0060:[<c0191922>]    Tainted: G      D VLI
>   The D flag here indicates that the kernel has already oopsed before.
> The first oops will be probably more important (this second one is
> likely just an fallout). Are you able to get the first oops?
> 
> > EFLAGS: 00010246   (2.6.23.12 #1)
> > EIP is at touch_atime+0xb2/0x120
> > eax: 477e33e7   ebx: ef611618   ecx: 00000001   edx: 256ccdf0
> > esi: ef61165c   edi: efe57800   ebp: 00000000   esp: d6847d80
> > ds: 007b   es: 007b   fs: 0000  gs: 0033  ss: 0068
> > Process syslogd (pid: 4541, ti=d6846000 task=d8956a80 task.ti=d6846000)
> > Stack: 00000000 00000180 cf24a200 c015b415 00001000 00000000 00000000 00000000
> > 00000000 cf24a200 cf24a244 ef6116ac ef611618 00000180 00000001 00000000
> > 00000000 00000000 00001000 00000000 00000000 00000000 00000020 00000000
> > Call Trace:
> > [<c015b415>] do_generic_mapping_read+0x3f5/0x4e0
> > [<c015d04a>] generic_file_aio_read+0xba/0x1d0
> > [<c015a8e0>] file_read_actor+0x0/0x130
> > [<c018e06c>] dput+0x1c/0x160
> > [<c02b6b06>] xfs_read+0x156/0x380
> > [<c02b32ec>] xfs_file_aio_read+0x6c/0x80
> > [<c017c845>] do_sync_read+0xd5/0x120
> > [<c015d160>] filemap_fault+0x0/0x450
> > [<c015d160>] filemap_fault+0x0/0x450
> > [<c01302b0>] autoremove_wake_function+0x0/0x50
> > [<c011706b>] do_page_fault+0x18b/0x680
> > [<c017d111>] vfs_read+0xa1/0x140
> > [<c017c770>] do_sync_read+0x0/0x120
> > [<c017d551>] sys_read+0x41/0x70
> > [<c010411e>] sysenter_past_esp+0x5f/0x85
> > =======================
> > Code: 00 00 00 89 43 44 89 d8 8b 74 24 04 8b ff e9 8b 7c 24 08 83 c4 a0 01 ce 
> > 8c 00 00 8b 4e 00 00 4a 04 79 c9 3b 43 8b 54 53 54 7e 35 <8b> 1c 00 00 74 24 
> > 04 8b 7c 24 40 28 c4 0c c3 0f b7 43 8b 4c 00
> 
> 								Honza



-- 
Best Regards,

Nai
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ