On Tue, 2011-09-20 at 10:12 +0400, rush wrote:
> Hi,
>
> There are several Not tainted lines in old messages file. There are all of them:
>
> Sep 10 22:35:33 xen-dom0 kernel: [24183.985513] Pid: 2605, comm:
> debootstrap Not tainted 3.0.0-1-amd64 #1 Intel Corporation
> S1200BTL/S1200BTL
> Sep 10 22:35:33 xen-dom0 kernel: [24183.985621] RIP:
> e030:[<ffffffff810106db>] [<ffffffff810106db>]
> __sanitize_i387_state+0x23/0xe1
Source/disassembly:
void __sanitize_i387_state(struct task_struct *tsk)
{
u64 xstate_bv;
int feature_bit = 0x2;
struct i387_fxsave_struct *fx = &tsk->thread.fpu.state->fxsave;
ffffffff810106b8: 48 8b 97 48 04 00 00 mov 0x448(%rdi),%rdx
if (!fx)
return;
ffffffff810106bf: 48 85 d2 test %rdx,%rdx
ffffffff810106c2: 0f 84 d0 00 00 00 je 0xffffffff81010798
BUG_ON(task_thread_info(tsk)->status & TS_USEDFPU);
ffffffff810106c8: 48 8b 47 08 mov 0x8(%rdi),%rax
ffffffff810106cc: f6 40 14 01 testb $0x1,0x14(%rax)
ffffffff810106d0: 74 02 je 0xffffffff810106d4
ffffffff810106d2: 0f 0b ud2
xstate_bv = tsk->thread.fpu.state->xsave.xsave_hdr.xstate_bv;
ffffffff810106db: 48 8b b2 00 02 00 00 mov 0x200(%rdx),%rsi
So tsk->thread.fpu.state in RDX seems to be invalid.
> Sep 10 22:35:33 xen-dom0 kernel: [24183.985716] RSP:
> e02b:ffff8803bd2c5e00 EFLAGS: 00010246
> Sep 10 22:35:33 xen-dom0 kernel: [24183.985767] RAX: 0000000000000000
> RBX: 00007fff3d69ecc0 RCX: 0000000000000200
> Sep 10 22:35:33 xen-dom0 kernel: [24183.985824] RDX: ffff8803be0e8e00
> RSI: ffff8803bd2c5fd8 RDI: ffff8803bd65aa30
[...]
RDX looks like a reasonable kernel memory pointer. Given the hostname,
I assume this kernel is running under Xen. So could this be a
use-after-free where the freed page has been unmapped for reallocation
by the hypervisor? Can that happen to arbitrary pages in the dom0
kernel?
Ben.
--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
Attachment:
signature.asc
Description: This is a digitally signed message part