msync() bug

From: Abraham vd Merwe (abraham@2d3d.co.za)
Date: Mon Jul 09 2001 - 03:50:44 EST

Hi!

I was preparing some lecture last night and stumbled onto this bug. Maybe
some of you can shed some light on it.

Basically, I just memory map /dev/mem at 0xb8000 (text mode - yes I know you
shouldn't do this, but it was to illustrate something), reads 4k, changes it
writes it back.

Now everything works fine unless I do an msync() in which case I get an oops:

------------< snip <------< snip <------< snip <------------
root@oasis:~/tuesday-clug-talk/text-mode# ./text-mode
Unable to handle kernel NULL pointer dereference at virtual address 00000008
 printing eip:
 c011e752
 *pde = 00000000
 Oops: 0000
 CPU: 0
 EIP: 0010:[<c011e752>]
 EFLAGS: 00010246
 eax: c10030f0 ebx: c10030f0 ecx: 00000000 edx: c10030f0
 esi: 00017000 edi: cc75d404 ebp: cc7cf05c esp: cc75ff38
 ds: 0018 es: 0018 ss: 0018
 Process text-mode (pid: 516, stackpage=cc75f000)
 Stack: 00417000 c0120515 c10030f0 00000004 ccddf1a0 40018000 00000000 40017000
        cc75d404 40417000 cc75e000 00018000 40000000 00018000 40000000 00000000
            40018000 c0120627 cceed420 40017000 00001000 00000004 cceed420 40017000
Call Trace: [<c0120515>] [<c0120627>] [<c012072d>] [<c0106d6b>]

Code: 8b 51 08 89 42 04 89 10 8d 51 08 89 50 04 89 41 08 8b 41 20
Segmentation fault
root@oasis:~/tuesday-clug-talk/text-mode#
root@oasis:~# cat /proc/ksyms | grep c011f
c011f000 ___wait_on_page_Rf9de9e1d
c011fb74 generic_file_read_Reaf528e4
c011f614 do_generic_file_read_Rc634b32a
c011f1d8 __find_lock_page_R31595861
c011ff68 filemap_nopage_R50c6d0e7
c011f154 lock_page_R7c236ed9
root@oasis:~# cat /proc/ksyms | grep c0120
c012057c generic_file_mmap_Rf655e8fd
c0120368 filemap_sync_R86ba6830
root@oasis:~# cat /proc/ksyms | grep c0106
root@oasis:~# cat /proc/ksyms | grep c0105
c01051bc machine_real_restart_R3da1b07a
c01055ac dump_thread_Rae90b20c
c01053fc kernel_thread_R7e9ebb05
c0105a60 __down_failed
c0105a6c __down_failed_interruptible
c0105a78 __down_failed_trylock
c0105a84 __up_wakeup
c0105aac __down_write_failed
c0105a90 __down_read_failed
c0105cd0 __rwsem_wake
c0105840 get_wchan_R280eab06
c0105110 disable_hlt_R794487ee
c0105118 enable_hlt_R9c7077bd
c0105264 machine_restart_Re6e3ef70
c01052e4 machine_halt_R9aa32630
c01052e8 machine_power_off_R091c824a
root@oasis:~# cat /proc/ksyms | grep c011e
c011e1b4 do_brk_R9eecde16
c011e778 invalidate_inode_pages_R93da71b9
c011e98c truncate_inode_pages_R721e7180
c011eb28 generic_buffer_fdatasync_Ra1c05088
------------< snip <------< snip <------< snip <------------

So call trace translates to something like:

filemap_nopage(), generic_file_mmap(), __down_failed_interruptible()

and we were somewhere in do_brk() when it oopsed.

Any ideas why this happened? Also, if I don't use msync() the problem goes
away so my guess is something's wrong with the msync() system call.

I've attached the small C program that caused this. Also, I can only get it
to oops once (after that I have to reboot again to get it to oops). 

-- 

Regards
 Abraham

Best of all is never to have been born.  Second best is to die soon.

__________________________________________________________
 Abraham vd Merwe - 2d3D, Inc.

 Device Driver Development, Outsourcing, Embedded Systems

  Cell: +27 82 565 4451         Snailmail:
   Tel: +27 21 761 7549            Block C, Antree Park
   Fax: +27 21 761 7648            Doncaster Road
 Email: abraham@2d3d.co.za         Kenilworth, 7700
  Http: http://www.2d3d.com        South Africa

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/

This archive was generated by hypermail 2b29 : Sun Jul 15 2001 - 21:00:09 EST