2.0.27 crash analysis

Michael Brennen (mbrennen@fni.com)
Wed, 5 Feb 1997 14:38:57 -0600 (CST)


Picked up the following crash(es) this morning after a few days on 2.0.27;
I'm back on 2.0.26 for now, as it has been stable for me so far.

There were several different faults in the series; I've broken them out
with ksymoops analysis after each one. Hopefully I've done this right;
this is the first fault I've chased this far.

This kernel does have Alan Cox's synpatch installed.

-- Michael

general protection: 0000
CPU: 0
EIP: 0010:[<0014c5ac>]
EFLAGS: 00010246
eax: c00010e4 ebx: 022c0c00 ecx: 03077f64 edx: 00000043
esi: 03077ed8 edi: 00000000 ebp: 00000000 esp: 03077e80
ds: 0018 es: 0018 fs: 002b gs: 002b ss: 0018
Process tcpd (pid: 28329, process nr: 51, stackpage=03077000)
Stack: 022c0c00 03077f64 00000400 00000000 00000000 03077ed8 00000400 009eb2e8
01c0bf00 03077ee4 0013559b 009eb370 03077f64 00000400 00000000 00000000
03077ed8 bffff1fc 0000000b bffff234 bffff230 009eb370 022c0018 bffff244
Call Trace: [<0013559b>] [<001232ea>] [<00118754>] [<001346fa>] [<00135cbb>] [<0010a5a5>]
Code: ff d0 83 c4 18 5b 5e 5f 5d c3 8d 36 b8 f5 ff ff ff 5b 5e 5f

Using `/boot/System.map.2.0.27.s' to map addresses to symbols.

>>EIP: 14b508 <get_new_socknum+60/e0>
Trace: 14ba41 <inet_autobind+1d/64>
Trace: 14c58e <inet_recvmsg+52/88>
Trace: 13559b <sys_recvfrom+12f/174>
Trace: 118754 <do_wp_page>
Trace: 1346fa <sock_write+9e/b4>
Trace: 135cbb <sys_socketcall+23b/2dc>
Trace: 10a5a5 <system_call+55/80>

Code: 14b508 <get_new_socknum+60/e0> movl 0x58(%eax),%eax
Code: 14b50b <get_new_socknum+63/e0> incl %edx
Code: 14b50c <get_new_socknum+64/e0> testl %eax,%eax
Code: 14b50e <get_new_socknum+66/e0> jne 14b508 <get_new_socknum+60/e0>
Code: 14b510 <get_new_socknum+68/e0> testl %edx,%edx
Code: 14b512 <get_new_socknum+6a/e0> jne 14b53c <get_new_socknum+94/e0>
Code: 14b514 <get_new_socknum+6c/e0> movl 0x1b8748,%eax
Code: 14b519 <get_new_socknum+71/e0> incl %eax
Code: 14b51a <get_new_socknum+72/e0> addl %ecx,%eax
Code: 14b51c <get_new_socknum+74/e0>

invalid operand: 0000
CPU: 0
EIP: 0010:[<0000010b>]
EFLAGS: 00010206
eax: 009eb370 ebx: 022c0c00 ecx: 03046808 edx: 00000000
esi: 000001d1 edi: 009eb370 ebp: 00000001 esp: 03077d78
ds: 0018 es: 0018 fs: 002b gs: 002b ss: 0018
Process tcpd (pid: 28329, process nr: 51, stackpage=03077000)
Stack: 0014bf38 022c0c00 00000000 009eb2e8 00000000 00134554 009eb370 00000000
009eb2e8 009eb2e8 009eb2e8 03bdb810 0013478d 009eb370 01c0bf00 00120b24
009eb2e8 01c0bf00 00000000 01c0bf00 00120b94 01c0bf00 009eb2e8 00000003
Call Trace: [<0014bf38>] [<00134554>] [<0013478d>] [<00120b24>] [<00120b94>] [<0011523e>] [<0010ab53>]
[<05000000>] [<04800000>] [<0010aef0>] [<0010aec8>] [<0010a730>] [<0014c5ac>] [<0013559b>] [<001232ea>]
[<00118754>] [<001346fa>] [<00135cbb>] [<0010a5a5>]
Code: f0 f2 4f 00 c0 6f ef 00 f0 6f ef 00 f0 6f ef 00 f0 6f ef 00

Using `/boot/System.map.2.0.27.s' to map addresses to symbols.

>>EIP: 14c5ac <inet_recvmsg+70/88>
Trace: 13559b <sys_recvfrom+12f/174>
Trace: 1232ea <getblk+3a/468>
Trace: 118754 <do_wp_page>
Trace: 1346fa <sock_write+9e/b4>
Trace: 135cbb <sys_socketcall+23b/2dc>
Trace: 10a5a5 <system_call+55/80>

Code: 14c5ac <inet_recvmsg+70/88> call *%eax
Code: 14c5ae <inet_recvmsg+72/88> addl $0x18,%esp
Code: 14c5b1 <inet_recvmsg+75/88> popl %ebx
Code: 14c5b2 <inet_recvmsg+76/88> popl %esi
Code: 14c5b3 <inet_recvmsg+77/88> popl %edi
Code: 14c5b4 <inet_recvmsg+78/88> popl %ebp
Code: 14c5b5 <inet_recvmsg+79/88> ret
Code: 14c5b6 <inet_recvmsg+7a/88> leal (%esi),%esi
Code: 14c5b8 <inet_recvmsg+7c/88> movl $0xfffffff5,%eax
Code: 14c5bd <inet_recvmsg+81/88> popl %ebx
Code: 14c5be <inet_recvmsg+82/88> popl %esi
Code: 14c5bf <inet_recvmsg+83/88> popl %edi
Code: 14c5c0 <inet_recvmsg+84/88>

general protection: 0000
CPU: 0
EIP: 0010:[<001106c2>]
EFLAGS: 00010093
eax: ffffffff ebx: 00000286 ecx: 03d8ee64 edx: 96f000ec
esi: ffffffff edi: ffffffff ebp: 03d8ee44 esp: 03d8ee40
ds: 0018 es: 0018 fs: 002b gs: 002b ss: 0018
Process named (pid: 170, process nr: 9, stackpage=03d8e000)
Stack: 03e56810 03d8ee78 001102bb 03d8ee64 0000004c 03d8ef14 00000000 ffffffff
03795810 00000000 00000000 ffffffff 03e56810 00110028 0000004c 0012bf2f
00000100 00000000 00000000 bffff9e0 00000000 00000008 00b2e000 00000038
Call Trace: [<001102bb>] [<00110028>] [<0012bf2f>] [<0012c197>] [<0010f5e7>] [<0010a5a5>]
Code: 39 42 08 72 f9 89 11 8b 42 04 89 41 04 89 4a 04 8b 41 04 89

Using `/boot/System.map.2.0.27.s' to map addresses to symbols.

Trace: 14bf38 <inet_release+64/6c>
Trace: 134554 <sock_release+5c/9c>
Trace: 13478d <sock_close+25/2c>
Trace: 120b24 <__fput+1c/40>
Trace: 120b94 <close_fp+4c/5c>
Trace: 11523e <do_exit+112/1ec>
Trace: 10ab53 <die_if_kernel+2b7/2c0>
Trace: 5000000
Trace: 4800000
Trace: 10aef0 <do_general_protection+28/54>
Trace: 10aef0 <do_general_protection+28/54>
Trace: 10a730 <error_code+40/50>
Trace: 14c5ac <inet_recvmsg+70/88>
Trace: 13559b <sys_recvfrom+12f/174>
Trace: 1232ea <getblk+3a/468>
Trace: 118754 <do_wp_page>
Trace: 1346fa <sock_write+9e/b4>
Trace: 135cbb <sys_socketcall+23b/2dc>
Trace: 10a5a5 <system_call+55/80>

Code: repnz lock decl %edi
Code: addb %al,%al
Code: outsl %ds:(%esi),(%dx)
Code: outl %eax,(%dx)
Code: addb %dh,%al
Code: outsl %ds:(%esi),(%dx)
Code: outl %eax,(%dx)
Code: addb %dh,%al
Code: outsl %ds:(%esi),(%dx)
Code: outl %eax,(%dx)
Code: addb %dh,%al
Code: outsl %ds:(%esi),(%dx)
Code: outl %eax,(%dx)
Code: addb %al,(%eax)
Code: nop
Code: nop
Code: nop

general protection: 0000
CPU: 0
EIP: 0010:[<001106d5>]
EFLAGS: 00010086
eax: f000ef6f ebx: 00000202 ecx: 00ee15c8 edx: 00000000
esi: 00ee1410 edi: 00ee14b4 ebp: 03d8ed18 esp: 03d8ed14
ds: 0018 es: 0018 fs: 002b gs: 002b ss: 0018
Process named (pid: 170, process nr: 9, stackpage=03d8e000)
Stack: 00000202 00000003 00139c5e 00ee15c8 00139d56 00ee1410 00ee1808 00ee1410
03f92940 0013a07d 00ee1410 03f928b8 00000000 03f92940 00134554 03f92940
00000000 03f928b8 03f928b8 03f928b8 03d3e018 0013478d 03f92940 00f87900
Call Trace: [<00139c5e>] [<00139d56>] [<0013a07d>] [<00134554>] [<0013478d>] [<00120b24>] [<00120b94>]
[<0011523e>] [<0010ab53>] [<05000000>] [<04800000>] [<0010aef0>] [<0010aec8>] [<0010a730>] [<001106c2>]
[<001102bb>] [<00110028>] [<0012bf2f>] [<0012c197>] [<0010f5e7>] [<0010a5a5>]
Code: 89 08 53 9d 8b 5d fc 89 ec 5d c3 55 89 e5 53 8b 4d 08 31 c0
task not on run-queue

Using `/boot/System.map.2.0.27.s' to map addresses to symbols.

>>EIP: 1106c2 <add_timer+16/34>
Trace: 1102bb <schedule+21b/288>
Trace: 110028 <process_timeout>
Trace: 12bf2f <do_select+1e3/238>
Trace: 12c197 <sys_select+183/254>
Trace: 10f5e7 <old_select+3f/50>
Trace: 10a5a5 <system_call+55/80>

Code: 1106c2 <add_timer+16/34> cmpl %eax,0x8(%edx)
Code: 1106c5 <add_timer+19/34> jb fffffffe <_EIP+fffffffe>
Code: 1106c7 <add_timer+1b/34> movl %edx,(%ecx)
Code: 1106c9 <add_timer+1d/34> movl 0x4(%edx),%eax
Code: 1106cc <add_timer+20/34> movl %eax,0x4(%ecx)
Code: 1106cf <add_timer+23/34> movl %ecx,0x4(%edx)
Code: 1106d2 <add_timer+26/34> movl 0x4(%ecx),%eax
Code: 1106d5 <add_timer+29/34> movl %eax,(%eax)
Code: 1106d7 <add_timer+2b/34> nop
Code: 1106d8 <add_timer+2c/34> nop
Code: 1106d9 <add_timer+2d/34> nop
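The address-to-symbol step the post relies on (ksymoops reading `System.map` to print `<symbol+offset/length>`) is worth seeing in code, since a mismatched or stale map is the usual reason an oops decodes to nonsense. This is an added Python example, not ksymoops or anything from the post; the `System.map` excerpt is constructed, with symbol addresses back-derived from the post's own ksymoops lines and placeholder names for the neighbouring symbols.

```python
import bisect
import re

# Constructed System.map excerpt (not the poster's real /boot/System.map.2.0.27.s).
# Start addresses and lengths are back-derived from ksymoops lines in the post,
# e.g. "13559b <sys_recvfrom+12f/174>" gives sys_recvfrom = 0x13546c and a
# following symbol at 0x13546c + 0x174; the neighbour names are placeholders.
SYSTEM_MAP = """\
0010a550 T system_call
0010a5d0 T ret_from_sys_call
00118754 T do_wp_page
00118a20 T do_no_page
001232b0 T getblk
00123718 T brelse
0013465c T sock_write
00134710 T sock_read
0013546c T sys_recvfrom
001355e0 T sys_shutdown
00135a80 T sys_socketcall
00135d5c T sock_init
0014c53c T inet_recvmsg
0014c5c4 T inet_sendmsg
"""

def load_system_map(text):
    """Parse 'address type name' lines into sorted parallel address/name lists."""
    syms = sorted((int(p[0], 16), p[2]) for p in map(str.split, text.splitlines()) if len(p) == 3)
    return [a for a, _ in syms], [n for _, n in syms]

ADDRS, NAMES = load_system_map(SYSTEM_MAP)

def resolve(addr, addrs=ADDRS, names=NAMES):
    """Render addr the way ksymoops does: 'sym+off/len' in hex, a bare 'sym' at
    offset 0, or the raw hex when the address lies outside the map (stack garbage
    such as 05000000 in the post, or user-space addresses)."""
    i = bisect.bisect_right(addrs, addr) - 1
    if i < 0 or i + 1 >= len(addrs):   # before the first symbol or past the last one
        return f"{addr:x}"
    off, length = addr - addrs[i], addrs[i + 1] - addrs[i]
    return names[i] if off == 0 else f"{names[i]}+{off:x}/{length:x}"

def decode_trace(oops_line, addrs=ADDRS, names=NAMES):
    """Turn an oops 'Call Trace: [<addr>] ...' line into ksymoops 'Trace:' entries."""
    return [resolve(int(a, 16), addrs, names) for a in re.findall(r"\[<([0-9a-f]+)>\]", oops_line)]

# Call Trace line of the first oops in the post, quoted verbatim.
TRACE = "Call Trace: [<0013559b>] [<001232ea>] [<00118754>] [<001346fa>] [<00135cbb>] [<0010a5a5>]"

if __name__ == "__main__":
    print(">>EIP:", resolve(0x0014c5ac))
    for entry in decode_trace(TRACE):
        print("Trace:", entry)
```

Because the length is taken from the distance to the next symbol, a map from a different kernel build silently produces plausible-looking but wrong `sym+off/len` values; always confirm the map matches the running kernel before trusting a decode.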