[tip] NULL pointer dereference in free_irte()
From: Mike Galbraith
Date: Mon Oct 18 2010 - 23:25:46 EST
v2.6.36-rc8-1869-g13b4713 went boom.
(gdb) list *free_irte+0x43
0xffffffff81170c36 is in free_irte (drivers/pci/intr_remapping.c:254).
249 return 0;
250
251 iommu = irq_iommu->iommu;
252 index = irq_iommu->irte_index + irq_iommu->sub_handle;
253
254 start = iommu->ir_table->base + index;
255 end = start + (1 << irq_iommu->irte_mask);
256
257 for (entry = start; entry < end; entry++) {
258 set_64bit(&entry->low, 0);
(gdb)
[ 24.508170] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
[ 24.512012] IP: [<ffffffff81170c36>] free_irte+0x43/0xc0
[ 24.512012] PGD 2233e1067 PUD 226269067 PMD 0
[ 24.512012] Oops: 0000 [#1] SMP
[ 24.512012] last sysfs file: /sys/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/block/sda/size
[ 24.512012] CPU 3
[ 24.512012] Modules linked in: cpufreq_conservative cpufreq_ondemand cpufreq_userspace cpufreq_powersave acpi_cpufreq mperf snd_pcm_oss microcode snd_mixer_oss snd_seq snd_seq_device fuse loop dm_mod snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_timer ohci1394 snd ieee1394 usb_storage e1000e processor soundcore firewire_ohci sr_mod usb_libusual rtc_cmos snd_page_alloc thermal rtc_core cdrom firewire_core crc_itu_t i2c_i801 rtc_lib button sg usbhid hid uhci_hcd ehci_hcd sd_mod usbcore edd fan ext3 ext2 mbcache jbd ahci libahci libata scsi_mod
[ 24.512012]
[ 24.512012] Pid: 4301, comm: ip Not tainted 2.6.36-tip-smpx #1782 MS-7502/MS-7502
[ 24.512012] RIP: 0010:[<ffffffff81170c36>] [<ffffffff81170c36>] free_irte+0x43/0xc0
[ 24.512012] RSP: 0018:ffff880223761618 EFLAGS: 00010046
[ 24.512012] RAX: 0000000000000000 RBX: ffffffff815695b0 RCX: 0000000000000000
[ 24.512012] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 24.512012] RBP: ffff880223761638 R08: 0000000000000002 R09: 0000000000000029
[ 24.512012] R10: 0080ffff8146e0c0 R11: 0000000000000000 R12: 0000000000000282
[ 24.512012] R13: ffff880227f645f8 R14: 0000000000000001 R15: 0000000000000001
[ 24.512012] FS: 00007f5d886eb700(0000) GS:ffff8800cfd80000(0000) knlGS:0000000000000000
[ 24.512012] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 24.512012] CR2: 0000000000000080 CR3: 0000000222d70000 CR4: 00000000000006e0
[ 24.512012] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 24.512012] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 24.512012] Process ip (pid: 4301, threadinfo ffff880223760000, task ffff880222c92cc0)
[ 24.512012] Stack:
[ 24.512012] 0000000000000029 ffffffff81569590 0000000000000029 ffffffff81569590
[ 24.512012] <0> ffff880223761668 ffffffff8101c1c2 ffff8802237616e6 ffff88022fd32980
[ 24.512012] <0> 0000000000000001 ffff880227f645f8 ffff880223761678 ffffffff8101c436
[ 24.512012] Call Trace:
[ 24.512012] [<ffffffff8101c1c2>] destroy_irq+0x3a/0x77
[ 24.512012] [<ffffffff8101c436>] arch_teardown_msi_irq+0xe/0x10
[ 24.512012] [<ffffffff8116a6eb>] arch_teardown_msi_irqs+0x56/0x7f
[ 24.512012] [<ffffffff8116a79e>] free_msi_irqs+0x8a/0x10b
[ 24.512012] [<ffffffff8116afcc>] pci_disable_msi+0x35/0x3a
[ 24.512012] [<ffffffffa01d677a>] e1000e_reset_interrupt_capability+0x55/0x63 [e1000e]
[ 24.512012] [<ffffffffa01d71e6>] e1000_open+0x158/0x374 [e1000e]
[ 24.512012] [<ffffffff812242b6>] __dev_open+0x9c/0xcf
[ 24.512012] [<ffffffff812244f6>] __dev_change_flags+0xad/0x131
[ 25.008056] [<ffffffff812245fb>] dev_change_flags+0x21/0x57
[ 25.008056] [<ffffffff8122db03>] do_setlink+0x29e/0x618
[ 25.008056] [<ffffffff8115da5e>] ? __nla_put+0x12/0x26
[ 25.008056] [<ffffffff8122eb67>] rtnl_newlink+0x25e/0x3eb
[ 25.008056] [<ffffffff8122e9d7>] ? rtnl_newlink+0xce/0x3eb
[ 25.008056] [<ffffffff8122e71a>] rtnetlink_rcv_msg+0x1e1/0x1f5
[ 25.008056] [<ffffffff8122e539>] ? rtnetlink_rcv_msg+0x0/0x1f5
[ 25.008056] [<ffffffff81243527>] netlink_rcv_skb+0x45/0x91
[ 25.008056] [<ffffffff8122e49b>] rtnetlink_rcv+0x26/0x2d
[ 25.008056] [<ffffffff81242f74>] netlink_unicast+0x213/0x28a
[ 25.008056] [<ffffffff81243246>] netlink_sendmsg+0x25b/0x2c3
[ 25.008056] [<ffffffff81211bad>] sock_sendmsg+0xe0/0xff
[ 25.008056] [<ffffffff810997b8>] ? find_get_page+0x28/0x85
[ 25.008056] [<ffffffff81099fee>] ? filemap_fault+0xca/0x32a
[ 25.008056] [<ffffffff810999ff>] ? unlock_page+0x2a/0x2f
[ 25.008056] [<ffffffff812133c0>] ? move_addr_to_kernel+0x41/0x54
[ 25.008056] [<ffffffff8121c083>] ? verify_iovec+0x5e/0xa3
[ 25.008056] [<ffffffff812142b9>] sys_sendmsg+0x226/0x28a
[ 25.008056] [<ffffffff81242281>] ? netlink_insert+0x106/0x12b
[ 25.008056] [<ffffffff8101fef9>] ? do_page_fault+0x2f6/0x331
[ 25.008056] [<ffffffff810b648f>] ? do_brk+0x28a/0x2de
[ 25.008056] [<ffffffff81213c2a>] ? sys_getsockname+0x6b/0x91
[ 25.008056] [<ffffffff8121435f>] ? sys_recvmsg+0x42/0x63
[ 25.008056] [<ffffffff8100211b>] system_call_fastpath+0x16/0x1b
[ 25.008056] Code: 83 c8 ff 48 85 db 0f 84 95 00 00 00 48 c7 c7 40 fe 60 81 e8 17 0a 18 00 49 89 c4 31 c0 66 83 7b 0a 00 75 51 48 8b 3b 0f b7 73 08 <48> 8b 97 80 00 00 00 48 63 c6 0f b6 4b 0c 48 c1 e0 04 48 03 02
[ 25.008056] RIP [<ffffffff81170c36>] free_irte+0x43/0xc0
[ 25.008056] RSP <ffff880223761618>
[ 25.008056] CR2: 0000000000000080
[ 25.008056] ---[ end trace f270ceb2a0ecbb96 ]---
Attachment:
config.gz
Description: GNU Zip compressed data
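The oops above can be cross-checked mechanically: the `<48>` marker in the `Code:` line is the byte at the faulting RIP, `48 8b 97 80 00 00 00` decodes to `mov 0x80(%rdi),%rdx`, and the register dump shows RDI = 0 with CR2 = 0x80, which is consistent with the `iommu` pointer loaded at line 251 being NULL when line 254 dereferences it. The Python script below is an added triage example, not part of this report or of the kernel tree; its input is an excerpt copied from the oops above, and its decoder handles only the one addressing form that occurs here (REX.W `8B /r` with a 32-bit displacement and no SIB byte), returning None for anything else.

```python
import re

# Constructed excerpt: a subset of the oops lines from the report above,
# copied so the script runs offline without the full dmesg.
OOPS = """\
[ 24.508170] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
[ 24.512012] IP: [<ffffffff81170c36>] free_irte+0x43/0xc0
[ 24.512012] RAX: 0000000000000000 RBX: ffffffff815695b0 RCX: 0000000000000000
[ 24.512012] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 24.512012] CR2: 0000000000000080 CR3: 0000000222d70000 CR4: 00000000000006e0
[ 24.512012] Call Trace:
[ 24.512012] [<ffffffff8101c1c2>] destroy_irq+0x3a/0x77
[ 24.512012] [<ffffffff8101c436>] arch_teardown_msi_irq+0xe/0x10
[ 25.008056] [<ffffffff8115da5e>] ? __nla_put+0x12/0x26
[ 25.008056] Code: 83 c8 ff 48 85 db 0f 84 95 00 00 00 48 c7 c7 40 fe 60 81 e8 17 0a 18 00 49 89 c4 31 c0 66 83 7b 0a 00 75 51 48 8b 3b 0f b7 73 08 <48> 8b 97 80 00 00 00 48 63 c6 0f b6 4b 0c 48 c1 e0 04 48 03 02
"""

# 64-bit register names in ModRM field order (REX.R/REX.B extensions not handled).
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def parse_registers(text):
    """Collect 'NAME: <16 hex digits>' pairs (RAX..R15, CR2, ...) into a dict."""
    regs = {}
    for name, val in re.findall(r"\b([A-Z][A-Z0-9]{1,2}):\s*([0-9a-f]{16})\b", text):
        regs[name.lower()] = int(val, 16)
    return regs


def call_trace(text):
    """Return the frames between 'Call Trace:' and 'Code:' that the unwinder
    marked reliable (frames prefixed with '?' are dropped)."""
    frames = []
    in_trace = False
    for line in text.splitlines():
        if "Call Trace:" in line:
            in_trace = True
            continue
        if line.split("] ", 1)[-1].startswith("Code:"):
            break
        m = re.search(r"\[<[0-9a-f]+>\]\s+(\?\s+)?(\S+)", line)
        if in_trace and m and m.group(1) is None:
            frames.append(m.group(2))
    return frames


def faulting_bytes(text):
    """Bytes of the 'Code:' line from the <xx> marker onward; the marked byte is RIP."""
    toks = re.search(r"Code: (.*)", text).group(1).split()
    start = next(i for i, t in enumerate(toks) if t.startswith("<"))
    return bytes(int(t.strip("<>"), 16) for t in toks[start:])


def decode_mov_load(code):
    """Decode only 'REX.W 8B /r' with mod=10 and no SIB: mov disp32(%base),%dest.
    Returns (dest, base, disp), or None when the bytes are any other form."""
    if len(code) < 7 or code[0] != 0x48 or code[1] != 0x8B:
        return None
    modrm = code[2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0b10 or rm == 0b100:
        return None
    disp = int.from_bytes(code[3:7], "little", signed=True)
    return REGS64[reg], REGS64[rm], disp


def explain_null_deref(text):
    """Tie the faulting load to the register dump: which base pointer was NULL
    and which field offset (the CR2 value) was being read through it."""
    regs = parse_registers(text)
    decoded = decode_mov_load(faulting_bytes(text))
    if decoded is None:
        return None
    dest, base, disp = decoded
    return {
        "insn": f"mov {disp:#x}(%{base}),%{dest}",
        "base": base,
        "base_value": regs[base],
        "disp": disp,
        # The decode is only trustworthy if base + displacement equals the fault address.
        "consistent": regs[base] + disp == regs["cr2"],
        "null_base": regs[base] == 0,
    }


if __name__ == "__main__":
    r = explain_null_deref(OOPS)
    print(r["insn"], "| base is NULL:", r["null_base"], "| offset:", hex(r["disp"]))
    print("reliable frames:", call_trace(OOPS))
```

The kernel's own scripts/decodecode disassembles the whole `Code:` line; this script instead checks the one piece of arithmetic that matters for a NULL-dereference report, that the base register plus the displacement equals CR2, so a mismatch would flag a mis-read marker or a corrupted dump rather than a NULL pointer.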