Interrupt recursion smashes kernel memory

Matthew Dillon dillon at
Sun Jan 13 15:10:06 PST 2008

:The stack is full of interrupt frames, so I am sure that the interrupts
:are being serviced before the old ones can iret:

    Hmm.  Your backtraces definitely show an interrupt recursion, and
    I think the only way to get into the Xicu_slow*() function is via
    a real interrupt.

    They seem to indicate an interrupt recursion occurring near the
    beginning of doreti.  It looks like the actual doreti code
    is being interrupted rather than manually calling the delayed
    interrupt procedure.

    Give me an hour or two, I'll try to rework the code using
    PCPU(intr_nesting_level) to interlock the STI instructions and
    prevent the Xicu_slow*() interrupt from rescheduling the
    interrupt thread.

					Matthew Dillon 
					<dillon at>

:I'll work from the upper addresses downwards:
:frame (eflags)	eip		function
:0xd6e26198	0xc028fc90 <doreti>:    pop    %eax
:0xd6e2614c	0xc029774f <Xicu_slowintr11+143>: jmp 0xc028fc90 <doreti>
:0xd6e26100	0xc028fc90 <doreti>:    pop    %eax
:0xd6e260b4	0xc028fc90 <doreti>:    pop    %eax
:0xd6e2606c	0xc028fc9d <doreti+13>: cli
:0xd6e26020	0xc028fc90 <doreti>:    pop    %eax
:0xd6e25fd4	0xc029774f <Xicu_slowintr11+143>: jmp 0xc028fc90 <doreti>
:0xd6e25f8c	0xc028fc9d <doreti+13>: cli
:0xd6e25f40	0xc028fc90 <doreti>:    pop    %eax
:0xd6e25ef4	0xc028fc90 <doreti>:    pop    %eax
:0xd6e25ea8	0xc029774f <Xicu_slowintr11+143>: jmp 0xc028fc90 <doreti>
:0xd6e25e5c	0xc028fc90 <doreti>:    pop    %eax
:0xd6e25e14	0xc028fc9d <doreti+13>: cli
:0xd6e25dc8	0xc029774f <Xicu_slowintr11+143>: jmp 0xc028fc90 <doreti>
:I've also found stacks going up to
:0xc028fe40 <splz>:      pushf
:0xc018b7cf <lwkt_yield_quick+42>:       cmpl   $0x0,0xc031eac8
:0xc018bc5a <lwkt_schedule+315>: add    $0xc,%esp
:All these locations are within the ISR.  There *is* interrupt recursion
:going on.
:   simon
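
The exit-path recursion visible in Simon's backtrace, and the nesting-level interlock on the STI that Dillon says he will try, modelled below as an added example in user-space C. This is not DragonFly's code and uses none of its symbols: take_interrupt, doreti, hw_check, the intr_nesting_level field, STACK_LIMIT and the 100-event burst are this example's own assumptions. The model is that a device keeps its line asserted for a burst of events, the CPU clears IF and pushes a frame on entry, and whenever IF is set while the line is still asserted the CPU vectors immediately on top of whatever frame is current.

```c
/* Added example, not DragonFly code: model of interrupt-exit recursion
 * and of a nesting-level interlock on the sti in the exit path. */
#include <stdbool.h>
#include <stdio.h>

#define STACK_LIMIT 16        /* constructed: simulated stack holds 16 frames */

enum policy {
    NAIVE_STI,                /* doreti re-enables interrupts on every frame */
    NESTING_INTERLOCK         /* only the outermost frame re-enables them    */
};

struct cpu {
    bool        IF;                 /* simulated EFLAGS.IF                    */
    int         intr_nesting_level; /* stand-in for a per-CPU nesting counter */
    int         pending;            /* events the device still has asserted   */
    int         depth;              /* frames on the simulated stack          */
    int         max_depth;          /* deepest point reached                  */
    bool        stack_overflow;     /* depth would exceed STACK_LIMIT         */
    enum policy policy;
};

struct result { int max_depth; bool overflow; int serviced; };

static void take_interrupt(struct cpu *c);

/* Hardware model: with IF set and the line asserted, vector at once. */
static void hw_check(struct cpu *c)
{
    while (c->IF && c->pending > 0 && !c->stack_overflow)
        take_interrupt(c);
}

/* The ISR proper: acknowledges one event. */
static void isr(struct cpu *c)
{
    if (c->pending > 0)
        c->pending--;
}

/* Exit path. The frame is still on the stack while this runs. */
static void doreti(struct cpu *c)
{
    switch (c->policy) {
    case NAIVE_STI:
        /* sti while this frame is live: a still-asserted line nests a new
         * frame on top of this one, which runs the same code and nests
         * again. Depth grows with the interrupt rate, not the workload. */
        c->IF = true;
        hw_check(c);
        break;
    case NESTING_INTERLOCK:
        /* Interlock the sti on the nesting level: a nested frame returns
         * with IF clear and lets iret restore the outer frame's flags, so
         * at most one frame ever sits on top of the outermost one. */
        if (c->intr_nesting_level == 1) {
            c->IF = true;
            hw_check(c);
        }
        break;
    }
}

static void take_interrupt(struct cpu *c)
{
    if (c->depth + 1 > STACK_LIMIT) {
        /* A real kernel would now be pushing frames past the end of its
         * stack: the "smashes kernel memory" of the subject line. */
        c->stack_overflow = true;
        return;
    }
    bool saved_IF = c->IF;        /* pushed in the trap frame */
    c->IF = false;                /* CPU clears IF on entry */
    c->depth++;
    if (c->depth > c->max_depth)
        c->max_depth = c->depth;
    c->intr_nesting_level++;

    isr(c);
    doreti(c);

    c->intr_nesting_level--;
    c->depth--;
    c->IF = saved_IF;             /* iret restores the saved flags */
}

/* Deliver `burst` events to an idle CPU running the given exit policy. */
static struct result run(enum policy p, int burst)
{
    struct cpu c = { .IF = true, .pending = burst, .policy = p };
    hw_check(&c);                 /* base context, interrupts enabled */
    struct result r = { c.max_depth, c.stack_overflow, burst - c.pending };
    return r;
}

int main(void)
{
    const char *names[] = { "naive sti", "nesting interlock" };
    for (int p = NAIVE_STI; p <= NESTING_INTERLOCK; p++) {
        struct result r = run((enum policy)p, 100);
        printf("%-18s max depth %2d  overflow %-3s  serviced %d/100\n",
               names[p], r.max_depth, r.overflow ? "yes" : "no", r.serviced);
    }
    return 0;
}
```

With the naive policy the stack depth equals the number of events the device manages to assert during the exit window, so a fast enough interrupt source walks off the end of the stack; with the interlock the outermost frame absorbs the whole burst at a depth of two.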
