Interrupt recursion smashes kernel memory
Simon 'corecode' Schubert
corecode at fs.ei.tum.de
Sun Jan 13 14:04:13 PST 2008
Matthew Dillon wrote:
> The kernel stack is rather small. I think it's only 8K or 12K. It is
> possible that the nvidia driver is exhausting it just with its normal
> operation.
The stack is full of interrupt frames, so I am sure that the interrupts
are being serviced before the old ones can iret:
:Checking the return addresses, most frames have return addresses of:
:
:0xc028fc90 <doreti+0>: pop %eax
:0xc028fc91 <doreti+1>: mov $0x0,%eax
:0xc028fc9d <doreti+13>: cli
:
:or
:
:0xc029774f <Xicu_slowintr11+143>: jmp 0xc028fc90 <doreti>
Here is the dump of the overwritten memory area:
(kgdb) x/128x entry->prev
0xd6e25dc0: 0xc029774f 0x00000008 0x00203286 0x00000000
0xd6e25dd0: 0x00000010 0x00000018 0x00000010 0x00000010
0xd6e25de0: 0x0000001c 0xd6814d00 0xd6e26244 0xd6e25e00
0xd6e25df0: 0xd6814d00 0xd6814d00 0x00000000 0x00000000
0xd6e25e00: 0x00000000 0x00000000 0x00000000 0xc028fc9d
0xd6e25e10: 0x00000008 0x00203286 0x00000010 0x00000018
0xd6e25e20: 0x00000010 0x00000010 0x0000001c 0xd6814d00
0xd6e25e30: 0xd6e26244 0xd6e25e48 0xd6814d00 0xd6814d00
0xd6e25e40: 0x00000000 0x00000000 0x00000000 0x00000000
0xd6e25e50: 0x00000000 0xc028fc90 0x00000008 0x00203296
0xd6e25e60: 0x00000000 0x00000010 0x00000018 0x00000010
0xd6e25e70: 0x00000010 0x0000001c 0xd6814d00 0xd6e26244
0xd6e25e80: 0xd6e25e94 0xd6814d00 0xd6814d00 0x00000000
0xd6e25e90: 0x00000000 0x00000000 0x00000000 0x00000000
0xd6e25ea0: 0xc029774f 0x00000008 0x00203286 0x00000000
0xd6e25eb0: 0x00000010 0x00000018 0x00000010 0x00000010
0xd6e25ec0: 0x0000001c 0xd6814d00 0xd6e26244 0xd6e25ee0
0xd6e25ed0: 0xd6814d00 0xd6814d00 0x00000000 0x00000000
0xd6e25ee0: 0x00000000 0x00000000 0x00000000 0xc028fc90
0xd6e25ef0: 0x00000008 0x00203282 0x00000000 0x00000010
0xd6e25f00: 0x00000018 0x00000010 0x00000010 0x0000001c
0xd6e25f10: 0xd6814d00 0xd6e26244 0xd6e25f2c 0xd6814d00
0xd6e25f20: 0xd6814d00 0x00000000 0x00000000 0x00000000
0xd6e25f30: 0x00000000 0x00000000 0xc028fc90 0x00000008
0xd6e25f40: 0x00203286 0x00000000 0x00000010 0x00000018
0xd6e25f50: 0x00000010 0x00000010 0x0000001c 0xd6814d00
0xd6e25f60: 0xd6e26244 0xd6e25f78 0xd6814d00 0xd6814d00
0xd6e25f70: 0x00000000 0x00000000 0x00000000 0x00000000
0xd6e25f80: 0x00000000 0xc028fc9d 0x00000008 0x00203282
0xd6e25f90: 0x00000010 0x00000018 0x00000010 0x00000010
0xd6e25fa0: 0x0000001c 0xd6814d00 0xd6e26244 0xd6e25fc0
0xd6e25fb0: 0xd6814d00 0xd6814d00 0x00000000 0x00000000
(kgdb)
0xd6e25fc0: 0x00000000 0x00000000 0x00000000 0xc029774f
0xd6e25fd0: 0x00000008 0x00203286 0x00000000 0x00000010
0xd6e25fe0: 0x00000018 0x00000010 0x00000010 0x0000001c
0xd6e25ff0: 0xd6814d00 0xd6e26244 0xd6e2600c 0xd6814d00
0xd6e26000: 0xd6814d00 0x00000000 0x00000000 0x00000000
0xd6e26010: 0x00000000 0x00000000 0xc028fc90 0x00000008
0xd6e26020: 0x00203286 0x00000000 0x00000010 0x00000018
0xd6e26030: 0x00000010 0x00000010 0x0000001c 0xd6814d00
0xd6e26040: 0xd6e26244 0xd6e26058 0xd6814d00 0xd6814d00
0xd6e26050: 0x00000000 0x00000000 0x00000000 0x00000000
0xd6e26060: 0x00000000 0xc028fc9d 0x00000008 0x00203286
0xd6e26070: 0x00000010 0x00000018 0x00000010 0x00000010
0xd6e26080: 0x0000001c 0xd6814d00 0xd6e26244 0xd6e260a0
0xd6e26090: 0xd6814d00 0xd6814d00 0x00000000 0x00000000
0xd6e260a0: 0x00000000 0x00000000 0x00000000 0xc028fc90
0xd6e260b0: 0x00000008 0x00203286 0x00000000 0x00000010
0xd6e260c0: 0x00000018 0x00000010 0x00000010 0x0000001c
0xd6e260d0: 0xd6814d00 0xd6e26244 0xd6e260ec 0xd6814d00
0xd6e260e0: 0xd6814d00 0x00000000 0x00000000 0x00000000
0xd6e260f0: 0x00000000 0x00000000 0xc028fc90 0x00000008
0xd6e26100: 0x00203282 0x00000000 0x00000010 0x00000018
0xd6e26110: 0x00000010 0x00000010 0x0000001c 0xd6814d00
0xd6e26120: 0xd6e26244 0xd6e26138 0xd6814d00 0xd6814d00
0xd6e26130: 0x00000000 0x00000000 0x00000000 0x00000000
0xd6e26140: 0x00000000 0xc029774f 0x00000008 0x00203296
0xd6e26150: 0x00000000 0x00000010 0x00000018 0x00000010
0xd6e26160: 0x00000010 0x0000001c 0xd6814d00 0xd6e26244
0xd6e26170: 0xd6e26184 0xd6814d00 0xd6814d00 0x00000000
0xd6e26180: 0x00000000 0x00000000 0x00000000 0x00000000
0xd6e26190: 0xc028fc90 0x00000008 0x00203286 0x00000000
0xd6e261a0: 0x00000010 0x00000018 0x00000010 0x00000010
0xd6e261b0: 0x0000001c 0xd6814d00 0xd6e26244 0xd6e261d0
I'll work from the upper addresses downwards:
frame (eflags) eip function
0xd6e26198 0xc028fc90 <doreti>: pop %eax
0xd6e2614c 0xc029774f <Xicu_slowintr11+143>: jmp 0xc028fc90 <doreti>
0xd6e26100 0xc028fc90 <doreti>: pop %eax
0xd6e260b4 0xc028fc90 <doreti>: pop %eax
0xd6e2606c 0xc028fc9d <doreti+13>: cli
0xd6e26020 0xc028fc90 <doreti>: pop %eax
0xd6e25fd4 0xc029774f <Xicu_slowintr11+143>: jmp 0xc028fc90 <doreti>
0xd6e25f8c 0xc028fc9d <doreti+13>: cli
0xd6e25f40 0xc028fc90 <doreti>: pop %eax
0xd6e25ef4 0xc028fc90 <doreti>: pop %eax
0xd6e25ea8 0xc029774f <Xicu_slowintr11+143>: jmp 0xc028fc90 <doreti>
0xd6e25e5c 0xc028fc90 <doreti>: pop %eax
0xd6e25e14 0xc028fc9d <doreti+13>: cli
0xd6e25dc8 0xc029774f <Xicu_slowintr11+143>: jmp 0xc028fc90 <doreti>
I've also found stacks going up to
0xc028fe40 <splz>: pushf
via
0xc018b7cf <lwkt_yield_quick+42>: cmpl $0x0,0xc031eac8
0xc018bc5a <lwkt_schedule+315>: add $0xc,%esp
All these locations are within the ISR. There *is* interrupt recursion
going on.
> Reentrancy is protected. The interrupt is masked when taken and only
> unmasked after the interrupt procedure has completed operation. In
> the case of scheduled interrupts the interrupt is masked when the
> interrupt is taken and unmasked by the interrupt thread after it
> finishes processing it.
I see. Still, something is wrong. Maybe my ICU is broken and sometimes
passes interrupts despite them being disabled?
> Is IRQ11 the video interrupt during your tests? It kinda sounds like
> normal calls to the nvidia driver are causing the problem.
Yes, intr 11 is used by the video card. I really can't see how this could
be normal calls, because after all, all of these stack frames are in the
interrupt path.
cheers
simon
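The frame walk tabulated in the message above (an eip slot holding one of the three return addresses, cs = 0x8 right after it, eflags after that, repeating every 0x4c bytes) can be done mechanically. The script below is an added example, not code from the thread or from DragonFly; it assumes only the layout visible in the dump and embeds a few of its rows, plus a kgdb paging prompt, as its input.

```python
import re
SYMBOLS = {  # eip -> symbol; the return addresses named in the thread
    0xc028fc90: "<doreti>: pop %eax",
    0xc028fc9d: "<doreti+13>: cli",
    0xc029774f: "<Xicu_slowintr11+143>: jmp 0xc028fc90 <doreti>",
}
KERNEL_CS = 0x8    # value in the cs slot right after every eip in the dump
EFLAGS_IF = 0x200  # x86 IF bit: set => interrupts were enabled when the trap hit

# Rows of the post's "x/128x entry->prev" output holding the eip/cs/eflags words
# of three frames, with a kgdb paging prompt left in so the parser has to skip it.
DUMP = """\
0xd6e260f0: 0x00000000 0x00000000 0xc028fc90 0x00000008
0xd6e26100: 0x00203282 0x00000000 0x00000010 0x00000018
0xd6e26140: 0x00000000 0xc029774f 0x00000008 0x00203296
(kgdb)
0xd6e26190: 0xc028fc90 0x00000008 0x00203286 0x00000000
"""

def parse_xdump(text):
    """Map each 32-bit word's address to its value; non-row lines are skipped."""
    words = {}
    for line in text.splitlines():
        m = re.match(r"\s*0x([0-9a-f]+):((?:\s+0x[0-9a-f]{8})+)\s*$", line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, w in enumerate(m.group(2).split()):
            words[base + 4 * i] = int(w, 16)
    return words

def find_trap_frames(words):
    """(eflags_addr, eip, eflags, symbol) per known eip followed by the kernel cs,
    highest address first, the order in which the post tabulates the frames."""
    frames = []
    for addr in sorted(words, reverse=True):
        eip = words[addr]
        if eip in SYMBOLS and words.get(addr + 4) == KERNEL_CS:
            frames.append((addr + 8, eip, words.get(addr + 8, 0), SYMBOLS[eip]))
    return frames

def frame_strides(frames):
    """Byte gap between successive frames; a constant gap means each trap frame
    was pushed straight on top of the previous one, i.e. the handler re-entered."""
    return [a[0] - b[0] for a, b in zip(frames, frames[1:])]

def interrupts_enabled(eflags):
    """True if the interrupted context had IF set, so it could be interrupted again."""
    return bool(eflags & EFLAGS_IF)
```

Run against the full dump it reproduces all fourteen rows of the table above; every recovered eflags word has IF set, which is what a frame that was itself interrupted would look like.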