Interrupt recursion smashes kernel memory
Matthew Dillon
dillon at apollo.backplane.com
Sun Jan 13 15:10:06 PST 2008
:The stack is full of interrupt frames, so I am sure that the interrupts
:are being serviced before the old ones can iret:
Hmm. Your backtraces definitely show an interrupt recursion, and
I think the only way to get into the Xicu_slow*() function is via
a real interrupt.
They seem to indicate an interrupt recursion occurring near the
beginning of doreti. It looks like the actual doreti code
is being interrupted rather than manually calling the delayed
interrupt procedure.
Give me an hour or two; I'll try to rework the code using
PCPU(intr_nesting_level) to interlock the STI instructions and
prevent the Xicu_slow*() interrupt from rescheduling the
interrupt thread.
-Matt
Matthew Dillon
<dillon at backplane.com>
:I'll work from the upper addresses downwards:
:
:frame (eflags) eip function
:0xd6e26198 0xc028fc90 <doreti>: pop %eax
:0xd6e2614c 0xc029774f <Xicu_slowintr11+143>: jmp 0xc028fc90 <doreti>
:0xd6e26100 0xc028fc90 <doreti>: pop %eax
:0xd6e260b4 0xc028fc90 <doreti>: pop %eax
:0xd6e2606c 0xc028fc9d <doreti+13>: cli
:0xd6e26020 0xc028fc90 <doreti>: pop %eax
:0xd6e25fd4 0xc029774f <Xicu_slowintr11+143>: jmp 0xc028fc90 <doreti>
:0xd6e25f8c 0xc028fc9d <doreti+13>: cli
:0xd6e25f40 0xc028fc90 <doreti>: pop %eax
:0xd6e25ef4 0xc028fc90 <doreti>: pop %eax
:0xd6e25ea8 0xc029774f <Xicu_slowintr11+143>: jmp 0xc028fc90 <doreti>
:0xd6e25e5c 0xc028fc90 <doreti>: pop %eax
:0xd6e25e14 0xc028fc9d <doreti+13>: cli
:0xd6e25dc8 0xc029774f <Xicu_slowintr11+143>: jmp 0xc028fc90 <doreti>
:
:I've also found stacks going up to
:
:0xc028fe40 <splz>: pushf
:via
:0xc018b7cf <lwkt_yield_quick+42>: cmpl $0x0,0xc031eac8
:0xc018bc5a <lwkt_schedule+315>: add $0xc,%esp
:
:All these locations are within the ISR. There *is* interrupt recursion
:going on.
:
:cheers
: simon
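As an added illustration, not code from this thread or from the DragonFly kernel, here is a small C model of the interlock Matt proposes above: a per-CPU nesting counter that the interrupt exit path (`doreti`) holds while it drains delayed interrupts, so that an `Xicu_slow*()`-style entry arriving during the STI window only marks its IRQ pending and returns instead of re-entering the exit path. The `struct pcpu` fields, the function names, the "hardware" delivery hook and the IRQ sequence are all constructed for the example; the real code paths are assembly and differ in detail.

```c
#include <stdio.h>

/* Constructed per-CPU state for the simulation (not DragonFly's real PCPU). */
struct pcpu {
    int      intr_nesting_level;  /* depth of doreti entries on this CPU */
    unsigned ipending;            /* bitmask of delayed IRQs awaiting service */
    int      thread_schedules;    /* how often the interrupt thread was scheduled */
    int      max_depth;           /* deepest nesting observed: what must stay bounded */
};

/* Hypothetical interrupt source: IRQs that fire, one per STI window,
 * while the exit path runs with interrupts open. */
struct irq_source { const int *irqs; int n; int next; };

static void intr_entry(struct pcpu *pc, struct irq_source *hw, int irq, int interlock);

/* Model of doreti: drain ipending, scheduling the interrupt thread for each IRQ.
 * The "sti" point is where a nested interrupt can arrive. */
static void doreti(struct pcpu *pc, struct irq_source *hw, int interlock)
{
    pc->intr_nesting_level++;
    if (pc->intr_nesting_level > pc->max_depth)
        pc->max_depth = pc->intr_nesting_level;

    while (pc->ipending) {
        int irq = 0;
        while (!(pc->ipending & (1u << irq)))   /* lowest pending IRQ */
            irq++;
        pc->ipending &= ~(1u << irq);
        pc->thread_schedules++;                 /* delayed interrupt procedure */

        /* STI window: the next IRQ in the constructed sequence fires here. */
        if (hw->next < hw->n)
            intr_entry(pc, hw, hw->irqs[hw->next++], interlock);
    }
    pc->intr_nesting_level--;
}

/* Model of Xicu_slow*(): mark the IRQ pending, then either return (the
 * interlocked case: an outer doreti is already draining) or jump to doreti. */
static void intr_entry(struct pcpu *pc, struct irq_source *hw, int irq, int interlock)
{
    pc->ipending |= 1u << irq;
    if (interlock && pc->intr_nesting_level > 0)
        return;                                 /* just "iret" back into doreti */
    doreti(pc, hw, interlock);
}

/* Run one burst: a first IRQ followed by n more arriving during STI windows.
 * Returns the deepest nesting reached; *out receives the full state. */
static int simulate(int interlock, const int *irqs, int n, struct pcpu *out)
{
    struct pcpu pc = {0, 0, 0, 0};
    struct irq_source hw = {irqs, n, 0};
    intr_entry(&pc, &hw, 11, interlock);
    if (out)
        *out = pc;
    return pc.max_depth;
}

int main(void)
{
    static const int burst[] = {11, 11, 11, 11, 11};   /* constructed: same IRQ, back to back */
    struct pcpu a, b;
    simulate(0, burst, 5, &a);
    simulate(1, burst, 5, &b);
    printf("no interlock: depth %d, %d schedules\n", a.max_depth, a.thread_schedules);
    printf("interlocked : depth %d, %d schedules\n", b.max_depth, b.thread_schedules);
    return 0;
}
```

Without the interlock every arrival during the STI window re-enters `doreti`, so the stack depth grows with the interrupt rate, which is the pattern in the backtrace above; with it the nesting stays at one and the pending bits are still all serviced, only from the outermost exit path.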