On 06/19/2018 02:25 AM, Andrew Morton wrote:
>
> (switched to email. Please respond via emailed reply-to-all, not via the
> bugzilla web interface).
>
> Could the KASAN people please help interpret this one?
>
> [  274.337561] RAX: 1ffff1000d80fd40 RBX: 0000041600000406 RCX: ffffffff8324e1de
> [  274.339796] RDX: 00000082c000007e RSI: ffffffff814d6dd8 RDI: 00000416000003f6
> [  274.342043] RBP: dffffc0000000000 R08: 1ffffffff08cf184 R09: fffffbfff08cf184
> [  274.344269] R10: 0000000000000001 R11: fffffbfff08cf184 R12: ffff88006c07ea00
> [  274.346529] R13: 00000416000003ee R14: ffffed000d80fd41 R15: ffffc90000712000

All code
========
   0:	76 e8                	jbe    0xffffffffffffffea
   2:	78 3f                	js     0x43
   4:	e5 ff                	in     $0xff,%eax
   6:	4c 89 e0             	mov    %r12,%rax
   9:	48 c1 e8 03          	shr    $0x3,%rax
   d:	80 3c 28 00          	cmpb   $0x0,(%rax,%rbp,1)
  11:	0f 85 c7 02 00 00    	jne    0x2de
  17:	4c 8d 6b e8          	lea    -0x18(%rbx),%r13
  1b:	4d 8b 3c 24          	mov    (%r12),%r15
  1f:	49 8d 7d 08          	lea    0x8(%r13),%rdi
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
  2a:*	80 3c 2a 00          	cmpb   $0x0,(%rdx,%rbp,1)		<-- trapping instruction
  2e:	0f 85 a0 02 00 00    	jne    0x2d4
  34:	4c 3b 7b f0          	cmp    -0x10(%rbx),%r15
  38:	72 9d                	jb     0xffffffffffffffd7
  3a:	e8 3f 3f e5 ff       	callq  0xffffffffffe53f7e
  3f:	41                   	rex.B

cmpb $0x0,(%rdx,%rbp,1) is the shadow check for the -0x10(%rbx) address (this
address is also in %rdi). So this is an attempt to dereference the address
0x00000416000003f6.

%rbx seems to contain the 'parent' pointer; -0x10(%rbx) is tmp_va->va_end:

	tmp_va = rb_entry(parent, struct vmap_area, rb_node);
	if (va->va_start < tmp_va->va_end)
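The shadow arithmetic used in the analysis above, redone by hand from the register dump so the trapping instruction can be tied back to the pointer being dereferenced. This is an added example, not code from the mail or from the kernel tree. The register values are copied from the oops; KASAN_SHADOW_OFFSET is the value sitting in %rbp; the struct layout is an assumption that only has to agree with the -0x18 and +0x8 displacements visible in the disassembly.

```c
/*
 * Added example, not part of the original mail or of the kernel sources.
 * Redoes the KASAN shadow arithmetic from the register dump above so that
 * "cmpb $0x0,(%rdx,%rbp,1)" can be mapped back to &tmp_va->va_end.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL  /* the value in %rbp */

/* Register values copied from the dump in the mail. */
#define REG_RAX 0x1ffff1000d80fd40ULL
#define REG_RBX 0x0000041600000406ULL
#define REG_RDX 0x00000082c000007eULL
#define REG_RDI 0x00000416000003f6ULL
#define REG_RBP 0xdffffc0000000000ULL
#define REG_R12 0xffff88006c07ea00ULL
#define REG_R13 0x00000416000003eeULL
#define REG_R14 0xffffed000d80fd41ULL

/* Address -> shadow byte. The compiler instruments every access as
 * "shr $0x3,%reg; cmpb $0x0,(%reg,%rbp,1)", i.e. exactly this formula. */
static uint64_t kasan_mem_to_shadow(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Shadow byte -> first byte of the 8-byte granule it describes
 * (the low three address bits are lost in the shift). */
static uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
	return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* Effective address of the memory operand of the trapping instruction. */
static uint64_t trapping_shadow_addr(void)
{
	return REG_RDX + REG_RBP;
}

/* x86-64, 48-bit virtual addresses: bits 63..47 must all be equal,
 * otherwise the access raises #GP instead of #PF. */
static int x86_canonical48(uint64_t addr)
{
	uint64_t top = addr >> 47;
	return top == 0 || top == 0x1ffff;
}

/* Assumed prefix of struct vmap_area. Only the field order matters here and
 * it is chosen to match "lea -0x18(%rbx),%r13" and "lea 0x8(%r13),%rdi". */
struct vmap_area_prefix {
	uint64_t va_start;      /* 0x00 */
	uint64_t va_end;        /* 0x08 */
	uint64_t flags;         /* 0x10 */
	uint64_t rb_node[3];    /* 0x18, struct rb_node is three words */
};

/* rb_entry(parent, struct vmap_area, rb_node) with %rbx == parent. */
static uint64_t vmap_area_of_rb_node(uint64_t parent)
{
	return parent - offsetof(struct vmap_area_prefix, rb_node);
}

/* &tmp_va->va_end, the pointer that ends up in %rdi and, shifted, in %rdx. */
static uint64_t va_end_ptr(uint64_t tmp_va)
{
	return tmp_va + offsetof(struct vmap_area_prefix, va_end);
}

int main(void)
{
	uint64_t tmp_va = vmap_area_of_rb_node(REG_RBX);
	uint64_t target = va_end_ptr(tmp_va);
	uint64_t shadow = trapping_shadow_addr();

	printf("tmp_va          = %#018llx (r13 = %#018llx)\n",
	       (unsigned long long)tmp_va, (unsigned long long)REG_R13);
	printf("&tmp_va->va_end = %#018llx (rdi = %#018llx)\n",
	       (unsigned long long)target, (unsigned long long)REG_RDI);
	printf("shadow of that  = %#018llx canonical=%d granule=%#llx\n",
	       (unsigned long long)shadow, x86_canonical48(shadow),
	       (unsigned long long)kasan_shadow_to_mem(shadow));
	printf("shadow of va    = %#018llx (rax+rbp)\n",
	       (unsigned long long)kasan_mem_to_shadow(REG_R12));
	return 0;
}
```

Two things fall out of the numbers. First, the derived values line up with the dump: %rbx - 0x18 is %r13, %r13 + 0x8 is %rdi, and %rdi >> 3 is %rdx, so the trapping check really is the instrumentation of the tmp_va->va_end load. Second, the shadow address it computes, 0xdffffc82c000007e, is non-canonical on x86-64, as is the shadow of every user-range pointer with this offset, so the compiler-inserted check itself takes #GP before KASAN gets a chance to print a report; that is why there is only a raw register dump to work from rather than a KASAN report.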