Hi!

On 12:14 Fri 10 Jul , Alexey Mikhailov wrote:
> Michael, hello!
>
> Michael Blizek wrote:
>> Problem happens at c026023c line:
>>> if (unlikely(buf->offset + length > chan->subbuf_size))
>>> c026023c:   8b 55 08                mov    0x8(%ebp),%edx
>>> c026023f:   01 da                   add    %ebx,%edx
>>> c0260241:   3b 50 04                cmp    0x4(%eax),%edx
>>> c0260244:   76 0b                   jbe    c0260251 <_ipfix_send_msg+0x62>
...

The error is in relay_write, which is inside _ipfix_send_msg in the assembly due to inlining.

> static inline void relay_write(struct rchan *chan,
>                                const void *data,
>                                size_t length)
> {
>         unsigned long flags;
>         struct rchan_buf *buf;
>
>         local_irq_save(flags);
>         buf = chan->buf[smp_processor_id()];
>         if (unlikely(buf->offset + length > chan->subbuf_size))
>                 length = relay_switch_subbuf(buf, length);

Here it is: register states after the crash:

eax = ee5d4a00
edx = 00000001
ebp = 0000332e

        buf = chan->buf[smp_processor_id()];
c0260231:   64 8b 15 04 60 3e c0    mov    %fs:0xc03e6004,%edx

Load smp_processor_id() into edx (the result value is 1, meaning it is the second cpu, because counting starts at 1).

c0260238:   8b 6c 90 20             mov    0x20(%eax,%edx,4),%ebp

eax stores chan. The instruction means: dereference what is in eax + 20(hex) + edx*4 and store it in ebp. ebp then contains buf (20 is probably the offset of buf). ebp contains 0000332e afterwards, which does not look like a valid address.

        if (unlikely(buf->offset + length > chan->subbuf_size))
c026023c:   8b 55 08                mov    0x8(%ebp),%edx

This line means: dereference ebp + 8 (8 is probably the offset of "offset") and store it in edx. Here it crashes, because ebp does not contain a valid address.

==> You probably have not initialised all chan->buf entries or made chan->buf too small.
BTW: Linux has a built-in per-cpu "library": http://lwn.net/Articles/258238/

-Michi

--
programming a layer 3+4 network protocol for mesh networks
see http://michaelblizek.twilightparadox.com

--
To unsubscribe from this list: send an email with
"unsubscribe kernelnewbies" to ecartis@xxxxxxxxxxxx
Please read the FAQ at http://kernelnewbies.org/FAQ
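As an added illustration, not part of the mail above and not code from the ipfix or relay sources: a small userspace C model of the chan->buf[smp_processor_id()] lookup that faulted. It does the effective-address arithmetic of the faulting mov (base + displacement + index*scale) that the analysis above does by hand, and shows the check a caller would want before handing a per-cpu slot to relay_write: refuse an entry that was never filled in instead of dereferencing it. The struct layouts, NR_CPUS, the nr_bufs bookkeeping field and the sample channel contents are assumptions made for the example; the garbage slot value 0x332e is taken from the register dump in the mail.

```c
/*
 * Added example, not code from the original mail or from the ipfix/relay
 * sources: a userspace model of the chan->buf[smp_processor_id()] lookup
 * that faulted in the post.  Struct layouts, NR_CPUS and the nr_bufs
 * bookkeeping field are assumptions made for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_CPUS 4                /* assumed size of the per-cpu pointer array */

struct rchan_buf {
    size_t offset;               /* write position inside the current sub-buffer */
};

struct rchan {
    size_t subbuf_size;
    unsigned nr_bufs;            /* assumed: how many buf[] slots were filled in */
    struct rchan_buf *buf[NR_CPUS];
};

/*
 * Effective address of "mov 0x20(%eax,%edx,4),%ebp": base + disp + index*scale.
 * This is the arithmetic the post does by hand to find which slot was read.
 */
uint32_t sib_effective_address(uint32_t base, uint32_t index,
                               uint32_t scale, uint32_t disp)
{
    return base + disp + index * scale;
}

/*
 * Guarded replacement for the bare "buf = chan->buf[cpu]" dereference:
 * returns NULL instead of handing back whatever garbage sits in an
 * uninitialised slot (0x332e in the post).
 */
struct rchan_buf *rchan_buf_for_cpu(const struct rchan *chan, unsigned cpu)
{
    if (cpu >= NR_CPUS || cpu >= chan->nr_bufs)
        return NULL;
    return chan->buf[cpu];       /* still NULL if the slot was left zeroed */
}

/*
 * Model of relay_write's size check.  Returns -1 when there is no buffer
 * for this cpu, 1 when the write would have to switch sub-buffer, 0 when
 * it fits and the offset was advanced.
 */
int model_relay_write(struct rchan *chan, unsigned cpu, size_t length)
{
    struct rchan_buf *buf = rchan_buf_for_cpu(chan, cpu);

    if (!buf)
        return -1;
    if (buf->offset + length > chan->subbuf_size)
        return 1;
    buf->offset += length;
    return 0;
}

/*
 * Constructed input mirroring the post: only cpu 0's buffer was allocated,
 * and slot 1 holds the bogus value 0x332e that ended up in %ebp.
 */
static void setup_half_initialised(struct rchan *chan, struct rchan_buf *buf0)
{
    memset(chan, 0, sizeof *chan);
    memset(buf0, 0, sizeof *buf0);
    chan->subbuf_size = 4096;
    chan->nr_bufs = 1;
    chan->buf[0] = buf0;
    chan->buf[1] = (struct rchan_buf *)(uintptr_t)0x332e;
}

/* One write of `length` bytes on the given cpu against the half-initialised channel. */
int write_on_cpu(unsigned cpu, size_t length)
{
    struct rchan chan;
    struct rchan_buf buf0;

    setup_half_initialised(&chan, &buf0);
    return model_relay_write(&chan, cpu, length);
}

int main(void)
{
    printf("slot read by the faulting mov: 0x%08x\n",
           sib_effective_address(0xee5d4a00u, 1, 4, 0x20)); /* 0xee5d4a24 */
    printf("write on cpu 0: %d\n", write_on_cpu(0, 16));     /* 0  */
    printf("write on cpu 1: %d\n", write_on_cpu(1, 16));     /* -1 */
    return 0;
}
```

In the real kernel the per-cpu array is sized and filled by the channel setup code, so the fix the mail suggests is to make sure every chan->buf entry is allocated before anything calls relay_write on that cpu; the nr_bufs guard here only makes the failure visible as an error return instead of a fault on a bogus pointer.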