Re: Kernel Oops on alpha with kernel version >=6.9.x

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Some updates on this:

rcu: inside rcu_barrier begin loop first pass cpu index=0
CPU: 1 UID: 0 PID: 1433 Comm: rmmod Not tainted 6.12.1-gentoo #75
        fffffc000a217c88 fffffc0000e62440 fffffc00003a8be8 0000000000000000
        fffffc0000e627b0 fffffc0000e42240 fffffc0000b67c98 fffffc0004a18000

here return address to scsi_host_dev_release is still intact on stack

 rcu: inside rcu_barrier end loop first pass
 CPU: 1 UID: 0 PID: 1433 Comm: rmmod Not tainted 6.12.1-gentoo #75
        fffffc000a217c88 fffffc0000e62440 fffffc00003a8f64 0000000000000000
        fffffc0000e627b0 fffffc0000e42240 0000000000000000 fffffc0004a18000

at the end of first pass in loop, return address in replaced by 0

 rcu: inside rcu_barrier begin loop second pass cpu index=1
 CPU: 1 UID: 0 PID: 1433 Comm: rmmod Not tainted 6.12.1-gentoo #75
        fffffc000a217c88 fffffc0000e62440 fffffc00003a8be8 0000000000000001
        fffffc0000e627b0 fffffc0000e42240 0000000000000000 fffffc0004a18000


 rcu: inside rcu_barrier end loop (second pass)
 CPU: 1 UID: 0 PID: 1433 Comm: rmmod Not tainted 6.12.1-gentoo #75
        fffffc000a217c88 fffffc0000e62440 fffffc00003a8f64 0000000000000001
        fffffc0000e627b0 fffffc0000e42240 0000000000000001 fffffc0004a18000

ant the end of second pass return address is replaced by 1.

It looks like the variable used as loop counter is the value put on the stack
overwriting the return value for scsi_host_dev_release. When adding
a reference to the address of this variable or when it is declared
volatile, stack
corruption does NOT occur.

When examining the disassembly of the code generated from kernel/rcu/tree.o
the most significant difference I can see is that in the case of a
corrupted stack
the frame pointer register $fp is used to hold a reference to the loop
count variable
but in the case with no stack corruption a regular "saved register" is
used for the
reference. Is it possible that the frame pointer is somehow altered
during the execution
of the code? not really sure how linux/alpha/gcc treats the frame pointer. I've
tried altering -fomit-frame-pointer/-f-no-omit-frame-pointer but so
far not getting
anywhere with that...

/Magnus



Return address to scsi_host_dev_release:
[<fffffc0000b67c98>] scsi_host_dev_release+0xac/0x1cc
[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux