ISSUE: 2.1.37-pre2 - NULL pointer bug in shm_swap() code

Wolfgang Wander (wwc@lars.desy.de)
Fri, 2 May 1997 12:21:13 +0200


Hi,

very PC:

[1.] 2.1.37-pre2 - NULL pointer bug in shm_swap() code

[2.] In the desperate hope of finding a stable SMP kernel we went to
2.1.37-pre2, which is rather stable as long as you use the newer tulip
driver as a module instead of linking it into the kernel.
However, as soon as it comes to swapping of shm the kernel oopses:

[3.] keywords: ipc/shm/swap

[4.]
Linux version 2.1.37 (root@kirk.desy.de) (gcc version 2.7.2.1) #9 Fri May 2 11:02:29 MET DST 1997

[5.]
Unable to handle kernel NULL pointer dereference at virtual address 00000030
current->tss.cr3 = 00101000, %cr3 = 00101000
*pde = 00000000
Oops: 0000
CPU: 1
EIP: 0010:[<c013d0dc>]
EFLAGS: 00010286
eax: 03b3e045 ebx: c7d29400 ecx: 40000000 edx: c3b0b000
esi: c00977d8 edi: 00000000 ebp: 40000000 esp: c000df78
ds: 0018 es: 0018 ss: 0018
Process kswapd (pid: 3, process nr: 4, stackpage=c000d000)
Stack: 00000006 00000000 00000003 00000000 00000000 40000000 c3b3e000 0000004b
00000000 00000000 00000000 00002b00 c00977d8 03b3e067 03b3e045 c0123e94
00000006 00000000 00000000 c01c86c0 c000c000 00009000 c01240c3 00000003
Call Trace:
Code: 8b 47 30 c1 e8 08 83 e0 7f 39 44 24 28 74 19 50 8b 74 24 2c

---

This translates to:

Using `/System.map' to map addresses to symbols.

>>EIP: c013d0dc <shm_swap+128/2fc>

Code: c013d0dc <shm_swap+128/2fc>

or in c-code:

ipc/shm.c: 758
        if (shp->attaches)
          for (shmd = shp->attaches; ; ) {
            do {
                pgd_t *page_dir;
                pmd_t *page_middle;
                pte_t *page_table, pte;
                unsigned long tmp;

-*>             if ((SWP_OFFSET(shmd->vm_pte) & SHM_ID_MASK) != id) {

obviously shmd = shp->attaches equals the NULL pointer and this is not checked for.

[7.1]
Linux kirk.desy.de 2.1.37 #9 Fri May 2 11:02:29 MET DST 1997 i686 unknown
Kernel modules         2.1.34
Gnu C                  2.7.2.1
Binutils               2.7.0.9
Linux C Library        5.4.23
Dynamic Linker (ld.so) 1.8.10
Linux C++ Library      27.1.0
Procps                 0.99
Mount                  2.6g
Net-tools              1.3.50-BETA6f
Kbd                    0.93
Sh-utils               1.16

[7.2]
processor       : 0
cpu             : 686
model           : Pentium Pro
vendor_id       : GenuineIntel
stepping        : 9
fdiv_bug        : no
hlt_bug         : no
fpu             : yes
fpu_exception   : yes
cpuid           : yes
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic 11 mtrr pge mca cmov
bogomips        : 199.07

processor       : 1
cpu             : 686
model           : Pentium Pro
vendor_id       : GenuineIntel
stepping        : 9
fdiv_bug        : no
hlt_bug         : no
fpu             : yes
fpu_exception   : yes
cpuid           : yes
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic 11 mtrr pge mca cmov
bogomips        : 199.07

[7.3.]
$ cat /proc/modules
tulip                  17672   1 (autoclean)

[7.4.] SCSI information (from /proc/scsi/scsi):

$ cat /proc/scsi/scsi
Attached devices:
Host: scsi0 Channel: 00 Id: 00 Lun: 00
  Vendor:          Model: DFRSS4F          Rev: 4B4B
  Type:   Direct-Access                    ANSI SCSI revision: 02
Host: scsi0 Channel: 00 Id: 01 Lun: 00
  Vendor:          Model: DFRSS4F          Rev: 4B4B
  Type:   Direct-Access                    ANSI SCSI revision: 02

[7.5]
$ cat /proc/meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  130707456 119865344 10842112 13778944 86577152 15613952
Swap: 132567040        0 132567040
MemTotal:    127644 kB
MemFree:      10588 kB
MemShared:    13456 kB
Buffers:      84548 kB
Cached:       15248 kB
SwapTotal:   129460 kB
SwapFree:    129460 kB

[99.] anyone have a qualified fix? ;-)

Wolfgang

--
   _/  _/ _/  _/ _/_/_/ . Wolfgang Wander HERMES Collaboration 
  _/  _/ _/  _/ _/     . DESY Hamburg    Email: Wolfgang.Wander@desy.de
 _/_/_/ _/_/_/ _/     . Notkestr. 85    Tel: +49 40 8998 4638  Fax: -4034
_/_/_/ _/_/_/ _/_/_/ . 22603 Hamburg   http://www-hermes.desy.de/wander.html
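Added example, not part of Wolfgang's report: the two steps behind "This translates to" above, done by hand. A System.map lookup turns EIP c013d0dc into shm_swap+128/2fc, and a register check confirms that the faulting address 00000030 is a NULL base register plus the 0x30 displacement encoded in the first Code bytes (8b 47 30 is mov 0x30(%edi),%eax). The System.map excerpt is constructed so that shm_swap starts 0x128 bytes before the EIP and spans 0x2fc bytes, as in the report.

```python
import bisect
import re

# Constructed System.map excerpt (not from the reporter's kernel): shm_swap is
# placed at c013d0dc - 0x128 and the next symbol 0x2fc bytes later.
SYSTEM_MAP = """\
c013cf00 T shm_close
c013cfb4 T shm_swap
c013d2b0 T shm_swap_in
c013d400 T sys_ipc
"""

# Register line copied from the Oops in the report above.
OOPS_REGS = """\
eax: 03b3e045 ebx: c7d29400 ecx: 40000000 edx: c3b0b000
esi: c00977d8 edi: 00000000 ebp: 40000000 esp: c000df78
"""

def parse_system_map(text):
    """Return sorted (address, name) pairs for text-segment (t/T) symbols."""
    syms = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] in ("t", "T"):
            syms.append((int(parts[0], 16), parts[2]))
    return sorted(syms)

def resolve(eip, syms):
    """Map an address to 'symbol+offset/size', ksymoops style.
    size is the distance to the next symbol, as System.map has no sizes."""
    addrs = [addr for addr, _ in syms]
    i = bisect.bisect_right(addrs, eip) - 1
    if i < 0:
        return None
    start, name = syms[i]
    end = syms[i + 1][0] if i + 1 < len(syms) else eip + 1
    return "%s+%x/%x" % (name, eip - start, end - start)

def base_register(regs_text, fault_addr, disp):
    """Name the register whose value plus the instruction's displacement is
    the faulting address; a result of 0 for that register means NULL deref."""
    regs = re.findall(r"\b(e[a-d]x|e[sd]i|e[bs]p): ([0-9a-f]{8})", regs_text)
    for name, value in regs:
        if int(value, 16) + disp == fault_addr:
            return name
    return None
```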