[2.1.51] Three oops in 60 seconds

Riccardo Facchetti (fizban@tin.it)
Wed, 27 Aug 1997 21:46:36 +0200 (MET DST)


I was exiting pppd when the kernel oopsed on me.
Attached is a log of the three oopses.

Ciao,
Riccardo.
------
Unable to handle kernel paging request at virtual address 19d9e824
current->tss.cr3 = 011d0000, (r3 = 011d0000
*pde = 00000000
Oops: 0000
CPU: 0
EIP: 0010:[<c0140684>]
EFLAGS: 00010282
eax: 19d9e800 ebx: 00008913 ecx: c0a2608b edx: bffff6a4
esi: c0811360 edi: bffff6a4 ebp: 00000005 esp: c0961f8c
ds: 0018 es: 0018 ss: 0018
Process pppd (pid: 753, process nr: 42, stackpage=c0961000)
Stack: c0a2608b 00008913 bffff6a4 00008913 c012af72 c0a25fff c0811360 00008913
bffff6a4 c0960000 00000003 00000000 bffff674 c010946a 00000005 00008913
bffff6a4 00000003 00000000 bffff674 00000036 0000002b 0000002b 00000036
Call Trace: [<c012af72>] [<c010946a>]
Code: 8b 40 24 ff d0 83 c4 0c 5b c3 89 f6 8b 44 24 04 8b 4c 24 08

Using `System.map' to map addresses to symbols.

>>EIP: c0140684 <sock_ioctl+1c/28>
Trace: c012af72 <sys_ioctl+14e/164>
Trace: c010946a <system_call+3a/40>

oops_decode.o: file format a.out-i386-linux

Disassembly of section .text:

0000000000000000 <_EIP>:
0: 8b 40 24 movl 0x24(%eax),%eax
3: ff d0 call *%eax
5: 83 c4 0c addl $0xc,%esp
8: 5b popl %ebx
9: c3 ret
a: 89 f6 movl %esi,%esi
c: 8b 44 24 04 movl 0x4(%esp,1),%eax
10: 8b 4c 24 08 movl 0x8(%esp,1),%ecx

In net/socket.c:sock_ioctl() at the line:

return sock->ops->ioctl(sock, cmd, arg);

oops dereferencing the ioctl function.

------------

Unable to handle kernel NULL pointer dereference at virtual address 000000e4
current->tss.cr3 = 00101000, (r3 = 00101000
*pde = 00000000
Oops: 0000
CPU: 0
EIP: 0010:[<c012c3f0>]
EFLAGS: 00010206
eax: c0a25fff ebx: c0a2605b ecx: c0ca1fa0 edx: c13665c0
esi: 000000c0 edi: c18e0700 ebp: c0811360 esp: c0961e88
ds: 0018 es: 0018 ss: 0018
Process pppd (pid: 753, process nr: 42, stackpage=c0961000)
Stack: c0811360 00000001 c18e0700 00000001 c0a25fff 00000000 c0ca1500 c0ca1500
c0ca159c c08c86fc c012dbe7 c0ca1500 c08c86c0 c13665c0 c07973f0 c012236b
c0ca1500 c13665c0 00000000 c18e0700 c01223af c0960000 c0811360 00000005
Call Trace: [<c012dbe7>] [<c012236b>] [<c01223af>] [<c0115840>] [<c01099d8>] [<c018455a>] [<c0185199>]
[<c010e6ea>] [<c0185199>] [<c01095e2>] [<c0140684>] [<c012af72>] [<c010946a>]
Code: 8a 46 24 a8 01 74 09 8b 4c 24 54 39 4e 14 74 10 a8 02 74 54

Using `System.map' to map addresses to symbols.

>>EIP: c012c3f0 <locks_remove_locks+24/9c>
Trace: c012dbe7 <dput+7f/a8>
Trace: c012236b <__fput+43/50>
Trace: c01223af <close_fp+37/80>
Trace: c0115840 <do_exit+12c/220>
Trace: c01099d8 <die_if_kernel+44/48>
Trace: c018455a <sprintf+1e66/2869>
Trace: c0185199 <bad_pmd_string+23c/26f>
Trace: c010e6ea <do_page_fault+2ea/2fc>
Trace: c0185199 <bad_pmd_string+23c/26f>
Trace: c01095e2 <error_code+32/40>
Trace: c0140684 <sock_ioctl+1c/28>
Trace: c012af72 <sys_ioctl+14e/164>
Trace: c010946a <system_call+3a/40>

oops_decode.o: file format a.out-i386-linux

Disassembly of section .text:

0000000000000000 <_EIP>:
0: 8a 46 24 movb 0x24(%esi),%al
3: a8 01 testb $0x1,%al
5: 74 09 je 10 <_EIP+10>
7: 8b 4c 24 54 movl 0x54(%esp,1),%ecx
b: 39 4e 14 cmpl %ecx,0x14(%esi)
e: 74 10 je 20 <_EIP+20>
10: a8 02 testb $0x2,%al
12: 74 54 je 68 <_EIP+68>

In fs/locks.c:locks_remove_locks() the line:

if (((fl->fl_flags & FL_POSIX) && (fl->fl_owner == task)) ||
((fl->fl_flags & FL_FLOCK) && (fl->fl_file == filp) &&
(filp->f_count == 1))) {

oops dereferencing fl_flags the first time.

---------------

Unable to handle kernel NULL pointer dereference at virtual address 00000053
current->tss.cr3 = 00101000, (r3 = 00101000
*pde = 00000000
Oops: 0000
CPU: 0
EIP: 0010:[<c012da25>]
EFLAGS: 00010246
eax: c0f94540 ebx: ffffffff ecx: ffffffff edx: c0f94540
esi: 00000000 edi: c0f94520 ebp: 00000000 esp: c000dfa4
ds: 0018 es: 0018 ss: 0018
Process kswapd (pid: 3, process nr: 3, stackpage=c000d000)
Stack: c1fa7140 c0f94548 c0f94520 c012dc90 ffffffff 00000006 00000000 00000003
c011f9c1 00000000 c000c000 00000000 00009000 c011fb9b 00000003 00000000
00000000 00000100 c0003fe4 c01082ba 00000000 c011fa90 c0107fdc
Call Trace: [<c012dc90>] [<c011f9c1>] [<c011fb9b>] [<c01082ba>] [<c011fa90>] [<c0107fdc>]
Code: 8b 43 54 85 c0 74 09 8b 40 10 85 c0 74 02 89 c6 85 f6 74 0d

Using `System.map' to map addresses to symbols.

>>EIP: c012da25 <iput+11/b0>
Trace: c012dc90 <shrink_dcache+54/7c>
Trace: c011f9c1 <try_to_free_page+65/c8>
Trace: c011fb9b <kswapd+10b/128>
Trace: c01082ba <init+42/1a8>
Trace: c011fb9b <kswapd+10b/128>
Trace: c0107fdc <this_must_match_init_task+1fdc/2000>

oops_decode.o: file format a.out-i386-linux

Disassembly of section .text:

0000000000000000 <_EIP>:
0: 8b 43 54 movl 0x54(%ebx),%eax
3: 85 c0 testl %eax,%eax
5: 74 09 je 10 <_EIP+10>
7: 8b 40 10 movl 0x10(%eax),%eax
a: 85 c0 testl %eax,%eax
c: 74 02 je 10 <_EIP+10>
e: 89 c6 movl %eax,%esi
10: 85 f6 testl %esi,%esi
12: 74 0d je 21 <_EIP+21>

In fs/inode.c:iput() the line:

if (inode->i_sb && inode->i_sb->s_op)

oops dereferencing i_sb.
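The symbol lookups and the Code: disassembly in the log above are what ksymoops produces from System.map. As an added example, not part of Riccardo's post, the Python script below does the same lookup against a System.map excerpt constructed from the addresses shown in this post (each symbol's start is back-computed from the name+offset/size output, e.g. sock_ioctl+1c/28 at c0140684 gives sock_ioctl = c0140668 and a following symbol at c0140690; the names of those following symbols are placeholders, not real kernel symbols). It also adds a check worth doing on any oops: decode the memory operand of the instruction at EIP and confirm that base register plus displacement equals the faulting virtual address. For the first oops that is 0x24(%eax) with eax = 19d9e800, giving 19d9e824. For the second it is 0x24(%esi) with esi = 000000c0, giving 000000e4. For the third it is 0x54(%ebx) with ebx = ffffffff, which wraps to 00000053, so the "NULL pointer dereference" there is really a dereference of -1 plus an offset.

```python
"""Decode a 2.1-era i386 kernel oops: resolve EIP and Call Trace addresses
against System.map (as ksymoops does) and cross-check the faulting address
against the memory operand of the instruction at EIP."""
import bisect
import re

# Constructed System.map excerpt. Symbol starts are derived from the ksymoops
# output in the post; the "next_after_*" names are placeholders that only
# mark where each real symbol ends (its /size in the ksymoops output).
SYSTEM_MAP = """\
c0109430 T system_call
c0109470 T next_after_system_call
c012ae24 T sys_ioctl
c012af88 T next_after_sys_ioctl
c0140668 T sock_ioctl
c0140690 T next_after_sock_ioctl
"""

# Oops excerpt constructed from the first oops in the post.
OOPS = """\
Unable to handle kernel paging request at virtual address 19d9e824
Oops: 0000
CPU: 0
EIP: 0010:[<c0140684>]
eax: 19d9e800 ebx: 00008913 ecx: c0a2608b edx: bffff6a4
esi: c0811360 edi: bffff6a4 ebp: 00000005 esp: c0961f8c
Call Trace: [<c012af72>] [<c010946a>]
Code: 8b 40 24 ff d0 83 c4 0c 5b c3 89 f6 8b 44 24 04 8b 4c 24 08
"""

# ModRM r/m field encoding for 32-bit base registers (index 4 means a SIB byte).
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def load_system_map(text):
    """Parse 'addr type name' lines into a sorted list of (addr, name)."""
    syms = []
    for line in text.splitlines():
        addr, _type, name = line.split()
        syms.append((int(addr, 16), name))
    syms.sort()
    return syms


def resolve(syms, addr):
    """Return 'name+off/size' in ksymoops style, or None if addr precedes the map."""
    addrs = [a for a, _ in syms]
    i = bisect.bisect_right(addrs, addr) - 1
    if i < 0:
        return None
    start, name = syms[i]
    size = syms[i + 1][0] - start if i + 1 < len(syms) else 0
    return "%s+%x/%x" % (name, addr - start, size)


def parse_oops(text):
    """Pull the fault address, EIP, general registers, trace and Code bytes."""
    info = {"regs": {}}
    info["fault_addr"] = int(re.search(r"virtual address ([0-9a-f]{8})", text).group(1), 16)
    info["eip"] = int(re.search(r"EIP:\s+[0-9a-f]{4}:\[<([0-9a-f]{8})>\]", text).group(1), 16)
    for reg, val in re.findall(r"\b(e[abcd]x|e[sd]i|e[sb]p):\s*([0-9a-f]{8})", text):
        info["regs"][reg] = int(val, 16)
    trace = re.search(r"Call Trace:(.*)", text).group(1)
    info["trace"] = [int(a, 16) for a in re.findall(r"<([0-9a-f]{8})>", trace)]
    code = re.search(r"Code:\s*((?:[0-9a-f]{2}\s*)+)", text).group(1)
    info["code"] = bytes.fromhex(code.replace(" ", ""))
    return info


def memory_operand(code):
    """Decode the operand of the first instruction when it is a mov load
    (opcode 8a/8b) of the form [reg+disp8] with no SIB byte; return (reg, disp)."""
    op, modrm = code[0], code[1]
    if op not in (0x8A, 0x8B):
        raise ValueError("only mov loads (opcode 8a/8b) are handled")
    mod, rm = modrm >> 6, modrm & 7
    if mod != 1 or rm == 4:
        raise ValueError("only [reg+disp8] operands without SIB are handled")
    disp = code[2] - 256 if code[2] >= 128 else code[2]   # disp8 is signed
    return REGS32[rm], disp


def fault_address(regs, code):
    """Address the faulting instruction touched: base + disp, truncated to 32 bits
    (so ebx = ffffffff with disp 0x54 yields 00000053, as in the third oops)."""
    reg, disp = memory_operand(code)
    return (regs[reg] + disp) & 0xFFFFFFFF


def explain(oops_text, map_text):
    """Symbolize EIP and the trace, and check the operand against the fault address."""
    syms = load_system_map(map_text)
    info = parse_oops(oops_text)
    reg, disp = memory_operand(info["code"])
    return {
        "eip": resolve(syms, info["eip"]),
        "trace": [resolve(syms, a) for a in info["trace"]],
        "operand": "%#x(%%%s)" % (disp, reg),
        "fault_matches": fault_address(info["regs"], info["code"]) == info["fault_addr"],
    }


if __name__ == "__main__":
    for key, val in explain(OOPS, SYSTEM_MAP).items():
        print("%-14s %s" % (key, val))
```

A System.map that does not match the running kernel silently produces wrong but plausible-looking symbol names, which is why the operand check is useful: it depends only on the register dump and the Code: bytes, so it still tells you which pointer was bad even when the symbolization is suspect.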