http://bugzilla.suse.com/show_bug.cgi?id=1167793
http://bugzilla.suse.com/show_bug.cgi?id=1167793#c4

--- Comment #4 from Michal Hocko <mhocko@suse.com> ---
FWIW and so that it doesn't get lost in the mailing list:

All code
========
   0:   cc                      int3
   1:   cc                      int3
   2:   cc                      int3
   3:   cc                      int3
   4:   cc                      int3
   5:   cc                      int3
   6:   0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
   b:   49 89 f9                mov    %rdi,%r8
   e:   48 89 d1                mov    %rdx,%rcx
  11:   83 e2 07                and    $0x7,%edx
  14:   48 c1 e9 03             shr    $0x3,%rcx
  18:   40 0f b6 f6             movzbl %sil,%esi
  1c:   48 b8 01 01 01 01 01    movabs $0x101010101010101,%rax
  23:   01 01 01
  26:   48 0f af c6             imul   %rsi,%rax
  2a:*  f3 48 ab                rep stos %rax,%es:(%rdi)        <-- trapping instruction
  2d:   89 d1                   mov    %edx,%ecx
  2f:   f3 aa                   rep stos %al,%es:(%rdi)
  31:   4c 89 c8                mov    %r9,%rax
  34:   c3                      retq
  35:   90                      nop
  36:   49 89 f9                mov    %rdi,%r9
  39:   40 88 f0                mov    %sil,%al
  3c:   48 89 d1                mov    %rdx,%rcx
  3f:   f3                      repz
[ 94.453117] RSP: 0018:ffffa208802f0898 EFLAGS: 00010216
[ 94.453120] RAX: 0000000000000000 RBX: 00000000ffffffff RCX: 000000001ff1a800
[ 94.453122] RDX: 0000000000000007 RSI: 0000000000000000 RDI: ffff8ca8947d7ffa
[ 94.453124] RBP: ffff8ca916f36800 R08: ffff8ca8d612e800 R09: ffff8ca8940ac002
Interesting. The pointer to the memory to initialize was in rdi, with a copy in r8. The number of bytes was initially in rdx, but a copy is in rcx (later multiplied by 8), and here we can see the problem already: I doubt that the buffer was really ~512MB large.

For completeness, the crash happens while trying to store 0 to the address in rdi, which is really far away from the given address.

I didn't get to look at the call path, but it is likely that a bogus buffer length is either provided by the HW and not checked properly, or has been miscalculated on the way.
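The register reading done in the comment above can be scripted for triage. The following is an added example, not code from the bug report, from SUSE or from the kernel: it parses the register dump quoted above (embedded here as a constructed copy), reconstructs the rep stos loop state from the register roles visible in the disassembly (rcx holds the remaining qword count, rdx & 7 the tail bytes, rdi the current store address, and a copy of the original destination sits in the register the comment points at, `mov %rdi,%r8`), and lists what a triager would distrust: a remaining length above a heuristic ceiling (`MAX_PLAUSIBLE_MEMSET`, an assumption of this example) or a store cursor that has moved against the direction EFLAGS.DF prescribes. The `start_reg` parameter is also an assumption of the example; it lets you evaluate the other copy the disassembly shows (`mov %rdi,%r9` at 0x36) without editing the code.

```python
import re

# Constructed copy of the register dump quoted in comment #4; only these four
# lines are used, and they are embedded so the script runs offline.
OOPS_REGS = """\
[ 94.453117] RSP: 0018:ffffa208802f0898 EFLAGS: 00010216
[ 94.453120] RAX: 0000000000000000 RBX: 00000000ffffffff RCX: 000000001ff1a800
[ 94.453122] RDX: 0000000000000007 RSI: 0000000000000000 RDI: ffff8ca8947d7ffa
[ 94.453124] RBP: ffff8ca916f36800 R08: ffff8ca8d612e800 R09: ffff8ca8940ac002
"""

# "RSP: 0018:ffff..." carries a segment selector before the value; skip it.
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|EFLAGS):\s*(?:[0-9a-f]{4}:)?([0-9a-f]{8,16})\b")

EFLAGS_DF = 1 << 10          # direction flag; clear means rep stos walks upwards

# Heuristic ceiling (an assumption of this example, not a kernel limit): a single
# in-kernel memset larger than this deserves a second look.
MAX_PLAUSIBLE_MEMSET = 1 << 30


def parse_regs(text):
    """Return {register_name: int} for every register in an x86-64 oops dump."""
    return {name: int(value, 16) for name, value in REG_RE.findall(text)}


def memset_state(regs, start_reg="R08"):
    """Reconstruct the rep-stos loop state from the register roles visible in
    the disassembly: start_reg holds a copy of the original destination, rdi the
    current store address, rcx the qwords still to store, rdx & 7 the tail bytes.
    The default start_reg follows the comment's reading (`mov %rdi,%r8`)."""
    remaining = (regs["RCX"] << 3) + (regs["RDX"] & 7)
    return {
        "start": regs[start_reg],
        "cursor": regs["RDI"],
        "remaining_bytes": remaining,
        # negative means the cursor sits below the recorded start address
        "written_bytes": regs["RDI"] - regs[start_reg],
        "direction_up": not (regs["EFLAGS"] & EFLAGS_DF),
    }


def suspicious(state):
    """List the reasons a triager would distrust the memset length or pointer."""
    reasons = []
    if state["remaining_bytes"] > MAX_PLAUSIBLE_MEMSET:
        reasons.append(
            f"{state['remaining_bytes']:#x} bytes still to be stored exceeds "
            f"the {MAX_PLAUSIBLE_MEMSET:#x} ceiling"
        )
    if state["direction_up"] and state["written_bytes"] < 0:
        reasons.append(
            f"store cursor {state['cursor']:#x} lies below the start "
            f"{state['start']:#x} although DF is clear"
        )
    return reasons


if __name__ == "__main__":
    regs = parse_regs(OOPS_REGS)
    for reg in ("R08", "R09"):
        state = memset_state(regs, start_reg=reg)
        print(f"start={reg}: written={state['written_bytes']:#x} "
              f"remaining={state['remaining_bytes']:#x}")
        for reason in suspicious(state):
            print("  suspicious:", reason)
```

Run as a script it prints the reconstructed progress for both candidate start registers; with either one the remaining store count is in the hundreds of millions of qwords, which is the implausible length the comment is pointing at, and with r8 as the start the cursor additionally sits below the start address even though DF is clear.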