What | Removed | Added
---|---|---
CC | | mhocko@suse.com
FWIW and so that it doesn't get lost in the mailing list:
All code
========
0: cc int3
1: cc int3
2: cc int3
3: cc int3
4: cc int3
5: cc int3
6: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
b: 49 89 f9 mov %rdi,%r8
e: 48 89 d1 mov %rdx,%rcx
11: 83 e2 07 and $0x7,%edx
14: 48 c1 e9 03 shr $0x3,%rcx
18: 40 0f b6 f6 movzbl %sil,%esi
1c: 48 b8 01 01 01 01 01 movabs $0x101010101010101,%rax
23: 01 01 01
26: 48 0f af c6 imul %rsi,%rax
2a: f3 48 ab rep stos %rax,%es:(%rdi) <-- trapping instruction
2d: 89 d1 mov %edx,%ecx
2f: f3 aa rep stos %al,%es:(%rdi)
31: 4c 89 c8 mov %r9,%rax
34: c3 retq
35: 90 nop
36: 49 89 f9 mov %rdi,%r9
39: 40 88 f0 mov %sil,%al
3c: 48 89 d1 mov %rdx,%rcx
3f: f3 repz
> [ 94.453117] RSP: 0018:ffffa208802f0898 EFLAGS: 00010216
> [ 94.453120] RAX: 0000000000000000 RBX: 00000000ffffffff RCX: 000000001ff1a800
> [ 94.453122] RDX: 0000000000000007 RSI: 0000000000000000 RDI: ffff8ca8947d7ffa
> [ 94.453124] RBP: ffff8ca916f36800 R08: ffff8ca8d612e800 R09: ffff8ca8940ac002
Interesting. The pointer to memory to initialize was in rdi with a copy
to r8. The number of bytes was initially in rdx but a copy is in rcx
(later multiplied by 8) and here we can see the problem already. I doubt
that the buffer was really ~512MB large.
For completeness, the crash happens while trying to store 0 to the address
at rdi, which is really far away from the given address.
I didn't get to look at the call path but it is likely that a bogus
buffer length is either provided by the HW and not being checked
properly or it has been miscalculated on the way.
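Added example, not part of the original message: a small script that parses the register dump quoted above and recovers the memset arguments from the state of the trapping `rep stos`. It assumes the x86-64 memset convention visible in the disassembly (rcx holds the remaining qword count, rdx & 7 the tail bytes for the following byte-wise `rep stos %al`, and the register returned via `mov %r9,%rax; retq` holds the original destination); the register values are a copy of the quoted oops lines.

```python
import re

# Copy of the register lines quoted in the message above (sample input).
OOPS_LINES = """\
[   94.453117] RSP: 0018:ffffa208802f0898 EFLAGS: 00010216
[   94.453120] RAX: 0000000000000000 RBX: 00000000ffffffff RCX: 000000001ff1a800
[   94.453122] RDX: 0000000000000007 RSI: 0000000000000000 RDI: ffff8ca8947d7ffa
[   94.453124] RBP: ffff8ca916f36800 R08: ffff8ca8d612e800 R09: ffff8ca8940ac002
"""

# 'NAME: 16 hex digits' pairs; RSP ("0018:...") and EFLAGS do not match.
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}):\s+([0-9a-f]{16})\b")


def parse_regs(text):
    """Return {name: int} for every general-purpose register in an x86-64 oops dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def memset_state(regs, dst_save="R09"):
    """Recover memset(dst, c, n) from a fault inside 'rep stos %rax,%es:(%rdi)'.

    At the trapping instruction rcx = qwords still to store, rdx & 7 = tail
    bytes left for the byte-wise 'rep stos %al', and rdi = the faulting store
    address. dst_save is the register the routine hands back as its return
    value ('mov %r9,%rax; retq' in the disassembly), i.e. the original dst.
    """
    remaining = regs["RCX"] * 8 + (regs["RDX"] & 7)
    start = regs[dst_save]
    written = regs["RDI"] - start
    return {
        "fill_byte": regs["RAX"] & 0xff,      # byte value being stored
        "fault_addr": regs["RDI"],            # where the store trapped
        "written_bytes": written,             # distance already covered
        "remaining_bytes": remaining,         # what rep stos still wanted
        "implied_len": written + remaining,   # the n the caller passed
        "end_addr": (start + written + remaining) & 0xffffffffffffffff,
    }


if __name__ == "__main__":
    for key, val in memset_state(parse_regs(OOPS_LINES)).items():
        print(f"{key:16} 0x{val:x}")
```

With the quoted values the implied length works out to 0xffffffff, which is also the value sitting in RBX, so the caller handed memset a length of -1 cast to u32 rather than a buffer of that size.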