Michal Hocko changed bug 1167793
CC added: mhocko@suse.com

Comment # 4 on bug 1167793 from
FWIW and so that it doesn't get lost in the mailing list:
All code
========
   0:   cc                      int3
   1:   cc                      int3
   2:   cc                      int3
   3:   cc                      int3
   4:   cc                      int3
   5:   cc                      int3
   6:   0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
   b:   49 89 f9                mov    %rdi,%r8
   e:   48 89 d1                mov    %rdx,%rcx
  11:   83 e2 07                and    $0x7,%edx
  14:   48 c1 e9 03             shr    $0x3,%rcx
  18:   40 0f b6 f6             movzbl %sil,%esi
  1c:   48 b8 01 01 01 01 01    movabs $0x101010101010101,%rax
  23:   01 01 01
  26:   48 0f af c6             imul   %rsi,%rax
  2a:*  f3 48 ab                rep stos %rax,%es:(%rdi)   <-- trapping instruction
  2d:   89 d1                   mov    %edx,%ecx
  2f:   f3 aa                   rep stos %al,%es:(%rdi)
  31:   4c 89 c8                mov    %r9,%rax
  34:   c3                      retq
  35:   90                      nop
  36:   49 89 f9                mov    %rdi,%r9
  39:   40 88 f0                mov    %sil,%al
  3c:   48 89 d1                mov    %rdx,%rcx
  3f:   f3                      repz

> [   94.453117] RSP: 0018:ffffa208802f0898 EFLAGS: 00010216
> [   94.453120] RAX: 0000000000000000 RBX: 00000000ffffffff RCX: 000000001ff1a800
> [   94.453122] RDX: 0000000000000007 RSI: 0000000000000000 RDI: ffff8ca8947d7ffa
> [   94.453124] RBP: ffff8ca916f36800 R08: ffff8ca8d612e800 R09: ffff8ca8940ac002

Interesting. The pointer to memory to initialize was in rdi with a copy
to r8. The number of bytes was initially in rdx but a copy is in rcx
(later multiplied by 8) and here we can see the problem already. I doubt
that the buffer was really ~512MB large.

For completeness, the crash happens while trying to store 0 to the address
in rdi, which is really far away from the given address.

I didn't get to look at the call path but it is likely that a bogus
buffer length is either provided by the HW and not being checked
properly or it has been miscalculated on the way.
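Added example (not part of the bug report): a small Python helper that applies the register reading above to the quoted oops lines, taking rcx as the qwords still to be stored by the rep stosq, edx as the rep stosb tail, rax as the replicated fill byte and r8 as the saved destination pointer, as the comment reads the disassembly. The forward-consistency check on rdi versus r8 is my own addition.

```python
import re

# Register lines copied from the oops quoted in the comment above.
OOPS_REGS = """\
[   94.453117] RSP: 0018:ffffa208802f0898 EFLAGS: 00010216
[   94.453120] RAX: 0000000000000000 RBX: 00000000ffffffff RCX: 000000001ff1a800
[   94.453122] RDX: 0000000000000007 RSI: 0000000000000000 RDI: ffff8ca8947d7ffa
[   94.453124] RBP: ffff8ca916f36800 R08: ffff8ca8d612e800 R09: ffff8ca8940ac002
"""

# Matches "NAME: <16 hex digits>" for the 64-bit registers (RSP's "0018:" segment
# prefix and the 32-bit EFLAGS value deliberately do not match).
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})\b")


def parse_regs(oops: str) -> dict:
    """Map register name -> int for every 64-bit register in the dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(oops)}


def memset_state(regs: dict) -> dict:
    """Reconstruct the in-flight memset at a 'rep stos %rax,%es:(%rdi)' fault.

    From the disassembly: rcx = len >> 3 (qwords left; rep decrements it),
    edx = len & 7 (tail bytes for the following rep stosb), rax = the fill
    byte replicated eight times by the imul, rdi = the store address that
    faulted, and r8 = the saved copy of the original destination pointer.
    """
    remaining = regs["RCX"] * 8 + (regs["RDX"] & 7)
    fault, saved_dst = regs["RDI"], regs["R08"]
    return {
        "fault_addr": fault,
        "bytes_remaining": remaining,
        "fill_byte": regs["RAX"] & 0xFF,
        "offset_from_saved_dst": fault - saved_dst,
        # A forward rep stos only ever advances rdi, so rdi below the saved
        # start pointer means r8 no longer holds the original destination.
        "forward_consistent": fault >= saved_dst,
    }


def summarize(oops: str) -> str:
    s = memset_state(parse_regs(oops))
    note = "" if s["forward_consistent"] else " (rdi below saved dst: r8 is not the original pointer)"
    return (f"fault storing 0x{s['fill_byte']:02x} at 0x{s['fault_addr']:016x}, "
            f"{s['bytes_remaining']:#x} bytes ({s['bytes_remaining'] >> 20} MiB) still to go, "
            f"rdi is {s['offset_from_saved_dst']:+#x} from r8{note}")


if __name__ == "__main__":
    print(summarize(OOPS_REGS))
```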
