[linux-cifs-client] OOPS in 2.6.26

Gautam Iyer gi1242+samba at stanford.edu
Wed Jul 16 18:48:20 GMT 2008


On Wed, Jul 16, 2008 at 02:11:31PM -0400, Jeff Layton wrote:

> Thanks for the info. Here's some disassembly from around that area:
> 
>     5b24:       29 c2                   sub    %eax,%edx
>     5b26:       83 ea 05                sub    $0x5,%edx
>     5b29:       29 ca                   sub    %ecx,%edx
>     5b2b:       85 d2                   test   %edx,%edx
>     5b2d:       0f 8e 63 ff ff ff       jle    5a96 <CIFSSMBQAllEAs+0x196>
>     5b33:       8d 44 05 01             lea    0x1(%ebp,%eax,1),%eax
>     5b37:       01 c8                   add    %ecx,%eax
>     5b39:       89 c3                   mov    %eax,%ebx
>     5b3b:       8b 4c 24 1c             mov    0x1c(%esp),%ecx
>     5b3f:       8d 68 04                lea    0x4(%eax),%ebp
>     5b42:       0f b6 43 01             movzbl 0x1(%ebx),%eax  <<<< CRASH HERE
>     5b46:       8d 44 08 06             lea    0x6(%eax,%ecx,1),%eax
>     5b4a:       39 44 24 48             cmp    %eax,0x48(%esp)
>     5b4e:       89 44 24 1c             mov    %eax,0x1c(%esp)
>     5b52:       7e bc                   jle    5b10 <CIFSSMBQAllEAs+0x210>
>     5b54:       a1 5c 01 00 00          mov    0x15c,%eax
>     5b59:       89 ee                   mov    %ebp,%esi
>     5b5b:       c6 47 04 2e             movb   $0x2e,0x4(%edi)
>     5b5f:       89 07                   mov    %eax,(%edi)
>     5b61:       83 c7 05                add    $0x5,%edi
>     5b64:       89 7c 24 0c             mov    %edi,0xc(%esp)
>     5b68:       0f b6 43 01             movzbl 0x1(%ebx),%eax
>     5b6c:       89 c1                   mov    %eax,%ecx
>     5b6e:       c1 e9 02                shr    $0x2,%ecx
> 
> Large hairy function here and not a lot of handy markers nearby. So
> we're zero extending the byte at address in %ebx+1 and then copying
> that result to %eax. That jives with the oops message, but I'm having 
> problems matching up the assembly with C code.
> 
> My guess is that %ebx is intended to hold a "struct fea" at this time
> and the crash occurred while trying to reference its name_len. Nothing
> stands out at me as a bug here though. A reproducer would sure be
> nice.

Ok. Will rm some junk and try and reproduce in a VM. Might take a week
or two before I get everything set up...

Thanks for the response,

GI

-- 
Twenty Ways To Maintain A Healthy Level of Insanity
17. When the money comes out the ATM, scream "I won! I won!"
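The disassembly above is reading an EA entry's name_len from a server-supplied FEA list, so the practical question is how a walker over that list should bound every read by the bytes actually received. The following is an added example, not code from the kernel's CIFSSMBQAllEAs or from this thread: it assumes the FEALIST/FEA wire layout noted in its comments (a 32-bit list_len followed by packed entries of EA_flags, name_len, value_len, NUL-terminated name, value), builds a constructed two-entry reply, and shows the checked walk refusing a truncated reply and a hostile name_len rather than reading past the end of the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ASSUMED wire layout (an assumption for this example, not taken from the
 * page): a little-endian 32-bit list_len that counts itself, then packed
 * entries of  u8 EA_flags, u8 name_len, le16 value_len,
 * name[name_len], '\0', value[value_len].  name_len sits at byte offset 1
 * of an entry, the offset the faulting movzbl 0x1(%ebx) reads. */
enum { FEALIST_HDR = 4, FEA_HDR = 4 };

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the list trusting nothing the server declared: list_len is bounded
 * by the bytes received, and each header and body is range-checked before
 * it is read.  Returns the entry count, or -1 for a truncated/malformed
 * list; *names_total gets the bytes needed for a NUL-separated name list. */
int walk_fealist(const uint8_t *buf, size_t buflen, size_t *names_total)
{
    if (buflen < FEALIST_HDR)
        return -1;
    uint32_t list_len = get_le32(buf);
    if (list_len < FEALIST_HDR || list_len > buflen)
        return -1;                      /* server claims more than it sent */
    size_t off = FEALIST_HDR, end = list_len, total = 0;
    int count = 0;
    while (off < end) {
        if (end - off < FEA_HDR)
            return -1;                  /* name_len itself would lie past the buffer */
        uint8_t name_len = buf[off + 1];
        uint16_t value_len = get_le16(buf + off + 2);
        size_t entry_len = FEA_HDR + (size_t)name_len + 1 + value_len;
        if (entry_len > end - off)
            return -1;                  /* name or value overruns the list */
        if (buf[off + FEA_HDR + name_len] != '\0')
            return -1;                  /* name must be NUL-terminated on the wire */
        total += (size_t)name_len + 1;
        count++;
        off += entry_len;
    }
    if (names_total)
        *names_total = total;
    return count;
}

/* Serialize one entry (constructed test data, not a captured packet). */
static size_t put_fea(uint8_t *out, const char *name, const char *value)
{
    size_t nlen = strlen(name), vlen = strlen(value);
    out[0] = 0;                                  /* EA_flags */
    out[1] = (uint8_t)nlen;
    out[2] = (uint8_t)(vlen & 0xff);
    out[3] = (uint8_t)(vlen >> 8);
    memcpy(out + FEA_HDR, name, nlen + 1);       /* name plus its NUL */
    memcpy(out + FEA_HDR + nlen + 1, value, vlen);
    return FEA_HDR + nlen + 1 + vlen;
}

/* Constructed two-entry reply; returns its on-wire length (35 bytes). */
size_t build_sample_fealist(uint8_t *out, size_t cap)
{
    if (cap < 64)
        return 0;
    size_t off = FEALIST_HDR;
    off += put_fea(out + off, "user.foo", "bar");
    off += put_fea(out + off, "user.empty", "");
    out[0] = (uint8_t)off; out[1] = (uint8_t)(off >> 8); out[2] = 0; out[3] = 0;
    return off;
}

/* Well-formed reply: both entries parse. */
int demo_well_formed(size_t *names_total)
{
    uint8_t buf[64];
    size_t n = build_sample_fealist(buf, sizeof buf);
    return walk_fealist(buf, n, names_total);
}

/* Last byte never arrived: list_len now exceeds the received bytes. */
int demo_truncated(void)
{
    uint8_t buf[64];
    size_t n = build_sample_fealist(buf, sizeof buf);
    return walk_fealist(buf, n - 1, NULL);
}

/* Hostile name_len (0xff) in the first entry: an unchecked walker would step
 * the entry pointer far past the list and read the next name_len there. */
int demo_bad_name_len(void)
{
    uint8_t buf[64];
    size_t n = build_sample_fealist(buf, sizeof buf);
    buf[FEALIST_HDR + 1] = 0xff;
    return walk_fealist(buf, n, NULL);
}

int main(void)
{
    size_t total = 0;
    printf("well-formed: %d entries, %zu name bytes\n", demo_well_formed(&total), total);
    printf("truncated: %d\n", demo_truncated());
    printf("bad name_len: %d\n", demo_bad_name_len());
    return 0;
}
```

The point of bounding by buflen rather than by the declared list_len is that the declared length, the per-entry name_len and value_len are all server-controlled; a walker that advances its entry pointer by those fields without first checking that the next header fits is exactly the shape of code that faults on a `movzbl 0x1(%ebx)`.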