libreport version: 2.0.10 cmdline: BOOT_IMAGE=/vmlinuz-3.4.2-1.fc16.i686 root=UUID=a2cfc46e-badc-43d2-970d-c65cc62fdb4b ro rd.md=0 rd.lvm=0 rd.dm=0 KEYTABLE=us quiet SYSFONT=latarcyrheb-sun16 rhgb rd.luks=0 LANG=en_US.UTF-8 backtrace: :BUG: unable to handle kernel paging request at 03028301 :IP: [<c0525eca>] __kmalloc_track_caller+0xaa/0x1e0 :*pde = 00000000 :Oops: 0000 [#1] SMP :Modules linked in: ppdev parport_pc lp parport lockd be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi cxgb3 mdio ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fcoe libfcoe libfc scsi_transport_fc scsi_tgt 8021q garp stp llc rfcomm bnep fuse snd_hda_codec_hdmi snd_hda_codec_realtek btusb bluetooth arc4 snd_hda_intel snd_hda_codec snd_hwdep ath9k snd_seq snd_seq_device mac80211 snd_pcm ath9k_common ath9k_hw ath cfg80211 snd_timer acer_wmi iTCO_wdt snd uvcvideo videobuf2_core videodev media videobuf2_vmalloc videobuf2_memops tg3 i2c_i801 soundcore iTCO_vendor_support coretemp sparse_keymap rfkill snd_page_alloc joydev microcode uinput sunrpc crc32c_intel sdhci_pci sdhci mmc_core wmi i915 drm_kms_helper drm i2c_algo_bit i2c_core video [last unloaded: scsi_wait_scan] :Pid: 1138, comm: X Not tainted 3.4.2-1.fc16.i686 #1 Acer Aspire V3-571/VA50_HC_HR :EIP: 0060:[<c0525eca>] EFLAGS: 00213246 CPU: 0 :EIP is at __kmalloc_track_caller+0xaa/0x1e0 :EAX: 00000000 EBX: e1ac1a80 ECX: 03028301 EDX: 000010aa :ESI: f4002700 EDI: c0c64c90 EBP: f0ebbd34 ESP: f0ebbd04 : DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 :CR0: 80050033 CR2: 03028301 CR3: 3093a000 CR4: 000407d0 :DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 :DR6: ffff0ff0 DR7: 00000400 :Process X (pid: 1138, ti=f0eba000 task=f0f38000 task.ti=f0eba000) :Stack: : f0b10a80 f4002180 f4ff4200 f0ebbd6c c083745e c0832ce4 000004d0 00001240 : 03028301 e1ac1a80 000004d0 00001174 f0ebbd54 c0837481 00000000 f0ebbd50 : f4002180 efb17cc0 00000000 f0f38000 f0ebbd90 c0832ce4 ffffffff 00001174 :Call Trace: : [<c083745e>] ? __alloc_skb+0x2e/0x200 : [<c0832ce4>] ? sock_alloc_send_pskb+0x164/0x2a0 : [<c0837481>] __alloc_skb+0x51/0x200 : [<c0832ce4>] sock_alloc_send_pskb+0x164/0x2a0 : [<c06052c7>] ? sock_has_perm+0xa7/0xd0 : [<c0832e3d>] sock_alloc_send_skb+0x1d/0x30 : [<c08cc41f>] unix_stream_sendmsg+0x2ff/0x3f0 : [<c082f0be>] sock_aio_write+0xfe/0x120 : [<c082efc0>] ? sock_aio_dtor+0x20/0x20 : [<c0534ff4>] do_sync_readv_writev+0xa4/0xe0 : [<c065b622>] ? _copy_from_user+0x42/0x60 : [<c05347dc>] ? rw_verify_area+0x6c/0x120 : [<c0535243>] do_readv_writev+0xa3/0x190 : [<c082efc0>] ? sock_aio_dtor+0x20/0x20 : [<c053536e>] vfs_writev+0x3e/0x60 : [<c05354cd>] sys_writev+0x3d/0xa0 : [<c093a79f>] sysenter_do_call+0x12/0x28 :Code: fd 00 00 00 8b 06 64 03 05 08 f7 c5 c0 8b 50 04 8b 08 85 c9 89 4d f0 0f 84 20 01 00 00 8b 3e 8b 46 14 8b 4d f0 f7 c7 07 00 00 00 <8b> 1c 01 0f 85 07 01 00 00 8d 4a 01 8b 45 f0 64 0f c7 0f 0f 94 :EIP: [<c0525eca>] __kmalloc_track_caller+0xaa/0x1e0 SS:ESP 0068:f0ebbd04 :CR2: 0000000003028301
I stared at this for a while, and can't come up with a scenario to explain this. Is it reproducable ? The oops is way down in the allocator guts here.. static inline void *get_freepointer(struct kmem_cache *s, void *object) { return *(void **)(object + s->offset); 4c7d: 8b 1c 01 mov (%ecx,%eax,1),%ebx We passed a null object, and also had an enormous s->offset. bizarre. Were you low on memory when this happened ?