Bug 984678 - memory or cpu state corruption on THD(Thread technology) DX1/DX1 system [NEEDINFO]
memory or cpu state corruption on THD(Thread technology) DX1/DX1 system
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Stanislaw Gruszka
Fedora Extras Quality Assurance
: 986226 987780 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2013-07-15 12:35 EDT by shaw
Modified: 2013-10-09 10:27 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-10-09 10:27:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
sgruszka: needinfo? (constantshaw)

Attachments (Terms of Use)
File: dmesg (60.58 KB, text/plain)
2013-07-15 12:35 EDT, shaw
no flags Details

  None (edit)
Description shaw 2013-07-15 12:35:19 EDT
Additional info:
reporter:       libreport-2.1.5
BUG: unable to handle kernel NULL pointer dereference at           (null)
IP: [<ffffffffa0232cec>] cfg80211_chandef_valid+0xc/0x140 [cfg80211]
PGD 0 
Oops: 0000 [#1] SMP 
Modules linked in: fuse ebtable_nat ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat nf_nat_ipv4 nf_nat iptable_mangle bnep bluetooth nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi iTCO_wdt iTCO_vendor_support arc4 brcmsmac snd_hda_codec_via snd_hda_intel snd_hda_codec cordic snd_hwdep brcmutil snd_seq snd_seq_device snd_pcm mac80211 uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core cfg80211 rfkill videodev snd_page_alloc snd_timer media snd i2c_i801 mperf coretemp lpc_ich microcode mfd_core soundcore bcma uinput i915 r8169 i2c_algo_bit drm_kms_helper drm mii i2c_core video usb_storage sunrpc
CPU 1 
Pid: 602, comm: NetworkManager Not tainted 3.9.9-201.fc18.x86_64 #1 THD(Thread technology) DX1/DX1
RIP: 0010:[<ffffffffa0232cec>]  [<ffffffffa0232cec>] cfg80211_chandef_valid+0xc/0x140 [cfg80211]
RSP: 0018:ffff8800797b9918  EFLAGS: 00010206
RAX: 0000000000000000 RBX: ffff8800797b9990 RCX: ffff8800797b9990
RDX: 0000099e00000000 RSI: ffff8800797b9990 RDI: ffff8800797b9990
RBP: ffff8800797b9918 R08: 0000000000000e70 R09: ffff880077d7a058
R10: 0000000000000000 R11: 0000000000000004 R12: ffff88001e509a00
R13: 0000000000000000 R14: ffff880077d7a014 R15: ffff880078cd8000
FS:  00007f342043e840(0000) GS:ffff88007f280000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000797c0000 CR4: 00000000000007e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process NetworkManager (pid: 602, threadinfo ffff8800797b8000, task ffff88007a695dc0)
 ffff8800797b9958 ffffffffa021a26e ffff8800797b9948 ffffffff81321649
 ffff88001e509a00 ffff88007b4bc810 ffff88001e509a00 ffff88007b4bc810
 ffff8800797b99d8 ffffffffa021c293 ffff88007c801900 ffff880078cd8260
Call Trace:
 [<ffffffffa021a26e>] nl80211_send_chandef+0x1e/0x150 [cfg80211]
 [<ffffffff81321649>] ? __nla_put+0x29/0x40
 [<ffffffffa021c293>] nl80211_send_iface+0x2a3/0x330 [cfg80211]
 [<ffffffffa021c55b>] nl80211_get_interface+0x5b/0xb0 [cfg80211]
 [<ffffffff815802a0>] genl_rcv_msg+0x250/0x2d0
 [<ffffffff81580050>] ? genl_rcv+0x40/0x40
 [<ffffffff8157fc41>] netlink_rcv_skb+0xb1/0xc0
 [<ffffffff81580035>] genl_rcv+0x25/0x40
 [<ffffffff8157f561>] netlink_unicast+0x1a1/0x220
 [<ffffffff8157f8e1>] netlink_sendmsg+0x301/0x3c0
 [<ffffffff8153aa30>] sock_sendmsg+0xb0/0xe0
 [<ffffffff8153c511>] ? sock_recvmsg+0xc1/0xf0
 [<ffffffff81198b28>] ? mem_cgroup_charge_common+0xa8/0x120
 [<ffffffff8153c43c>] ___sys_sendmsg+0x3ac/0x3c0
 [<ffffffff811b28b0>] ? __pollwait+0xf0/0xf0
 [<ffffffff811b28b0>] ? __pollwait+0xf0/0xf0
 [<ffffffff811b28b0>] ? __pollwait+0xf0/0xf0
 [<ffffffff8101b3e9>] ? read_tsc+0x9/0x20
 [<ffffffff8153e409>] __sys_sendmsg+0x49/0x90
 [<ffffffff8153e462>] sys_sendmsg+0x12/0x20
 [<ffffffff8166afd9>] system_call_fastpath+0x16/0x1b
Code: 48 8d 82 a0 fd 82 ff 48 8d 55 fa 48 89 01 e8 fc bb ff ff c9 c3 00 41 49 02 00 0f 1f 44 04 00 0f 1f 44 00 00 48 00 07 55 48 89 e5 <48> 85 08 0f 84 f3 00 00 00 0f 01 50 04 31 c0 83 7f 08 08 76 07 
RIP  [<ffffffffa0232cec>] cfg80211_chandef_valid+0xc/0x140 [cfg80211]
 RSP <ffff8800797b9918>
Comment 1 shaw 2013-07-15 12:35:27 EDT
Created attachment 773823 [details]
File: dmesg
Comment 2 Stanislaw Gruszka 2013-07-25 06:52:07 EDT
This bug is strange. I do not see NULL pointer dereference, %rdi is ffff8800797b9990, and dissembled corresponding code looks like below:

objdump  -d -r --prefix-addresses /lib/modules/3.9.9-201.fc18.x86_64/kernel/net/wireless/cfg80211.ko  | grep -A 3 -B 3 "<cfg80211_chandef_valid+0xc>"

> 0000000000024ce5 <cfg80211_chandef_valid+0x5> mov    (%rdi),%rax
> 0000000000024ce8 <cfg80211_chandef_valid+0x8> push   %rbp
> 0000000000024ce9 <cfg80211_chandef_valid+0x9> mov    %rsp,%rbp
> 0000000000024cec <cfg80211_chandef_valid+0xc> test   %rax,%rax        <- RIP HERE
> 0000000000024cef <cfg80211_chandef_valid+0xf> je     0000000000024de8 <cfg80211_chandef_valid+0x108>
> 0000000000024cf5 <cfg80211_chandef_valid+0x15> movzwl 0x4(%rax),%edx
> 0000000000024cf9 <cfg80211_chandef_valid+0x19> xor    %eax,%eax

So this looks like CPU state corruption or some memory corruption. 

I looked at some other bugs you reported (bug 986226 and bug 987780), both have some pointer corrupted i.e. ff0088007b454960 instead of ffff88007b454960, so that's real problem on your system.

Please run memtest to see if your memory works correctly, if memtest will not find any problems, please install kernel-debug and run on that kernel , it could detect issues, i.e. driver that corrupt memory.
Comment 3 Stanislaw Gruszka 2013-07-25 06:53:40 EDT
*** Bug 986226 has been marked as a duplicate of this bug. ***
Comment 4 Stanislaw Gruszka 2013-07-25 06:54:26 EDT
*** Bug 987780 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.