#19 fregs -a causes crash to segfault under rare circumstances

1.0
closed
None
2025-08-08
2025-07-30
No

With crash 8 or 9 (but not 7), running fregs -a will cause crash to segfault if it encounters a routine in the stack trace that is a text variable. For example:

 #0 [ffff9974c2d4f5b0] __schedule at ffffffff8c7b7ab8
 #1 [ffff9974c2d4f618] schedule at ffffffff8c7b7e89
 #2 [ffff9974c2d4f628] throttle_direct_reclaim at ffffffff8c1dce55
 #3 [ffff9974c2d4f698] try_to_free_pages at ffffffff8c1e0cca
 #4 [ffff9974c2d4f730] __alloc_pages_nodemask at ffffffff8c1d4681
 #5 [ffff9974c2d4f860] alloc_pages_vma at ffffffff8c229439
 #6 [ffff9974c2d4f8c8] handle_mm_fault at ffffffff8c20235f
 #7 [ffff9974c2d4f990] __do_page_fault at ffffffff8c7bf7d3
 #8 [ffff9974c2d4fa00] do_page_fault at ffffffff8c7bfb05
 #9 [ffff9974c2d4fa30] page_fault at ffffffff8c7bb7b8
    [exception RIP: copy_user_enhanced_fast_string+9]
    RIP: ffffffff8c3ab8e9  RSP: ffff9974c2d4fae0  RFLAGS: 00050206
    RAX: ffff9974c2d4c000  RBX: ffff9974c2d4fe50  RCX: 0000000000000860
    RDX: 0000000000000860  RSI: ffff99751a4222f0  RDI: 00007f6c5e503000
    RBP: ffff9974c2d4fb18   R8: ffff9974c2d50000   R9: 0000000000009310
    R10: 0000000000009310  R11: 000000000000cba0  R12: 0000000000000860
    R13: ffff99751a4222f0  R14: 0000000000000860  R15: 0000000000000860
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
#10 [ffff9974c2d4fae0] memcpy_toiovec at ffffffff8c3b3dcc
#11 [ffff9974c2d4fb20] skb_copy_datagram_iovec at ffffffff8c6702e8
#12 [ffff9974c2d4fb80] tcp_recvmsg at ffffffff8c6db86a
#13 [ffff9974c2d4fc20] inet_recvmsg at ffffffff8c70b6b0
#14 [ffff9974c2d4fc50] sock_aio_read at ffffffff8c65d7dc
#15 [ffff9974c2d4fd18] sock_aio_read at ffffffff8c65d829
#16 [ffff9974c2d4fd28] do_sync_readv_writev at ffffffff8c25b39b
#17 [ffff9974c2d4fe00] do_readv_writev at ffffffff8c25cf5e
#18 [ffff9974c2d4fef8] vfs_readv at ffffffff8c25d132
#19 [ffff9974c2d4ff08] sys_readv at ffffffff8c25d239
#20 [ffff9974c2d4ff50] system_call_fastpath at ffffffff8c7c539f
crash> fregs -a
    :
    #9 page_fault entered by exception at <copy_user_enhanced_fast_string+9>
    RIP: ffffffff8c3ab8e9  RSP: ffff9974c2d4fae0  RFLAGS: 00050206
    RAX: ffff9974c2d4c000  RBX: ffff9974c2d4fe50  RCX: 0000000000000860
    RDX: 0000000000000860  RSI: ffff99751a4222f0  RDI: 00007f6c5e503000
    RBP: ffff9974c2d4fb18   R8: ffff9974c2d50000   R9: 0000000000009310
    R10: 0000000000009310  R11: 000000000000cba0  R12: 0000000000000860
    R13: ffff99751a4222f0  R14: 0000000000000860  R15: 0000000000000860
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018

copy_user_enhanced_fast_string called from 0xffffffff8c3b3dcc <memcpy_toiovec+92>
Segmentation fault

This appears to be a problem in the C++ GDB interface code, triggered when processing this whatis output for copy_user_enhanced_fast_string:

crash64> whatis copy_user_enhanced_fast_string
<text variable, no debug info> copy_user_enhanced_fast_string;
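As an added illustration (not pykdump's own code, and in Python rather than the C++ GDB interface where the actual fix lives), a parser for this `whatis` output that returns no type for a symbol gdb has no debug info for, so a register/argument decoder can skip that frame instead of faulting on a missing type; the function signatures in the sample are constructed:

```python
import re
from typing import Dict, List, Optional, Tuple

# gdb's `whatis` prints one of these two forms for a symbol that exists only in
# the ELF symbol table (a "minimal symbol"), so there is no DWARF type to return.
NO_DEBUG_RE = re.compile(
    r"^<(?P<kind>text|data) variable, no debug info>\s+(?P<name>\w+);?\s*$"
)
# Anything else is a plain C declaration such as "void schedule(void);" or
# "volatile unsigned long jiffies;" (simplified: no function pointers or arrays).
DECL_RE = re.compile(r"^(?P<type>.+?)\s*\b(?P<name>\w+)\s*(?P<args>\([^)]*\))?\s*;\s*$")


def parse_whatis(output: str) -> Tuple[str, str, Optional[str]]:
    """Return (name, kind, ctype) for one line of `whatis` output.

    kind is "function", "variable" or "nodebug"; ctype is None when gdb has no
    debug info, so a caller must test for None rather than dereference it.
    """
    line = output.strip()
    m = NO_DEBUG_RE.match(line)
    if m:
        return m.group("name"), "nodebug", None
    m = DECL_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised whatis output: {line!r}")
    kind = "function" if m.group("args") else "variable"
    return m.group("name"), kind, m.group("type").strip()


def decodable_frames(frames: List[str], whatis_by_symbol: Dict[str, str]) -> List[Tuple[str, bool]]:
    """For each frame symbol, say whether a decoder may ask gdb for the symbol's
    type: False for symbols without debug info, which the caller should skip
    (or print raw) instead of crashing on the missing type."""
    return [(sym, parse_whatis(whatis_by_symbol[sym])[2] is not None) for sym in frames]


# Constructed sample: the exception frame from the ticket's backtrace plus two
# neighbours, with `whatis` output for each (the __schedule and memcpy_toiovec
# signatures are illustrative, not copied from a real vmlinux).
SAMPLE_FRAMES = ["__schedule", "copy_user_enhanced_fast_string", "memcpy_toiovec"]
SAMPLE_WHATIS = {
    "__schedule": "void __schedule(bool);",
    "copy_user_enhanced_fast_string": "<text variable, no debug info> copy_user_enhanced_fast_string;",
    "memcpy_toiovec": "int memcpy_toiovec(struct iovec *, unsigned char *, int);",
}

if __name__ == "__main__":
    for sym, ok in decodable_frames(SAMPLE_FRAMES, SAMPLE_WHATIS):
        print(f"{sym}: {'type available' if ok else 'no debug info, skipping decode'}")
```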

Discussion

  • Martin Moore

    Martin Moore - 2025-08-08
    • status: open --> closed
     
  • Martin Moore

    Martin Moore - 2025-08-08

    Fixed in [8b4e6c].

     

    Related

    Commit: [8b4e6c]

