[crash analysis] BUG: unable to handle kernel paging request at ffffeb04000ffb40

KERNEL: /usr/lib/debug/lib/modules/3.10.0-514.26.2.el7.x86_64/vmlinux
DUMPFILE: vmcore [PARTIAL DUMP]
CPUS: 4
DATE: Fri Nov 22 06:53:47 2019
UPTIME: 00:10:51
LOAD AVERAGE: 0.09, 0.06, 0.05
TASKS: 142
NODENAME: cpe
RELEASE: 3.10.0-514.26.2.el7.x86_64
VERSION: #1 SMP Tue Jul 4 15:04:05 UTC 2017
MACHINE: x86_64 (1996 Mhz)
MEMORY: 1.9 GB
PANIC: "BUG: unable to handle kernel paging request at ffffeb04000ffb40"
crash> bt
PID: 2216 TASK: ffff880073f39f60 CPU: 2 COMMAND: "CommuSend"
#0 [ffff8800517bb5b8] machine_kexec at ffffffff81059beb
#1 [ffff8800517bb618] __crash_kexec at ffffffff81105822
#2 [ffff8800517bb6e8] crash_kexec at ffffffff81105910
#3 [ffff8800517bb700] oops_end at ffffffff81690008
#4 [ffff8800517bb728] no_context at ffffffff8167fc96
#5 [ffff8800517bb778] __bad_area_nosemaphore at ffffffff8167fd2c
#6 [ffff8800517bb7c0] bad_area_nosemaphore at ffffffff8167fe96
#7 [ffff8800517bb7d0] __do_page_fault at ffffffff81692e4e
#8 [ffff8800517bb830] do_page_fault at ffffffff81692ff5
#9 [ffff8800517bb860] page_fault at ffffffff8168f208
[exception RIP: kmem_cache_free+101]
RIP: ffffffff811dcd85 RSP: ffff8800517bb910 RFLAGS: 00010282
RAX: ffffeb04000ffb40 RBX: ffffc90003fed0c8 RCX: 0000000000000006
RDX: ffffea0000000000 RSI: ffffc90003fed0c8 RDI: ffff880071f28700
RBP: ffff8800517bb928 R8: 0000000000000092 R9: ffffffffa08374c9
R10: 0000000000000000 R11: ffff8800517bb636 R12: ffff880071f28700
R13: 0000000000000005 R14: 0000000000000074 R15: ffff8800517bb9fc
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#10 [ffff8800517bb930] PoolFree at ffffffffa08374c9 [module]
#11 [ffff8800517bb960] _DpFree at ffffffffa07c3cf3 [module]
#12 [ffff8800517bb978] _DpProcess at ffffffffa07c3e82 [module]
#13 [ffff8800517bb9e0] DProcess at ffffffffa084ce0a [module]
#14 [ffff8800517bb9f0] TxHook at ffffffffa0858b07 [module]
#15 [ffff8800517bba30] nf_iterate at ffffffff815a75c0
#16 [ffff8800517bba70] nf_hook_slow at ffffffff815a76a8
#17 [ffff8800517bbaa8] ip_output at ffffffff815b78ce
#18 [ffff8800517bbb08] ip_local_out_sk at ffffffff815b5531
#19 [ffff8800517bbb28] ip_queue_xmit at ffffffff815b58a3
#20 [ffff8800517bbb60] tcp_transmit_skb at ffffffff815cf04f
#21 [ffff8800517bbbd0] tcp_write_xmit at ffffffff815cf68a
#22 [ffff8800517bbc38] __tcp_push_pending_frames at ffffffff815d048e
#23 [ffff8800517bbc50] tcp_push at ffffffff815bed2c
#24 [ffff8800517bbc60] tcp_sendmsg at ffffffff815c25b8
#25 [ffff8800517bbd28] inet_sendmsg at ffffffff815ed854
#26 [ffff8800517bbd58] sock_aio_write at ffffffff81555227
#27 [ffff8800517bbe20] do_sync_write at ffffffff811fe18d
#28 [ffff8800517bbef8] vfs_write at ffffffff811feaf5
#29 [ffff8800517bbf38] sys_write at ffffffff811ff51f
#30 [ffff8800517bbf80] system_call_fastpath at ffffffff81697809
RIP: 00007f376767579d RSP: 00007f37575e4c68 RFLAGS: 00000202
RAX: 0000000000000001 RBX: ffffffff81697809 RCX: 0000000000000018
RDX: 0000000000000040 RSI: 00007f374720114c RDI: 0000000000000016
RBP: 0000000000000000 R8: 0000000000000404 R9: 0000000000000028
R10: 0000000000000032 R11: 0000000000000293 R12: 00007f374720114c
R13: 00007f3747201138 R14: 0000000000000001 R15: 0000000000000040
ORIG_RAX: 0000000000000001 CS: 0033 SS: 002b
Shortly after the feature module was loaded, this crash stack appeared.

The faulting instruction is at kmem_cache_free+101. kmem_cache_free first translates the object pointer it is given into its struct page (virt_to_head_page, i.e. virt_to_page) and then reads page->flags. Here the computed struct page address, ffffeb04000ffb40 (RAX), is not mapped, so the read of page->flags takes a page fault and the kernel oopses.

Correlating the saved registers with the disassembly, the pointer being freed is RBX: ffffc90003fed0c8, and that is not a plausible slab object address. On this x86_64 box with 1.9 GB of RAM, directly mapped memory (which is where kmalloc/kmem_cache objects live) occupies [ffff880000000000, ffff880080000000); ffffc90003fed0c8 instead falls in the vmalloc/ioremap area (ffffc90000000000 to ffffe8ffffffffff in the x86_64 layout this kernel uses). virt_to_page assumes a direct-mapped address: it subtracts PAGE_OFFSET (ffff880000000000), shifts right by 12 to get a pfn (here 0x410003fed), and indexes the vmemmap array (RDX: ffffea0000000000) by pfn * sizeof(struct page) (64 bytes on this kernel). That arithmetic gives exactly ffffeb04000ffb40, the value in RAX, which is far past the part of vmemmap that is backed for roughly 2 GB of RAM, hence the fault. So the defect is in the module's free path (PoolFree / _DpFree): it hands kmem_cache_free a pointer that lies in the vmalloc area (a vmalloc'd buffer, or a stale/corrupted pointer), which kmem_cache_free can never handle correctly. In crash, `kmem ffffc90003fed0c8` reports which region the pointer belongs to, and `dis -l kmem_cache_free+101` shows the faulting instruction in its source context.
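To make the register arithmetic above checkable, here is a small user-space program, added to this write-up and not taken from the original post or the module in question, that redoes what virt_to_page does with the pointer in RBX under the x86_64 layout of this 3.10 kernel. The layout constants are the documented fixed ranges (direct map at ffff880000000000, vmalloc at ffffc90000000000, vmemmap at ffffea0000000000, modules at ffffffffa0000000), sizeof(struct page) is taken as 64 bytes, and the RAM size is the dump's "MEMORY: 1.9 GB" treated as a contiguous 1900 MiB (an assumption that ignores memory holes). The register values are the ones in the backtrace above.

```c
/*
 * Added example (not code from the original post): redo in user space the
 * address arithmetic kmem_cache_free performs on the pointer it is given,
 * using the x86_64 layout of the 3.10 kernel in this vmcore. Layout
 * constants follow Documentation/x86/x86_64/mm.txt; register values are
 * copied from the backtrace; RAM size is the dump's "MEMORY: 1.9 GB",
 * assumed contiguous (an assumption that ignores holes in the memory map).
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT        12
#define PAGE_OFFSET       0xffff880000000000ULL  /* direct (linear) mapping of RAM */
#define VMALLOC_START     0xffffc90000000000ULL  /* vmalloc/ioremap area */
#define VMALLOC_END       0xffffe8ffffffffffULL
#define VMEMMAP_START     0xffffea0000000000ULL  /* struct page array; RDX in the dump */
#define VMEMMAP_END       0xffffeaffffffffffULL
#define MODULES_VADDR     0xffffffffa0000000ULL  /* module text/data */
#define MODULES_END       0xffffffffff000000ULL
#define STRUCT_PAGE_SIZE  64ULL                  /* sizeof(struct page), 3.10 x86_64 */
#define RAM_BYTES         (1900ULL << 20)        /* assumption: 1.9 GB, contiguous */

enum region { REG_DIRECT_MAP, REG_VMALLOC, REG_VMEMMAP, REG_MODULES, REG_OTHER };

/* Classify a kernel virtual address by the fixed x86_64 layout. */
enum region classify(uint64_t vaddr, uint64_t ram_bytes)
{
    if (vaddr >= PAGE_OFFSET && vaddr < PAGE_OFFSET + ram_bytes)
        return REG_DIRECT_MAP;
    if (vaddr >= VMALLOC_START && vaddr <= VMALLOC_END)
        return REG_VMALLOC;
    if (vaddr >= VMEMMAP_START && vaddr <= VMEMMAP_END)
        return REG_VMEMMAP;
    if (vaddr >= MODULES_VADDR && vaddr < MODULES_END)
        return REG_MODULES;
    return REG_OTHER;
}

const char *region_name(enum region r)
{
    static const char *names[] = { "direct map", "vmalloc", "vmemmap", "modules", "other" };
    return names[r];
}

/*
 * What virt_to_page() does with SPARSEMEM_VMEMMAP: assume the address is in
 * the direct map, derive a pfn from it, and index the vmemmap array. For a
 * vmalloc address the arithmetic still "works" but produces garbage.
 */
uint64_t virt_to_page_addr(uint64_t vaddr)
{
    uint64_t pfn = (vaddr - PAGE_OFFSET) >> PAGE_SHIFT;
    return VMEMMAP_START + pfn * STRUCT_PAGE_SIZE;
}

/* Only the struct pages for pfns that actually exist are mapped in vmemmap. */
int page_struct_is_backed(uint64_t page_addr, uint64_t ram_bytes)
{
    uint64_t end = VMEMMAP_START + (ram_bytes >> PAGE_SHIFT) * STRUCT_PAGE_SIZE;
    return page_addr >= VMEMMAP_START && page_addr < end;
}

int main(void)
{
    const uint64_t freed = 0xffffc90003fed0c8ULL; /* RBX: pointer handed to kmem_cache_free */
    const uint64_t fault = 0xffffeb04000ffb40ULL; /* RAX: address the oops reports */
    const uint64_t cache = 0xffff880071f28700ULL; /* RDI: the kmem_cache itself, for contrast */
    uint64_t page = virt_to_page_addr(freed);

    printf("freed pointer %#" PRIx64 " lies in: %s\n",
           freed, region_name(classify(freed, RAM_BYTES)));
    printf("virt_to_page  -> %#" PRIx64 " (%s RAX)\n",
           page, page == fault ? "matches" : "does not match");
    printf("struct page backed by RAM: %s\n",
           page_struct_is_backed(page, RAM_BYTES) ? "yes" : "no");
    printf("kmem_cache    %#" PRIx64 " lies in: %s, its struct page %#" PRIx64 " backed: %s\n",
           cache, region_name(classify(cache, RAM_BYTES)), virt_to_page_addr(cache),
           page_struct_is_backed(virt_to_page_addr(cache), RAM_BYTES) ? "yes" : "no");
    return 0;
}
```

Running it shows the freed pointer classified as vmalloc, the computed struct page equal to the RAX value from the oops and unbacked, while the kmem_cache pointer in RDI classifies as direct map with a backed struct page; that is the contrast between a legitimate slab-side address and the one the module passed in. The same classification can be done inside crash with `kmem <address>`, without reproducing the arithmetic by hand.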
