RSI = 0xa56b6b6b6b6b6b6b is slab poison, not a random corruption: 0x6b is POISON_FREE and the 0xa5 high byte is POISON_END, i.e. this is the tail of a slab object that has already been freed and poisoned. So the pointer we dereferenced was loaded from freed memory — a use-after-free. Note the context: PID 0 / swapper/0 in the timer softirq, so the object was freed by some other path (socket teardown / ring reconfiguration) while the retire timer was still pending; nothing the timer callback itself does can protect against that. general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.10.0-rc4-think+ #2 task: ffffffff81e16500 task.stack: ffffffff81e00000 RIP: 0010:prb_retire_rx_blk_timer_expired+0x42/0x130 RSP: 0018:ffff880507803e30 EFLAGS: 00010246 RAX: ffffffff81e16500 RBX: ffff8804bc751158 RCX: 0000000000000000 RDX: ffff8804fb6e8008 RSI: a56b6b6b6b6b6b6b RDI: 0000000000000001 RBP: ffff880507803e48 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000061f74469 R11: 0000000000000054 R12: ffff8804bc751338 R13: ffff8804bc7516d8 R14: ffffffff818ab6a0 R15: ffff8804bc751158 FS: 0000000000000000(0000) GS:ffff880507800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005578f64a0130 CR3: 0000000003e11000 CR4: 00000000001406f0 DR0: 00007f539ba38000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600 Call Trace: <IRQ> call_timer_fn+0xd2/0x340 ? call_timer_fn+0x5/0x340 ? prb_retire_current_block+0x100/0x100 run_timer_softirq+0x284/0x650 ? 0xffffffffa035c077 ? run_timer_softirq+0x5/0x650 ? lapic_next_deadline+0x5/0x40 __do_softirq+0x143/0x431 irq_exit+0xa5/0xb0 smp_apic_timer_interrupt+0x3d/0x50 apic_timer_interrupt+0x8d/0xa0 RIP: 0010:cpuidle_enter_state+0x129/0x360 RSP: 0018:ffffffff81e03db8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10 RAX: 0000000000000000 RBX: ffffe8ffff603cc8 RCX: 000000000000001f RDX: 20c49ba5e353f7cf RSI: ffffffff81c5e743 RDI: ffffffff81c48102 RBP: ffffffff81e03df8 R08: cccccccccccccccd R09: 0000000000000018 R10: 000000000000022e R11: 0000000000000a2c R12: 0000000000000005 R13: ffffffff81eaf918 R14: 0000000000000005 R15: ffffffff81eaf900 </IRQ> ? 
cpuidle_enter_state+0x113/0x360 cpuidle_enter+0x17/0x20 call_cpuidle+0x23/0x40 do_idle+0xf6/0x1f0 cpu_startup_entry+0x71/0x80 rest_init+0xb8/0xc0 start_kernel+0x432/0x453 x86_64_start_reservations+0x2a/0x2c x86_64_start_kernel+0x178/0x18b start_cpu+0x14/0x14 ? start_cpu+0x14/0x14 Code: fb 4c 89 e7 e8 b0 f1 01 00 0f b7 8b 2a 05 00 00 48 8b 93 18 05 00 00 80 bb 29 05 00 00 00 0f b6 bb 28 05 00 00 48 8b 34 ca 75 58 <8b> 56 0c 48 89 c8 85 d2 74 1d 8b 93 70 05 00 00 85 d2 74 13 f3
All code ======== 0: fb sti 1: 4c 89 e7 mov %r12,%rdi 4: e8 b0 f1 01 00 callq 0x1f1b9 9: 0f b7 8b 2a 05 00 00 movzwl 0x52a(%rbx),%ecx 10: 48 8b 93 18 05 00 00 mov 0x518(%rbx),%rdx 17: 80 bb 29 05 00 00 00 cmpb $0x0,0x529(%rbx) 1e: 0f b6 bb 28 05 00 00 movzbl 0x528(%rbx),%edi 25: 48 8b 34 ca mov (%rdx,%rcx,8),%rsi 29: 75 58 jne 0x83 2b:* 8b 56 0c mov 0xc(%rsi),%edx <-- trapping instruction 2e: 48 89 c8 mov %rcx,%rax 31: 85 d2 test %edx,%edx 33: 74 1d je 0x52 35: 8b 93 70 05 00 00 mov 0x570(%rbx),%edx 3b: 85 d2 test %edx,%edx 3d: 74 13 je 0x52 3f: f3 repz Code starting with the faulting instruction =========================================== 0: 8b 56 0c mov 0xc(%rsi),%edx 3: 48 89 c8 mov %rcx,%rax 6: 85 d2 test %edx,%edx 8: 74 1d je 0x27 a: 8b 93 70 05 00 00 mov 0x570(%rbx),%edx 10: 85 d2 test %edx,%edx 12: 74 13 je 0x27 14: f3 repz The trapping instruction `mov 0xc(%rsi),%edx` is the BLOCK_NUM_PKTS(pbd) read at line 694 below: %rsi is pbd, which the disassembly shows was loaded two instructions earlier by `mov (%rdx,%rcx,8),%rsi` — an 8-byte pointer fetched from a table (%rdx, a valid-looking kernel address) indexed by a 16-bit block number (%rcx, here 0). That matches the `pbd = GET_CURR_PBLOCK_DESC_FROM_CORE(pkc)` lookup at line 680, so the poison in %rsi came from the block-descriptor pointer table itself, not from the block: the ring's descriptor table appears to have been freed while the retire timer was still armed. The `cmpb $0x0,0x529(%rbx)` / `jne` pair (presumably the delete_blk_timer test at line 682) was NOT taken, so the timer was not being torn down through the normal path when it ran — the memory went away underneath it. The spin_lock at line 677 does not help here because whoever freed the ring was not holding it against the timer; the fix has to be on the teardown side, making sure the timer is stopped and waited for before the ring and its descriptor table are released. 677 spin_lock(&po->sk.sk_receive_queue.lock); 678 679 frozen = prb_queue_frozen(pkc); 680 pbd = GET_CURR_PBLOCK_DESC_FROM_CORE(pkc); 681 682 if (unlikely(pkc->delete_blk_timer)) 683 goto out; 684 685 /* We only need to plug the race when the block is partially filled. 686 * tpacket_rcv: 687 * lock(); increment BLOCK_NUM_PKTS; unlock() 688 * copy_bits() is in progress ... 689 * timer fires on other cpu: 690 * we can't retire the current block because copy_bits 691 * is in progress. 692 * 693 */ 694 if (BLOCK_NUM_PKTS(pbd)) {