This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



RE: [Bug translator/1276] support more timer varieties


Stone, Joshua I wrote:
> When I was writing the test script, I did find a couple of probes that
> failed, but it was unrelated to "current" dereferencing.  I will
> follow up in another email...

As promised, here they are.  I tried these with very simple probe bodies
(increment a global number), so I know the crashes have nothing to do
with "current" dereferencing.

The first one that failed on me was 'kernel.inline("get_current")'.  I
figured this would be a dangerous one, but I wanted to try it.  This
matched 2710 locations for me, and probably a lot of them are in
critical locations.  When I ran this, I got "NMI Watchdog detected
LOCKUP".  It probably isn't worth trying to make this one work, but if
we have a blacklist, this should be on it.

The second one that failed was 'kernel.function("__switch_to").return'.
This one is a problem with kretprobes only, as all of my other probes in
__switch_to behaved just fine, even in the middle of the function.
Running this gave "Kernel BUG at kprobes:449" (the full dump is included
below).  The line mentioned is in trampoline_probe_handler:

    BUG_ON(!orig_ret_address || (orig_ret_address == trampoline_address));

It seems pretty obvious that the actions taken in __switch_to would
conflict with the way the trampoline works.  I don't know if it's
possible to make kretprobes work on this function - if not, it should be
blacklisted.


Josh


crashdump from kernel.function("__switch_to").return
===================================================================
Kernel BUG at kprobes:449
invalid operand: 0000 [1] SMP
CPU 1
Modules linked in: stap_4037(U) nfsd exportfs lockd md5 ipv6
parport_pc lp parport autofs4 i2c_dev i2c_core smbfs sunrpc ds
yenta_socket pcmcia_core ipt_REJECT ipt_state ip_conntrack
iptable_filter ip_tables dm_mirror dm_mod button battery ac
joydev uhci_hcd ehci_hcd shpchp hw_random ata_piix snd_azx
snd_hda_codec snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd
soundcore snd_page_alloc sk98lin(U) floppy ext3 jbd ahci libata
sd_mod scsi_mod
Pid: 4006, comm: sshd Tainted: GF     2.6.9-22.ELsmp
RIP: 0010:[<ffffffff80121809>] <ffffffff80121809>{trampoline_probe_handler+130}
RSP: 0018:0000010071d81b28  EFLAGS: 00010002
RAX: 0000000000000001 RBX: 000001007f9d4600 RCX: ffffffffa0000000
RDX: 0000000000000001 RSI: 0000010071d81bf8 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000010037e14000 R09: 0000000000000003
R10: 00000000000000ff R11: 0000000000000003 R12: 0000000000000000
R13: 0000010071d81bf8 R14: 0000000000000000 R15: 0000010002c1a5e0
FS:  0000002a96a33280(0000) GS:ffffffff804d3180(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 000000383c38f070 CR3: 0000000037e18000 CR4: 00000000000006e0
Process sshd (pid: 4006, threadinfo 0000010071d80000, task 0000010076dc3030)
Stack: ffffffff803d16a0 ffffffff803d16a0 ffffffff80121785 0000010071d81bf8
       ffffffff80121786 ffffffff80121751 ffffffff803db140 0000010071d81bb8
       0000000000000002 0000010076dc3030
Call Trace:
       <ffffffff80121785>{kretprobe_trampoline+0}
       <ffffffff80121786>{kretprobe_trampoline+1}
       <ffffffff80121751>{kprobe_handler+559}
       <ffffffff80121a27>{kprobe_exceptions_notify+40}
       <ffffffff801432fb>{notifier_call_chain+31}
       <ffffffff80112460>{do_int3+66}
       <ffffffff80110aed>{error_exit+0}
       <ffffffff80121786>{kretprobe_trampoline+1}
       <ffffffff80121785>{kretprobe_trampoline+0}
       <ffffffff80222bad>{tty_ldisc_try+60}
       <ffffffff80303924>{schedule_timeout+101}
       <ffffffff80222ce0>{tty_ldisc_deref+103}
       <ffffffff8018902b>{do_select+939}
       <ffffffff80188bc5>{__pollwait+0}
       <ffffffff801893aa>{sys_select+820}
       <ffffffff801908fc>{dnotify_parent+34}
       <ffffffff80110052>{system_call+126}

Code: 0f 0b 64 b8 31 80 ff ff ff ff c1 01 49 89 ad 80 00 00 00 e8
RIP <ffffffff80121809>{trampoline_probe_handler+130} RSP <0000010071d81b28>
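
A triage sketch for the oops attached above, added here as an example and not part of the original message or of SystemTap: it pulls out the BUG site, the faulting symbol, the loaded stap module and the kprobes frames, and flags a BUG raised inside the kretprobe return handler. The function name `triage_oops`, the `KPROBE_SYMS` set and the shortened sample text are assumptions made for the example.

```python
import re

# Excerpt of the oops quoted above: wrapped lines rejoined, module list and
# call trace shortened for the example.
SAMPLE_OOPS = """\
Kernel BUG at kprobes:449
Modules linked in: stap_4037(U) nfsd exportfs
Pid: 4006, comm: sshd Tainted: GF     2.6.9-22.ELsmp
RIP: 0010:[<ffffffff80121809>] <ffffffff80121809>{trampoline_probe_handler+130}
Call Trace:
       <ffffffff80121785>{kretprobe_trampoline+0}
       <ffffffff80121786>{kretprobe_trampoline+1}
       <ffffffff80121751>{kprobe_handler+559}
       <ffffffff80112460>{do_int3+66}
       <ffffffff80303924>{schedule_timeout+101}
       <ffffffff80110052>{system_call+126}
"""

FRAME = re.compile(r"<[0-9a-f]{16}>\{(\w+)\+\d+\}")
# Symbols treated as kprobes machinery (assumed set, taken from this trace).
KPROBE_SYMS = {"kprobe_handler", "kprobe_exceptions_notify",
               "kretprobe_trampoline", "trampoline_probe_handler"}

def triage_oops(text):
    """Summarise a 2.6-era x86_64 oops and flag kprobes/kretprobe involvement."""
    bug = re.search(r"^Kernel BUG at (\S+):(\d+)", text, re.M)
    # \s+ also spans a mail-wrapped RIP line.
    rip = re.search(r"^RIP: \S+\s+<[0-9a-f]{16}>\{(\w+)\+\d+\}", text, re.M)
    task = re.search(r"^Pid: (\d+), comm: (\S+)", text, re.M)
    trace, in_trace = [], False
    for line in text.splitlines():
        if line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            frame = FRAME.search(line)
            if not frame:          # blank line or "Code:" ends the trace
                break
            trace.append(frame.group(1))
    rip_sym = rip.group(1) if rip else None
    return {
        "bug_site": (bug.group(1), int(bug.group(2))) if bug else None,
        "rip_symbol": rip_sym,
        "task": (int(task.group(1)), task.group(2)) if task else None,
        "stap_modules": re.findall(r"\bstap_\d+\b", text),
        "kprobe_frames": [s for s in trace if s in KPROBE_SYMS],
        # BUG raised inside the kretprobe return handler, as in this report.
        "kretprobe_return_bug": bool(bug) and rip_sym == "trampoline_probe_handler",
    }
```

The trace never names `__switch_to`, so the `stap_NNNN` module in the "Modules linked in" list is the only link from the oops back to the script that placed the probe.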

