This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
[Bug runtime/22155] kernel panic due to NULL vma_cache_p->f_path.dentry
- From: "penguin-kernel at i-love dot sakura dot ne dot jp" <sourceware-bugzilla at sourceware dot org>
- To: systemtap at sourceware dot org
- Date: Wed, 20 Sep 2017 06:16:40 +0000
- Subject: [Bug runtime/22155] kernel panic due to NULL vma_cache_p->f_path.dentry
- Auto-submitted: auto-generated
- References: <bug-22155-6586@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=22155
--- Comment #5 from Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> ---
(In reply to David Smith from comment #3)
> Unless you can get us a reproducer, debugging becomes quite difficult.
Below is a reproducer written in C and a patch to make it easier to test this problem. I don't know the side effects of removing the "tgt->mmap_events == 1" check, but I think I succeeded in reproducing the problem because the backtrace is the same.
(1) Patch runtime/linux/task_finder2.c as below.
[root@localhost ~]# rpm -V systemtap-devel-3.1-3.el7.x86_64
S.5....T. /usr/share/systemtap/runtime/linux/task_finder2.c
[root@localhost ~]# diff -u /usr/share/systemtap/runtime/linux/task_finder2.c.orig /usr/share/systemtap/runtime/linux/task_finder2.c
--- /usr/share/systemtap/runtime/linux/task_finder2.c.orig
+++ /usr/share/systemtap/runtime/linux/task_finder2.c
@@ -1210,6 +1210,9 @@
if (vma_cache) {
int i;
+ printk(KERN_INFO "Injecting mdelay() at
__stp_call_mmap_callbacks_for_task()\n");
+ mdelay(10);
+
// Loop over our cached information and make callbacks
// based on it.
vma_cache_p = vma_cache;
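Review bot: the printk() string literal is split across two lines in the mailed patch ("Injecting mdelay() at / __stp_call_mmap_callbacks_for_task()\n"), so the hunk will neither apply cleanly nor compile as pasted; it needs to be rejoined into one line. The mdelay(10) is a 10 ms busy-wait inside __stp_call_mmap_callbacks_for_task() whose only purpose is to widen the race window, which is fine for a reproducer but must not reach the runtime; wrapping both added lines in a reproducer-only #ifdef, or at least a comment saying "debug aid, do not merge", would make that explicit.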
@@ -1361,7 +1364,7 @@
group leader, don't bother inform map callback
clients about its memory map, since they will
simply duplicate each other. */
- if (tgt->mmap_events == 1 && tsk->tgid == tsk->pid) {
+ if (/*tgt->mmap_events == 1 && */ tsk->tgid == tsk->pid) {
__stp_call_mmap_callbacks_for_task(tgt, tsk);
}
}
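Review bot: with the tgt->mmap_events == 1 half of the condition commented out, __stp_call_mmap_callbacks_for_task() now runs for every group leader regardless of the value of tgt->mmap_events, and the comment block above the if (which only explains the tsk->tgid == tsk->pid test) no longer matches the code. Since the author says the side effects are unknown, mark this as a reproducer-only change in a comment beside the commented-out test rather than leaving a silently relaxed condition that could be mistaken for part of the fix.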
(2) Compile a.out and run the SystemTap probe as below.
[root@localhost ~]# gcc -Wall -O0 -g -o a.out -x c - << "EOF"
#define _GNU_SOURCE
#include <sys/stat.h>
#include <fcntl.h>
#include <sched.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/poll.h>
#include <sys/mman.h>

/* Each child maps one page of the running executable, sleeps briefly and
 * unmaps it again, so the shared address space keeps changing while the
 * leader is being probed. */
static int thread_func(void *unused)
{
    sleep(1);
    const int fd = open("/proc/self/exe", O_RDONLY);
    void *ptr = mmap(NULL, 4096, PROT_READ, MAP_PRIVATE, fd, 0);
    poll(NULL, 0, 1);           /* poll() with no fds: a 1 ms sleep */
    munmap(ptr, 4096);
    close(fd);
    return 0;
}

/* The function probed by the stap script below. */
static void leader_func(void)
{
    poll(NULL, 0, 1);
}

int main(int argc, char *argv[])
{
    int i;
    /* CLONE_VM without CLONE_THREAD: the children share this address
     * space but each gets its own pid (so tgid == pid for every one of
     * them).  Each child's stack is a 4 KiB heap block; the stack grows
     * downwards, hence the pointer to its end. */
    for (i = 0; i < 1024; i++)
        clone(thread_func, (char *)malloc(4096) + 4096, CLONE_VM, NULL);
    while (1)
        leader_func();
    return 0;
}
EOF
[root@localhost ~]# stap -e 'global count; probe process("a.out").function("leader_func") { printf("leader_func %u\n", ++count); }'
(3) Run ./a.out from another shell. If the problem does not reproduce, terminate it with Ctrl-C and try again. The problem should reproduce within a few trials.
----------
[ 647.845554] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
[ 647.847323] IP: [<ffffffff81219b04>] d_path+0x34/0x150
[ 647.848538] PGD 29ff067 PUD 29fe067 PMD 0
[ 647.849618] Oops: 0000 [#1] SMP
[ 647.850496] Modules linked in: stap_b9cc31d25bb1799d76699c0d4e9b27d_10606(OE) nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter vmw_vsock_vmci_transport vsock coretemp iosf_mbi crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper ppdev vmw_balloon cryptd nfit pcspkr joydev sg parport_pc parport libnvdimm shpchp vmw_vmci i2c_piix4 ip_tables xfs libcrc32c
[ 647.878391]  sd_mod crc_t10dif crct10dif_generic sr_mod cdrom ata_generic pata_acpi vmwgfx crct10dif_pclmul crct10dif_common crc32c_intel drm_kms_helper ahci libahci syscopyarea sysfillrect sysimgblt fb_sys_fops serio_raw ttm ata_piix drm mptspi e1000 scsi_transport_spi mptscsih libata mptbase i2c_core [last unloaded: stap_234fabfb03ce8e31588682ff44f0b625_8281]
[ 647.890978] CPU: 0 PID: 11136 Comm: a.out Tainted: G OE ------------ 3.10.0-693.2.2.el7.x86_64 #1
[ 647.897707] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 647.900578] task: ffff880002e95ee0 ti: ffff880002bd8000 task.ti: ffff880002bd8000
[ 647.902828] RIP: 0010:[<ffffffff81219b04>] [<ffffffff81219b04>] d_path+0x34/0x150
[ 647.909394] RSP: 0018:ffff880002bdbd90 EFLAGS: 00010246
[ 647.911286] RAX: ffff88007704c000 RBX: ffff880003285a10 RCX: ffff880035e5bc80
[ 647.917906] RDX: 0000000000001000 RSI: ffff88007704b000 RDI: 0000000000000000
[ 647.920215] RBP: ffff880002bdbdc0 R08: 00007f5fce020000 R09: 0000000000021000
[ 647.922530] R10: 00000000000008a1 R11: 0000000000aaaaaa R12: ffff880002bfda40
[ 647.929254] R13: ffff880002e95ee0 R14: ffff880002bfd980 R15: ffff88007704bfea
[ 647.931577] FS: 00007f5fce22f740(0000) GS:ffff88007b600000(0000) knlGS:0000000000000000
[ 647.938604] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 647.940735] CR2: 0000000000000060 CR3: 000000007830c000 CR4: 00000000001407f0
[ 647.943176] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 647.950390] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 647.952865] Stack:
[ 647.958860]  00001000ce020000 ffff88007704c000 ffff880002bfda40 ffff880002e95ee0
[ 647.961448]  000000007e98da24 ffff88007704b000 ffff880002bdbe20 ffffffffc050f06b
[ 647.968495]  0000000000000000 0000000008000875 ffff880002bfd800 ffffffffc0516a88
[ 647.971015] Call Trace:
[ 647.972424]  [<ffffffffc050f06b>] __stp_call_mmap_callbacks_for_task+0x1bb/0x270 [stap_b9cc31d25bb1799d76699c0d4e9b27d_10606]
[ 647.979902]  [<ffffffffc050f275>] __stp_utrace_task_finder_target_quiesce+0x155/0x2a0 [stap_b9cc31d25bb1799d76699c0d4e9b27d_10606]
[ 647.983069]  [<ffffffffc050940e>] start_callback.isra.40+0x7e/0x100 [stap_b9cc31d25bb1799d76699c0d4e9b27d_10606]
[ 647.990284]  [<ffffffffc050af09>] utrace_resume+0x109/0x390 [stap_b9cc31d25bb1799d76699c0d4e9b27d_10606]
[ 647.993002]  [<ffffffff810ad247>] task_work_run+0xa7/0xf0
[ 647.999038]  [<ffffffff8102ab62>] do_notify_resume+0x92/0xb0
[ 648.000915]  [<ffffffff816b52bd>] int_signal+0x12/0x17
[ 648.002663] Code: 48 01 f0 48 89 e5 53 48 89 fb 48 83 ec 28 65 48 8b 3c 25 28 00 00 00 48 89 7c 24 20 31 ff 48 8b 7b 08 89 54 24 04 48 89 44 24 08 <48> 8b 4f 60 48 85 c9 74 43 48 8b 49 40 48 85 c9 74 3a 48 3b 7f
[ 648.018302] RIP [<ffffffff81219b04>] d_path+0x34/0x150
[ 648.024164] RSP <ffff880002bdbd90>
[ 648.029608] CR2: 0000000000000060
----------
--
You are receiving this mail because:
You are the assignee for the bug.
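The reporter's argument that the reproducer is valid rests on "the backtrace is the same", but comparing two oopses by eye is error-prone because every address and the stap_<hash>_<pid> module name change from run to run (compare the loaded module with the "last unloaded" one above). The following is an added example, not code from the bug report or from the systemtap project: it parses the oops layout shown above, collapses the per-run stap module names, and compares symbol-only signatures. The first sample is the call trace pasted in the report; the second and third are constructed variants of it, and the module name and addresses in them are hypothetical.

```python
import re

# Regexes for the x86-64 oops layout shown in the bug report.
BUG_RE = re.compile(r"BUG: unable to handle kernel (.+?) at ([0-9a-f]+)")
IP_RE = re.compile(r"\bIP: \[<[0-9a-f]+>\] (\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+")
FRAME_RE = re.compile(
    r"\[<[0-9a-f]+>\] (\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[([^\]]+)\])?")
# SystemTap names each compiled probe module stap_<hash>_<pid>; both parts
# differ between runs, so they are collapsed to a fixed token when comparing.
STAP_MOD_RE = re.compile(r"^stap_[0-9a-f]+_\d+$")
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")


def parse_oops(text):
    """Pull the fault kind/address, the RIP symbol and the call-trace frames
    (symbol, module-or-None) out of a dmesg-style oops."""
    kind = fault = rip = None
    frames = []
    in_trace = False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw.strip())
        if not line:
            continue
        m = BUG_RE.search(line)
        if m:
            kind, fault = m.group(1), int(m.group(2), 16)
            continue
        m = IP_RE.search(line)
        if m and rip is None:
            rip = m.group(1)
            continue
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        if line.startswith("Code:"):
            break                      # end of the trace section
        if in_trace:
            m = FRAME_RE.search(line)
            if m:
                frames.append((m.group(1), m.group(2)))
    return {"kind": kind, "fault_addr": fault, "rip": rip, "frames": frames}


def signature(parsed):
    """Address-free view of the crash: RIP symbol followed by the call-trace
    symbols, with per-run stap module names collapsed to 'stap'."""
    def norm(mod):
        if mod is None:
            return None
        return "stap" if STAP_MOD_RE.match(mod) else mod
    return ((parsed["rip"], None),) + tuple(
        (sym, norm(mod)) for sym, mod in parsed["frames"])


def same_crash(text_a, text_b):
    """True when two oopses have the same fault kind and symbol signature."""
    a, b = parse_oops(text_a), parse_oops(text_b)
    return a["kind"] == b["kind"] and signature(a) == signature(b)


def null_field_offset(parsed, page_size=4096):
    """For a NULL-pointer oops the faulting address, when below one page, is
    the offset of the field that was read through the NULL base pointer."""
    addr = parsed["fault_addr"]
    if addr is not None and addr < page_size:
        return addr
    return None


# Constructed sample: the relevant lines of the oops pasted in the report.
OOPS_A = """\
[  647.845554] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
[  647.847323] IP: [<ffffffff81219b04>] d_path+0x34/0x150
[  647.849618] Oops: 0000 [#1] SMP
[  647.971015] Call Trace:
[  647.972424]  [<ffffffffc050f06b>] __stp_call_mmap_callbacks_for_task+0x1bb/0x270 [stap_b9cc31d25bb1799d76699c0d4e9b27d_10606]
[  647.979902]  [<ffffffffc050f275>] __stp_utrace_task_finder_target_quiesce+0x155/0x2a0 [stap_b9cc31d25bb1799d76699c0d4e9b27d_10606]
[  647.983069]  [<ffffffffc050940e>] start_callback.isra.40+0x7e/0x100 [stap_b9cc31d25bb1799d76699c0d4e9b27d_10606]
[  647.990284]  [<ffffffffc050af09>] utrace_resume+0x109/0x390 [stap_b9cc31d25bb1799d76699c0d4e9b27d_10606]
[  647.993002]  [<ffffffff810ad247>] task_work_run+0xa7/0xf0
[  647.999038]  [<ffffffff8102ab62>] do_notify_resume+0x92/0xb0
[  648.000915]  [<ffffffff816b52bd>] int_signal+0x12/0x17
[  648.002663] Code: 48 01 f0 48 89 e5 53 48 89 fb 48 83 ec 28
[  648.018302] RIP [<ffffffff81219b04>] d_path+0x34/0x150
"""
# Constructed second run: same path, different module load address and a
# freshly generated stap module name (hypothetical hash and pid).
OOPS_B = (OOPS_A.replace("stap_b9cc31d25bb1799d76699c0d4e9b27d_10606",
                         "stap_0123456789abcdef0123456789abcdef_4242")
                .replace("ffffffffc050", "ffffffffc0a3"))
# Constructed non-matching oops: one frame missing from the trace.
OOPS_C = "\n".join(l for l in OOPS_A.splitlines() if "target_quiesce" not in l)

if __name__ == "__main__":
    parsed = parse_oops(OOPS_A)
    print("RIP in %s, NULL + 0x%x" % (parsed["rip"], null_field_offset(parsed)))
    print("same crash as second run:", same_crash(OOPS_A, OOPS_B))
    print("same crash as truncated trace:", same_crash(OOPS_A, OOPS_C))
```

A faulting address of 0x60, far below a page, is what identifies this as a field read through a NULL struct pointer (matching the NULL dentry in the bug title) rather than a wild pointer; null_field_offset() makes that check explicit so a regression script can assert on it alongside the signature comparison.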