


[Bug runtime/22155] kernel panic due to NULL vma_cache_p->f_path.dentry


https://sourceware.org/bugzilla/show_bug.cgi?id=22155

--- Comment #5 from Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> ---
(In reply to David Smith from comment #3)
> Unless you can get us a reproducer, debugging becomes quite difficult.

Below is a reproducer written in C, plus a patch that makes the problem easier
to trigger. I do not know what side effects removing the "tgt->mmap_events == 1"
check has, but I believe this reproduces the reported problem, since the
resulting backtrace is the same.

(1) Patch runtime/linux/task_finder2.c as below.

[root@localhost ~]# rpm -V systemtap-devel-3.1-3.el7.x86_64
S.5....T.    /usr/share/systemtap/runtime/linux/task_finder2.c
[root@localhost ~]# diff -u
/usr/share/systemtap/runtime/linux/task_finder2.c.orig
/usr/share/systemtap/runtime/linux/task_finder2.c
--- /usr/share/systemtap/runtime/linux/task_finder2.c.orig
+++ /usr/share/systemtap/runtime/linux/task_finder2.c
@@ -1210,6 +1210,9 @@
        if (vma_cache) {
                int i;

+               printk(KERN_INFO "Injecting mdelay() at
__stp_call_mmap_callbacks_for_task()\n");
+               mdelay(10);
+
                // Loop over our cached information and make callbacks
                // based on it.
                vma_cache_p = vma_cache;
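Review bot: The injected mdelay(10) only widens the window between the moment the vma cache was filled and the d_path() call reached from the loop that starts here, so it demonstrates the race but does not locate it; per the bug title and the CR2 of 0x60 in the oops, the entries this loop consumes are presumably what end up with a NULL f_path.dentry. A guard such as `if (!vma_cache_p->f_path.dentry) continue;` before the path lookup would stop this particular oops, but note that a cached path held without a reference can also point at a freed dentry rather than NULL, so the durable fix is likely to pin the path (path_get()) while it sits in the cache, or to re-validate it under the mm lock. If the delay is kept for testing, mark it so it is never merged: `/* DEBUG ONLY: artificial delay to widen the race in bug 22155 */`. __stp_call_mmap_callbacks_for_task starts before this hunk and continues after it.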
@@ -1361,7 +1364,7 @@
                   group leader, don't bother inform map callback
                   clients about its memory map, since they will
                   simply duplicate each other. */
-               if (tgt->mmap_events == 1 && tsk->tgid == tsk->pid) {
+               if (/*tgt->mmap_events == 1 && */ tsk->tgid == tsk->pid) {
                        __stp_call_mmap_callbacks_for_task(tgt, tsk);
                }
        }
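Review bot: Commenting out `tgt->mmap_events == 1` inside the condition leaves the comment on the lines above stale and makes the mmap callbacks run for every group leader regardless of whether the target asked for mmap events, which the reporter acknowledges is an unknown side effect. For a debugging patch, state the intent explicitly, `if (tsk->tgid == tsk->pid) { /* DEBUG: mmap_events check dropped to widen reproduction, bug 22155 */`, rather than leaving dead text in the expression. It is also worth confirming that the same oops is reachable with the check intact, for example with a script that actually subscribes to mmap events, since otherwise the reproducer may be exercising a path the unpatched runtime never takes. The enclosing function starts before this hunk and likely continues after it.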

(2) Compile a.out and run SystemTap probe as below.

[root@localhost ~]# gcc -Wall -O0 -g -o a.out -x c - << "EOF"
#define _GNU_SOURCE
#include <sys/mman.h>
#include <sys/poll.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

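/*
 * Body of each cloned worker.  After a short delay it maps the first page of
 * its own executable, keeps the mapping for about 1 ms, and tears it down
 * again.  Repeated across many CLONE_VM siblings (see main()), this map/unmap
 * churn is what, per this bug report, races the task finder's cached vma
 * information for the group leader.
 *
 * Unlike the original, failures are not ignored: a failed open() or mmap()
 * means this worker did not contribute to the race, so that is reported via
 * the return value instead of calling munmap() on MAP_FAILED.
 *
 * @param unused  clone() argument; not used.
 * @return 0 on success, 1 if open() or mmap() failed.
 */
static int thread_func(void *unused)
{
        (void)unused;
        /* Let the leader finish spawning siblings before the churn starts. */
        sleep(1);
        const int fd = open("/proc/self/exe", O_RDONLY);
        if (fd < 0)
                return 1;
        void *ptr = mmap(NULL, 4096, PROT_READ, MAP_PRIVATE, fd, 0);
        if (ptr == MAP_FAILED) {
                close(fd);
                return 1;
        }
        /* Keep the mapping alive briefly so the task finder can observe it. */
        poll(NULL, 0, 1);
        munmap(ptr, 4096);
        close(fd);
        return 0;
}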

/*
 * One iteration of the group leader's idle loop: a 1 ms poll() with no file
 * descriptors.  The stap script in step (2) places a probe on this function,
 * so every call is a probe hit while the cloned siblings churn their mappings.
 */
static void leader_func(void)
{
        struct pollfd *none = NULL;
        const int one_ms = 1;

        (void)poll(none, 0, one_ms);
}

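enum {
        NUM_WORKERS = 1024,     /* cloned siblings sharing the leader's mm */
        STACK_SIZE = 4096       /* bytes of stack handed to each clone() */
};

/*
 * Spawn NUM_WORKERS CLONE_VM siblings running thread_func(), then spin in
 * leader_func() forever so the probe keeps firing; stop it with Ctrl-C.
 *
 * Compared with the original, a failed malloc() or clone() is reported on
 * stderr and stops spawning instead of being silently ignored: with fewer
 * workers than intended the race may simply not reproduce, and that should be
 * visible rather than look like a non-bug.  Worker stacks are intentionally
 * never freed; the process does not exit normally.
 *
 * @return 1 if no worker at all could be created; otherwise does not return.
 */
int main(int argc, char *argv[])
{
        int i;

        (void)argc;
        (void)argv;
        for (i = 0; i < NUM_WORKERS; i++) {
                char *stack = malloc(STACK_SIZE);
                if (stack == NULL) {
                        perror("malloc");
                        break;
                }
                /* clone() wants the top of the child's stack (it grows down on x86-64). */
                if (clone(thread_func, stack + STACK_SIZE, CLONE_VM, NULL) < 0) {
                        perror("clone");
                        free(stack);
                        break;
                }
        }
        if (i == 0)
                return 1;
        while (1)
                leader_func();
}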
EOF
[root@localhost ~]# stap -e 'global count; probe
process("a.out").function("leader_func") { printf("leader_func %u\n", ++count);
}'

(3) Run ./a.out from another shell. If the problem does not reproduce, terminate
    it with Ctrl-C and try again. It should reproduce within a few attempts.

----------
[  647.845554] BUG: unable to handle kernel NULL pointer dereference at
0000000000000060
[  647.847323] IP: [<ffffffff81219b04>] d_path+0x34/0x150
[  647.848538] PGD 29ff067 PUD 29fe067 PMD 0
[  647.849618] Oops: 0000 [#1] SMP
[  647.850496] Modules linked in:
stap_b9cc31d25bb1799d76699c0d4e9b27d_10606(OE) nf_conntrack_netbios_ns
nf_conntrack_broadcast ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT
nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge
stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6
ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4
nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security
iptable_raw ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter
vmw_vsock_vmci_transport vsock coretemp iosf_mbi crc32_pclmul
ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper ppdev
vmw_balloon cryptd nfit pcspkr joydev sg parport_pc parport libnvdimm shpchp
vmw_vmci i2c_piix4 ip_tables xfs libcrc32c
[  647.878391]  sd_mod crc_t10dif crct10dif_generic sr_mod cdrom ata_generic
pata_acpi vmwgfx crct10dif_pclmul crct10dif_common crc32c_intel drm_kms_helper
ahci libahci syscopyarea sysfillrect sysimgblt fb_sys_fops serio_raw ttm
ata_piix drm mptspi e1000 scsi_transport_spi mptscsih libata mptbase i2c_core
[last unloaded: stap_234fabfb03ce8e31588682ff44f0b625_8281]
[  647.890978] CPU: 0 PID: 11136 Comm: a.out Tainted: G           OE 
------------   3.10.0-693.2.2.el7.x86_64 #1
[  647.897707] Hardware name: VMware, Inc. VMware Virtual Platform/440BX
Desktop Reference Platform, BIOS 6.00 07/02/2015
[  647.900578] task: ffff880002e95ee0 ti: ffff880002bd8000 task.ti:
ffff880002bd8000
[  647.902828] RIP: 0010:[<ffffffff81219b04>]  [<ffffffff81219b04>]
d_path+0x34/0x150
[  647.909394] RSP: 0018:ffff880002bdbd90  EFLAGS: 00010246
[  647.911286] RAX: ffff88007704c000 RBX: ffff880003285a10 RCX:
ffff880035e5bc80
[  647.917906] RDX: 0000000000001000 RSI: ffff88007704b000 RDI:
0000000000000000
[  647.920215] RBP: ffff880002bdbdc0 R08: 00007f5fce020000 R09:
0000000000021000
[  647.922530] R10: 00000000000008a1 R11: 0000000000aaaaaa R12:
ffff880002bfda40
[  647.929254] R13: ffff880002e95ee0 R14: ffff880002bfd980 R15:
ffff88007704bfea
[  647.931577] FS:  00007f5fce22f740(0000) GS:ffff88007b600000(0000)
knlGS:0000000000000000
[  647.938604] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  647.940735] CR2: 0000000000000060 CR3: 000000007830c000 CR4:
00000000001407f0
[  647.943176] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[  647.950390] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
0000000000000400
[  647.952865] Stack:
[  647.958860]  00001000ce020000 ffff88007704c000 ffff880002bfda40
ffff880002e95ee0
[  647.961448]  000000007e98da24 ffff88007704b000 ffff880002bdbe20
ffffffffc050f06b
[  647.968495]  0000000000000000 0000000008000875 ffff880002bfd800
ffffffffc0516a88
[  647.971015] Call Trace:
[  647.972424]  [<ffffffffc050f06b>]
__stp_call_mmap_callbacks_for_task+0x1bb/0x270
[stap_b9cc31d25bb1799d76699c0d4e9b27d_10606]
[  647.979902]  [<ffffffffc050f275>]
__stp_utrace_task_finder_target_quiesce+0x155/0x2a0
[stap_b9cc31d25bb1799d76699c0d4e9b27d_10606]
[  647.983069]  [<ffffffffc050940e>] start_callback.isra.40+0x7e/0x100
[stap_b9cc31d25bb1799d76699c0d4e9b27d_10606]
[  647.990284]  [<ffffffffc050af09>] utrace_resume+0x109/0x390
[stap_b9cc31d25bb1799d76699c0d4e9b27d_10606]
[  647.993002]  [<ffffffff810ad247>] task_work_run+0xa7/0xf0
[  647.999038]  [<ffffffff8102ab62>] do_notify_resume+0x92/0xb0
[  648.000915]  [<ffffffff816b52bd>] int_signal+0x12/0x17
[  648.002663] Code: 48 01 f0 48 89 e5 53 48 89 fb 48 83 ec 28 65 48 8b 3c 25
28 00 00 00 48 89 7c 24 20 31 ff 48 8b 7b 08 89 54 24 04 48 89 44 24 08 <48> 8b
4f 60 48 85 c9 74 43 48 8b 49 40 48 85 c9 74 3a 48 3b 7f
[  648.018302] RIP  [<ffffffff81219b04>] d_path+0x34/0x150
[  648.024164]  RSP <ffff880002bdbd90>
[  648.029608] CR2: 0000000000000060
----------

-- 
You are receiving this mail because:
You are the assignee for the bug.
