This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
[Bug runtime/14682] New: kernel null deref during pmap_agg_overflow.exp test
- From: "fche at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: systemtap at sourceware dot org
- Date: Sun, 07 Oct 2012 22:59:47 +0000
- Subject: [Bug runtime/14682] New: kernel null deref during pmap_agg_overflow.exp test
- Auto-submitted: auto-generated
http://sourceware.org/bugzilla/show_bug.cgi?id=14682
Bug #: 14682
Summary: kernel null deref during pmap_agg_overflow.exp test
Product: systemtap
Version: unspecified
Status: NEW
Severity: critical
Priority: P2
Component: runtime
AssignedTo: systemtap@sourceware.org
ReportedBy: fche@redhat.com
Classification: Unclassified
On rawhide and on rhel6, x86-64, the pmap_agg_overflow.exp test case fails
during shutdown by triggering a kernel null deref. This must be a recent
regression. The oops reads something like:
[ 92.933398] stap_066aedcae675ff178ad67841a6b558ca_1707: systemtap: 2.0/0.155, base: ffffffffa021e000, memory: 29data/40text/6ctx/2058net/1138alloc kb, probes: 5
[ 105.475935] BUG: unable to handle kernel NULL pointer dereference at 0000000000000068
[ 105.476134] IP: [<ffffffffa0224ded>] _stp_pmap_agg+0xed/0x430 [stap_066aedcae675ff178ad67841a6b558ca_1707]
[ 105.476134] PGD 78b66067 PUD 36b2f067 PMD 0
[ 105.476134] Oops: 0000 [#1] SMP
[ 105.476134] Modules linked in: stap_066aedcae675ff178ad67841a6b558ca_1707(F) nfsv4 auth_rpcgss nfs dns_resolver fscache lockd sunrpc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables iptable_nat nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ppdev parport_pc parport microcode virtio_net i2c_piix4 drm_kms_helper ttm drm i2c_core
[ 105.476134] CPU 1
[ 105.476134] Pid: 1707, comm: stapio Tainted: GF 3.6.0-3.fc18.x86_64 #1 Bochs Bochs
[ 105.476134] RIP: 0010:[<ffffffffa0224ded>] [<ffffffffa0224ded>] _stp_pmap_agg+0xed/0x430 [stap_066aedcae675ff178ad67841a6b558ca_1707]
[ 105.476134] RSP: 0018:ffff880036611d88 EFLAGS: 00010283
[ 105.476134] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000007fc8
[ 105.476134] RDX: ffff8800765210c8 RSI: ffff880075d27fc0 RDI: ffff8800765210c8
[ 105.476134] RBP: ffff880036611de8 R08: ffff8800765210e0 R09: 0000000000000000
[ 105.476134] R10: 0000000000000000 R11: 0000000000000000 R12: ffff880075b2ff60
[ 105.476134] R13: ffff88007cd9bd10 R14: ffff880075b2ff70 R15: 0000000000000000
[ 105.476134] FS: 00002b5f59e73640(0000) GS:ffff88007cc80000(0000) knlGS:0000000000000000
[ 105.476134] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 105.476134] CR2: 0000000000000068 CR3: 0000000077320000 CR4: 00000000000006e0
[ 105.476134] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 105.476134] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 105.476134] Process stapio (pid: 1707, threadinfo ffff880036610000, task ffff880036500000)
[ 105.476134] Stack:
[ 105.476134] ffff880036611d98 0000000300000001 ffff8800765210c0 0000000000007fc8
[ 105.476134] ffff880075d27fc0 0000000000000000 ffff880000000000 ffff88007542d000
[ 105.476134] 0000000000000001 0000000000000001 0000000000000000 0000000000000001
[ 105.476134] Call Trace:
[ 105.476134] [<ffffffffa022538a>] probe_2047+0x2a/0x220 [stap_066aedcae675ff178ad67841a6b558ca_1707]
[ 105.476134] [<ffffffff81625dc8>] ? unregister_kprobes.part.21+0x88/0xb0
[ 105.476134] [<ffffffffa0225ef9>] enter_be_probe+0xe9/0x1d0 [stap_066aedcae675ff178ad67841a6b558ca_1707]
[ 105.476134] [<ffffffffa0226e3d>] _stp_cleanup_and_exit+0x3bd/0x430 [stap_066aedcae675ff178ad67841a6b558ca_1707]
[ 105.476134] [<ffffffff8108fd60>] ? thread_group_times+0xb0/0xb0
[ 105.476134] [<ffffffffa02271ea>] _stp_ctl_write_cmd+0x25a/0xa40 [stap_066aedcae675ff178ad67841a6b558ca_1707]
[ 105.476134] [<ffffffff8127e7cc>] ? security_file_permission+0x2c/0xb0
[ 105.476134] [<ffffffff8118f2ec>] vfs_write+0xac/0x180
[ 105.476134] [<ffffffff8118f61a>] sys_write+0x4a/0x90
[ 105.476134] [<ffffffff81628269>] system_call_fastpath+0x16/0x1b
[ 105.476134] Code: 00 48 63 45 ac 48 8b 55 b0 48 c7 45 b8 00 00 00 00 c7 45 a8 00 00 00 00 4c 8b 2a 4c 03 2c c5 e0 bc cd 81 48 8b 45 c8 48 8b 4d b8 <48> 03 48 68 49 8b 45 68 48 89 4d c0 48 8b 4d b8 4c 8b 34 08 4d
[ 105.476134] RIP [<ffffffffa0224ded>] _stp_pmap_agg+0xed/0x430 [stap_066aedcae675ff178ad67841a6b558ca_1707]
[ 105.476134] RSP <ffff880036611d88>
[ 105.476134] CR2: 0000000000000068
The crash specifically is here'bouts:
MAP_LOCK(m);
/* walk the hash chains. */
for (hash = 0; hash < HASH_TABLE_SIZE; hash++) {
head = &m->hashes[hash];
ahead = &agg->hashes[hash];
6de5: 48 8b 45 c8 mov -0x38(%rbp),%rax
6de9: 48 8b 4d b8 mov -0x48(%rbp),%rcx
6ded: 48 03 48 68 add 0x68(%rax),%rcx <<----- here
hlist_for_each(e, head) {
6df1: 49 8b 45 68 mov 0x68(%r13),%rax
#endif
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
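Added example, not SystemTap runtime code: it shows why a NULL aggregate map faults at address 0x68 (RAX == 0 and the instruction reads 0x68(%rax), so CR2 equals the offset of the `hashes` member), and the NULL check that turns the oops into a clean error return. The `toy_map` layout is hypothetical, chosen so that `hashes` lands at offset 0x68 on a 64-bit build; the chain walk and sample nodes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>

#define HASH_TABLE_SIZE 4

struct hlist_node { struct hlist_node *next; };
struct hlist_head { struct hlist_node *first; };

/* Hypothetical map layout: 13 eight-byte words of other state, then the
 * pointer to the hash-chain heads, so offsetof(hashes) == 104 == 0x68. */
struct toy_map {
    uint64_t other_state[13];
    struct hlist_head *hashes;   /* HASH_TABLE_SIZE chain heads */
};

/* Address the CPU faults on when &base->hashes is read with base == NULL:
 * the member offset itself, which is what CR2 shows in the oops. */
uintptr_t fault_addr_for_null_base(void)
{
    return (uintptr_t)offsetof(struct toy_map, hashes);
}

/* Hardened walk over m's chains, paired with agg's chain heads.
 * Returns -1 instead of dereferencing a NULL map, else the node count. */
int agg_walk(const struct toy_map *m, const struct toy_map *agg)
{
    if (m == NULL || agg == NULL || m->hashes == NULL || agg->hashes == NULL)
        return -1;
    int nodes = 0;
    for (int hash = 0; hash < HASH_TABLE_SIZE; hash++) {
        const struct hlist_head *head = &m->hashes[hash];
        const struct hlist_head *ahead = &agg->hashes[hash];  /* the faulting read */
        (void)ahead;
        for (const struct hlist_node *e = head->first; e != NULL; e = e->next)
            nodes++;
    }
    return nodes;
}

/* Constructed sample: two nodes on chain 1 of m, empty aggregate.
 * pass_null_agg != 0 reproduces the bug's input shape (agg == NULL). */
int demo(int pass_null_agg)
{
    static struct hlist_node n0, n1;
    static struct hlist_head heads_m[HASH_TABLE_SIZE], heads_a[HASH_TABLE_SIZE];
    struct toy_map m = { .hashes = heads_m }, agg = { .hashes = heads_a };
    n0.next = &n1;
    n1.next = NULL;
    heads_m[1].first = &n0;
    return agg_walk(&m, pass_null_agg ? NULL : &agg);
}
```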