Bug #1107

Null pointer dereference on boot with built-in lttng-modules

Added by Francis Deslauriers almost 7 years ago. Updated almost 7 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Target version: -
Start date: 05/17/2017
Due date:
% Done: 100%
Estimated time:

Description

Booting a kernel (v4.4.68 stable branch) with the lttng-modules built-in crashes the kernel.

Procedure I followed:
  1. Run ./lttng-modules/built-in.sh ./linux
  2. Turn on the LTTng option in the .config
  3. cd ./linux && make
  4. Boot the kernel with qemu [1]

When booting, the VM hits a bug and prints this callstack [2].

I can successfully build and boot the kernel using that same command [1] when I turn off the lttng-modules in the .config.

lttng-modules commit: c6f05468ac90af73c0077095f5e57f287197e9d8
linux-stable 4.4.y commit: be90e260145c0463c7a5c80ced379adc2f4850cc

[1]

qemu-system-x86_64 deb.qcow2 \
    -enable-kvm \
    -m 1G \
    -nographic \
    -kernel linux/arch/x86/boot/bzImage \
    -initrd linux/arch/x86/boot/initrd.img \
    -append "root=UUID=8bf5feb2-6f3a-4842-a242-70aad1afeb98 console=ttyS0"

[2]: https://pastebin.com/CJD2cTBZ

Actions #1

Updated by Mathieu Desnoyers almost 7 years ago

Can you add printks between each called function within lttng_events_init so we can identify where it crashes?

Actions #2

Updated by Michael Jeanson almost 7 years ago

The problematic code is in wrapper/tracepoint.h:

#include <linux/module.h>   /* struct module, THIS_MODULE, TAINT_FORCED_MODULE */

static inline
int wrapper_lttng_fixup_sig(struct module *mod)
{
        int ret = 0;

        /*
         * This is for module.c confusing force loaded modules with
         * unsigned modules.
         *
         * THIS_MODULE is only a real pointer when built as a module;
         * in a built-in build it expands to a NULL pointer, so the
         * dereference below is the crash on boot.
         */
        if (!THIS_MODULE->sig_ok &&
                        THIS_MODULE->taints & (1U << TAINT_FORCED_MODULE)) {
                THIS_MODULE->taints &= ~(1U << TAINT_FORCED_MODULE);
                ret = wrapper_tracepoint_module_notify(NULL,
                                MODULE_STATE_COMING, mod);
                THIS_MODULE->taints |= (1U << TAINT_FORCED_MODULE);
        }
        return ret;
}

It's only enabled with CONFIG_MODULES_SIG and should probably be disabled when CONFIG_LTTNG=y.

Actions #3

Updated by Mathieu Desnoyers almost 7 years ago

Francis is preparing a patch that adds a THIS_MODULE NULL pointer check to this function, which seems more robust.

Actions #4

Updated by Francis Deslauriers almost 7 years ago

Actually, GCC warns that THIS_MODULE is always true when building the lttng-modules as modules due to this [1] #ifdef.

I am adding #ifdef MODULE guards to replace the wrapper_lttng_fixup_sig function in the same way.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/tree/include/linux/export.h?h=linux-4.4.y&id=be90e260145c0463c7a5c80ced379adc2f4850cc#n34
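To make the built-in versus module difference from comments #2 and #4 concrete, here is an added user-space model. It is not code from lttng-modules or the kernel: struct module, TAINT_FORCED_MODULE, MODULE_STATE_COMING and wrapper_tracepoint_module_notify() are simplified stand-ins, and only the THIS_MODULE definition follows the shape of the export.h lines linked above. Compiled without -DMODULE it models a CONFIG_LTTNG=y build, where THIS_MODULE is a NULL pointer; compiled with -DMODULE it takes the module path. fixup_sig_guarded() is the #ifdef MODULE shape of the fix, which never touches THIS_MODULE in the built-in case.

```c
/*
 * Added example (not lttng-modules or kernel code): a user-space model of why
 * wrapper_lttng_fixup_sig() dereferences NULL when lttng-modules is built into
 * the kernel image, and of the #ifdef MODULE guard that avoids it.
 * struct module, TAINT_FORCED_MODULE, MODULE_STATE_COMING and the notify
 * callback are simplified stand-ins for the kernel's definitions.
 */
#include <stddef.h>
#include <stdio.h>

#define TAINT_FORCED_MODULE 1   /* taint bit number used by this model */
#define MODULE_STATE_COMING 1   /* stand-in for the enum module_state value */

struct module {
    unsigned int taints;
    int sig_ok;
};

/*
 * Mirrors the shape of include/linux/export.h: only when the translation unit
 * is compiled with -DMODULE does THIS_MODULE point at a real struct.  In a
 * built-in (CONFIG_LTTNG=y) build it is a NULL pointer constant, so any
 * THIS_MODULE->field access is the null pointer dereference from the report.
 */
#ifdef MODULE
static struct module __this_module = {
    .taints = 1U << TAINT_FORCED_MODULE,   /* constructed: force-loaded, unsigned */
    .sig_ok = 0,
};
#define THIS_MODULE (&__this_module)
#else
#define THIS_MODULE ((struct module *)0)
#endif

static int notify_calls;   /* simulated MODULE_STATE_COMING notifications run */

/* Stand-in for wrapper_tracepoint_module_notify(): only records the call. */
int wrapper_tracepoint_module_notify(void *nb, unsigned long state, void *data)
{
    (void)nb; (void)state; (void)data;
    notify_calls++;
    return 0;
}

int notify_call_count(void)
{
    return notify_calls;
}

/* 1 when this build would crash on THIS_MODULE->sig_ok, 0 when it is safe. */
int this_module_is_null(void)
{
    return THIS_MODULE == NULL;
}

/*
 * The fixed shape: the taint dance is compiled only for a module build, so a
 * built-in build never evaluates THIS_MODULE at all.  Inside the guard the
 * body has the same logic as the function quoted in comment #2.
 */
int fixup_sig_guarded(struct module *mod)
{
#ifdef MODULE
    int ret = 0;

    if (!THIS_MODULE->sig_ok &&
        THIS_MODULE->taints & (1U << TAINT_FORCED_MODULE)) {
        THIS_MODULE->taints &= ~(1U << TAINT_FORCED_MODULE);
        ret = wrapper_tracepoint_module_notify(NULL, MODULE_STATE_COMING, mod);
        THIS_MODULE->taints |= (1U << TAINT_FORCED_MODULE);
    }
    return ret;
#else
    (void)mod;
    return 0;
#endif
}

int main(void)
{
    int ret = fixup_sig_guarded(NULL);

    printf("THIS_MODULE is %s; fixup returned %d; notify calls = %d\n",
           this_module_is_null() ? "NULL (built-in build)"
                                 : "a real module (-DMODULE)",
           ret, notify_call_count());
    return 0;
}
```

Build it twice to see both paths: `cc -Wall fixup_model.c && ./a.out` reports THIS_MODULE as NULL with no notification, while `cc -Wall -DMODULE fixup_model.c && ./a.out` runs the taint clear/notify/restore sequence once. The runtime NULL check discussed in comment #3 would be the other way to stop the dereference, but, as comment #4 notes, in a module build the compiler sees `&__this_module` and warns that such a check is always true, which is why the compile-time guard is the cleaner fit.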

Actions #5

Updated by Mathieu Desnoyers almost 7 years ago

Fair point. The solution seems acceptable.

Actions #6

Updated by Francis Deslauriers almost 7 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100