Project

General

Profile

Bug #622

lttng-modules 2.3-rc triggers kernel OOPS (null pointer)

Added by Mathieu Desnoyers over 6 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Normal
Target version:
Start date:
08/25/2013
Due date:
% Done:

100%

Estimated time:

Description

The following OOPS has been reported by David Goulet on lttng-modules 2.3-rc:

[44586.258771] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
[44586.258819] IP: [<ffffffffa079983a>] lttng_metadata_output_channel+0x54/0xe5 [lttng_tracer]
[44586.258854] PGD 3e9231067 PUD 3a05da067 PMD 0 
[44586.258874] Oops: 0000 [#1] SMP 
[44586.258890] Modules linked in: lttng_probe_workqueue(O) lttng_probe_vmscan(O) lttng_probe_udp(O) lttng_probe_timer(O) lttng_probe_sunrpc(O) lttng_probe_statedump(O) lttng_probe_sock(O) lttng_probe_skb(O) lttng_probe_signal(O) lttng_probe_scsi(O) lttng_probe_sched(O) lttng_probe_rpm(O) lttng_probe_regulator(O) lttng_probe_regmap(O) lttng_probe_rcu(O) lttng_probe_random(O) lttng_probe_printk(O) lttng_probe_power(O) lttng_probe_net(O) lttng_probe_napi(O) lttng_probe_module(O) lttng_probe_kvm(O) lttng_probe_kmem(O) lttng_probe_jbd2(O) lttng_probe_jbd(O) lttng_probe_irq(O) lttng_probe_gpio(O) lttng_probe_compaction(O) lttng_probe_block(O) lttng_types(O) lttng_ring_buffer_metadata_mmap_client(O) lttng_ring_buffer_client_mmap_overwrite(O) lttng_ring_buffer_client_mmap_discard(O) lttng_ring_buffer_metadata_client(O) lttng_ring_buffer_client_overwrite(O) lttng_ring_buffer_client_discard(O) lttng_tracer(O) lttng_statedump(O) lttng_kprobes(O) lttng_lib_ring_buffer(O) lttng_kretprobes(O) cpuid twofish_generic twofish_avx_x86_64 twofish_x86_64_3way twofish_x86_64 twofish_common xts ip6table_filter ip6_tables iptable_filter ip_tables ebtable_nat ebtables x_tables parport_pc ppdev lp parport bnep rfcomm binfmt_misc uinput nfsd auth_rpcgss oid_registry nfs_acl nfs lockd dns_resolver fscache sunrpc loop fuse dm_crypt snd_hda_codec_hdmi snd_hda_codec_realtek joydev iTCO_wdt iTCO_vendor_support arc4 uvcvideo videobuf2_vmalloc videobuf2_memops coretemp videobuf2_core videodev media btusb kvm_intel snd_hda_intel bluetooth kvm snd_hda_codec iwldvm snd_hwdep snd_pcm microcode snd_page_alloc thinkpad_acpi nvram snd_seq mac80211 snd_seq_device snd_timer psmouse serio_raw pcspkr evdev iwlwifi i915 lpc_ich mfd_core cfg80211 snd i2c_i801 drm_kms_helper rfkill battery drm tpm_tis tpm i2c_algo_bit tpm_bios ac i2c_core soundcore mei_me mei video wmi mperf processor button ext4 crc16 jbd2 mbcache dm_mod sg sd_mod crc_t10dif crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 ablk_helper cryptd lrw gf128mul glue_helper thermal thermal_sys ahci xhci_hcd libahci ehci_pci ehci_hcd libata e1000e ptp pps_core sdhci_pci sdhci mmc_core scsi_mod usbcore usb_common [last unloaded: lttng_statedump]
[44586.259693] CPU: 0 PID: 25230 Comm: lttng-consumerd Tainted: G           O 3.10-2-amd64 #1 Debian 3.10.5-1
[44586.259731] Hardware name: LENOVO 2306CTO/2306CTO, BIOS G2ET86WW (2.06 ) 11/13/2012
[44586.259757] task: ffff880408ad4780 ti: ffff880384a96000 task.ti: ffff880384a96000
[44586.259782] RIP: 0010:[<ffffffffa079983a>]  [<ffffffffa079983a>] lttng_metadata_output_channel+0x54/0xe5 [lttng_tracer]
[44586.259821] RSP: 0018:ffff880384a97e20  EFLAGS: 00010202
[44586.259839] RAX: 0000000000000010 RBX: ffff8803cda3cf40 RCX: 000000000062eba0
[44586.259863] RDX: ffff8803c338fa00 RSI: ffff8803cda3cf40 RDI: ffff88040b811788
[44586.259886] RBP: ffff88040b811780 R08: 0000000000000001 R09: 0000000000000000
[44586.259910] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000c3d
[44586.259933] R13: 0000000000000000 R14: 0000000000000001 R15: 00007fedd7fff700
[44586.259958] FS:  00007fedd7fff700(0000) GS:ffff88041e200000(0000) knlGS:0000000000000000
[44586.259984] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[44586.260003] CR2: 0000000000000060 CR3: 000000038934a000 CR4: 00000000001407f0
[44586.260027] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[44586.260050] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[44586.260073] Stack:
[44586.260081]  00000000000007f8 ffff880384a97f58 0000000000000007 00007fedd7ffd788
[44586.260109]  ffff880408ad4780 0000000000000029 ffff88040b3b1140 ffffffff8138b2f3
[44586.260137]  0000000000000282 ffff88040b3b11a8 ffff8803c30a1c00 ffff88040d3b22c0
[44586.260165] Call Trace:
[44586.260178]  [<ffffffff8138b2f3>] ? __do_page_fault+0x32d/0x3cb
[44586.260210]  [<ffffffffa079ab08>] ? lttng_metadata_ring_buffer_ioctl_get_next_subbuf.isra.5+0x14/0x26 [lttng_tracer]
[44586.260256]  [<ffffffffa079abbe>] ? lttng_metadata_ring_buffer_ioctl+0x36/0x6c [lttng_tracer]
[44586.260286]  [<ffffffff81115eff>] ? vfs_ioctl+0x1b/0x25
[44586.260304]  [<ffffffff81116720>] ? do_vfs_ioctl+0x3e8/0x42a
[44586.260325]  [<ffffffff8110a8a0>] ? __fput+0x18e/0x1b1
[44586.260344]  [<ffffffff8111f1f1>] ? mntput_no_expire+0x2d/0x137
[44586.260366]  [<ffffffff8105f64a>] ? should_resched+0x5/0x23
[44586.260387]  [<ffffffff81387589>] ? _cond_resched+0x5/0x18
[44586.260408]  [<ffffffff810550ad>] ? task_work_run+0x80/0x8f
[44586.260427]  [<ffffffff811167b0>] ? SyS_ioctl+0x4e/0x79
[44586.261613]  [<ffffffff8138d4a9>] ? system_call_fastpath+0x16/0x1b
[44586.262812] Code: 8b 43 10 45 31 ed 3b 43 14 0f 85 9f 00 00 00 48 8b 53 08 44 8b 62 0c 41 29 c4 4d 85 e4 0f 84 8b 00 00 00 48 8b 45 48 48 8b 7d 08 <ff> 50 50 4c 39 e0 48 c7 44 24 08 00 00 00 00 c7 44 24 18 01 00 
[44586.265351] RIP  [<ffffffffa079983a>] lttng_metadata_output_channel+0x54/0xe5 [lttng_tracer]
[44586.266592]  RSP <ffff880384a97e20>
[44586.267802] CR2: 0000000000000060
[44586.273502] ---[ end trace 693f6e404320bee1 ]---

Files

fix-metadata-refcount.patch (1.2 KB) fix-metadata-refcount.patch Fix: metadata lttng channel refcount Mathieu Desnoyers, 08/25/2013 06:48 PM
#1

Updated by Mathieu Desnoyers over 6 years ago

  • Assignee set to Mathieu Desnoyers

I suspect this is caused by a missing reference on the lttng channel structure, which could lead to accessing the object after it has been destroyed if the lttng channel file descriptor is closed while the metadata stream fd is still in use.

#3

Updated by Mathieu Desnoyers over 6 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

Also available in: Atom PDF