Double fault when single-stepping compat task with PREEMPT_RT
From: Ben Hutchings
Date: Wed Sep 25 2013 - 09:24:41 EST
On Tue, 2013-09-24 at 13:43 -0700, Brian Silverman wrote:
[...]
> I got down to a really simple program that reproduces this bug:
>
>
> #include <sys/syscall.h>
> #include <unistd.h>
> int main() {
> // I've tried SYS_getpid, SYS_write, and SYS_read here too.
> syscall(SYS_gettid);
> }
>
>
> Any syscall I put in there seems to give the same results. In order
> for it to trigger the bug, you have to compile it with `gcc -m32
> whatever.c` (I'm testing with the standard Wheezy gcc (4:4.7.2-1) and
> gdb (7.4.1+dfsg-0.1)). I would imagine that something in gcc and/or
> gdb is contributing to this too.
>
>
> I also minimized the gdb commands down to:
>
>
> break main
> run
> record
I assume this enables single-stepping.
> continue
[...]
I can reproduce this in VMs running the latest Debian RT kernel versions
(based on 3.2.51-rt72, and on 3.10.11 with the 3.10.10-rt7 patch).
As Brian says, x86_64 userland on x86_64 kernel works, and similarly for
i386 on i386. So it is specifically the 'compat' case that's broken.
Here's what I got:
[ 68.394276] double fault: 0000 [#1] PREEMPT SMP
[ 68.394304] Modules linked in: rfcomm bnep bluetooth rfkill crc16 nfsd auth_rpcgss oid_registry nfs_acl nfs lockd dns_resolver fscache sunrpc loop fuse joydev hid_generic usbhid hid snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_page_alloc snd_seq snd_seq_device snd_timer snd processor evdev ttm drm_kms_helper thermal_sys psmouse soundcore drm i2c_piix4 serio_raw virtio_balloon button i2c_core pcspkr microcode ext3 mbcache jbd sg sr_mod cdrom ata_generic virtio_net virtio_blk floppy uhci_hcd ata_piix ehci_hcd libata usbcore virtio_pci scsi_mod usb_common virtio_ring virtio
[ 68.394307] CPU: 0 PID: 3044 Comm: bug723180 Not tainted 3.10-3-rt-amd64 #1 Debian 3.10.11-1
[ 68.394307] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 68.394309] task: ffff88001df34300 ti: ffff88001b564000 task.ti: ffff88001b564000
[ 68.394316] RIP: 0010:[<ffffffff8139ec30>] [<ffffffff8139ec30>] native_irq_enable_sysexit+0x10/0x10
[ 68.394317] RSP: 0018:0000000000000000 EFLAGS: 00010192
[ 68.394318] RAX: 00000000000000e0 RBX: 0000000000000000 RCX: 000000000804842b
[ 68.394319] RDX: 00000000f7fc7000 RSI: 0000000008048420 RDI: 0000000000000000
[ 68.394319] RBP: 00000000ffffd53c R08: 0000000000000000 R09: 0000000000000000
[ 68.394320] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 68.394320] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 68.394321] FS: 0000000000000000(0000) GS:ffff88001fc00000(0063) knlGS:00000000f7e1b900
[ 68.394322] CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b
[ 68.394323] CR2: fffffffffffffff8 CR3: 000000001f121000 CR4: 00000000000006f0
[ 68.394326] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 68.394329] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
[ 68.394329] Stack:
[ 68.394331] ffff88001fc05e68 ffff88001fc05f58 0000000000000ac0 0000000000000000
[ 68.394332] 0000000000000000 0000000000000000 0000000000000040 ffffffff8100ef56
[ 68.394334] 0000000081837a35 00000000ffffffff ffff88001fc05f58 ffffffff814011e8
[ 68.394334] Call Trace:
[ 68.394336] <#DF>
[ 68.394340] [<ffffffff8100ef56>] ? show_regs+0x6d/0x1bd
[ 68.394343] [<ffffffff81399cbe>] ? __die+0x9e/0xdb
[ 68.394345] [<ffffffff8100fbe9>] ? die+0x3d/0x56
[ 68.394346] [<ffffffff8100de24>] ? do_double_fault+0x5c/0x5e
[ 68.394348] [<ffffffff8139e888>] ? double_fault+0x28/0x30
[ 68.394350] [<ffffffff8139ec30>] ? native_irq_enable_sysexit+0x10/0x10
[ 68.394351] <<EOE>>
[ 68.394361] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 0f 01 f8 0f 07 66 66 2e 0f 1f 84 00 00 00 00 00 0f 01 f8 fb 0f 35 66 2e 0f 1f 84 00 00 00 00 00 <0f> 01 f8 65 48 8b 24 25 e0 a7 00 00 48 83 c4 28 fb 0f 1f 80 00
[ 68.394362] RIP [<ffffffff8139ec30>] native_irq_enable_sysexit+0x10/0x10
[ 68.394362] RSP <0000000000000000>
[ 68.394385] ---[ end trace 0000000000000002 ]---
[ 68.394434] ------------[ cut here ]------------
[ 68.394442] WARNING: at /build/linux-BPzSEt/linux-3.10.11/debian/build/source_rt/kernel/smp.c:244 smp_call_function_single+0x71/0x157()
[ 68.394454] Modules linked in: rfcomm bnep bluetooth rfkill crc16 nfsd auth_rpcgss oid_registry nfs_acl nfs lockd dns_resolver fscache sunrpc loop fuse joydev hid_generic usbhid hid snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_page_alloc snd_seq snd_seq_device snd_timer snd processor evdev ttm drm_kms_helper thermal_sys psmouse soundcore drm i2c_piix4 serio_raw virtio_balloon button i2c_core pcspkr microcode ext3 mbcache jbd sg sr_mod cdrom ata_generic virtio_net virtio_blk floppy uhci_hcd ata_piix ehci_hcd libata usbcore virtio_pci scsi_mod usb_common virtio_ring virtio
[ 68.394456] CPU: 0 PID: 3044 Comm: bug723180 Tainted: G D 3.10-3-rt-amd64 #1 Debian 3.10.11-1
[ 68.394459] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 68.394460] 0000000000000000 ffffffff8103cced 0000000000000000 0000000000000000
[ 68.394461] 0000000000000000 ffffffff810c08d9 ffff88001fc05e50 ffffffff810830f6
[ 68.394462] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 68.394463] Call Trace:
[ 68.394466] <#DF> [<ffffffff8103cced>] ? warn_slowpath_common+0x5b/0x70
[ 68.394470] [<ffffffff810c08d9>] ? perf_cgroup_exit+0x16/0x16
[ 68.394472] [<ffffffff810830f6>] ? smp_call_function_single+0x71/0x157
[ 68.394473] [<ffffffff810bff63>] ? task_function_call+0x42/0x4c
[ 68.394475] [<ffffffff810c3f87>] ? perf_cgroup_switch+0x141/0x141
[ 68.394477] [<ffffffff810924af>] ? cgroup_exit+0xc8/0xd3
[ 68.394478] [<ffffffff81041cbd>] ? do_exit+0x404/0x946
[ 68.394480] [<ffffffff81399c1b>] ? oops_end+0xa9/0xae
[ 68.394482] [<ffffffff8100de24>] ? do_double_fault+0x5c/0x5e
[ 68.394484] [<ffffffff8139e888>] ? double_fault+0x28/0x30
[ 68.394485] [<ffffffff8139ec30>] ? native_irq_enable_sysexit+0x10/0x10
[ 68.394486] <<EOE>>
[ 68.394486] ---[ end trace 0000000000000003 ]---
Ben.
--
Ben Hutchings
Humans are not rational beings; they are rationalising beings.