[BUG] kernel panic after bpf program removed.

From: Wangnan (F)
Date: Thu May 14 2015 - 23:55:01 EST

Next message: Alistair Popple: "[PATCH v4 3/9] ipmi/powernv: Convert to irq event interface"
Previous message: Calvin Owens: "[PATCH 6/6] Fix unsafe fw_event_list usage"
Next in thread: Alexei Starovoitov: "Re: [BUG] kernel panic after bpf program removed."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Alexei Starovoitov and other,

I triggered a kernel panic when developing my 'perf bpf' facility. The call stack is listed at the bottom of
this mail.

I attached two bpf programs on 'kmem_cache_free%return' and '__alloc_pages_nodemask'. The programs is very simple.
The panic is raised after closing the bpf program and the perf event file. Looks like the panic is caused
by racing between closing perf event fd and bpf program fd. I'm unable to reproduce this problem with similar
operations.

Following is the exact instruction cause the panic.

ffffffff8111cf70 <bpf_prog_put>:

void bpf_prog_put(struct bpf_prog *prog)
{
ffffffff8111cf70: e8 fb a1 49 00 callq ffffffff815b7170 <__fentry__>
ffffffff8111cf75: 55 push %rbp
ffffffff8111cf76: 48 89 e5 mov %rsp,%rbp
ffffffff8111cf79: 53 push %rbx
ffffffff8111cf7a: 48 89 fb mov %rdi,%rbx
ffffffff8111cf7d: 48 83 ec 08 sub $0x8,%rsp
ffffffff8111cf81: 48 8b 47 10 mov 0x10(%rdi),%rax <-- *panic at this instruction*
ffffffff8111cf85: f0 ff 08 lock decl (%rax)
ffffffff8111cf88: 74 0e je ffffffff8111cf98 <bpf_prog_put+0x28>
if (atomic_dec_and_test(&prog->aux->refcnt)) {
free_used_maps(prog->aux);
bpf_prog_free(prog);
}
}
ffffffff8111cf8a: 48 83 c4 08 add $0x8,%rsp
ffffffff8111cf8e: 5b pop %rbx
ffffffff8111cf8f: 5d pop %rbp
ffffffff8111cf90: c3 retq

Thank you.

----------------------- KERNEL PANIC -------------------

[ 261.839750] BUG: unable to handle kernel NULL pointer dereference at 00000000000006d0
[ 261.839750] IP: [<ffffffff8111cf81>] bpf_prog_put+0x11/0x50
[ 261.839750] PGD 7f7d0067 PUD 7f74d067 PMD 0
[ 261.839750] Oops: 0000 [#1] SMP
[ 261.839750] Modules linked in:
[ 261.839750] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.0.0+ #11
[ 261.839750] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014
[ 261.839750] task: ffffffff81a114a0 ti: ffffffff81a00000 task.ti: ffffffff81a00000
[ 261.839750] RIP: 0010:[<ffffffff8111cf81>] [<ffffffff8111cf81>] bpf_prog_put+0x11/0x50
[ 261.839750] RSP: 0018:ffff88007ea03e68 EFLAGS: 00000292
[ 261.839750] RAX: ffff880076e35d20 RBX: 00000000000006c0 RCX: ffffffff81123d60
[ 261.839750] RDX: 00000001000d000b RSI: 0000000000000000 RDI: 00000000000006c0
[ 261.839750] RBP: ffff88007ea03e78 R08: ffff88007f10c3c0 R09: ffff88007ea189c0
[ 261.839750] R10: ffff88007aa68290 R11: ffff88007ea0800d R12: ffff88007643a000
[ 261.839750] R13: 000000000000000a R14: 0000000000000125 R15: ffff88007ea16540
[ 261.839750] FS: 0000000000000000(0000) GS:ffff88007ea00000(0000) knlGS:0000000000000000
[ 261.839750] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 261.839750] CR2: 00000000000006d0 CR3: 0000000078aa5000 CR4: 00000000000006f0
[ 261.839750] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 261.839750] DR3: 0000000000000000 DR6: 0000000000000000 DR7: 0000000000000000
[ 261.839750] Stack:
[ 261.839750] ffff88007ea03e78 ffff88007643a320 ffff88007ea03e98 ffffffff81123dac
[ 261.839750] ffffffff81a38380 ffff88007f7de000 ffff88007ea03f08 ffffffff810a2d0b
[ 261.839750] ffffffff81ced238 ffff88007b911508 ffff88007ea16570 ffffffff81a114a0
[ 261.839750] Call Trace:
[ 261.839750] <IRQ>
[ 261.839750] [<ffffffff81123dac>] free_event_rcu+0x4c/0x60
[ 261.839750] [<ffffffff810a2d0b>] rcu_process_callbacks+0x25b/0x5a0
[ 261.839750] [<ffffffff8105749d>] __do_softirq+0xed/0x280
[ 261.839750] [<ffffffff810577fd>] irq_exit+0x4d/0x60
[ 261.839750] [<ffffffff815b7b3a>] smp_apic_timer_interrupt+0x4a/0x60
[ 261.839750] [<ffffffff815b617b>] apic_timer_interrupt+0x6b/0x70
[ 261.839750] <EOI>
[ 261.839750] [<ffffffff8100cd10>] ? default_idle+0x20/0xb0
[ 261.839750] [<ffffffff8100d69f>] arch_cpu_idle+0xf/0x20
[ 261.839750] [<ffffffff8108c117>] cpu_startup_entry+0x2f7/0x400
[ 261.839750] [<ffffffff815a4e87>] rest_init+0x77/0x80
[ 261.839750] [<ffffffff81ae7fcd>] start_kernel+0x423/0x430
[ 261.839750] [<ffffffff81ae799a>] ? set_init_arg+0x56/0x56
[ 261.839750] [<ffffffff81ae75ad>] x86_64_start_reservations+0x2a/0x2c
[ 261.839750] [<ffffffff81ae769b>] x86_64_start_kernel+0xec/0xf0
[ 261.839750] Code: 24 72 e7 49 8b 7d 00 e8 8e ce 05 00 48 83 c4 08 5b 41 5c 41 5d 5d c3 0f 1f 00 66 66 66 66 90 55 48 89 e5 53 48 89 fb 48 83 ec 08 <48> 8b 47 10 3e ff 08 74 0e 48 83 c4 08 5b 5d c3 0f 1f 80 00 00
[ 261.839750] RIP [<ffffffff8111cf81>] bpf_prog_put+0x11/0x50
[ 261.839750] RSP <ffff88007ea03e68>
[ 261.839750] CR2: 00000000000006d0
[ 261.839750] ---[ end trace dddf4ec721745b49 ]---
[ 261.839750] Kernel panic - not syncing: Fatal exception in interrupt
[ 261.839750] Kernel Offset: disabled
[ 261.839750] ---[ end Kernel panic - not syncing: Fatal exception in interrupt

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alistair Popple: "[PATCH v4 3/9] ipmi/powernv: Convert to irq event interface"
Previous message: Calvin Owens: "[PATCH 6/6] Fix unsafe fw_event_list usage"
Next in thread: Alexei Starovoitov: "Re: [BUG] kernel panic after bpf program removed."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]