Re: [CRED bug?] 2.6.29-rc3 don't survive on stress workload

All of lore.kernel.org
 help / color / mirror / Atom feed

From: David Howells <dhowells@redhat.com>
To: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: dhowells@redhat.com, Serge Hallyn <serue@us.ibm.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Lee Schermerhorn <Lee.Schermerhorn@hp.com>
Subject: Re: [CRED bug?] 2.6.29-rc3 don't survive on stress workload
Date: Thu, 12 Feb 2009 11:09:52 +0000	[thread overview]
Message-ID: <27421.1234436992@redhat.com> (raw)
In-Reply-To: <20090210142443.629E.KOSAKI.MOTOHIRO@jp.fujitsu.com>


Aha!  I reproduced it myself (with my patch to check atomic_dec_and_test() in
there, but not Serge's patch).  Ironically, 13 hours of running Vegard's
setreuid() program didn't show anything, but halting the box whilst someone
was trying to SSH-crack it did.

Shutting down ntpd: ------------[ cut here ]------------
kernel BUG at mm/slab.c:591!
invalid opcode: 0000 [#1] SMP 
last sysfs file: /sys/devices/pci0000:00/0000:00:19.0/irq
CPU 1 
Modules linked in:
Pid: 0, comm: swapper Not tainted 2.6.29-rc4-cachefs #35
RIP: 0010:[<ffffffff8028c192>]  [<ffffffff8028c192>] kfree+0x65/0xd1
RSP: 0018:ffff88003dc9fe50  EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffffffff80625a00 RCX: 0000000000000059
RDX: ffffe20000015818 RSI: 0000000000000059 RDI: ffffffff80625a00
RBP: ffffffff8025d238 R08: 0000000000000000 R09: ffff88003cffc9c8
R10: ffff88003cd4e000 R11: 09f911029d74e35b R12: ffffffff80625a00
R13: 0000000000000286 R14: 0000000000000009 R15: 0000000000000008
FS:  0000000000000000(0000) GS:ffff88003dc64268(0000) knlGS:0000000000000000
CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 00007f2bbb54f7f8 CR3: 000000003d2fe000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process swapper (pid: 0, threadinfo ffff88003dc98000, task ffff88003dc95290)
Stack:
 09f911029d74e35b ffffffff80625a00 ffffffff8025d238 ffff88003cc82338
 0000000000000202 ffffffff803820bd 0000000000000286 ffff88003d2fcec0
 0000000000000286 ffffffff8023a488 ffff88003cc823b8 ffff88003cffc9c8
Call Trace:
 <IRQ> <0> [<ffffffff8025d238>] ? free_user_ns+0x0/0x19
 [<ffffffff803820bd>] ? kref_put+0x51/0x5c
 [<ffffffff8023a488>] ? free_uid+0x4c/0x99
 [<ffffffff80246cd1>] ? put_cred_rcu+0x70/0x83
 [<ffffffff802691d9>] ? __rcu_process_callbacks+0x157/0x1d2
 [<ffffffff8026927a>] ? rcu_process_callbacks+0x26/0x4b
 [<ffffffff802362e7>] ? __do_softirq+0x7a/0x13d
 [<ffffffff8020c2bc>] ? call_softirq+0x1c/0x28
 [<ffffffff8020d7e4>] ? do_softirq+0x2c/0x6c
 [<ffffffff8021a893>] ? smp_apic_timer_interrupt+0x93/0xac
 [<ffffffff8020bcf3>] ? apic_timer_interrupt+0x13/0x20
 <EOI> <0> [<ffffffff80447cce>] ? datagram_poll+0x0/0xc2
 [<ffffffff802119d0>] ? mwait_idle+0x41/0x44
 [<ffffffff8020a018>] ? cpu_idle+0x40/0x5e
Code: 48 8d 14 10 48 8b 02 25 00 00 01 00 48 85 c0 74 15 48 8b 52 10 48 8b 02 25 00 00 01 00 48 85 c0 74 04 48 8b 52 10 80 3a 00 78 04 <0f> 0b eb fe 48 8b 5a 28 65 8b 04 25 24 00 00 00 89 c0 48 8b 2c 
RIP  [<ffffffff8028c192>] kfree+0x65/0xd1
 RSP <ffff88003dc9fe50>
---[ end trace 36e0423a3db60c4b ]---
Kernel panic - not syncing: Fatal exception in interrupt


This is due to the BUG_ON() in the following:

	static inline struct kmem_cache *page_get_cache(struct page *page)
	{
		page = compound_head(page);
		BUG_ON(!PageSlab(page));
		return (struct kmem_cache *)page->lru.next;
	}

This is due to the user_namespace being released being init_user_ns.  RDI and
R12 both hold the parameter to kfree() at this point, and gdb says:

	(gdb) i sym 0xffffffff80625a00
	init_user_ns in section .data

David

next prev parent reply	other threads:[~2009-02-12 11:10 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-02-10  5:41 [CRED bug?] 2.6.29-rc3 don't survive on stress workload KOSAKI Motohiro
2009-02-10  7:10 ` Vegard Nossum
2009-02-10  7:28   ` KOSAKI Motohiro
2009-02-11  3:56     ` Vegard Nossum
2009-02-11 10:48       ` David Howells
2009-02-10 12:18   ` Ingo Molnar
2009-02-11 12:25   ` KOSAKI Motohiro
2009-02-11 12:54     ` David Howells
2009-02-10 10:35 ` David Howells
2009-02-10 10:49   ` KOSAKI Motohiro
2009-02-11 12:41 ` David Howells
2009-02-11 12:52   ` KOSAKI Motohiro
2009-02-11 13:09     ` David Howells
2009-02-11 14:04       ` KOSAKI Motohiro
2009-02-11 16:33       ` Ingo Molnar
2009-02-11 17:07         ` David Howells
2009-02-11 17:19           ` Ingo Molnar
2009-02-12 11:09 ` David Howells [this message]
2009-02-12 11:23   ` KOSAKI Motohiro
2009-02-12 12:04     ` David Howells
2009-02-12 14:39       ` Serge E. Hallyn
2009-02-12 17:18         ` David Howells
2009-02-13  4:44           ` KOSAKI Motohiro
2009-02-13  8:28           ` Ingo Molnar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=27421.1234436992@redhat.com \
    --to=dhowells@redhat.com \
    --cc=Lee.Schermerhorn@hp.com \
    --cc=kosaki.motohiro@jp.fujitsu.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=serue@us.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.