From: Peter Osterlund <petero2@telia.com>
To: Robert Love <rml@novell.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>,
	Andrew Morton <akpm@osdl.org>,
	Linux Kernel list <linux-kernel@vger.kernel.org>
Subject: Re: 2.6.11-rc3-mm1
Date: 09 Feb 2005 00:08:56 +0100
Message-ID: <m33bw63b07.fsf@telia.com>
In-Reply-To: <1107796935.24154.14.camel@localhost>

Robert Love <rml@novell.com> writes:

> On Sun, 2005-02-06 at 22:22 +0100, Peter Osterlund wrote:
> 
> > > > >         EIP is a strncpy_from_user+0x33/0x47
> > > > >         ...
> > > > >         Call Trace:
> > > > >          getname+0x69/0xa5
> > > > >          sys_open+0x12/0xc6
> > > > >          sysenter_past_esp+0x52/0x75
> > > > >         ...
> > > > >         Kernel panic - not syncing: Attempted to kill init!
> > 
> > I found that if I disable CONFIG_INOTIFY, the problem goes away.
> 
> Weird.  While we touch sys_open() with an inotify hook, we do so after
> the call to getname, and we don't touch getname() or strncpy_from_user()
> at all.
> 
> I wonder if there is another bug and inotify is just affecting the
> timing?

Possible, but it fails every time with CONFIG_INOTIFY enabled and
works every time with CONFIG_INOTIFY disabled.

I added some printk's to do_getname and got this:

    ...
    Freeing unused kernel memory: 160k freed
    ...
    do_getname: init /etc/localtime
    do_getname: init seg:1 page:df404000 filename:455dd11f len:4096
    do_getname: init /etc/localtime
    do_getname: init seg:1 page:df404000 filename:455dd11f len:4096
    do_getname: init /etc/localtime
    do_getname: init seg:1 page:df404000 filename:455dd11f len:4096
    do_getname: init /etc/localtime
    do_getname: init seg:1 page:df404000 filename:00000000 len:4096
    Unable to handle kernel NULL pointer dereference at virtual address 00000000
     printing eip:
    c01d8257
    *pde = 00000000
    Oops: 0000 [#1]
    PREEMPT 
    Modules linked in:
    CPU:    0
    EIP:    0060:[<c01d8257>]    Not tainted VLI
    EFLAGS: 00010206   (2.6.11-rc3-mm1) 
    EIP is at strncpy_from_user+0x33/0x47
    eax: c14f0000   ebx: fffffff2   ecx: 00001000   edx: 00001000
    esi: 00000000   edi: df404000   ebp: 00000000   esp: c14f1f60
    ds: 007b   es: 007b   ss: 0068
    Process init (pid: 1, threadinfo=c14f0000 task=dff4ba40)
    Stack: c14f0000 fffffff4 df404000 00000000 c0166854 df404000 00000000 00001000 
           df404000 00000000 00001000 00001000 00000000 00000000 00000901 c14f0000 
           c0158725 00000000 00000000 00000000 00000002 00000000 00000000 00000901 
    Call Trace:
     [<c0166854>] getname+0xb4/0x10f
     [<c0158725>] sys_open+0x12/0xc6
     [<c0102f19>] sysenter_past_esp+0x52/0x75
    Code: 57 56 53 bb f2 ff ff ff 8b 74 24 18 8b 7c 24 14 8b 4c 24 1c 89 f2 83 c2 01 19 ed 39 50 18 83 dd 00 85 ed 75 13 89 ca 85 c9 74 0b <ac> aa 84 c0 74 03 49 75 f7 29 ca 89 d3 89 d8 5b 5e 5f 5d c3 57 
    do_getname: hotplug seg:1 page:dfca1000 filename:080e6770 len:4096
    do_getname: hotplug /etc/hotplug.d/default/20-hal.hotplug
    do_getname: hotplug seg:1 page:df6d1000 filename:080e6770 len:4096
    do_getname: hotplug /etc/hotplug.d/default/20-hal.hotplug
    Kernel panic - not syncing: Attempted to kill init!

If I add this code to do_getname()

+	if (!filename)
+		return -EFAULT;

the machine boots correctly, but then fails later when trying to start
the X server:

    Unable to handle kernel paging request at virtual address 00008050
     printing eip:
    c01d840a
    *pde = 16fd4067
    *pte = 00000000
    Oops: 0002 [#1]
    PREEMPT 
    Modules linked in: radeon joydev mousedev nfs psmouse snd_atiixp_modem nfsd exportfs lockd parport_pc lp parport autofs4 pcmcia sunrpc ipt_LOG ipt_limit ipt_state ipt_REJECT iptable_filter ipt_MASQUERADE iptable_nat ip_tables binfmt_misc dm_mod yenta_socket rsrc_nonstatic pcmcia_core ohci_hcd ehci_hcd usbcore ide_cd cdrom
    CPU:    0
    EIP:    0060:[<c01d840a>]    Not tainted VLI
    EFLAGS: 00013246   (2.6.11-rc3-mm1) 
    EIP is at __copy_to_user_ll+0x3c/0x64
    eax: 00000000   ebx: 00008050   ecx: 00000002   edx: 00008058
    esi: e1a5cc67   edi: 00008050   ebp: ffffffff   esp: d75e9e58
    ds: 007b   es: 007b   ss: 0068
    Process X (pid: 4757, threadinfo=d75e8000 task=d7584020)
    Stack: 00000027 00008050 00000000 00000000 e1a5cc70 c01d84ce 00008050 e1a5cc67 
           00000008 00000008 d75e9ec8 e1a51140 00008050 e1a5cc67 00000008 00000000 
           d75e9f08 c01d8511 d75e9f08 bfd4a320 d7957800 bfd4a320 d75e9f08 ffffffea 
    Call Trace:
     [<c01d84ce>] copy_to_user+0x38/0x42
     [<e1a51140>] version+0xe8/0x138 [radeon]
     [<c01d8511>] copy_from_user+0x39/0x68
     [<c02524e0>] drm_setversion+0x49/0x11b
     [<c0251219>] drm_ioctl+0xeb/0x1c1
     [<c0106407>] handle_vm86_fault+0x78f/0x909
     [<c0106407>] handle_vm86_fault+0x78f/0x909
     [<c016bac7>] do_ioctl+0x57/0x85
     [<c0106407>] handle_vm86_fault+0x78f/0x909
     [<c016bcc8>] vfs_ioctl+0x5c/0x1c3
     [<c0106407>] handle_vm86_fault+0x78f/0x909
     [<c016be6b>] sys_ioctl+0x3c/0x59
     [<c0106407>] handle_vm86_fault+0x78f/0x909
     [<c0102f19>] sysenter_past_esp+0x52/0x75
     [<c0106407>] handle_vm86_fault+0x78f/0x909
    Code: 83 f9 3f 76 0c 89 f8 31 f0 85 05 80 bd 44 c0 75 28 89 c8 83 f9 07 76 17 89 f9 f7 d9 83 e1 07 29 c8 f3 a4 89 c1 c1 e9 02 83 e0 03 <f3> a5 89 c1 f3 a4 83 c4 0c 5e 89 c8 5f c3 89 4c 24 08 89 74 24 
    <3>[drm:drm_release] *ERROR* Device busy: 1 0

Patch used during tests:

diff -puN fs/namei.c~panic-debug fs/namei.c
--- linux/fs/namei.c~panic-debug	2005-02-08 23:06:54.604431440 +0100
+++ linux-petero/fs/namei.c	2005-02-08 23:52:26.585107248 +0100
@@ -116,15 +116,28 @@ static inline int do_getname(const char 
 {
 	int retval;
 	unsigned long len = PATH_MAX;
+	int segment = 0;
 
 	if (!segment_eq(get_fs(), KERNEL_DS)) {
+		segment = 1;
 		if ((unsigned long) filename >= TASK_SIZE)
 			return -EFAULT;
 		if (TASK_SIZE - (unsigned long) filename < PATH_MAX)
 			len = TASK_SIZE - (unsigned long) filename;
 	}
 
+#if 0
+	printk("do_getname: %s seg:%d page:%p filename:%p len:%ld\n",
+	       current->comm, segment, page, filename, len);
+#endif
+
+	if (!filename)
+		return -EFAULT;
+
 	retval = strncpy_from_user(page, filename, len);
+#if 0
+	printk("do_getname: %s %s\n", current->comm, page);
+#endif
 	if (retval > 0) {
 		if (retval < len)
 			return 0;
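Review bot: the `if (!filename) return -EFAULT;` guard inserted between the segment check and the strncpy_from_user() call only special-cases address 0: every other unmapped user address still goes through strncpy_from_user() and relies on its fault fixup to produce -EFAULT, and the guard also applies to KERNEL_DS callers that skip the `segment_eq` block above it. It is fine as a bisection aid, but it should not be carried into a real fix, since the trace shows the copy oopsing instead of returning -EFAULT, and that is the behaviour that needs explaining. Two smaller points: both printk() calls are under `#if 0`, so the `do_getname:` lines quoted earlier were captured with a different state of this file than the one posted, which is worth saying when the patch is shared; and since `segment` exists only to feed the disabled printk(), it can go into the same `#if 0` block rather than staying live in the function.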

-- 
Peter Osterlund - petero2@telia.com
http://web.telia.com/~u89404340
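The exchange above turns on what do_getname() does before it hands a user pointer to strncpy_from_user(): it rejects addresses at or above TASK_SIZE and clamps the copy length so that an unterminated string near the top of user space cannot pull the copy across the user/kernel boundary, but it does not special-case NULL, because address 0 is an ordinary (normally unmapped) user address whose fault is expected to come back as -EFAULT from the copy helper. The following user-space model, added here and not code from the thread or from the kernel, walks those cases with the constants from the reported trace (a 4096-byte PATH_MAX, a 3 GB TASK_SIZE, the filename at 0x455dd000). The result mapping after the copy (0, -ENAMETOOLONG, -ENOENT, -EFAULT) is assumed from the 2.6.11 source, not shown on this page; the single mapped "user" window and the `max_read` bookkeeping are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed constants modelled on the i386 layout in the report. */
#define MODEL_TASK_SIZE 0xC0000000UL
#define MODEL_PATH_MAX  4096UL

/* One mapped window of "user" memory; any address outside it faults. */
struct user_as {
    unsigned long base;          /* first mapped address */
    const unsigned char *mem;    /* backing bytes */
    unsigned long size;          /* bytes mapped from base */
    unsigned long max_read;      /* highest address the copy touched */
};

/* Model of strncpy_from_user(): copy at most count bytes, stop at the NUL,
 * return the string length (NUL excluded), count if no NUL was seen within
 * count bytes, or -EFAULT when an unmapped byte is touched (the fixup path). */
static long model_strncpy_from_user(struct user_as *as, char *dst,
                                    unsigned long src, unsigned long count)
{
    unsigned long i;
    for (i = 0; i < count; i++) {
        unsigned long addr = src + i;
        if (addr < as->base || addr - as->base >= as->size)
            return -EFAULT;
        if (addr > as->max_read)
            as->max_read = addr;
        dst[i] = (char)as->mem[addr - as->base];
        if (dst[i] == '\0')
            return (long)i;
    }
    return (long)count;
}

/* Model of do_getname() for a user-segment caller: the two range checks
 * are those in the patch context; the result mapping is assumed (2.6.11). */
static int model_getname(struct user_as *as, char *page, unsigned long filename)
{
    long retval;
    unsigned long len = MODEL_PATH_MAX;

    if (filename >= MODEL_TASK_SIZE)
        return -EFAULT;                     /* kernel address: refuse */
    if (MODEL_TASK_SIZE - filename < MODEL_PATH_MAX)
        len = MODEL_TASK_SIZE - filename;   /* never read past TASK_SIZE */

    retval = model_strncpy_from_user(as, page, filename, len);
    if (retval > 0) {
        if ((unsigned long)retval < len)
            return 0;                       /* NUL seen inside the window */
        return -ENAMETOOLONG;               /* len bytes and no NUL */
    } else if (!retval) {
        retval = -ENOENT;                   /* empty name */
    }
    return (int)retval;                     /* -EFAULT from the copy */
}

/* Map n bytes at base, run getname on filename, report what was touched. */
static int getname_at(unsigned long base, const char *bytes, unsigned long n,
                      unsigned long filename, char *page, unsigned long *touched)
{
    struct user_as as;
    int rc;
    as.base = base;
    as.mem = (const unsigned char *)bytes;
    as.size = n;
    as.max_read = 0;
    rc = model_getname(&as, page, filename);
    if (touched)
        *touched = as.max_read;
    return rc;
}

int main(void)
{
    char page[MODEL_PATH_MAX];
    unsigned long touched;
    static const char name[] = "/etc/localtime";        /* constructed input */
    static const char unterminated[8] = "ABCDEFGH";     /* 8 bytes, no NUL */

    printf("normal:      %d %s\n",
           getname_at(0x455dd000UL, name, sizeof name, 0x455dd000UL, page, NULL), page);
    printf("kernel addr: %d\n",
           getname_at(0x455dd000UL, name, sizeof name, 0xC0100000UL, page, NULL));
    printf("at boundary: %d (max read %#lx)\n",
           getname_at(MODEL_TASK_SIZE - 8, unterminated, 8, MODEL_TASK_SIZE - 8, page, &touched),
           touched);
    printf("NULL:        %d\n",
           getname_at(0x455dd000UL, name, sizeof name, 0, page, NULL));
    return 0;
}
```

The boundary case is the one the clamp exists for: with the name starting 8 bytes below TASK_SIZE and no terminator, the copy stops at TASK_SIZE - 1 and reports -ENAMETOOLONG instead of reading on into the kernel half of the address space. The NULL case passes both range checks and is caught only by the fault path, which is why a plain `!filename` test in do_getname() cannot explain the oops on its own.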
