From mboxrd@z Thu Jan 1 00:00:00 1970
From: Burton Windle
Subject: 2.5.48: reliable oops in lock_get_status, with test program
Date: Wed, 20 Nov 2002 14:42:44 -0500 (EST)
Sender: linux-fsdevel-owner@vger.kernel.org
Message-ID:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: linux-fsdevel@vger.kernel.org
Return-path:
To: matthew@wil.cx
List-Id: linux-fsdevel.vger.kernel.org

I can reproduce this at will with a simple test case. This is also logged at
http://bugzilla.kernel.org/show_bug.cgi?id=16

Using this file, taken from an LKML post by Dave Olien:

-------------threaded test program. Run this first---------------------------
------------ compile with -lpthread -lm flags --------------------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <pthread.h>

/* Each worker just sleeps; the point is that the process holds a POSIX
 * record lock while several threads exist and outlive main()'s sleep. */
void *worker_thread(void *arg)
{
    (void)arg;
    sleep(60);
    return NULL;
}

static pthread_attr_t thread_attr;

#define NTHREADS 8

int main(void)
{
    int i;
    int fd;
    struct flock lock;

    fd = open("/tmp/dmo", O_RDWR);
    if (fd == -1) {
        perror("open failed");
        exit(0);
    }

    /* take a write lock on the first byte of the file */
    lock.l_whence = SEEK_SET;
    lock.l_type = F_WRLCK;
    lock.l_start = 0;
    lock.l_len = 1;
    if (fcntl(fd, F_SETLK, &lock) == -1) {
        perror("F_SETLK failed");
        exit(0);
    }

    /* start NTHREADS detached threads that keep running after main() exits */
    pthread_attr_init(&thread_attr);
    pthread_attr_setdetachstate(&thread_attr, PTHREAD_CREATE_DETACHED);
    for (i = 0; i < NTHREADS; i++) {
        pthread_t worker_tid;
        if (pthread_create(&worker_tid, &thread_attr, worker_thread, (void *)NULL) != 0) {
            perror("thread create failed");
            exit(1);
        }
    }
    sleep(30);
    return 0;
}
---end ----

so it is named "1", and running this script will cause an oops on my machine
100% of the time.

#!/bin/sh
echo "asdf" > /tmp/dmo
./1 &
sleep 2
killall 1
# erase /tmp/dmo because lock still exists for dead program (bug?)
rm /tmp/dmo
echo "asdf" > /tmp/dmo
./1 &
sleep 2
cat /proc/locks
killall 1
# next cat will oops
cat /proc/locks

Here is the decoded oops:

Unable to handle kernel NULL pointer dereference at virtual address 00000008
 printing eip:
c014c54f
*pde = 00000000
Oops: 0000
CPU:    0
EIP:    0060:[]    Not tainted
EFLAGS: 00010286
EIP is at lock_get_status+0x17/0x20c
eax: 00000000   ebx: c8d3b02d   ecx: c8d3b000   edx: c8d3b02d
esi: c13cf814   edi: 00000000   ebp: 00000400   esp: c8d33ee0
ds: 0068   es: 0068   ss: 0068
Process cat (pid: 267, threadinfo=c8d32000 task=c8d15940)
Stack: c13cf618 c13cf818 c13cf814 c014c85c c8d3b02d c13cf814 00000002 c0287173
       c8d32000 00000400 00000400 c8d3b000 c8d33f1c c8d33f20 00000002 c8d3b02d
       0000002d c015feaa c8d3b000 c8d33f7c 00000000 00000400 00000000 00000400
Call Trace:
 [] get_locks_status+0x80/0x148
 [] locks_read_proc+0x36/0x80
 [] proc_file_read+0xec/0x190
 [] vfs_read+0xc2/0x158
 [] sys_read+0x2a/0x3c
 [] syscall_call+0x7/0xb
Code: 8b 78 08 8b 44 24 1c 50 8b 44 24 1c 50 68 8c 70 28 c0 53 e8

--
Burton Windle                           burton@fint.org
Linux: the "grim reaper of innocent orphaned children."
       from /usr/src/linux-2.4.18/init/main.c:461
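An added check, not part of the report or of Dave Olien's program, for the "lock still exists for dead program (bug?)" question in the script: it probes the same byte-0 write lock with F_GETLK from a second process instead of reading /proc/locks, and confirms the lock is attributed to the holder while it lives and is gone once the holder is killed and reaped. It uses fork instead of the reproducer's threads, and a constructed mkstemp file in place of /tmp/dmo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>
/* Ask the kernel who holds a write lock on byte 0 of fd (the byte the
 * reproducer locks): holder's pid, 0 if unlocked, -1 on error. */
static pid_t lock_holder(int fd)
{
    struct flock probe = { .l_type = F_WRLCK, .l_whence = SEEK_SET, .l_start = 0, .l_len = 1 };
    if (fcntl(fd, F_GETLK, &probe) == -1) return -1;
    return probe.l_type == F_UNLCK ? 0 : probe.l_pid;
}
/* Child: take the byte-0 write lock as the reproducer does, then block until
 * killed. In the parent, returns the child's pid (or -1 if fork failed). */
static pid_t spawn_lock_holder(const char *path)
{
    pid_t pid = fork();
    if (pid != 0) return pid;
    int fd = open(path, O_RDWR);
    struct flock lock = { .l_type = F_WRLCK, .l_whence = SEEK_SET, .l_start = 0, .l_len = 1 };
    if (fd == -1 || fcntl(fd, F_SETLK, &lock) == -1)
        _exit(1);
    for (;;)
        pause();
}
/* 1 if the lock is attributed to the child while it lives and is gone once
 * the child has been killed and reaped; 0 otherwise. */
int lock_dies_with_owner(void)
{
    char path[] = "/tmp/lockcheck-XXXXXX";   /* constructed temp file, not /tmp/dmo */
    int fd = mkstemp(path);
    if (fd == -1) return 0;
    pid_t child = spawn_lock_holder(path);
    if (child <= 0) { close(fd); unlink(path); return 0; }
    pid_t holder = -1;
    for (int i = 0; i < 200 && holder != child; i++) {  /* wait for the child to lock */
        usleep(10000);
        holder = lock_holder(fd);
    }
    int held_while_alive = (holder == child);
    kill(child, SIGTERM);
    waitpid(child, NULL, 0);
    int released = (lock_holder(fd) == 0);
    close(fd);
    unlink(path);
    return held_while_alive && released;
}
```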