From: "Wangnan (F)" <wangnan0@huawei.com>
To: <ast@plumgrid.com>, <linux-kernel@vger.kernel.org>
Cc: lizefan 00213767 <lizefan@huawei.com>
Subject: [BUG] kernel panic after bpf program removed.
Date: Fri, 15 May 2015 11:54:11 +0800
Message-ID: <55556DE3.5020106@huawei.com>
Hi Alexei Starovoitov and others,

I triggered a kernel panic when developing my 'perf bpf' facility. The call stack is listed at the bottom of this mail.

I attached two bpf programs on 'kmem_cache_free%return' and '__alloc_pages_nodemask'. The programs are very simple.

The panic is raised after closing the bpf program and the perf event file. Looks like the panic is caused by a race between closing the perf event fd and the bpf program fd. I'm unable to reproduce this problem with similar operations.

Following is the exact instruction that caused the panic.
ffffffff8111cf70 <bpf_prog_put>:
void bpf_prog_put(struct bpf_prog *prog)
{
ffffffff8111cf70: e8 fb a1 49 00    callq ffffffff815b7170 <__fentry__>
ffffffff8111cf75: 55                push %rbp
ffffffff8111cf76: 48 89 e5          mov %rsp,%rbp
ffffffff8111cf79: 53                push %rbx
ffffffff8111cf7a: 48 89 fb          mov %rdi,%rbx
ffffffff8111cf7d: 48 83 ec 08       sub $0x8,%rsp
ffffffff8111cf81: 48 8b 47 10       mov 0x10(%rdi),%rax    <-- *panic at this instruction*
ffffffff8111cf85: f0 ff 08          lock decl (%rax)
ffffffff8111cf88: 74 0e             je ffffffff8111cf98 <bpf_prog_put+0x28>
        if (atomic_dec_and_test(&prog->aux->refcnt)) {
                free_used_maps(prog->aux);
                bpf_prog_free(prog);
        }
}
ffffffff8111cf8a: 48 83 c4 08       add $0x8,%rsp
ffffffff8111cf8e: 5b                pop %rbx
ffffffff8111cf8f: 5d                pop %rbp
ffffffff8111cf90: c3                retq
Thank you.
----------------------- KERNEL PANIC -------------------
[ 261.839750] BUG: unable to handle kernel NULL pointer dereference at 00000000000006d0
[ 261.839750] IP: [<ffffffff8111cf81>] bpf_prog_put+0x11/0x50
[ 261.839750] PGD 7f7d0067 PUD 7f74d067 PMD 0
[ 261.839750] Oops: 0000 [#1] SMP
[ 261.839750] Modules linked in:
[ 261.839750] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.0.0+ #11
[ 261.839750] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014
[ 261.839750] task: ffffffff81a114a0 ti: ffffffff81a00000 task.ti: ffffffff81a00000
[ 261.839750] RIP: 0010:[<ffffffff8111cf81>] [<ffffffff8111cf81>] bpf_prog_put+0x11/0x50
[ 261.839750] RSP: 0018:ffff88007ea03e68 EFLAGS: 00000292
[ 261.839750] RAX: ffff880076e35d20 RBX: 00000000000006c0 RCX: ffffffff81123d60
[ 261.839750] RDX: 00000001000d000b RSI: 0000000000000000 RDI: 00000000000006c0
[ 261.839750] RBP: ffff88007ea03e78 R08: ffff88007f10c3c0 R09: ffff88007ea189c0
[ 261.839750] R10: ffff88007aa68290 R11: ffff88007ea0800d R12: ffff88007643a000
[ 261.839750] R13: 000000000000000a R14: 0000000000000125 R15: ffff88007ea16540
[ 261.839750] FS: 0000000000000000(0000) GS:ffff88007ea00000(0000) knlGS:0000000000000000
[ 261.839750] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 261.839750] CR2: 00000000000006d0 CR3: 0000000078aa5000 CR4: 00000000000006f0
[ 261.839750] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 261.839750] DR3: 0000000000000000 DR6: 0000000000000000 DR7: 0000000000000000
[ 261.839750] Stack:
[ 261.839750] ffff88007ea03e78 ffff88007643a320 ffff88007ea03e98 ffffffff81123dac
[ 261.839750] ffffffff81a38380 ffff88007f7de000 ffff88007ea03f08 ffffffff810a2d0b
[ 261.839750] ffffffff81ced238 ffff88007b911508 ffff88007ea16570 ffffffff81a114a0
[ 261.839750] Call Trace:
[ 261.839750] <IRQ>
[ 261.839750] [<ffffffff81123dac>] free_event_rcu+0x4c/0x60
[ 261.839750] [<ffffffff810a2d0b>] rcu_process_callbacks+0x25b/0x5a0
[ 261.839750] [<ffffffff8105749d>] __do_softirq+0xed/0x280
[ 261.839750] [<ffffffff810577fd>] irq_exit+0x4d/0x60
[ 261.839750] [<ffffffff815b7b3a>] smp_apic_timer_interrupt+0x4a/0x60
[ 261.839750] [<ffffffff815b617b>] apic_timer_interrupt+0x6b/0x70
[ 261.839750] <EOI>
[ 261.839750] [<ffffffff8100cd10>] ? default_idle+0x20/0xb0
[ 261.839750] [<ffffffff8100d69f>] arch_cpu_idle+0xf/0x20
[ 261.839750] [<ffffffff8108c117>] cpu_startup_entry+0x2f7/0x400
[ 261.839750] [<ffffffff815a4e87>] rest_init+0x77/0x80
[ 261.839750] [<ffffffff81ae7fcd>] start_kernel+0x423/0x430
[ 261.839750] [<ffffffff81ae799a>] ? set_init_arg+0x56/0x56
[ 261.839750] [<ffffffff81ae75ad>] x86_64_start_reservations+0x2a/0x2c
[ 261.839750] [<ffffffff81ae769b>] x86_64_start_kernel+0xec/0xf0
[ 261.839750] Code: 24 72 e7 49 8b 7d 00 e8 8e ce 05 00 48 83 c4 08 5b 41 5c 41 5d 5d c3 0f 1f 00 66 66 66 66 90 55 48 89 e5 53 48 89 fb 48 83 ec 08 <48> 8b 47 10 3e ff 08 74 0e 48 83 c4 08 5b 5d c3 0f 1f 80 00 00
[ 261.839750] RIP [<ffffffff8111cf81>] bpf_prog_put+0x11/0x50
[ 261.839750] RSP <ffff88007ea03e68>
[ 261.839750] CR2: 00000000000006d0
[ 261.839750] ---[ end trace dddf4ec721745b49 ]---
[ 261.839750] Kernel panic - not syncing: Fatal exception in interrupt
[ 261.839750] Kernel Offset: disabled
[ 261.839750] ---[ end Kernel panic - not syncing: Fatal exception in interrupt
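An added triage script, not part of the report or of the kernel sources, that cross-checks the oops above against itself: it parses the register dump, decodes the faulting instruction from the bytes after the `<48>` marker in the `Code:` line (a `mov 0x10(%rdi),%rax`, i.e. the load of `prog->aux`), recomputes the fault address from RDI plus the displacement, and confirms it matches CR2. The excerpt below is constructed from the oops in this mail with the archive's line wrapping undone; the `PAGE_SIZE` value is the x86-64 default and is an assumption of the script. What the check surfaces is that the `prog` pointer in RDI is 0x6c0, a small but non-zero value: the kernel prints the "NULL pointer dereference" banner for any fault address below `PAGE_SIZE`, so this is a garbage `struct bpf_prog *` rather than a NULL one, which is consistent with the stale reference the report suspects.

```python
"""Cross-check a NULL-deref oops against its faulting instruction.

Constructed excerpt of the oops from the report (only the lines the check
needs, re-joined where the mail archive wrapped them); all values are the
ones printed in the mail.
"""
import re

OOPS = """\
[ 261.839750] BUG: unable to handle kernel NULL pointer dereference at 00000000000006d0
[ 261.839750] IP: [<ffffffff8111cf81>] bpf_prog_put+0x11/0x50
[ 261.839750] RAX: ffff880076e35d20 RBX: 00000000000006c0 RCX: ffffffff81123d60
[ 261.839750] RDX: 00000001000d000b RSI: 0000000000000000 RDI: 00000000000006c0
[ 261.839750] RBP: ffff88007ea03e78 R08: ffff88007f10c3c0 R09: ffff88007ea189c0
[ 261.839750] R10: ffff88007aa68290 R11: ffff88007ea0800d R12: ffff88007643a000
[ 261.839750] R13: 000000000000000a R14: 0000000000000125 R15: ffff88007ea16540
[ 261.839750] CR2: 00000000000006d0 CR3: 0000000078aa5000 CR4: 00000000000006f0
[ 261.839750] Code: 24 72 e7 49 8b 7d 00 e8 8e ce 05 00 48 83 c4 08 5b 41 5c 41 5d 5d c3 0f 1f 00 66 66 66 66 90 55 48 89 e5 53 48 89 fb 48 83 ec 08 <48> 8b 47 10 3e ff 08 74 0e 48 83 c4 08 5b 5d c3 0f 1f 80 00 00
"""

# Assumption: x86-64 with 4 KiB pages. Faults below this address get the
# "NULL pointer dereference" banner even when the pointer is not actually 0.
PAGE_SIZE = 4096

# General-purpose registers in x86-64 encoding order, spelled as the oops prints them.
REGS = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI",
        "R08", "R09", "R10", "R11", "R12", "R13", "R14", "R15"]


def att(reg):
    """Oops spelling (R08) to AT&T spelling (r8)."""
    return reg.lower().replace("r0", "r")


def parse_registers(oops):
    """Collect the 64-bit register dump (RAX..R15, CR2) into a dict."""
    return {name: int(val, 16)
            for name, val in re.findall(r"\b(R[A-Z0-9]{2}|CR2): ([0-9a-f]{16})\b", oops)}


def faulting_bytes(oops):
    """Opcode bytes from the <xx> marker (start of the faulting instruction) onward."""
    raw = re.search(r"Code: (.*)", oops).group(1).split()
    start = next(i for i, b in enumerate(raw) if b.startswith("<"))
    return [int(b.strip("<>"), 16) for b in raw[start:]]


def decode_mov_load(code):
    """Decode a `mov disp(%base),%dst` (opcode 8b, no SIB) at the start of `code`.

    Returns (dst, base, disp). Only this one form is handled, which is enough
    for the instruction in the report; anything else raises ValueError.
    """
    i, rex = 0, 0
    if 0x40 <= code[i] <= 0x4F:          # optional REX prefix
        rex, i = code[i], i + 1
    if code[i] != 0x8B:
        raise ValueError("not an 8b MOV load")
    modrm = code[i + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if rm == 4 or mod == 3 or (mod == 0 and rm == 5):
        raise ValueError("SIB, register-direct or RIP-relative form not handled")
    reg |= (rex & 0x4) << 1              # REX.R extends the destination register
    rm |= (rex & 0x1) << 3               # REX.B extends the base register
    ndisp = {0: 0, 1: 1, 2: 4}[mod]
    disp = int.from_bytes(bytes(code[i + 2:i + 2 + ndisp]), "little", signed=True) if ndisp else 0
    return REGS[reg], REGS[rm], disp


def triage(oops):
    """Recompute the fault address from the base register and compare with CR2."""
    regs = parse_registers(oops)
    dst, base, disp = decode_mov_load(faulting_bytes(oops))
    computed = (regs[base] + disp) & 0xFFFFFFFFFFFFFFFF
    return {
        "load": f"mov 0x{disp:x}(%{att(base)}),%{att(dst)}",
        "base_reg": base,
        "base_value": regs[base],
        "computed_fault_addr": computed,
        "cr2": regs["CR2"],
        "consistent": computed == regs["CR2"],
        "base_is_null": regs[base] == 0,
        # Non-zero but below PAGE_SIZE: the pointer is garbage, i.e. the object
        # it was read from was already freed or overwritten, not a NULL field.
        "base_is_small_garbage": 0 < regs[base] < PAGE_SIZE,
    }


if __name__ == "__main__":
    for key, value in triage(OOPS).items():
        print(f"{key:22} {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:22} {value}")
```

For this oops the script reports `mov 0x10(%rdi),%rax` with RDI = 0x6c0 and a computed fault address of 0x6d0 equal to CR2, and flags the base pointer as small garbage rather than NULL. The decoder is deliberately narrow (one opcode, no SIB); a real triage tool would hand the bytes to a disassembler, but the register-plus-displacement check is the part worth automating.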
Thread overview (3 messages):
2015-05-15 3:54 Wangnan (F) [this message]
2015-05-15 5:37 ` [BUG] kernel panic after bpf program removed Alexei Starovoitov
2015-05-15 9:20 ` Wangnan (F)