netdev.vger.kernel.org archive mirror
* Recent Linus' tree, kernel BUG at fs/inode.c:1436!
@ 2014-12-19 11:34 Pavel Emelyanov
  2014-12-19 12:01 ` Al Viro
  0 siblings, 1 reply; 3+ messages in thread
From: Pavel Emelyanov @ 2014-12-19 11:34 UTC (permalink / raw)
  To: Linux Netdev List, linux-fsdevel

Hi,

It looks like there's a strange refcount underflow in VFS/socket code.
The proggie [1] crashes the recent Linus' tree (d790be38 Merge tag
'modules-next-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux) 
with the calltrace [2].

If in the proggie the psk is replaced with non-socket descriptor the
issue doesn't appear.

Thanks,
Pavel


[1]--------------------------------------------

#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#include <stdio.h>
#include <fcntl.h>

int main(int argc, char **argv)
{
	int psk, proc;
	char buf[1024];

	/* an ordinary AF_UNIX stream socket ... */
	psk = socket(PF_LOCAL, SOCK_STREAM, 0);
	/* ... re-opened by path through its /proc/self/fd magic link */
	sprintf(buf, "/proc/self/fd/%d", psk);
	proc = open(buf, O_RDONLY);
	/* closing both descriptors is where the refcount underflow
	 * shows up, see trace [2] */
	close(proc);
	close(psk);

	return 0;
}

[2]--------------------------------------------

[  322.823998] ------------[ cut here ]------------
[  322.824251] kernel BUG at fs/inode.c:1436!
[  322.824251] invalid opcode: 0000 [#6] SMP 
[  322.824251] Modules linked in: serio_raw ata_generic
[  322.824251] CPU: 0 PID: 1058 Comm: a.out Tainted: G      D        3.18.0-criu+ #10
[  322.824251] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  322.824251] task: ffff88003ca7d070 ti: ffff880037058000 task.ti: ffff880037058000
[  322.824251] RIP: 0010:[<ffffffff811521bf>]  [<ffffffff811521bf>] iput+0x13f/0x180
[  322.824251] RSP: 0018:ffff88003705be08  EFLAGS: 00010202
[  322.824251] RAX: 0000000000000000 RBX: ffff88003dd0dbb0 RCX: dead000000200200
[  322.824251] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff88003dd0dbb0
[  322.824251] RBP: ffff88003705be28 R08: ffff88003d187a50 R09: ffff88003fc15820
[  322.824251] R10: ffffffff81392d4e R11: ffffea0000f74300 R12: ffff88003dd0dbb0
[  322.824251] R13: ffff88003d187a18 R14: 0000000000000000 R15: ffff88003d1879c0
[  322.824251] FS:  00007f1720ba7740(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
[  322.824251] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  322.824251] CR2: 00007f17206c4630 CR3: 000000003731d000 CR4: 00000000000006f0
[  322.824251] Stack:
[  322.824251]  ffff88003d1879c0 ffff88003dd0dbb0 ffff88003d187a18 0000000000000000
[  322.824251]  ffff88003705be58 ffffffff8114d710 ffff88003705be58 0000000000000000
[  322.824251]  ffff88003d187a18 ffff88003dd0dbb0 ffff88003705be88 ffffffff8114d7fd
[  322.824251] Call Trace:
[  322.824251]  [<ffffffff8114d710>] __dentry_kill+0x180/0x1d0
[  322.824251]  [<ffffffff8114d7fd>] dput+0x9d/0x160
[  322.824251]  [<ffffffff81139198>] __fput+0x168/0x1e0
[  322.824251]  [<ffffffff81139259>] ____fput+0x9/0x10
[  322.824251]  [<ffffffff81065d2f>] task_work_run+0xaf/0xf0
[  322.824251]  [<ffffffff81002c71>] do_notify_resume+0x51/0x80
[  322.824251]  [<ffffffff81494920>] int_signal+0x12/0x17
[  322.824251] Code: 00 00 00 eb a0 0f 1f 80 00 00 00 00 48 81 8b 90 00 00 00 00 01 00 00 48 89 df e8 7d fe ff ff 80 83 80 00 00 00 01 e9 fb fe ff ff <0f> 0b be 71 05 00 00 48 c7 c7 53 2a 75 81 e8 5e a9 ef ff e9 06 
[  322.824251] RIP  [<ffffffff811521bf>] iput+0x13f/0x180
[  322.824251]  RSP <ffff88003705be08>
[  322.855968] ---[ end trace 2e35ddcef73fed30 ]---


* Re: Recent Linus' tree, kernel BUG at fs/inode.c:1436!
  2014-12-19 11:34 Recent Linus' tree, kernel BUG at fs/inode.c:1436! Pavel Emelyanov
@ 2014-12-19 12:01 ` Al Viro
  2014-12-19 12:08   ` Pavel Emelyanov
  0 siblings, 1 reply; 3+ messages in thread
From: Al Viro @ 2014-12-19 12:01 UTC (permalink / raw)
  To: Pavel Emelyanov; +Cc: Linux Netdev List, linux-fsdevel

On Fri, Dec 19, 2014 at 02:34:00PM +0300, Pavel Emelyanov wrote:
> Hi,
> 
> It looks like there's a strange refcount underflow in VFS/socket code.
> The proggie [1] crashes the recent Linus' tree (d790be38 Merge tag
> 'modules-next-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux) 
> with the calltrace [2].
> 
> If in the proggie the psk is replaced with non-socket descriptor the
> issue doesn't appear.

Gyah... mismerge on cherry-pick.  My fault - ->i_fop assignment should've
been removed from sock_alloc_file() in bd9b51.  Could you verify that the
following recovers the things?

diff --git a/net/socket.c b/net/socket.c
index 70bbde6..a2c33a4 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -372,7 +372,6 @@ struct file *sock_alloc_file(struct socket *sock, int flags, const char *dname)
 	path.mnt = mntget(sock_mnt);
 
 	d_instantiate(path.dentry, SOCK_INODE(sock));
-	SOCK_INODE(sock)->i_fop = &socket_file_ops;
 
 	file = alloc_file(&path, FMODE_READ | FMODE_WRITE,
 		  &socket_file_ops);
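Review bot: the one-line deletion of `SOCK_INODE(sock)->i_fop = &socket_file_ops;` needs a changelog that records why it goes (the bd9b51 mismerge noted above) and the /proc/self/fd reproducer as the test case; as posted, the diff alone reads like an unexplained removal. Functionally it looks right: the socket's own struct file still gets its operations explicitly from the `alloc_file(&path, FMODE_READ | FMODE_WRITE, &socket_file_ops)` call two lines below in the same hunk, so only a path-based open of the sockfs inode (which is exactly what the reproducer does) changes behaviour. Worth a quick check that nothing else in net/socket.c reads ->i_fop off the sockfs inode before this goes in.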


* Re: Recent Linus' tree, kernel BUG at fs/inode.c:1436!
  2014-12-19 12:01 ` Al Viro
@ 2014-12-19 12:08   ` Pavel Emelyanov
  0 siblings, 0 replies; 3+ messages in thread
From: Pavel Emelyanov @ 2014-12-19 12:08 UTC (permalink / raw)
  To: Al Viro; +Cc: Linux Netdev List, linux-fsdevel

On 12/19/2014 03:01 PM, Al Viro wrote:
> On Fri, Dec 19, 2014 at 02:34:00PM +0300, Pavel Emelyanov wrote:
>> Hi,
>>
>> It looks like there's a strange refcount underflow in VFS/socket code.
>> The proggie [1] crashes the recent Linus' tree (d790be38 Merge tag
>> 'modules-next-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux) 
>> with the calltrace [2].
>>
>> If in the proggie the psk is replaced with non-socket descriptor the
>> issue doesn't appear.
> 
> Gyah... mismerge on cherry-pick.  My fault - ->i_fop assignment should've
> been removed from sock_alloc_file() in bd9b51.  Could you verify that the
> following recovers the things?
> 
> diff --git a/net/socket.c b/net/socket.c
> index 70bbde6..a2c33a4 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -372,7 +372,6 @@ struct file *sock_alloc_file(struct socket *sock, int flags, const char *dname)
>  	path.mnt = mntget(sock_mnt);
>  
>  	d_instantiate(path.dentry, SOCK_INODE(sock));
> -	SOCK_INODE(sock)->i_fop = &socket_file_ops;
>  
>  	file = alloc_file(&path, FMODE_READ | FMODE_WRITE,
>  		  &socket_file_ops);
> .
> 

Acked-by: Pavel Emelyanov <xemul@parallels.com>

This also makes socket non-open-able back again, which, in turn, was
another issue I was surprised with on the new kernel :)

Thanks,
Pavel


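The behaviour the thread settles on (a socket descriptor must not be re-openable by path through /proc/self/fd, while a non-socket descriptor is) can be kept as a regression check once the fix is in. The program below is an added example, not code from the thread; the function names are mine, and it assumes Linux with /proc mounted and a kernel carrying the fix, where the socket case fails with ENXIO.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open /proc/self/fd/<fd>; 0 if it worked (extra fd closed), else errno. */
static int reopen_via_proc(int fd)
{
	char path[64];
	int nfd;
	snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
	nfd = open(path, O_RDONLY);
	if (nfd < 0)
		return errno;
	close(nfd);
	return 0;
}

/* Socket case: a sockfs inode must not be open-able by path.
 * Expected non-zero (ENXIO on a fixed kernel). */
int socket_reopen_result(void)
{
	int sk = socket(AF_UNIX, SOCK_STREAM, 0), rc;
	if (sk < 0)
		return errno;
	rc = reopen_via_proc(sk);
	close(sk);
	return rc;
}

/* Control case from the report: a non-socket descriptor (here the read
 * end of a pipe, whose writer we keep open) re-opens fine. Expected 0. */
int pipe_reopen_result(void)
{
	int p[2], rc;
	if (pipe(p) < 0)
		return errno;
	rc = reopen_via_proc(p[0]);
	close(p[0]);
	close(p[1]);
	return rc;
}

int main(void)
{
	int s = socket_reopen_result(), f = pipe_reopen_result();
	printf("socket: errno %d (want ENXIO=%d), pipe: errno %d (want 0)\n",
	       s, ENXIO, f);
	return s == 0 || f != 0;	/* non-zero exit: regression */
}
```

On a kernel that still carries the mismerge the socket open succeeds and the process hits the same BUG as reproducer [1] at close time, so run it in a throwaway VM.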
