Here is a reproducer:
1. Run netns.sh script in loop
# while true; do ./netns.sh; done
# cat netns.sh
#!/bin/bash
num=1000
function create_netns()
{
	for((i=0; i<$num; i++))
	do
		ip netns add local$i
		ip netns exec local$i pwd &
	done
}
function clean_netns()
{
	for((i=0; i<$num; i++))
	do
		ip netns del local$i
	done
}
create_netns
clean_netns
2. run fs_bind/fs_bind24 in loop, fs_bind24 only
# cat /opt/ltp/runtest/fs_bind
#DESCRIPTION:Bind mounts and shared subtrees
fs_bind24_sh fs_bind24.sh
# while true; do /opt/ltp/runltp -f fs_bind; done
This oops also exists in the latest kernel code:
[ 1381.034793] BUG: unable to handle kernel NULL pointer dereference
at 0000000000000010
[ 1381.035608] PGD 0 P4D 0
[ 1381.035865] Oops: 0000 [#1] SMP PTI
[ 1381.036227] CPU: 0 PID: 281475 Comm: mount Kdump: loaded Not
tainted 4.19.90-2109.1.0.0108.oe1.x86_64 #1
[ 1381.037174] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
VirtualBox 12/01/2006
[ 1381.038001] RIP: 0010:propagate_one+0x9d/0x200
[ 1381.038450] Code: 01 00 00 49 89 d1 49 8b 91 d8 00 00 00 4c 39 c2
75 e7 4c 8b 15 4c ae 9e 01 48 89 fa eb 09 48 8b 92 d8 00 00 00 89 c6
49 39 d2 <48> 8b 4a 10 0f 84 10 01 00 00 4c 39 81 d8 00 00 00 75 e1 40
84 f6
[ 1381.040317] RSP: 0018:ffffb7648932fdd8 EFLAGS: 00010282
[ 1381.041049] RAX: ffff893a8f19a101 RBX: ffff893aa421b500 RCX: ffff893a99e2f380
[ 1381.041776] RDX: 0000000000000000 RSI: 000000008f19a101 RDI: ffff893a9f939200
[ 1381.043437] RBP: ffff893aadba5980 R08: ffff893aadba5980 R09: ffff893aa421b500
[ 1381.044159] R10: ffff893a9f939080 R11: 0000000000017f40 R12: ffffb7648932fe28
[ 1381.044867] R13: 0000000000000000 R14: ffff893aa421b500 R15: ffff8939c7d08900
[ 1381.045578] FS: 00007fae96b07c80(0000) GS:ffff893ad7a00000(0000)
knlGS:0000000000000000
[ 1381.046395] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1381.046968] CR2: 0000000000000010 CR3: 00000001d8ea4006 CR4: 00000000000606f0
[ 1381.047678] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1381.048391] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1381.049104] Call Trace:
[ 1381.049366] propagate_mnt+0x11f/0x150
[ 1381.049745] attach_recursive_mnt+0x220/0x2e0
[ 1381.050191] do_mount+0xa6c/0xc80
[ 1381.050526] ? __kmalloc_track_caller+0x5a/0x200
[ 1381.051007] ? _copy_from_user+0x37/0x60
[ 1381.051403] ksys_mount+0x80/0xd0
[ 1381.051738] __x64_sys_mount+0x21/0x30
[ 1381.052124] do_syscall_64+0x5f/0x240
[ 1381.052500] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1381.053017] RIP: 0033:0x7fae96cbf24a
[ 1381.053378] Code: 48 8b 0d 59 7c 0b 00 f7 d8 64 89 01 48 83 c8 ff
c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00
00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 26 7c 0b 00 f7 d8 64 89
01 48
[ 1381.055249] RSP: 002b:00007ffd13aa2d88 EFLAGS: 00000246 ORIG_RAX:
00000000000000a5
[ 1381.056004] RAX: ffffffffffffffda RBX: 000055f4e88f6420 RCX: 00007fae96cbf24a
[ 1381.056714] RDX: 000055f4e88f6650 RSI: 000055f4e88f93d0 RDI: 000055f4e88f8350
[ 1381.057636] RBP: 0000000000000000 R08: 0000000000000000 R09: 000055f4e88f5010
[ 1381.058502] R10: 0000000000001000 R11: 0000000000000246 R12: 000055f4e88f8350
[ 1381.059236] R13: 000055f4e88f6650 R14: 0000000000000001 R15: 00007fae96e62224
[ 1381.059959] Modules linked in: veth xt_addrtype br_netfilter
dm_thin_pool dm_persistent_data dm_bio_prison dm_bufio loop
ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4
xt_conntrack ebtable_filter ebtable_nat ebtable_broute bridge stp llc
ebtables ip6table_nat nf_nat_ipv6 ip6table_mangle ip6table_raw
ip6table_security iptable_nat nf_nat_ipv4 nf_nat iptable_mangle
iptable_raw iptable_security nf_conntrack nf_defrag_ipv6
nf_defrag_ipv4 libcrc32c rfkill ip_set nfnetlink ip6table_filter
ip6_tables iptable_filter vfat fat vmwgfx snd_intel8x0 snd_ac97_codec
crct10dif_pclmul crc32_pclmul ac97_bus snd_pcm ghash_clmulni_intel ttm
snd_timer drm_kms_helper snd syscopyarea joydev sg sysfillrect
sysimgblt fb_sys_fops soundcore i2c_piix4 drm pcspkr intel_rapl_perf
video ip_tables ext4 mbcache
[ 1381.067111] jbd2 sr_mod cdrom sd_mod ata_generic crc32c_intel
serio_raw ata_piix ahci libahci e1000 libata dm_mirror dm_region_hash
dm_log dm_mod
[ 1381.068437] CR2: 0000000000000010
On Tue, Nov 15, 2022 at 11:04:01PM +0800, ditang chen wrote:
> Here is a reproducer:
> 1. Run netns.sh script in loop
> # while true; do ./netns.sh; done
> # cat netns.sh
> #!/bin/bash
> num=1000
> function create_netns()
> {
> 	for((i=0; i<$num; i++))
> 	do
> 		ip netns add local$i
> 		ip netns exec local$i pwd &
> 	done
> }
> function clean_netns()
> {
> 	for((i=0; i<$num; i++))
> 	do
> 		ip netns del local$i
> 	done
> }
> create_netns
> clean_netns
>
> 2. run fs_bind/fs_bind24 in loop, fs_bind24 only
> # cat /opt/ltp/runtest/fs_bind
> #DESCRIPTION:Bind mounts and shared subtrees
> fs_bind24_sh fs_bind24.sh
> # while true; do /opt/ltp/runltp -f fs_bind; done
>
> This oops also exists in the latest kernel code:
I've been running this since yesterday on v6.1-rc7 to reproduce and it
didn't trigger. It's unclear whether you're saying that you've managed
to reproduce this on mainline. It doesn't seem to be.
cc [email protected] [email protected]
ditang chen <[email protected]> wrote on Sun, Dec 4, 2022 at 23:46:
>
> Thank you for your reply ~~
>
> In the second step, it's easier to reproduce using the following script:
> # cat /opt/ltp/testcases/bin/fs_bind24.sh
> #!/bin/sh
> FS_BIND_TESTFUNC=test
>
> test()
> {
> 	tst_res TINFO "bind: shared child to shared parent"
>
> 	fs_bind_makedir rshared dir1
> 	mkdir dir1/1 dir1/1/2 dir1/1/2/3 dir1/1/2/fs_bind_check dir2 dir3 dir4
> 	touch dir4/ls
>
> 	EXPECT_PASS mount --bind dir1/1/2 dir2
> 	EXPECT_PASS mount --make-rslave dir1
> 	EXPECT_PASS mount --make-rshared dir1
>
> 	EXPECT_PASS mount --bind dir1/1/2/3 dir3
> 	EXPECT_PASS mount --make-rslave dir1
>
> 	while true
> 	do
> 		EXPECT_PASS mount --bind dir4 dir2/fs_bind_check
> 		EXPECT_PASS umount dir2/fs_bind_check
> 	done
>
> 	fs_bind_check dir1/1/2/fs_bind_check/ dir4
>
> 	EXPECT_PASS umount dir2/fs_bind_check
> 	EXPECT_PASS umount dir3
> 	EXPECT_PASS umount dir2
> 	EXPECT_PASS umount dir1
> }
>
> . fs_bind_lib.sh
> tst_run
>
> And then, run netns.sh while running fs_bind:
> # /opt/ltp/runltp -f fs_bind
>
> Here is a reproducer in 6.1.0-rc7:
> [ 115.848393] BUG: kernel NULL pointer dereference, address: 0000000000000010
> [ 115.848967] #PF: supervisor read access in kernel mode
> [ 115.849386] #PF: error_code(0x0000) - not-present page
> [ 115.849803] PGD 0 P4D 0
> [ 115.850012] Oops: 0000 [#1] PREEMPT SMP PTI
> [ 115.850354] CPU: 0 PID: 15591 Comm: mount Not tainted 6.1.0-rc7 #3
> [ 115.850851] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
> VirtualBox 12/01/2006
> [ 115.851510] RIP: 0010:propagate_one.part.0+0x7f/0x1a0
> [ 115.851924] Code: 75 eb 4c 8b 05 c2 25 37 02 4c 89 ca 48 8b 4a 10
> 49 39 d0 74 1e 48 3b 81 e0 00 00 00 74 26 48 8b 92 e0 00 00 00 be 01
> 00 00 00 <48> 8b 4a 10 49 39 d0 75 e2 40 84 f6 74 38 4c 89 05 84 25 37
> 02 4d
> [ 115.853441] RSP: 0018:ffffb8d5443d7d50 EFLAGS: 00010282
> [ 115.853865] RAX: ffff8e4d87c41c80 RBX: ffff8e4d88ded780 RCX: ffff8e4da4333a00
> [ 115.854458] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8e4d88ded780
> [ 115.855044] RBP: ffff8e4d88ded780 R08: ffff8e4da4338000 R09: ffff8e4da43388c0
> [ 115.855693] R10: 0000000000000002 R11: ffffb8d540158000 R12: ffffb8d5443d7da8
> [ 115.856304] R13: ffff8e4d88ded780 R14: 0000000000000000 R15: 0000000000000000
> [ 115.856859] FS: 00007f92c90c9800(0000) GS:ffff8e4dfdc00000(0000)
> knlGS:0000000000000000
> [ 115.857531] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 115.858006] CR2: 0000000000000010 CR3: 0000000022f4c002 CR4: 00000000000706f0
> [ 115.858598] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 115.859393] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 115.860099] Call Trace:
> [ 115.860358] <TASK>
> [ 115.860535] propagate_mnt+0x14d/0x190
> [ 115.860848] attach_recursive_mnt+0x274/0x3e0
> [ 115.861212] path_mount+0x8c8/0xa60
> [ 115.861503] __x64_sys_mount+0xf6/0x140
> [ 115.861819] do_syscall_64+0x5b/0x80
> [ 115.862117] ? do_faccessat+0x123/0x250
> [ 115.862435] ? syscall_exit_to_user_mode+0x17/0x40
> [ 115.862826] ? do_syscall_64+0x67/0x80
> [ 115.863133] ? syscall_exit_to_user_mode+0x17/0x40
> [ 115.863527] ? do_syscall_64+0x67/0x80
> [ 115.863835] ? do_syscall_64+0x67/0x80
> [ 115.864144] ? do_syscall_64+0x67/0x80
> [ 115.864452] ? exc_page_fault+0x70/0x170
> [ 115.864775] entry_SYSCALL_64_after_hwframe+0x63/0xcd
> [ 115.865187] RIP: 0033:0x7f92c92b0ebe
> [ 115.865480] Code: 48 8b 0d 75 4f 0c 00 f7 d8 64 89 01 48 83 c8 ff
> c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00
> 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 42 4f 0c 00 f7 d8 64 89
> 01 48
> [ 115.866984] RSP: 002b:00007fff000aa728 EFLAGS: 00000246 ORIG_RAX:
> 00000000000000a5
> [ 115.867607] RAX: ffffffffffffffda RBX: 000055a77888d6b0 RCX: 00007f92c92b0ebe
> [ 115.868240] RDX: 000055a77888d8e0 RSI: 000055a77888e6e0 RDI: 000055a77888e620
> [ 115.868823] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
> [ 115.869403] R10: 0000000000001000 R11: 0000000000000246 R12: 000055a77888e620
> [ 115.869994] R13: 000055a77888d8e0 R14: 00000000ffffffff R15: 00007f92c93e4076
> [ 115.870581] </TASK>
> [ 115.870763] Modules linked in: nft_fib_inet nft_fib_ipv4
> nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6
> nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6
> nf_defrag_ipv4 ip_set rfkill nf_tables nfnetlink qrtr snd_intel8x0
> sunrpc snd_ac97_codec ac97_bus snd_pcm snd_timer intel_rapl_msr
> intel_rapl_common snd vboxguest intel_powerclamp video rapl joydev
> soundcore i2c_piix4 wmi fuse zram xfs vmwgfx crct10dif_pclmul
> crc32_pclmul crc32c_intel polyval_clmulni polyval_generic
> drm_ttm_helper ttm e1000 ghash_clmulni_intel serio_raw ata_generic
> pata_acpi scsi_dh_rdac scsi_dh_emc scsi_dh_alua dm_multipath
> [ 115.875288] CR2: 0000000000000010
> [ 115.875641] ---[ end trace 0000000000000000 ]---
> [ 115.876135] RIP: 0010:propagate_one.part.0+0x7f/0x1a0
> [ 115.876551] Code: 75 eb 4c 8b 05 c2 25 37 02 4c 89 ca 48 8b 4a 10
> 49 39 d0 74 1e 48 3b 81 e0 00 00 00 74 26 48 8b 92 e0 00 00 00 be 01
> 00 00 00 <48> 8b 4a 10 49 39 d0 75 e2 40 84 f6 74 38 4c 89 05 84 25 37
> 02 4d
> [ 115.878086] RSP: 0018:ffffb8d5443d7d50 EFLAGS: 00010282
> [ 115.878511] RAX: ffff8e4d87c41c80 RBX: ffff8e4d88ded780 RCX: ffff8e4da4333a00
> [ 115.879128] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8e4d88ded780
> [ 115.879715] RBP: ffff8e4d88ded780 R08: ffff8e4da4338000 R09: ffff8e4da43388c0
> [ 115.880359] R10: 0000000000000002 R11: ffffb8d540158000 R12: ffffb8d5443d7da8
> [ 115.880962] R13: ffff8e4d88ded780 R14: 0000000000000000 R15: 0000000000000000
> [ 115.881548] FS: 00007f92c90c9800(0000) GS:ffff8e4dfdc00000(0000)
> knlGS:0000000000000000
> [ 115.882234] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 115.882713] CR2: 0000000000000010 CR3: 0000000022f4c002 CR4: 00000000000706f0
> [ 115.883314] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 115.883966] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
> Best regards,
> --
>
>
> Christian Brauner <[email protected]> wrote on Tue, Nov 29, 2022 at 18:25:
>
>
> >
> > On Tue, Nov 15, 2022 at 11:04:01PM +0800, ditang chen wrote:
> > > Here is a reproducer:
> > > 1. Run netns.sh script in loop
> > > # while true; do ./netns.sh; done
> > > # cat netns.sh
> > > #!/bin/bash
> > > num=1000
> > > function create_netns()
> > > {
> > > 	for((i=0; i<$num; i++))
> > > 	do
> > > 		ip netns add local$i
> > > 		ip netns exec local$i pwd &
> > > 	done
> > > }
> > > function clean_netns()
> > > {
> > > 	for((i=0; i<$num; i++))
> > > 	do
> > > 		ip netns del local$i
> > > 	done
> > > }
> > > create_netns
> > > clean_netns
> > >
> > > 2. run fs_bind/fs_bind24 in loop, fs_bind24 only
> > > # cat /opt/ltp/runtest/fs_bind
> > > #DESCRIPTION:Bind mounts and shared subtrees
> > > fs_bind24_sh fs_bind24.sh
> > > # while true; do /opt/ltp/runltp -f fs_bind; done
> > >
> > > This oops also exists in the latest kernel code:
> >
> > I've been running this since yesterday on v6.1-rc7 to reproduce and it
> > didn't trigger. It's unclear whether you're saying that you've managed
> > to reproduce this on mainline. It doesn't seem to be.
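The question in this thread is whether the 4.19 oops and the 6.1.0-rc7 oops are the same crash. Below is an added triage script (not part of the thread, not LTP or kernel code) that parses an x86-64 oops into comparable fields: the faulting address, the kernel version, the kernel-side RIP symbol with compiler suffixes such as ".part.0" stripped, and the reliable call-trace frames (dropping the "?" guesses). The two sample dumps are constructed from the lines of the reports above, trimmed to the fields the parser needs.

```python
import re

# Constructed samples in the shape of the two oopses above (4.19 and 6.1.0-rc7),
# trimmed to the lines the triage below needs.
OOPS_419 = """\
[ 1381.034793] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[ 1381.036227] CPU: 0 PID: 281475 Comm: mount Kdump: loaded Not tainted 4.19.90-2109.1.0.0108.oe1.x86_64 #1
[ 1381.038001] RIP: 0010:propagate_one+0x9d/0x200
[ 1381.049104] Call Trace:
[ 1381.049366] propagate_mnt+0x11f/0x150
[ 1381.049745] attach_recursive_mnt+0x220/0x2e0
[ 1381.050191] do_mount+0xa6c/0xc80
[ 1381.051403] ksys_mount+0x80/0xd0
"""
OOPS_61 = """\
[ 115.848393] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 115.850354] CPU: 0 PID: 15591 Comm: mount Not tainted 6.1.0-rc7 #3
[ 115.851510] RIP: 0010:propagate_one.part.0+0x7f/0x1a0
[ 115.860099] Call Trace:
[ 115.860358] <TASK>
[ 115.860535] propagate_mnt+0x14d/0x190
[ 115.860848] attach_recursive_mnt+0x274/0x3e0
[ 115.861212] path_mount+0x8c8/0xa60
[ 115.862117] ? do_faccessat+0x123/0x250
"""
TS = r"^\[\s*[\d.]+\]\s*"                      # printk timestamp prefix
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

def parse_oops(text):
    """Extract fault address, kernel version, kernel RIP symbol and the
    reliable call-trace frames from an x86-64 oops."""
    info = {"trace": [], "fault_addr": None, "kernel": None, "rip_sym": None}
    in_trace = False
    for line in text.splitlines():
        body = re.sub(TS, "", line).strip()
        if body.startswith("BUG:"):
            m = re.search(r"(?:at|address:)\s*([0-9a-f]{16})$", body)
            info["fault_addr"] = int(m.group(1), 16) if m else None
        elif body.startswith("CPU:"):
            m = re.search(r"(\S+)\s+#\d+$", body)        # version sits before "#N"
            info["kernel"] = m.group(1) if m else None
            info["tainted"] = "Not tainted" not in body
        elif body.startswith("RIP: 0010:"):              # 0010 = kernel code segment
            sym = body.split(":", 2)[2].split("+")[0]
            info["rip_sym"] = sym.split(".")[0]          # drop ".part.0", ".isra.N", ...
        elif body == "Call Trace:":
            in_trace = True
        elif in_trace:
            m = FRAME.match(body)
            if m and not m.group(1):                     # "? " frames are stale guesses
                info["trace"].append(m.group(2))
    return info

def same_crash(a, b):
    """Same faulting function, same NULL offset, same two callers above it."""
    return (a["rip_sym"] == b["rip_sym"] and a["fault_addr"] == b["fault_addr"]
            and a["trace"][:2] == b["trace"][:2])
```

Both dumps resolve to `propagate_one` faulting on offset 0x10 of a NULL pointer, reached via `propagate_mnt` and `attach_recursive_mnt`, which is what the comparison checks; the entry path below those frames differs between 4.19 (`do_mount`/`ksys_mount`) and 6.1 (`path_mount`) and is deliberately ignored.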