From: "Wangnan (F)"
Date: Fri, 15 May 2015 11:54:11 +0800
CC: lizefan 00213767
Subject: [BUG] kernel panic after bpf program removed.
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Alexei Starovoitov and others,

I triggered a kernel panic when developing my 'perf bpf' facility. The call stack is listed at the bottom of this mail.

I attached two bpf programs on 'kmem_cache_free%return' and '__alloc_pages_nodemask'. The programs are very simple. The panic is raised after closing the bpf program and the perf event file. Looks like the panic is caused by racing between closing perf event fd and bpf program fd. I'm unable to reproduce this problem with similar operations.

Following is the exact instruction that caused the panic.

ffffffff8111cf70 :
void bpf_prog_put(struct bpf_prog *prog)
{
ffffffff8111cf70:       e8 fb a1 49 00          callq  ffffffff815b7170 <__fentry__>
ffffffff8111cf75:       55                      push   %rbp
ffffffff8111cf76:       48 89 e5                mov    %rsp,%rbp
ffffffff8111cf79:       53                      push   %rbx
ffffffff8111cf7a:       48 89 fb                mov    %rdi,%rbx
ffffffff8111cf7d:       48 83 ec 08             sub    $0x8,%rsp
ffffffff8111cf81:       48 8b 47 10             mov    0x10(%rdi),%rax    <-- *panic at this instruction*
ffffffff8111cf85:       f0 ff 08                lock decl (%rax)
ffffffff8111cf88:       74 0e                   je     ffffffff8111cf98
        if (atomic_dec_and_test(&prog->aux->refcnt)) {
                free_used_maps(prog->aux);
                bpf_prog_free(prog);
        }
}
ffffffff8111cf8a:       48 83 c4 08             add    $0x8,%rsp
ffffffff8111cf8e:       5b                      pop    %rbx
ffffffff8111cf8f:       5d                      pop    %rbp
ffffffff8111cf90:       c3                      retq

Thank you.

----------------------- KERNEL PANIC -------------------
[  261.839750] BUG: unable to handle kernel NULL pointer dereference at 00000000000006d0
[  261.839750] IP: [] bpf_prog_put+0x11/0x50
[  261.839750] PGD 7f7d0067 PUD 7f74d067 PMD 0
[  261.839750] Oops: 0000 [#1] SMP
[  261.839750] Modules linked in:
[  261.839750] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.0.0+ #11
[  261.839750] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014
[  261.839750] task: ffffffff81a114a0 ti: ffffffff81a00000 task.ti: ffffffff81a00000
[  261.839750] RIP: 0010:[] [] bpf_prog_put+0x11/0x50
[  261.839750] RSP: 0018:ffff88007ea03e68 EFLAGS: 00000292
[  261.839750] RAX: ffff880076e35d20 RBX: 00000000000006c0 RCX: ffffffff81123d60
[  261.839750] RDX: 00000001000d000b RSI: 0000000000000000 RDI: 00000000000006c0
[  261.839750] RBP: ffff88007ea03e78 R08: ffff88007f10c3c0 R09: ffff88007ea189c0
[  261.839750] R10: ffff88007aa68290 R11: ffff88007ea0800d R12: ffff88007643a000
[  261.839750] R13: 000000000000000a R14: 0000000000000125 R15: ffff88007ea16540
[  261.839750] FS:  0000000000000000(0000) GS:ffff88007ea00000(0000) knlGS:0000000000000000
[  261.839750] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  261.839750] CR2: 00000000000006d0 CR3: 0000000078aa5000 CR4: 00000000000006f0
[  261.839750] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  261.839750] DR3: 0000000000000000 DR6: 0000000000000000 DR7: 0000000000000000
[  261.839750] Stack:
[  261.839750]  ffff88007ea03e78 ffff88007643a320 ffff88007ea03e98 ffffffff81123dac
[  261.839750]  ffffffff81a38380 ffff88007f7de000 ffff88007ea03f08 ffffffff810a2d0b
[  261.839750]  ffffffff81ced238 ffff88007b911508 ffff88007ea16570 ffffffff81a114a0
[  261.839750] Call Trace:
[  261.839750]
[  261.839750]  [] free_event_rcu+0x4c/0x60
[  261.839750]  [] rcu_process_callbacks+0x25b/0x5a0
[  261.839750]  [] __do_softirq+0xed/0x280
[  261.839750]  [] irq_exit+0x4d/0x60
[  261.839750]  [] smp_apic_timer_interrupt+0x4a/0x60
[  261.839750]  [] apic_timer_interrupt+0x6b/0x70
[  261.839750]
[  261.839750]  [] ? default_idle+0x20/0xb0
[  261.839750]  [] arch_cpu_idle+0xf/0x20
[  261.839750]  [] cpu_startup_entry+0x2f7/0x400
[  261.839750]  [] rest_init+0x77/0x80
[  261.839750]  [] start_kernel+0x423/0x430
[  261.839750]  [] ? set_init_arg+0x56/0x56
[  261.839750]  [] x86_64_start_reservations+0x2a/0x2c
[  261.839750]  [] x86_64_start_kernel+0xec/0xf0
[  261.839750] Code: 24 72 e7 49 8b 7d 00 e8 8e ce 05 00 48 83 c4 08 5b 41 5c 41 5d 5d c3 0f 1f 00 66 66 66 66 90 55 48 89 e5 53 48 89 fb 48 83 ec 08 <48> 8b 47 10 3e ff 08 74 0e 48 83 c4 08 5b 5d c3 0f 1f 80 00 00
[  261.839750] RIP  [] bpf_prog_put+0x11/0x50
[  261.839750]  RSP
[  261.839750] CR2: 00000000000006d0
[  261.839750] ---[ end trace dddf4ec721745b49 ]---
[  261.839750] Kernel panic - not syncing: Fatal exception in interrupt
[  261.839750] Kernel Offset: disabled
[  261.839750] ---[ end Kernel panic - not syncing: Fatal exception in interrupt
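As an added example (not part of the report above), a small Python script that checks the oops the way one would by hand: it decodes the faulting instruction from the <48> marker on the Code: line, adds its displacement to the base register from the register dump, and confirms the sum is CR2. The OOPS string is a constructed excerpt of the lines quoted above; for this oops the result is RDI (0x6c0) + 0x10 = 0x6d0, and since RDI holds prog, it is the prog pointer itself that already carried a bogus small value when bpf_prog_put ran.

```python
import re

# Constructed excerpt of the oops quoted above: fault address, registers, CR2, Code: line.
OOPS = """\
BUG: unable to handle kernel NULL pointer dereference at 00000000000006d0
RAX: ffff880076e35d20 RBX: 00000000000006c0 RCX: ffffffff81123d60
RDX: 00000001000d000b RSI: 0000000000000000 RDI: 00000000000006c0
CR2: 00000000000006d0 CR3: 0000000078aa5000 CR4: 00000000000006f0
Code: 24 72 e7 49 8b 7d 00 e8 8e ce 05 00 48 83 c4 08 5b 41 5c 41 5d 5d c3 0f 1f 00 66 66 66 66 90 55 48 89 e5 53 48 89 fb 48 83 ec 08 <48> 8b 47 10 3e ff 08 74 0e 48 83 c4 08 5b 5d c3 0f 1f 80 00 00
"""

# x86-64 register encoding for the ModRM reg/rm fields when no REX.R/REX.B bit is set.
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]

def parse_regs(text):
    """Collect 'NAME: <16 hex digits>' pairs (RAX.., R08.., CR2) into a dict."""
    return {m.group(1).lower(): int(m.group(2), 16)
            for m in re.finditer(r"\b(R[A-Z0-9]{2}|CR2): ([0-9a-f]{16})", text)}

def faulting_bytes(text):
    """Bytes from the <..> marker on the Code: line, i.e. the instruction that faulted."""
    toks = re.search(r"Code: (.*)", text).group(1).split()
    start = next(i for i, t in enumerate(toks) if t.startswith("<"))
    return [int(t.strip("<>"), 16) for t in toks[start:]]

def decode_mov_load(code):
    """Decode only 'REX.W mov disp8(base),reg' (48 8b /r with mod=01), the form at
    the fault here; anything else raises rather than guessing the operand."""
    rex, opc, modrm, disp8 = code[:4]
    if rex != 0x48 or opc != 0x8b or (modrm >> 6) != 1 or (modrm & 7) == 4:
        raise ValueError("unsupported encoding; decode with objdump instead")
    reg, base = REGS64[(modrm >> 3) & 7], REGS64[modrm & 7]
    disp = disp8 - 256 if disp8 > 127 else disp8   # disp8 is sign-extended
    return reg, base, disp

def explain_fault(text):
    """Recompute the faulting address from the decoded instruction and the register
    dump, and check that it agrees with CR2 (the address the CPU actually faulted on)."""
    regs = parse_regs(text)
    reg, base, disp = decode_mov_load(faulting_bytes(text))
    addr = regs[base] + disp
    return {"insn": f"mov {disp:#x}(%{base}),%{reg}", "base": base,
            "base_value": regs[base], "fault_addr": addr,
            "matches_cr2": addr == regs["cr2"]}

if __name__ == "__main__":
    # Here: mov 0x10(%rdi),%rax with RDI = 0x6c0, so the fault is at 0x6d0 == CR2,
    # and RDI is 'prog' itself: the bad value is the prog pointer, not prog->aux.
    print(explain_fault(OOPS))
```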