[Bugme-new] [Bug 9210] New: 9p: unmount userspace server causes crash

bugme-daemon at bugzilla.kernel.org bugme-daemon at bugzilla.kernel.org
Mon Oct 22 11:00:36 PDT 2007


http://bugzilla.kernel.org/show_bug.cgi?id=9210

           Summary: 9p: unmount userspace server causes crash
           Product: File System
           Version: 2.5
     KernelVersion: 2.6.22
          Platform: All
        OS/Version: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: v9fs
        AssignedTo: ericvh at gmail.com
        ReportedBy: ericvh at gmail.com


From: sqweek at gmail.com
Hi guys,
 I've been working on an SUID 9mount/9umount recently for mounting 9p
file systems in userspace, and with all the mount/unmounting going on
I managed to crash v9fs a couple of times. Running linux-2.6.22, both
times v9fs choked I was unmounting p9p's factotum
(unix!/tmp/ns.sqweek.:0/factotum).

 Anyway, here's the first dump:

BUG: unable to handle kernel NULL pointer dereference at virtual
address 00000001
 printing eip:
c011176a
*pde = 00000000
Oops: 0000 [#1]
PREEMPT
Modules linked in: nvidia(P)
CPU:    0
EIP:    0060:[<c011176a>]    Tainted: P       VLI
EFLAGS: 00010086   (2.6.22 #1)
EIP is at __wake_up_common+0x13/0x4f
eax: 00000001   ebx: f7cac000   ecx: 00000001   edx: 00000003
esi: 00000000   edi: 00000001   ebp: f7cadeac   esp: f7cade90
ds: 007b   es: 007b   fs: 0000  gs: 0000  ss: 0068
Process v9fs/0 (pid: 202, ti=f7cac000 task=f7d65590 task.ti=f7cac000)
Stack: f7d65590 00000003 f2b83adc c033b45d f7cac000 00000000 00000286 f7cadec8
      c0112844 00000000 00000000 f7032d20 f2b83aa0 f7032d3c f6848000 c01d43f3
      00000000 f7caded0 00000000 00000000 c02f2d67 f7cade34 00000001 0000000a
Call Trace:
 [<c033b45d>] preempt_schedule+0x3c/0x58
 [<c0112844>] __wake_up+0x2a/0x4f
 [<c01d43f3>] v9fs_read_work+0x42c/0x511
 [<c02f2d67>] net_tx_action+0x5a/0xc8
 [<c0118f89>] __do_softirq+0x35/0x75
 [<c01191ae>] irq_exit+0x25/0x30
 [<c014d0cb>] vfs_write+0xfc/0x10c
 [<c01d2874>] v9fs_fd_write+0x85/0xbf
 [<c01d384d>] v9fs_write_work+0x0/0x1ca
 [<c01d392f>] v9fs_write_work+0xe2/0x1ca
 [<c01d3fc7>] v9fs_read_work+0x0/0x511
 [<c01d3fc7>] v9fs_read_work+0x0/0x511
 [<c0121379>] run_workqueue+0x8c/0x128
 [<c01218ac>] worker_thread+0x0/0xbc
 [<c012195e>] worker_thread+0xb2/0xbc
 [<c0123f37>] autoremove_wake_function+0x0/0x35
 [<c0123e7f>] kthread+0x36/0x5b
 [<c0123e49>] kthread+0x0/0x5b
 [<c0103eb3>] kernel_thread_helper+0x7/0x10
 =======================
Code: c0 11 15 0c 62 43 c0 eb 0c 01 1d 18 62 43 c0 11 15 1c 62 43 c0
5b c9 c3 55 89 e5 57 89 cf 56 53 83 ec 10 89 45 ec 89 55 e8 8b 00 <8b>
30 eb 2b 8d 58 f4 8b 40 f4 8b 4d 08 8b 55 e8 89 45 f0 8b 45
EIP: [<c011176a>] __wake_up_common+0x13/0x4f SS:ESP 0068:f7cade90
note: v9fs/0[202] exited with preempt_count 1



 Second time around I captured everything v9fs-related in dmesg
instead of just the dump... I don't think there's anything useful in
there:

Installing v9fs 9p2000 file system support
...
v9fs: v9fs_tcp_init (20745): v9fs_trans_tcp: problem connecting socket
to 192.168.1.86
v9fs: v9fs_session_init (20745): problem initializing transport
v9fs: v9fs_tcp_init (28973): v9fs_trans_tcp: problem connecting socket
to 192.168.1.86
v9fs: v9fs_session_init (28973): problem initializing transport
v9fs: v9fs_tcp_init (29050): v9fs_trans_tcp: problem connecting socket
to 192.168.1.86
v9fs: v9fs_session_init (29050): problem initializing transport
v9fs_errstr2errno: errstr :interrupted: not found
...
9P2000: v9fs_t_read returned -512
BUG: unable to handle kernel NULL pointer dereference at virtual
address 00000001
 printing eip:
c011176a
*pde = 00000000
Oops: 0000 [#1]
PREEMPT
Modules linked in: nvidia(P)
CPU:    0
EIP:    0060:[<c011176a>]    Tainted: P       VLI
EFLAGS: 00010086   (2.6.22 #1)
EIP is at __wake_up_common+0x13/0x4f
eax: 00000001   ebx: f7cac000   ecx: 00000001   edx: 00000003
esi: 00000000   edi: 00000001   ebp: f7cadeac   esp: f7cade90
ds: 007b   es: 007b   fs: 0000  gs: 0000  ss: 0068
Process v9fs/0 (pid: 202, ti=f7cac000 task=f7d65590 task.ti=f7cac000)
Stack: f7d65590 00000003 d86bdb9c c033b45d f7cac000 00000000 00000286 f7cadec8
      c0112844 00000000 00000000 e68e0820 d86bdb60 e68e083c c3594000 c01d43f3
      00000000 f7caded0 00000000 00000000 c0122153 f7cade34 c718800c c043b568
Call Trace:
 [<c033b45d>] preempt_schedule+0x3c/0x58
 [<c0112844>] __wake_up+0x2a/0x4f
 [<c01d43f3>] v9fs_read_work+0x42c/0x511
 [<c0122153>] __rcu_process_callbacks+0x112/0x170
 [<c0118f89>] __do_softirq+0x35/0x75
 [<c01191ae>] irq_exit+0x25/0x30
 [<c014d0cb>] vfs_write+0xfc/0x10c
 [<c01d2874>] v9fs_fd_write+0x85/0xbf
 [<c033b37f>] __sched_text_start+0x497/0x539
 [<c01d3fc7>] v9fs_read_work+0x0/0x511
 [<c01d3fc7>] v9fs_read_work+0x0/0x511
 [<c0121379>] run_workqueue+0x8c/0x128
 [<c01218ac>] worker_thread+0x0/0xbc
 [<c012195e>] worker_thread+0xb2/0xbc
 [<c0123f37>] autoremove_wake_function+0x0/0x35
 [<c0123e7f>] kthread+0x36/0x5b
 [<c0123e49>] kthread+0x0/0x5b
 [<c0103eb3>] kernel_thread_helper+0x7/0x10
 =======================
Code: c0 11 15 0c 62 43 c0 eb 0c 01 1d 18 62 43 c0 11 15 1c 62 43 c0
5b c9 c3 55 89 e5 57 89 cf 56 53 83 ec 10 89 45 ec 89 55 e8 8b 00 <8b>
30 eb 2b 8d 58 f4 8b 40 f4 8b 4d 08 8b 55 e8 89 45 f0 8b 45
EIP: [<c011176a>] __wake_up_common+0x13/0x4f SS:ESP 0068:f7cade90
note: v9fs/0[202] exited with preempt_count 1



 Finally, a while back I ran into other unmounting problems. This was
back on a linux-2.6.19 kernel, so it might be fixed now anyway... I was
unmounting a 9p2000.u fs served by ufs (spfs) from my netbsd machine.

kernel BUG at kernel/workqueue.c:114!
invalid opcode: 0000 [#1]
PREEMPT
Modules linked in: nvidia(P)
CPU:    0
EIP:    0060:[<c01227e8>]    Tainted: P      VLI
EFLAGS: 00010213   (2.6.19 #4)
EIP is at queue_work+0x21/0x4f
eax: f70904d4   ebx: 00000000   ecx: f7d203a0   edx: f70904d0
esi: 00000004   edi: c045f5e4   ebp: c045f5e0   esp: f18a7f94
ds: 007b   es: 007b   ss: 0068
Process v9fs-poll (pid: 3191, ti=f18a6000 task=f1d9d090 task.ti=f18a6000)
Stack: f7090400 c01de1a5 f2d396a0 00000000 f1d9d090 00000f21 00000000 c045f5e0
      f08d9cf4 c01ddf73 00000000 c01258aa c045f5e0 f18a7fd0 00000000 ffffffff
      ffffffff c01257e5 00000000 00000000 c010306b f08d9cf4 00000000 00000000
Call Trace:
 [<c01de1a5>] v9fs_poll_proc+0x232/0x2d1
 [<c01ddf73>] v9fs_poll_proc+0x0/0x2d1
 [<c01258aa>] kthread+0xc5/0xf3
 [<c01257e5>] kthread+0x0/0xf3
 [<c010306b>] kernel_thread_helper+0x7/0x10
 =======================
Code: 54 24 04 8b 42 14 8b 00 eb 8d 53 89 c1 89 e0 25 00 e0 ff ff ff
40 14 0f ba 2a 00 19 c0 31 db 85 c0 75 1c 8d 42 04 39 42 04 74 08 <0f>
0b 72 00 18 f4 37 c0 8b 01 bb 01 00 00 00 e8 58 ff ff ff 89
EIP: [<c01227e8>] queue_work+0x21/0x4f SS:ESP 0068:f18a7f94
 <6>note: v9fs-poll[3191] exited with preempt_count 1



kernel BUG at kernel/workqueue.c:114!
invalid opcode: 0000 [#1]
PREEMPT
Modules linked in: nvidia(P)
CPU:    0
EIP:    0060:[<c01227e8>]    Tainted: P      VLI
EFLAGS: 00010213   (2.6.19 #4)
EIP is at queue_work+0x21/0x4f
eax: f76d14d4   ebx: 00000000   ecx: f7d1f3a0   edx: f76d14d0
esi: 00000004   edi: f76d1a00   ebp: c045f5e0   esp: f5877f94
ds: 007b   es: 007b   ss: 0068
Process v9fs-poll (pid: 2643, ti=f5876000 task=f7c2a580 task.ti=f5876000)
Stack: f76d1400 c01de1a5 f7580c60 00000000 f7c2a580 00000e73 00000000 c045f5e0
      f589bcf4 c01ddf73 00000000 c01258aa c045f5e0 f5877fd0 00000000 ffffffff
      ffffffff c01257e5 00000000 00000000 c010306b f589bcf4 00000000 00000000
Call Trace:
 [<c01de1a5>] v9fs_poll_proc+0x232/0x2d1
 [<c01ddf73>] v9fs_poll_proc+0x0/0x2d1
 [<c01258aa>] kthread+0xc5/0xf3
 [<c01257e5>] kthread+0x0/0xf3
 [<c010306b>] kernel_thread_helper+0x7/0x10
 =======================
Code: 54 24 04 8b 42 14 8b 00 eb 8d 53 89 c1 89 e0 25 00 e0 ff ff ff
40 14 0f ba 2a 00 19 c0 31 db 85 c0 75 1c 8d 42 04 39 42 04 74 08 <0f>
0b 72 00 18 f4 37 c0 8b 01 bb 01 00 00 00 e8 58 ff ff ff 89
EIP: [<c01227e8>] queue_work+0x21/0x4f SS:ESP 0068:f5877f94
 <6>note: v9fs-poll[2643] exited with preempt_count 1
BUG: unable to handle kernel NULL pointer dereference at virtual
address 00000011
 printing eip:
c0152a78
*pde = 00000000
Oops: 0000 [#2]
PREEMPT
Modules linked in: nvidia(P)
CPU:    0
EIP:    0060:[<c0152a78>]    Tainted: P      VLI
EFLAGS: 00010202   (2.6.19 #4)
EIP is at __free_pipe_info+0x1d/0x48
eax: 00000001   ebx: f76d14c4   ecx: 00000000   edx: 00000001
esi: f76d1400   edi: 00000009   ebp: f72e04e0   esp: f1ed3f18
ds: 007b   es: 007b   ss: 0068
Process fish (pid: 3114, ti=f1ed2000 task=f24bcad0 task.ti=f1ed2000)
Stack: f76d1400 f76d14c4 f72e04e0 00000000 f76d1400 c0152ab9 f76d1400 00000001
      c0152b0e f72e04e0 ef1bfde0 f72e04e0 f72e054c 00000010 ef1bfde0 f72e04e0
      f20e3514 c014dfd3 f72e04e0 ef1bfde0 00000000 00000000 00000000 c17d35a0
Call Trace:
 [<c0152ab9>] free_pipe_info+0x16/0x23
 [<c0152b0e>] pipe_release+0x48/0xb1
 [<c014dfd3>] __fput+0xaf/0x19b
 [<c014b7b3>] filp_close+0x61/0x69
 [<c014c9aa>] sys_close+0x7b/0xd1
 [<c0102d91>] sysenter_past_esp+0x56/0x79
 =======================
Code: a7 00 00 89 5c 24 0c 5b 5b e9 5c b4 ff ff 57 31 ff 56 53 83 ec
08 8b 74 24 18 8d 5e 10 8b 43 0c 85 c0 74 0a 89 5c 24 04 89 34 24 <ff>
50 10 47 83 c3 14 83 ff 10 75 e6 8b 86 50 01 00 00 85 c0 74
EIP: [<c0152a78>] __free_pipe_info+0x1d/0x48 SS:ESP 0068:f1ed3f18
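Added triage helper, not part of the bug report and not the kernel's own scripts/decodecode: it takes the "EIP: [<addr>] sym+off/size", register and wrapped "Code:" lines of an i386 oops like the ones above, locates the <xx> fault marker, and from it recovers the load address of the Code: window (EIP minus the number of bytes before the marker) and of the reported symbol (EIP minus the sym+off offset), so the bytes can be disassembled at their real addresses. The sample input is copied from the first 2.6.22 dump in this report; the file name code.bin and the function names are this example's own choices.

```python
import re

# Constructed sample input: the EIP, register and Code: lines copied from the
# first 2.6.22 oops in this report (the __wake_up_common+0x13 crash).
OOPS_EXCERPT = """\
EIP is at __wake_up_common+0x13/0x4f
eax: 00000001   ebx: f7cac000   ecx: 00000001   edx: 00000003
esi: 00000000   edi: 00000001   ebp: f7cadeac   esp: f7cade90
Code: c0 11 15 0c 62 43 c0 eb 0c 01 1d 18 62 43 c0 11 15 1c 62 43 c0
5b c9 c3 55 89 e5 57 89 cf 56 53 83 ec 10 89 45 ec 89 55 e8 8b 00 <8b>
30 eb 2b 8d 58 f4 8b 40 f4 8b 4d 08 8b 55 e8 89 45 f0 8b 45
EIP: [<c011176a>] __wake_up_common+0x13/0x4f SS:ESP 0068:f7cade90
"""

EIP_RE = re.compile(r"EIP: \[<([0-9a-f]+)>\] (\S+?)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p): ([0-9a-f]{8})\b")


def parse_oops(text):
    """Return EIP, symbol annotation, registers and the decoded Code: window."""
    m = EIP_RE.search(text)
    if m is None:
        raise ValueError("no 'EIP: [<addr>] symbol+0xoff/0xsize' line found")
    eip = int(m.group(1), 16)
    symbol = m.group(2)
    sym_off = int(m.group(3), 16)
    sym_size = int(m.group(4), 16)
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}

    # The Code: line is wrapped onto continuation lines; they end at the
    # next "word:" line (the trailing "EIP:" line in these dumps).
    tokens, in_code = [], False
    for line in text.splitlines():
        if line.startswith("Code: "):
            in_code, line = True, line[len("Code: "):]
        elif in_code and re.match(r"\s*\S+:", line):
            break
        if in_code:
            tokens.extend(line.split())
    if not tokens:
        raise ValueError("no Code: line found")

    code, fault_index = [], None
    for tok in tokens:
        if tok.startswith("<") and tok.endswith(">"):
            fault_index = len(code)          # first byte of the faulting insn
        code.append(int(tok.strip("<>"), 16))
    if fault_index is None:
        raise ValueError("Code: bytes carry no <xx> fault marker")

    return {
        "eip": eip,
        "symbol": symbol,
        "sym_off": sym_off,
        "sym_size": sym_size,
        "regs": regs,
        "code": bytes(code),
        "fault_index": fault_index,
        # The marker byte sits at EIP, so code[0] lives fault_index bytes earlier.
        "window_start": eip - fault_index,
        # First byte of the symbol, from the sym+off annotation.
        "func_start": eip - sym_off,
    }


def function_prefix(info):
    """Bytes from the symbol's entry up to (not including) the faulting
    instruction; empty if the window starts after the function entry."""
    idx = info["fault_index"] - info["sym_off"]
    return info["code"][max(idx, 0):info["fault_index"]]


def objdump_command(info, path="code.bin"):
    """objdump invocation that disassembles the window at its real address."""
    return ("objdump -D -b binary -m i386 --adjust-vma=0x%08x %s"
            % (info["window_start"], path))


def write_window(info, path="code.bin"):
    with open(path, "wb") as f:
        f.write(info["code"])


if __name__ == "__main__":
    info = parse_oops(OOPS_EXCERPT)
    fi = info["fault_index"]
    print("EIP 0x%08x = %s+0x%x" % (info["eip"], info["symbol"], info["sym_off"]))
    print("Code: window at 0x%08x, %d bytes" % (info["window_start"], len(info["code"])))
    print("faulting bytes:", " ".join("%02x" % b for b in info["code"][fi:fi + 2]))
    print("function prefix:", " ".join("%02x" % b for b in function_prefix(info)))
    write_window(info)
    print(objdump_command(info))
```

On the dump above this puts the marker at byte 43 and the entry of __wake_up_common at byte 24, so the window begins 24 bytes inside the preceding function; the bytes just before the entry (5b c9 c3: pop ebx; leave; ret) and at it (55 89 e5: push ebp; mov ebp,esp) are consistent with that placement. The marked instruction is 8b 30 (mov esi,[eax]) and the register dump has eax = 00000001, which is the "virtual address 00000001" in the BUG line. What put that value there is not something the dump alone shows.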

