[Bug runtime/11148] New: Loading/unloading several scripts concurrently can cause kernel panic

["mhiramat at redhat dot com" <sourceware-bugzilla at sourceware dot org>]

Running below script (and waiting a while - in one hour) caused a kernel panic.

----
#!/bin/sh
stap -p4 -m test1 -e 'probe begin{}'
stap -p4 -m test2 -e 'probe begin{}'
runtask(){
while [ 1 ]; do
  taskset -c $2 staprun -L $1.ko &> /dev/null
  taskset -c $2 rmmod $1 &> /dev/null
done
}
runtask test1 0 &
runtask test2 1 &
----


----
Unable to handle kernel NULL pointer dereference at 000000000000004c RIP:
 [<ffffffff8000d89b>] permission+0x10/0xc8
PGD 0
Oops: 0000 [1] SMP
last sysfs file: /module/xfrm_nalgo/sections/__versions
CPU 0
Modules linked in: test1(U) test2(U) ipv6 xfrm_nalgo crypto_api autofs4 hidp 
rfcomm l2cap bluetooth lockd sunrpc dm_multipath scsi_dh video backlight sbs 
power_meter hwmon i2c_ec dell_wmi wmi button battery asus_acpi acpi_memhotplug 
ac parport_pc lp parport floppy snd_ens1370 gameport snd_rawmidi snd_seq_dummy 
snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss 
i2c_piix4 8139too snd_pcm pcspkr i2c_core 8139cp virtio_pci snd_timer mii 
virtio_ring ide_cd virtio snd_ak4531_codec snd serio_raw soundcore cdrom 
snd_page_alloc dm_raid45 dm_message dm_region_hash dm_mem_cache dm_snapshot 
dm_zero dm_mirror dm_log dm_mod ata_piix libata sd_mod scsi_mod ext3 jbd 
uhci_hcd ohci_hcd ehci_hcd
Pid: 16157, comm: staprun Tainted: G      2.6.18-182.el5 #1
RIP: 0010:[<ffffffff8000d89b>]  [<ffffffff8000d89b>] permission+0x10/0xc8
RSP: 0000:ffff81000f175d58  EFLAGS: 00010246
RAX: 0000000000000310 RBX: 0000000000000000 RCX: 00000000ffffffff
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000001 R08: 000000001375a948 R09: 000000000000003e
R10: ffff81001fc5c038 R11: 0000000040000000 R12: 0000000000000000
R13: ffff81000f175db8 R14: 0000000000000000 R15: 0000000000000000
FS:  00002b9631cd56e0(0000) GS:ffffffff803c9000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 000000000000004c CR3: 000000000de11000 CR4: 00000000000006e0
Process staprun (pid: 16157, threadinfo ffff81000f174000, task ffff81000e8c10c0)
Stack:  ffff81000f175e68 00000000000041ed ffff81000de76300 ffffffff80036fff
 ffff81000de42110 ffff81000f175e68 00000000000041ed ffff8100135b5b40
 ffff81000de76300 0000000000000000 0000000000000000 ffffffff800e8a91
Call Trace:
 [<ffffffff80036fff>] __lookup_hash+0x28/0x12f
 [<ffffffff800e8a91>] lookup_one_len+0x53/0x61
 [<ffffffff8011d4c9>] debugfs_create_file+0xae/0x195
 [<ffffffff88588df2>] :test1:init_module+0x13b/0x6d1
 [<ffffffff8008d792>] __activate_task+0x56/0x6d
 [<ffffffff800a70d6>] __link_module+0x0/0x18
 [<ffffffff8008f5f2>] __cond_resched+0x1c/0x44
 [<ffffffff8006410d>] wait_for_completion+0x1f/0xa2
 [<ffffffff800a70d6>] __link_module+0x0/0x18
 [<ffffffff80065644>] __down_read+0x12/0x92
 [<ffffffff80022128>] __up_read+0x19/0x7f
 [<ffffffff800a7c80>] sys_init_module+0xaf/0x1f2
 [<ffffffff8005e28d>] tracesys+0xd5/0xe0


Code: 8b 57 4c 74 36 48 8b 87 f8 00 00 00 f6 40 58 01 74 20 89 d0
RIP  [<ffffffff8000d89b>] permission+0x10/0xc8
 RSP <ffff81000f175d58>
----

This is because test2 removed stp_root_dir right after test1 got it
by _stp_get_root_dir(). I assume that stap should lock while
not only removing directory but also creating it.

-- 
           Summary: Loading/unloading several scripts concurrently can cause
                    kernel panic
           Product: systemtap
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: runtime
        AssignedTo: systemtap at sources dot redhat dot com
        ReportedBy: mhiramat at redhat dot com


http://sourceware.org/bugzilla/show_bug.cgi?id=11148

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.