Bug 91603 - Swapoff w/regular file causes Oops
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: kernel
Version: 9
Hardware: i586
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Arjan van de Ven
QA Contact: Brian Brock
Reported: 2003-05-25 17:16 UTC by Steve Grubb
Modified: 2007-04-18 16:54 UTC (History)

Doc Type: Bug Fix
Last Closed: 2004-08-20 14:04:55 UTC


Attachments
fix LTP swapoff02 testcase crashes (858 bytes, patch), 2003-06-12 08:08 UTC, BSc. Ing. Wilfried Weissmann

Description Steve Grubb 2003-05-25 17:16:07 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
Kernel Oops is caused by passing a regular file into swapoff system call.

Version-Release number of selected component (if applicable):
kernel-2.4.20-13.9

How reproducible:
Always

Steps to Reproduce:
1. Compile and run the following program:

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/swap.h>
#include <errno.h>

int main(void)
{
    int fd, ret;

    if (geteuid() != 0) {
        puts("Must be super/root for this test!");
        return 1;
    }

    /* Create an ordinary regular file (not a swap area) to hand to swapoff(). */
    fd = creat("./abcd", S_IRWXU);
    if (fd == -1) {            /* creat() returns -1 on failure, not 0 */
        perror("Unable to setup abcd");
        return 1;
    }
    close(fd);

    /* swapoff() on a file that is not an active swap area must fail with EINVAL. */
    ret = swapoff("./abcd");
    if (ret == -1 && errno != EINVAL) {
        printf("%d returned instead of EINVAL.\n", errno);
        unlink("./abcd");
        return 1;
    }
    unlink("./abcd");
    return 0;
}


Actual Results:
May 25 12:59:58 dds kernel:  <1>Unable to handle kernel NULL pointer dereference at virtual address 0000026e
May 25 12:59:58 dds kernel:  printing eip:
May 25 12:59:58 dds kernel: c0149985
May 25 12:59:58 dds kernel: *pde = 00000000
May 25 12:59:58 dds kernel: Oops: 0002
May 25 12:59:58 dds kernel: parport_pc lp parport 3c59x ipv6 ipt_LOG ipt_state iptable_nat ip_conntrack iptable_filter ip_tables ide-scsi scsi_mod ide-cd cdrom loop lvm-mod keybdev mouse
May 25 12:59:58 dds kernel: CPU:    0
May 25 12:59:58 dds kernel: EIP:    0060:[<c0149985>]    Not tainted
May 25 12:59:58 dds kernel: EFLAGS: 00010202
May 25 12:59:58 dds kernel:
May 25 12:59:58 dds kernel: EIP is at path_release [kernel] 0x15 (2.4.20-13.9)
May 25 12:59:58 dds kernel: eax: c1ac6f84   ebx: c2e5ff90   ecx: ffffffff   edx: 00000246
May 25 12:59:58 dds kernel: esi: 00000002   edi: ffffffea   ebp: c0c3cbe0   esp: c2e5ff84
May 25 12:59:58 dds kernel: ds: 0068   es: 0068   ss: 0068
May 25 12:59:58 dds kernel: Process sigtest (pid: 1900, stackpage=c2e5f000)
May 25 12:59:58 dds kernel: Stack: c037ae88 c013a831 c2e5ff90 c1ac6f84 00000246 00000003 c013f2f0 c1ac6f84
May 25 12:59:58 dds kernel:        cf814000 c2e5e000 00000004 c2e5e000 40012820 bffff624 bffff5c8 c0109103
May 25 12:59:58 dds kernel:        080484e8 000001c0 4014e9a0 40012820 bffff624 bffff5c8 00000073 0000002b
May 25 12:59:58 dds kernel: Call Trace:   [<c013a831>] sys_swapoff [kernel] 0x191 (0xc2e5ff88))
May 25 12:59:58 dds kernel: [<c013f2f0>] sys_open [kernel] 0x70 (0xc2e5ff9c))
May 25 12:59:58 dds kernel: [<c0109103>] system_call [kernel] 0x33 (0xc2e5ffc0))
May 25 12:59:58 dds kernel:
May 25 12:59:58 dds kernel:
May 25 12:59:58 dds kernel: Code: ff 4a 28 0f 94 c0 84 c0 75 02 5b c3 89 54 24 08 5b e9 65 c3


Expected Results:  No output from program.

Additional info:

I'm classifying this as a high severity since it's a kernel Oops which may upset
the internal state of the kernel. You have to be superuser to call swapoff so
it's not likely to be a security risk. Hopefully, being easy to reproduce, it
will be a quick fix.

Comment 1 Steve Grubb 2003-05-26 15:23:10 UTC
Some more info...I have another machine running RH 8.0. The 2.4.18-24.8.0 kernel
does not have this problem. I upgraded that machine to the 5-13-2003 released
kernel (2.4.20-13.8) and now the RH 8.0 machine also dies when running the above
program. The RH 8.0 machine also reports that the init process was attempted to
be killed and then locks up with flashing caps lock & scroll lock lights. The
machine must be powered off, which is a much more severe reaction. The
information in the logs is almost identical to what I posted for the RH 9 system.

The filesystem is ext3 on IDE hdd & the cpu is K6-2 if this helps.

Comment 2 Alan Cox 2003-06-05 15:34:37 UTC
This bug has already been fixed upstream. I thought the fix was in the current
errata. Do you still see it there ?


Comment 3 Steve Grubb 2003-06-05 20:03:14 UTC
I'm using the kernel-2.4.20-18.9 package and now see 2 separate Oops. The
following is copied straight from /var/log/messages:

Jun  5 15:58:40 dds kernel: Unable to handle kernel paging request at virtual address 0020026e
Jun  5 15:58:40 dds kernel:  printing eip:
Jun  5 15:58:40 dds kernel: c0149985
Jun  5 15:58:40 dds kernel: *pde = 00000000
Jun  5 15:58:40 dds kernel: Oops: 0002
Jun  5 15:58:40 dds kernel: ppp_deflate zlib_deflate ppp_async ppp_generic slhc sd_mod sr_mod parport_pc lp parport 3c59x ipv6 ipt_LOG ipt_state iptable_nat ip_conntrack iptable_filter i
Jun  5 15:58:40 dds kernel: CPU:    0
Jun  5 15:58:40 dds kernel: EIP:    0060:[<c0149985>]    Not tainted
Jun  5 15:58:40 dds kernel: EFLAGS: 00210202
Jun  5 15:58:40 dds kernel:
Jun  5 15:58:40 dds kernel: EIP is at path_release [kernel] 0x15 (2.4.20-18.9)
Jun  5 15:58:40 dds kernel: eax: c1ac6f84   ebx: ce261f90   ecx: ffffffff   edx: 00200246
Jun  5 15:58:40 dds kernel: esi: 00000001   edi: ffffffea   ebp: c503f4e0   esp: ce261f84
Jun  5 15:58:40 dds kernel: ds: 0068   es: 0068   ss: 0068
Jun  5 15:58:40 dds kernel: Process sigtest (pid: 3253, stackpage=ce261000)
Jun  5 15:58:40 dds kernel: Stack: c037ae54 c013a831 ce261f90 c1ac6f84 00200246 00000003 c013f2f0 c1ac6f84
Jun  5 15:58:40 dds kernel:        c1a61000 ce260000 00000004 ce260000 40012820 bfffe114 bfffe0b8 c0109103
Jun  5 15:58:41 dds kernel:        08048620 000001c0 4014d9a0 40012820 bfffe114 bfffe0b8 00000073 0000002b
Jun  5 15:58:41 dds kernel: Call Trace:   [<c013a831>] sys_swapoff [kernel] 0x191 (0xce261f88))
Jun  5 15:58:41 dds kernel: [<c013f2f0>] sys_open [kernel] 0x70 (0xce261f9c))
Jun  5 15:58:41 dds kernel: [<c0109103>] system_call [kernel] 0x33 (0xce261fc0))
Jun  5 15:58:41 dds kernel:
Jun  5 15:58:41 dds kernel:
Jun  5 15:58:41 dds kernel: Code: ff 4a 28 0f 94 c0 84 c0 75 02 5b c3 89 54 24 08 5b e9 65 c3
Jun  5 15:58:41 dds kernel:  <1>Unable to handle kernel paging request at virtual address 84ac6f87
Jun  5 15:58:41 dds kernel:  printing eip:
Jun  5 15:58:41 dds kernel: c0134973
Jun  5 15:58:41 dds kernel: *pde = 00000000
Jun  5 15:58:41 dds kernel: Oops: 0002
Jun  5 15:58:41 dds kernel: ppp_deflate zlib_deflate ppp_async ppp_generic slhc sd_mod sr_mod parport_pc lp parport 3c59x ipv6 ipt_LOG ipt_state iptable_nat ip_conntrack iptable_filter i
Jun  5 15:58:41 dds kernel: CPU:    0
Jun  5 15:58:41 dds kernel: EIP:    0060:[<c0134973>]    Not tainted
Jun  5 15:58:41 dds kernel: EFLAGS: 00210056
Jun  5 15:58:41 dds kernel:
Jun  5 15:58:41 dds kernel: EIP is at __kmem_cache_alloc [kernel] 0x73 (2.4.20-18.9)
Jun  5 15:58:41 dds kernel: eax: 84ac6f83   ebx: c1a61000   ecx: c1ac1f20   edx: c1ac6f8c
Jun  5 15:58:41 dds kernel: esi: c1ac6f84   edi: 00200246   ebp: c1a61000   esp: c8caff40
Jun  5 15:58:41 dds kernel: ds: 0068   es: 0068   ss: 0068
Jun  5 15:58:41 dds kernel: Process gnome-terminal (pid: 1119, stackpage=c8caf000)
Jun  5 15:58:41 dds kernel: Stack: 08315590 fffffff4 c8caff90 00000008 c013432f c1ac6f84 000001f0 c014972d
Jun  5 15:58:41 dds kernel:        c1ac6f84 000001f0 c8cae000 bfffcd70 c8caff90 c014a5ee 08315590 c8cae000
Jun  5 15:58:41 dds kernel:        bfffcd70 00001000 c8caff90 c0146aa6 bfffdda8 00000000 c011e9a2 bfffdda8
Jun  5 15:58:41 dds kernel: Call Trace:   [<c013432f>] kmem_cache_alloc [kernel] 0xf (0xc8caff50))
Jun  5 15:58:41 dds kernel: [<c014972d>] getname [kernel] 0x1d (0xc8caff5c))
Jun  5 15:58:41 dds kernel: [<c014a5ee>] __user_walk [kernel] 0xe (0xc8caff74))
Jun  5 15:58:41 dds kernel: [<c0146aa6>] sys_readlink [kernel] 0x26 (0xc8caff8c))
Jun  5 15:58:41 dds kernel: [<c011e9a2>] sys_gettimeofday [kernel] 0x22 (0xc8caff98))
Jun  5 15:58:41 dds kernel: [<c0109103>] system_call [kernel] 0x33 (0xc8caffc0))
Jun  5 15:58:41 dds kernel:
Jun  5 15:58:41 dds kernel:
Jun  5 15:58:41 dds kernel: Code: 89 48 04 89 71 04 eb d9 8d 46 10 8b 4e 10 39 c1 74 20 8b 41

I also see a whole bunch of errors trying to unmount partitions as the machine
shuts down. It reports them as busy. kernel-2.4.20-13.9 only creates 1 Oops...so
the new kernel does *something* different. It should also be noted that the
program I listed at the top does an immediate unconditional Oops on every
2.4.20 kernel I've tried, be it RH 7.3, 8.0 or 9. However, 2.4.18 on RH 7.3 or
8.0 does not seem to Oops.

If you can point me to a src rpm that you think is fixed, I'd be more than happy
to try it.
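Added example, written for this page and not code from the bug report or from the Red Hat kernel: a small Python triage helper for the 2.4 i386 Oops dumps quoted above. The sample log is constructed by condensing the two dumps in this report (module list, EFLAGS, registers and raw stack words dropped). It goes a little beyond what the comments state: it decodes the "Oops: 0002" value as the x86 page-fault error code (bit 0 protection violation, bit 1 write, bit 2 user mode), so 0002 is a kernel-mode write to a not-present page, and it flags a fault address below one page, such as the first dump's 0000026e, as a NULL struct pointer plus a member offset, while an address like 84ac6f87 in the later gnome-terminal Oops is reported as a wild pointer, which is consistent with the reporter's point that the first Oops leaves kernel state damaged. The regexes assume the exact line shapes shown in this report; they are not a general Oops parser.

```python
import re

# Constructed sample: condensed from the two Oops dumps quoted in this bug
# (module list, EFLAGS/segment registers and raw stack words dropped).
SAMPLE_LOG = """\
May 25 12:59:58 dds kernel:  <1>Unable to handle kernel NULL pointer dereference at virtual address 0000026e
May 25 12:59:58 dds kernel:  printing eip:
May 25 12:59:58 dds kernel: c0149985
May 25 12:59:58 dds kernel: Oops: 0002
May 25 12:59:58 dds kernel: EIP:    0060:[<c0149985>]    Not tainted
May 25 12:59:58 dds kernel: EIP is at path_release [kernel] 0x15 (2.4.20-13.9)
May 25 12:59:58 dds kernel: Process sigtest (pid: 1900, stackpage=c2e5f000)
May 25 12:59:58 dds kernel: Call Trace:   [<c013a831>] sys_swapoff [kernel] 0x191 (0xc2e5ff88))
May 25 12:59:58 dds kernel: [<c013f2f0>] sys_open [kernel] 0x70 (0xc2e5ff9c))
May 25 12:59:58 dds kernel: [<c0109103>] system_call [kernel] 0x33 (0xc2e5ffc0))
Jun  5 15:58:41 dds kernel:  <1>Unable to handle kernel paging request at virtual address 84ac6f87
Jun  5 15:58:41 dds kernel: Oops: 0002
Jun  5 15:58:41 dds kernel: EIP is at __kmem_cache_alloc [kernel] 0x73 (2.4.20-18.9)
Jun  5 15:58:41 dds kernel: Process gnome-terminal (pid: 1119, stackpage=c8caf000)
Jun  5 15:58:41 dds kernel: Call Trace:   [<c013432f>] kmem_cache_alloc [kernel] 0xf (0xc8caff50))
Jun  5 15:58:41 dds kernel: [<c014972d>] getname [kernel] 0x1d (0xc8caff5c))
"""

# Line shapes of the 2.4 i386 Oops printer, as seen in the dumps above (assumption:
# the syslog prefix is "Mon DD HH:MM:SS host kernel:" optionally followed by "<1>").
PREFIX_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ kernel:\s*(?:<\d>)?")
FAULT_RE = re.compile(r"Unable to handle kernel (.+?) at virtual address ([0-9a-f]{8})")
OOPS_RE = re.compile(r"^Oops: ([0-9a-f]{4})")
EIP_RE = re.compile(r"^EIP is at (\S+) \[(\S+)\] 0x([0-9a-f]+) \(([^)]+)\)")
PROC_RE = re.compile(r"^Process (\S+) \(pid: (\d+),")
FRAME_RE = re.compile(r"\[<([0-9a-f]{8})>\] (\S+) \[(\S+)\] 0x([0-9a-f]+)")


def parse_oopses(log_text):
    """Split a syslog excerpt into Oops records; a new record starts at each fault line."""
    records = []
    cur = None
    for raw in log_text.splitlines():
        line = PREFIX_RE.sub("", raw, count=1).strip()
        m = FAULT_RE.search(line)
        if m:
            cur = {"fault_kind": m.group(1), "fault_addr": int(m.group(2), 16),
                   "error_code": None, "eip_symbol": None, "eip_offset": None,
                   "kernel": None, "process": None, "pid": None, "trace": []}
            records.append(cur)
            continue
        if cur is None:
            continue                      # lines before the first fault are not part of an Oops
        m = OOPS_RE.match(line)
        if m:
            cur["error_code"] = int(m.group(1), 16)
            continue
        m = EIP_RE.match(line)
        if m:
            cur["eip_symbol"] = m.group(1)
            cur["eip_offset"] = int(m.group(3), 16)
            cur["kernel"] = m.group(4)
            continue
        m = PROC_RE.match(line)
        if m:
            cur["process"], cur["pid"] = m.group(1), int(m.group(2))
            continue
        for f in FRAME_RE.finditer(line):   # "Call Trace:" line and its continuation lines
            cur["trace"].append((int(f.group(1), 16), f.group(2), int(f.group(4), 16)))
    return records


def decode_error_code(code):
    """Decode the x86 page-fault error code printed after 'Oops:'.
    bit 0: protection violation (clear = page not present), bit 1: write, bit 2: fault from user mode."""
    return {"protection_violation": bool(code & 1),
            "write": bool(code & 2),
            "user_mode": bool(code & 4)}


def classify_address(addr, page_size=4096):
    """Addresses inside the first page are a NULL struct pointer plus a member offset;
    anything else is a wild or corrupted pointer."""
    if addr < page_size:
        return ("null-deref", addr)
    return ("wild-pointer", None)


def triage(rec):
    """One-line summary of an Oops record for a crash ticket."""
    kind, offset = classify_address(rec["fault_addr"])
    access = "write" if decode_error_code(rec["error_code"])["write"] else "read"
    if kind == "null-deref":
        what = "NULL pointer dereference, member offset 0x%x" % offset
    else:
        what = "wild pointer 0x%08x" % rec["fault_addr"]
    chain = " <- ".join(sym for _, sym, _ in rec["trace"])
    return "%s (pid %d): %s, %s in %s+0x%x [%s]; trace: %s" % (
        rec["process"], rec["pid"], access, what, rec["eip_symbol"],
        rec["eip_offset"], rec["kernel"], chain)


if __name__ == "__main__":
    for rec in parse_oopses(SAMPLE_LOG):
        print(triage(rec))
```

Run as a script it prints one summary line per Oops. The 2.4 "Call Trace" is a scan of the kernel stack for any value that falls inside kernel text, so stale frames such as sys_open appearing under sys_swapoff are expected noise rather than a real call relationship; the summary keeps them so the reader can judge for themselves.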

Comment 4 Alan Cox 2003-06-05 22:13:49 UTC
Ok this all fits.

Arjan - you need to pull the sys_swapoff fix from current 2.4.21rc, that should
sort it out.


Comment 5 BSc. Ing. Wilfried Weissmann 2003-06-12 08:08:56 UTC
Created attachment 92352 [details]
fix LTP swapoff02 testcase crashes

This patch fixes a bug in the match-dentry patch. It is only an experimental
workaround for fixing the swapoff02 testcase.
Steve Grubb suggested posting this for informational purposes.

Greetings,
Wilfried

