From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
Kernel Oops is caused by passing a regular file into swapoff system call.

Version-Release number of selected component (if applicable):
kernel-2.4.20-13.9

How reproducible:
Always

Steps to Reproduce:
1. Compile and run the following program:

    #include <stdio.h>
    #include <unistd.h>
    #include <fcntl.h>      /* creat() */
    #include <sys/stat.h>
    #include <sys/swap.h>   /* swapoff() */
    #include <errno.h>

    int main(void)
    {
        int fd;
        int ret;

        /* swapoff() is a privileged call, so the test only makes sense as root */
        if (geteuid() != 0) {
            puts("Must be super/root for this test!");
            return 1;
        }

        /* Create a regular file that is not a swap area; creat() returns -1 on failure */
        fd = creat("./abcd", S_IRWXU);
        if (fd == -1) {
            printf("Unable to setup abcd\n");
            return 1;
        }
        close(fd);

        /* swapoff() on a file that is not in use as swap should fail with EINVAL */
        ret = swapoff("./abcd");
        if (ret == -1 && errno != EINVAL) {
            printf("%d returned instead of EINVAL.\n", errno);
            return 1;
        }

        unlink("./abcd");
        return 0;
    }

Actual Results:

    May 25 12:59:58 dds kernel: <1>Unable to handle kernel NULL pointer dereference at virtual address 0000026e
    May 25 12:59:58 dds kernel: printing eip:
    May 25 12:59:58 dds kernel: c0149985
    May 25 12:59:58 dds kernel: *pde = 00000000
    May 25 12:59:58 dds kernel: Oops: 0002
    May 25 12:59:58 dds kernel: parport_pc lp parport 3c59x ipv6 ipt_LOG ipt_state iptable_nat ip_conntrack iptable_filter ip_tables ide-scsi scsi_mod ide-cd cdrom loop lvm-mod keybdev mouse
    May 25 12:59:58 dds kernel: CPU: 0
    May 25 12:59:58 dds kernel: EIP: 0060:[<c0149985>] Not tainted
    May 25 12:59:58 dds kernel: EFLAGS: 00010202
    May 25 12:59:58 dds kernel:
    May 25 12:59:58 dds kernel: EIP is at path_release [kernel] 0x15 (2.4.20-13.9)
    May 25 12:59:58 dds kernel: eax: c1ac6f84 ebx: c2e5ff90 ecx: ffffffff edx: 00000246
    May 25 12:59:58 dds kernel: esi: 00000002 edi: ffffffea ebp: c0c3cbe0 esp: c2e5ff84
    May 25 12:59:58 dds kernel: ds: 0068 es: 0068 ss: 0068
    May 25 12:59:58 dds kernel: Process sigtest (pid: 1900, stackpage=c2e5f000)
    May 25 12:59:58 dds kernel: Stack: c037ae88 c013a831 c2e5ff90 c1ac6f84 00000246 00000003 c013f2f0 c1ac6f84
    May 25 12:59:58 dds kernel: cf814000 c2e5e000 00000004 c2e5e000 40012820 bffff624 bffff5c8 c0109103
    May 25 12:59:58 dds kernel: 080484e8 000001c0 4014e9a0 40012820 bffff624 bffff5c8 00000073 0000002b
    May 25 12:59:58 dds kernel: Call Trace: [<c013a831>] sys_swapoff [kernel] 0x191 (0xc2e5ff88))
    May 25 12:59:58 dds kernel: [<c013f2f0>] sys_open [kernel] 0x70 (0xc2e5ff9c))
    May 25 12:59:58 dds kernel: [<c0109103>] system_call [kernel] 0x33 (0xc2e5ffc0))
    May 25 12:59:58 dds kernel:
    May 25 12:59:58 dds kernel:
    May 25 12:59:58 dds kernel: Code: ff 4a 28 0f 94 c0 84 c0 75 02 5b c3 89 54 24 08 5b e9 65 c3

Expected Results:
No output from program.

Additional info:
I'm classifying this as a high severity since it's a kernel Oops which may upset the internal state of the kernel. You have to be superuser to call swapoff so it's not likely to be a security risk. Hopefully, being easy to reproduce, it will be a quick fix.
Some more info...I have another machine running RH 8.0. The 2.4.18-24.8.0 kernel does not have this problem. I upgraded that machine to the 5-13-2003 released kernel (2.4.20-13.8) and now the RH 8.0 machine also dies when running the above program. The RH 8.0 machine also reports that the init process was attempted to be killed and then locks up with flashing caps lock & scroll lock lights. The machine must be powered off, which is a much more severe reaction. The information in the logs is almost identical to what I posted for the RH 9 system. The filesystem is ext3 on IDE hdd & the cpu is K6-2 if this helps.
This bug has already been fixed upstream. I thought the fix was in the current errata. Do you still see it there?
I'm using the kernel-2.4.20-18.9 package and now see 2 separate Oops. The following is copied straight from /var/log/messages:

    Jun 5 15:58:40 dds kernel: Unable to handle kernel paging request at virtual address 0020026e
    Jun 5 15:58:40 dds kernel: printing eip:
    Jun 5 15:58:40 dds kernel: c0149985
    Jun 5 15:58:40 dds kernel: *pde = 00000000
    Jun 5 15:58:40 dds kernel: Oops: 0002
    Jun 5 15:58:40 dds kernel: ppp_deflate zlib_deflate ppp_async ppp_generic slhc sd_mod sr_mod parport_pc lp parport 3c59x ipv6 ipt_LOG ipt_state iptable_nat ip_conntrack iptable_filter i
    Jun 5 15:58:40 dds kernel: CPU: 0
    Jun 5 15:58:40 dds kernel: EIP: 0060:[<c0149985>] Not tainted
    Jun 5 15:58:40 dds kernel: EFLAGS: 00210202
    Jun 5 15:58:40 dds kernel:
    Jun 5 15:58:40 dds kernel: EIP is at path_release [kernel] 0x15 (2.4.20-18.9)
    Jun 5 15:58:40 dds kernel: eax: c1ac6f84 ebx: ce261f90 ecx: ffffffff edx: 00200246
    Jun 5 15:58:40 dds kernel: esi: 00000001 edi: ffffffea ebp: c503f4e0 esp: ce261f84
    Jun 5 15:58:40 dds kernel: ds: 0068 es: 0068 ss: 0068
    Jun 5 15:58:40 dds kernel: Process sigtest (pid: 3253, stackpage=ce261000)
    Jun 5 15:58:40 dds kernel: Stack: c037ae54 c013a831 ce261f90 c1ac6f84 00200246 00000003 c013f2f0 c1ac6f84
    Jun 5 15:58:40 dds kernel: c1a61000 ce260000 00000004 ce260000 40012820 bfffe114 bfffe0b8 c0109103
    Jun 5 15:58:41 dds kernel: 08048620 000001c0 4014d9a0 40012820 bfffe114 bfffe0b8 00000073 0000002b
    Jun 5 15:58:41 dds kernel: Call Trace: [<c013a831>] sys_swapoff [kernel] 0x191 (0xce261f88))
    Jun 5 15:58:41 dds kernel: [<c013f2f0>] sys_open [kernel] 0x70 (0xce261f9c))
    Jun 5 15:58:41 dds kernel: [<c0109103>] system_call [kernel] 0x33 (0xce261fc0))
    Jun 5 15:58:41 dds kernel:
    Jun 5 15:58:41 dds kernel:
    Jun 5 15:58:41 dds kernel: Code: ff 4a 28 0f 94 c0 84 c0 75 02 5b c3 89 54 24 08 5b e9 65 c3
    Jun 5 15:58:41 dds kernel: <1>Unable to handle kernel paging request at virtual address 84ac6f87
    Jun 5 15:58:41 dds kernel: printing eip:
    Jun 5 15:58:41 dds kernel: c0134973
    Jun 5 15:58:41 dds kernel: *pde = 00000000
    Jun 5 15:58:41 dds kernel: Oops: 0002
    Jun 5 15:58:41 dds kernel: ppp_deflate zlib_deflate ppp_async ppp_generic slhc sd_mod sr_mod parport_pc lp parport 3c59x ipv6 ipt_LOG ipt_state iptable_nat ip_conntrack iptable_filter i
    Jun 5 15:58:41 dds kernel: CPU: 0
    Jun 5 15:58:41 dds kernel: EIP: 0060:[<c0134973>] Not tainted
    Jun 5 15:58:41 dds kernel: EFLAGS: 00210056
    Jun 5 15:58:41 dds kernel:
    Jun 5 15:58:41 dds kernel: EIP is at __kmem_cache_alloc [kernel] 0x73 (2.4.20-18.9)
    Jun 5 15:58:41 dds kernel: eax: 84ac6f83 ebx: c1a61000 ecx: c1ac1f20 edx: c1ac6f8c
    Jun 5 15:58:41 dds kernel: esi: c1ac6f84 edi: 00200246 ebp: c1a61000 esp: c8caff40
    Jun 5 15:58:41 dds kernel: ds: 0068 es: 0068 ss: 0068
    Jun 5 15:58:41 dds kernel: Process gnome-terminal (pid: 1119, stackpage=c8caf000)
    Jun 5 15:58:41 dds kernel: Stack: 08315590 fffffff4 c8caff90 00000008 c013432f c1ac6f84 000001f0 c014972d
    Jun 5 15:58:41 dds kernel: c1ac6f84 000001f0 c8cae000 bfffcd70 c8caff90 c014a5ee 08315590 c8cae000
    Jun 5 15:58:41 dds kernel: bfffcd70 00001000 c8caff90 c0146aa6 bfffdda8 00000000 c011e9a2 bfffdda8
    Jun 5 15:58:41 dds kernel: Call Trace: [<c013432f>] kmem_cache_alloc [kernel] 0xf (0xc8caff50))
    Jun 5 15:58:41 dds kernel: [<c014972d>] getname [kernel] 0x1d (0xc8caff5c))
    Jun 5 15:58:41 dds kernel: [<c014a5ee>] __user_walk [kernel] 0xe (0xc8caff74))
    Jun 5 15:58:41 dds kernel: [<c0146aa6>] sys_readlink [kernel] 0x26 (0xc8caff8c))
    Jun 5 15:58:41 dds kernel: [<c011e9a2>] sys_gettimeofday [kernel] 0x22 (0xc8caff98))
    Jun 5 15:58:41 dds kernel: [<c0109103>] system_call [kernel] 0x33 (0xc8caffc0))
    Jun 5 15:58:41 dds kernel:
    Jun 5 15:58:41 dds kernel:
    Jun 5 15:58:41 dds kernel: Code: 89 48 04 89 71 04 eb d9 8d 46 10 8b 4e 10 39 c1 74 20 8b 41

I also see a whole bunch of errors trying to unmount partitions as the machine shuts down. It reports them as busy. kernel-2.4.20-13.9 only creates 1 Oops...so the new kernel does *something* different.
It should also be noted that the program I listed at the top does an immediate unconditional Oops on every 2.4.20 kernel I've tried, be it RH 7.3, 8.0 or 9. However, 2.4.18 on RH 7.3 or 8.0 do not seem to Oops. If you can point me to a src rpm that you think is fixed, I'd be more than happy to try it.
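Added example, not part of the original report or of any kernel tooling: a Python sketch that triages the oops text quoted in this thread by decoding the page-fault error code and checking whether the first instruction in the `Code:` line accounts for the faulting address. It assumes the 2.4 i386 oops layout shown above, that the `Code:` bytes begin at the faulting instruction, and the default 0xC0000000 kernel base; all function names are hypothetical.

```python
import errno
import re

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # ModRM r/m encoding order
# Lines excerpted from the first (2.4.20-13.9) oops in this report, syslog prefix dropped.
OOPS_SWAPOFF = """\
Unable to handle kernel NULL pointer dereference at virtual address 0000026e
Oops: 0002
EIP is at path_release [kernel] 0x15 (2.4.20-13.9)
eax: c1ac6f84 ebx: c2e5ff90 ecx: ffffffff edx: 00000246
esi: 00000002 edi: ffffffea ebp: c0c3cbe0 esp: c2e5ff84
Code: ff 4a 28 0f 94 c0 84 c0 75 02 5b c3 89 54 24 08 5b e9 65 c3
"""

def parse_oops(text):
    """Extract the triage-relevant fields from a 2.4-style i386 oops."""
    grab = lambda pattern: re.search(pattern, text).group(1)
    return {
        "fault_addr": int(grab(r"virtual address ([0-9a-f]{8})"), 16),
        "error_code": int(grab(r"Oops: ([0-9a-f]{4})"), 16),
        "function": grab(r"EIP is at (\S+)"),
        "regs": {r: int(v, 16) for r, v in re.findall(r"\b(e[a-z]{2}): ([0-9a-f]{8})", text)},
        "code": bytes.fromhex(grab(r"Code: ((?:[0-9a-f]{2} ?)+)")),
    }

def disp8_operand(code):
    """Decode '<opcode> <ModRM> <disp8>' (mod=01, no SIB) into (base register, displacement)."""
    mod, rm = code[1] >> 6, code[1] & 7
    if mod != 1 or rm == 4:
        raise ValueError("addressing form not handled by this sketch")
    return REG32[rm], (code[2] - 256 if code[2] & 0x80 else code[2])

def as_errno(value):
    """Name the errno when a register holds -errno; -1 is skipped as a common sentinel."""
    return errno.errorcode.get((1 << 32) - value) if 0xFFFFF001 <= value < 0xFFFFFFFF else None

def triage(text):
    o = parse_oops(text)
    base, disp = disp8_operand(o["code"])
    ec = o["error_code"]  # i386 page-fault bits: 0 = page present, 1 = write, 2 = user mode
    return {
        "function": o["function"],
        "fault": {"present": bool(ec & 1), "write": bool(ec & 2), "user": bool(ec & 4)},
        "operand": f"{disp:#x}(%{base})",
        "operand_explains_fault": (o["regs"][base] + disp) & 0xFFFFFFFF == o["fault_addr"],
        "base_is_kernel_address": o["regs"][base] >= 0xC0000000,  # assumption: 3G/1G split
        "errno_in_regs": {r: as_errno(v) for r, v in o["regs"].items() if as_errno(v)},
    }
if __name__ == "__main__":
    print(triage(OOPS_SWAPOFF))
```

For the 2.4.20-13.9 oops this reports a kernel-mode write through `0x28(%edx)` with edx holding 0x246, which is not a kernel address, and edi holding the bit pattern of -EINVAL.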
Ok this all fits. Arjan - you need to pull the sys_swapoff fix from current 2.4.21rc, that should sort it out.
Created attachment 92352
fix LTP swapoff02 testcase crashes

This patch fixes a bug in the match-dentry patch. It is only an experimental workaround for fixing the swapoff02 testcase. Steve Grubb suggested to post this for informational purposes.

Greetings,
Wilfried