OOPS: found a fatal bug in Redhat Enterprise Server 3 Update 9 <2.4.21-50.EL> on x86_64, who can help to fix it

From: Gang He
Date: Thu Apr 10 2008 - 03:27:48 EST


Hi all,

I found a fatal bug in Redhat Enterprise Server 3 Update 9
<2.4.21-50.EL> on x86_64 when I used the "wait_queue_head_t" data
structure. The same program works very well on i386, but porting it to
x86_64 crashes the Linux kernel. Who can help to take a look at
it? Thanks.
All source code is as follows:
ghe.c - kernel module source file
mk.sh - command lines to compile all source files
read.c - read operation
write.c - write operation
rhel3u9-64bit.txt - oops output

Reproduce bug:
1) run "./mk.sh" to compile all source files
2) run "insmod ghe.o" to insert kernel module to kernel
3) run "mknod /dev/ghe xxx" to create char device file
4) run "./devread" to read data from /dev/ghe
5) run "./devwrite" to write data to /dev/ghe; the bug will occur.


Thanks
Gang

Attachment: ghe.c
Description: Binary data

Attachment: mk.sh
Description: Bourne shell script

Attachment: read.c
Description: Binary data

Attachment: write.c
Description: Binary data

ghe_read: file: 0000010039860c80 buf: 0000007fbfffb7f0 sz: 128 *ppos: 0
No data to read, waiting ...
ghe_open: inode: 72997, file: 0000010039860380
ghe_write: file: 0000010039860380 buf: 0000007fbfffc820 sz: 1 *ppos: 0
Wakeup read user ...

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
printing rip:
ffffffff8012199b
PML4 39435067 PGD 3961d067 PMD 0
Oops: 0000
CPU 0
Pid: 1583, comm: devwrite Not tainted
RIP: 0010:[<ffffffff8012199b>]{__wake_up+91}
RSP: 0018:0000010039653ed8 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 000001003cb71580 RCX: 0000010039652000
RDX: 0000000000000000 RSI: 0000000000000073 RDI: 0000000000000000
RBP: 0000010039653f18 R08: ffffffffffffffff R09: 0000000000000001
R10: ffffffff805f2040 R11: 0000000000000000 R12: 0000000000000001
R13: 000001003cb71500 R14: 000001003cb71588 R15: 000001003cb71580
FS: 0000002a958c94c0(0000) GS:ffffffff805eb3c0(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000000 CR3: 0000000000101000 CR4: 00000000000006e0

Call Trace: [<ffffffff801219af>]{__wake_up+111} [<ffffffffa01023f4>]{:ghe:ghe_write+244}
[<ffffffff80161b52>]{sys_write+178} [<ffffffff801102f7>]{system_call+119}

Process devwrite (pid: 1583, stackpage=10039653000)
Stack: 0000010039653ed8 0000000000000018 ffffffff801219af 0000000000000002
00000001805f2088 0000000000000202 0000000000000001 0000000000000001
00000100398603b8 0000007fbfffc820 0000000000000000 0000000000000001
ffffffffa01023f4 0000000000000001 0000010039860380 ffffffffffffffea
0000007fbfffc820 0000000000000000 ffffffff80161b52 0000000000000000
0000002a9566b020 0000007fbfffcc40 0000000000400670 0000000000000000
ffffffff801102f7 0000000000000246 0000002a9568baa0 0000000000000000
fefefefefefefeff 0000000000000001 0000000000000031 0000000000000001
0000007fbfffc820 0000000000000003 0000000000000001 0000002a957501d2
0000000000000033 0000000000010202 0000007fbfffc808 000000000000002b
Call Trace: [<ffffffff801219af>]{__wake_up+111} [<ffffffffa01023f4>]{:ghe:ghe_write+244}
[<ffffffff80161b52>]{sys_write+178} [<ffffffff801102f7>]{system_call+119}

Code: 48 8b 07 85 45 cc 74 1b 8b 75 cc 31 c9 31 d2 e8 71 e1 ff ff

Kernel panic: Fatal exception
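The register dump above already answers most of the "why x86_64 and not i386" question: on x86_64 the first six integer arguments are passed in RDI, RSI, RDX, RCX, R8 and R9 (i386 passes them on the stack), the fault is inside __wake_up, whose first parameter is the wait_queue_head_t pointer, and RDI is 0 at the fault. The following triage script is an added example, not part of the original report or of the attached module; it parses the 2.4-era x86_64 oops text quoted above (copied verbatim into OOPS_TEXT) and relates the zeroed argument registers and the call trace to the faulting function. The field names in the returned dicts are this example's own choice.

```python
import re

# Oops text copied from the report above (only the lines the parser consumes).
OOPS_TEXT = """\
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
printing rip:
ffffffff8012199b
Oops: 0000
CPU 0
Pid: 1583, comm: devwrite Not tainted
RIP: 0010:[<ffffffff8012199b>]{__wake_up+91}
RSP: 0018:0000010039653ed8 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 000001003cb71580 RCX: 0000010039652000
RDX: 0000000000000000 RSI: 0000000000000073 RDI: 0000000000000000
RBP: 0000010039653f18 R08: ffffffffffffffff R09: 0000000000000001
R10: ffffffff805f2040 R11: 0000000000000000 R12: 0000000000000001
R13: 000001003cb71500 R14: 000001003cb71588 R15: 000001003cb71580
CR2: 0000000000000000 CR3: 0000000000101000 CR4: 00000000000006e0
Call Trace: [<ffffffff801219af>]{__wake_up+111} [<ffffffffa01023f4>]{:ghe:ghe_write+244}
[<ffffffff80161b52>]{sys_write+178} [<ffffffff801102f7>]{system_call+119}
"""

# Integer argument registers in x86_64 System V order. i386 passes arguments on
# the stack, so a NULL argument never shows up as a zero register on that build.
X86_64_ARG_REGS = ["RDI", "RSI", "RDX", "RCX", "R8", "R9"]

REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|CR[0-4]):\s*([0-9a-f]{16})\b")
FRAME_RE = re.compile(r"\[<([0-9a-f]{16})>\]\{([^}]+)\}")
FAULT_RE = re.compile(r"virtual address ([0-9a-f]+)")
PID_RE = re.compile(r"Pid:\s*(\d+),\s*comm:\s*(\S+)")
CODE_RE = re.compile(r"^Oops:\s*([0-9a-f]{4})", re.M)


def parse_frame(addr, body):
    """Turn '[<addr>]{[:module:]symbol+offset}' into a dict."""
    sym, off = body.rsplit("+", 1)
    module = None
    if sym.startswith(":"):            # 2.4 x86_64 style ':module:symbol'
        _, module, sym = sym.split(":", 2)
    return {"addr": int(addr, 16), "module": module, "symbol": sym, "offset": int(off)}


def parse_oops(text):
    """Extract the fields a triage needs from a 2.4-era x86_64 oops dump."""
    regs = {}
    for name, val in REG_RE.findall(text):
        if name[0] == "R" and name[1] == "0":   # normalise R08/R09 to R8/R9
            name = "R" + name[2]
        regs[name] = int(val, 16)
    frames = [parse_frame(a, b) for a, b in FRAME_RE.findall(text)]
    rip_line = next(l for l in text.splitlines() if l.startswith("RIP:"))
    rip = parse_frame(*FRAME_RE.search(rip_line).groups())
    trace = [f for f in frames if f["addr"] != rip["addr"]]
    pid, comm = PID_RE.search(text).groups()
    code = int(CODE_RE.search(text).group(1), 16)
    return {
        "fault_address": int(FAULT_RE.search(text).group(1), 16),
        # x86 page-fault error code bits: 0 = page present, 1 = write, 2 = user mode
        "fault": {"present": bool(code & 1), "write": bool(code & 2), "user": bool(code & 4)},
        "pid": int(pid), "comm": comm, "rip": rip, "regs": regs, "call_trace": trace,
    }


def triage(oops):
    """Relate the fault to the x86_64 calling convention and the call trace."""
    regs, rip = oops["regs"], oops["rip"]
    null_args = [(i + 1, r) for i, r in enumerate(X86_64_ARG_REGS) if regs.get(r) == 0]
    # First frame not inside the faulting function is the caller that handed over the value.
    caller = next((f for f in oops["call_trace"] if f["symbol"] != rip["symbol"]), None)
    notes = []
    if oops["fault_address"] == 0 and not oops["fault"]["user"]:
        kind = "write" if oops["fault"]["write"] else "read"
        notes.append(f"kernel-mode {kind} through a NULL pointer in {rip['symbol']}+{rip['offset']}")
    for pos, reg in null_args:
        notes.append(f"argument {pos} ({reg}) is zero at the fault")
    if caller:
        where = f"{caller['module']}:{caller['symbol']}" if caller["module"] else caller["symbol"]
        notes.append(f"nearest caller outside {rip['symbol']} is {where}+{caller['offset']}")
    return {"faulting_function": rip["symbol"], "null_args": null_args, "caller": caller, "notes": notes}


if __name__ == "__main__":
    for line in triage(parse_oops(OOPS_TEXT))["notes"]:
        print(line)
```

The register values are those at the instant of the fault, not at function entry, so the argument mapping is only trustworthy when the Code bytes confirm the register is being used as a pointer; here they do, since the dump's Code line begins 48 8b 07, which is mov (%rdi),%rax. RDX is also zero, but that is the third argument (an integer count), so the script reports it as "zero" rather than as a pointer problem. The useful output is that ghe_write in module ghe called __wake_up with a NULL wait_queue_head_t pointer, which narrows the search to how that pointer is stored and initialised in the module rather than to the wait queue code itself.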