[TRACING] NULL pointer dereference shmem_recalc_inode+0x32 from free_trace_uprobe+0x41

From: Pekka Pietikäinen
Date: Thu May 04 2017 - 13:58:27 EST


Trying out latest bcc git, noticing it worked in funny ways and trying out the test suite resulted in some failures followed by a nice null dereference.

This is on Fedora's 4.10.13-200.fc25.x86_64, which for some reason has " ** trace_printk() being used. Allocating extra memory. **
** This means that this is a DEBUG kernel and it is **
** unsafe for production use."

[78764.996871] eth0: renamed from py_call1_c.in
[78765.094079] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[78765.184680] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[78810.283364] VFS: Busy inodes after unmount of tmpfs. Self-destruct in 5 seconds. Have a nice day...
[78811.475428] BUG: unable to handle kernel NULL pointer dereference at (null)
[78811.475478] IP: shmem_recalc_inode+0x32/0xa0
[78811.475496] PGD 0

[78811.475515] Oops: 0000 [#1] SMP
[78811.475529] Modules linked in: cls_bpf xt_nat veth xt_addrtype br_netfilter 8021q garp mrp bridge stp llc cmac bnep xt_socket nf_socket_ipv4 nf_socket_ipv6 xt_mark iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat libcrc32c nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack vfat fat arc4 b43 mac80211 intel_rapl cfg80211 x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm btrfs irqbypass ssb crct10dif_pclmul crc32_pclmul mmc_core btusb ghash_clmulni_intel btrtl btbcm intel_cstate btintel bluetooth snd_hda_codec_hdmi iTCO_wdt iTCO_vendor_support raid1 eeepc_wmi asus_wmi sparse_keymap intel_uncore xor mxm_wmi snd_hda_codec_realtek snd_hda_codec_generic rfkill snd_hda_intel snd_hda_codec intel_rapl_perf snd_hda_core snd_hwdep snd_seq snd_seq_device bcma
[78811.480716] snd_pcm i2c_i801 lpc_ich raid6_pq snd_timer snd mei_me soundcore mei ie31200_edac edac_core shpchp tpm_tis tpm_tis_core wmi tpm nfsd auth_rpcgss nfs_acl lockd grace sunrpc binfmt_misc hid_logitech_hidpp hid_logitech_dj i915 i2c_algo_bit drm_kms_helper crc32c_intel drm r8169 mpt3sas e1000e mii raid_class ptp scsi_transport_sas pps_core fjes video analog gameport joydev
[78811.483642] CPU: 1 PID: 32313 Comm: python Not tainted 4.10.13-200.fc25.x86_64 #1
[78811.485120] Hardware name: System manufacturer System Product Name/P8Z77-V DELUXE, BIOS 2104 08/13/2013
[78811.486631] task: ffff9218c7404b00 task.stack: ffffb65449318000
[78811.488157] RIP: 0010:shmem_recalc_inode+0x32/0xa0
[78811.489679] RSP: 0018:ffffb6544931ba58 EFLAGS: 00010006
[78811.491187] RAX: 0000000000000017 RBX: ffff9218c8418320 RCX: ffffb6544931bb68
[78811.492725] RDX: ffff92190c0a1800 RSI: ffffb6544931ba10 RDI: 0000000000000000
[78811.494269] RBP: ffffb6544931ba68 R08: ffffb6544931bae8 R09: 0000000000000001
[78811.495827] R10: ffffb6544931bb68 R11: 0000000000000000 R12: 0000000000000017
[78811.497411] R13: 0000000000000009 R14: 0000000000000017 R15: 0000000000000000
[78811.498980] FS: 00007f89743b8700(0000) GS:ffff92191fa40000(0000) knlGS:0000000000000000
[78811.500588] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[78811.502213] CR2: 0000000000000000 CR3: 00000002f4650000 CR4: 00000000001406e0
[78811.503866] Call Trace:
[78811.505528] shmem_undo_range+0x639/0xc20
[78811.507201] ? call_rcu_sched+0x1d/0x20
[78811.508895] shmem_truncate_range+0x14/0x40
[78811.510579] shmem_evict_inode+0xb1/0x190
[78811.512290] evict+0xbb/0x1c0
[78811.513986] iput+0x1b0/0x230
[78811.515683] free_trace_uprobe+0x41/0x80
[78811.517373] unregister_trace_uprobe+0x79/0x90
[78811.519057] create_trace_uprobe+0x22e/0x920
[78811.520771] ? path_openat+0x6e5/0x1420
[78811.522452] ? __kmalloc_track_caller+0x120/0x210
[78811.524163] ? __kmalloc+0x168/0x1f0
[78811.525832] ? argv_split+0x8b/0x130
[78811.527513] ? trace_uprobe_register+0x240/0x240
[78811.529193] traceprobe_command+0x72/0x90
[78811.530855] traceprobe_probes_write+0x77/0x140
[78811.532560] ? trace_uprobe_register+0x240/0x240
[78811.534229] probes_write+0x10/0x20
[78811.535921] __vfs_write+0x37/0x160
[78811.537566] ? selinux_file_permission+0xd7/0x110
[78811.539206] ? security_file_permission+0x3b/0xc0
[78811.540845] vfs_write+0xb5/0x1a0
[78811.542446] SyS_write+0x55/0xc0
[78811.544067] entry_SYSCALL_64_fastpath+0x1a/0xa9
[78811.545659] RIP: 0033:0x7f8973be75c0
[78811.547270] RSP: 002b:00007ffde7187868 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[78811.548862] RAX: ffffffffffffffda RBX: 0000556973189830 RCX: 00007f8973be75c0
[78811.550457] RDX: 000000000000002b RSI: 00007ffde7187870 RDI: 0000000000000006
[78811.552077] RBP: 00007ffde71879a0 R08: 0000000000000001 R09: 000000000000002b
[78811.553658] R10: 0000000000000064 R11: 0000000000000246 R12: 0000000000000000
[78811.555320] R13: 0000000000000002 R14: 00007ffde7187aa0 R15: 00007ffde7187ac0
[78811.556909] Code: 89 e5 41 54 53 48 8b 47 a8 48 8b 57 30 49 89 c4 4c 2b 67 b0 4c 2b 62 50 4d 85 e4 7e 30 48 8b 57 28 48 89 fb 48 8b ba 30 04 00 00 <48> 83 3f 00 75 3e 4c 29 e0 48 89 43 a8 4a 8d 04 e5 00 00 00 00
[78811.558629] RIP: shmem_recalc_inode+0x32/0xa0 RSP: ffffb6544931ba58
[78811.560371] CR2: 0000000000000000
[78811.571515] ---[ end trace 6587169c5c1a1a42 ]---