cc linux-fsdevel@xxxxxxxxxxxxxxx linux-kernel@xxxxxxxxxxxxxxx

ditang chen <ditang.c@xxxxxxxxx> wrote on Sun, Dec 4, 2022 at 23:46:
>
> Thank you for your reply ~~
>
> In the second step, it's easier to reproduce using the following script:
> # cat /opt/ltp/testcases/bin/fs_bind24.sh
> #!/bin/sh
> FS_BIND_TESTFUNC=test
>
> test()
> {
>     tst_res TINFO "bind: shared child to shared parent"
>
>     fs_bind_makedir rshared dir1
>     mkdir dir1/1 dir1/1/2 dir1/1/2/3 dir1/1/2/fs_bind_check dir2 dir3 dir4
>     touch dir4/ls
>
>     EXPECT_PASS mount --bind dir1/1/2 dir2
>     EXPECT_PASS mount --make-rslave dir1
>     EXPECT_PASS mount --make-rshared dir1
>
>     EXPECT_PASS mount --bind dir1/1/2/3 dir3
>     EXPECT_PASS mount --make-rslave dir1
>
>     while true
>     do
>         EXPECT_PASS mount --bind dir4 dir2/fs_bind_check
>         EXPECT_PASS umount dir2/fs_bind_check
>     done
>
>     fs_bind_check dir1/1/2/fs_bind_check/ dir4
>
>     EXPECT_PASS umount dir2/fs_bind_check
>     EXPECT_PASS umount dir3
>     EXPECT_PASS umount dir2
>     EXPECT_PASS umount dir1
> }
>
> . fs_bind_lib.sh
> tst_run
>
> And then, run netns.sh while running fs_bind:
> # /opt/ltp/runltp -f fs_bind
>
> Here is a reproducer in 6.1.0-rc7:
> [ 115.848393] BUG: kernel NULL pointer dereference, address: 0000000000000010
> [ 115.848967] #PF: supervisor read access in kernel mode
> [ 115.849386] #PF: error_code(0x0000) - not-present page
> [ 115.849803] PGD 0 P4D 0
> [ 115.850012] Oops: 0000 [#1] PREEMPT SMP PTI
> [ 115.850354] CPU: 0 PID: 15591 Comm: mount Not tainted 6.1.0-rc7 #3
> [ 115.850851] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
> VirtualBox 12/01/2006
> [ 115.851510] RIP: 0010:propagate_one.part.0+0x7f/0x1a0
> [ 115.851924] Code: 75 eb 4c 8b 05 c2 25 37 02 4c 89 ca 48 8b 4a 10
> 49 39 d0 74 1e 48 3b 81 e0 00 00 00 74 26 48 8b 92 e0 00 00 00 be 01
> 00 00 00 <48> 8b 4a 10 49 39 d0 75 e2 40 84 f6 74 38 4c 89 05 84 25 37
> 02 4d
> [ 115.853441] RSP: 0018:ffffb8d5443d7d50 EFLAGS: 00010282
> [ 115.853865] RAX: ffff8e4d87c41c80 RBX: ffff8e4d88ded780 RCX: ffff8e4da4333a00
> [ 115.854458] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8e4d88ded780
> [ 115.855044] RBP: ffff8e4d88ded780 R08: ffff8e4da4338000 R09: ffff8e4da43388c0
> [ 115.855693] R10: 0000000000000002 R11: ffffb8d540158000 R12: ffffb8d5443d7da8
> [ 115.856304] R13: ffff8e4d88ded780 R14: 0000000000000000 R15: 0000000000000000
> [ 115.856859] FS: 00007f92c90c9800(0000) GS:ffff8e4dfdc00000(0000)
> knlGS:0000000000000000
> [ 115.857531] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 115.858006] CR2: 0000000000000010 CR3: 0000000022f4c002 CR4: 00000000000706f0
> [ 115.858598] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 115.859393] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 115.860099] Call Trace:
> [ 115.860358] <TASK>
> [ 115.860535] propagate_mnt+0x14d/0x190
> [ 115.860848] attach_recursive_mnt+0x274/0x3e0
> [ 115.861212] path_mount+0x8c8/0xa60
> [ 115.861503] __x64_sys_mount+0xf6/0x140
> [ 115.861819] do_syscall_64+0x5b/0x80
> [ 115.862117] ? do_faccessat+0x123/0x250
> [ 115.862435] ? syscall_exit_to_user_mode+0x17/0x40
> [ 115.862826] ? do_syscall_64+0x67/0x80
> [ 115.863133] ? syscall_exit_to_user_mode+0x17/0x40
> [ 115.863527] ? do_syscall_64+0x67/0x80
> [ 115.863835] ? do_syscall_64+0x67/0x80
> [ 115.864144] ? do_syscall_64+0x67/0x80
> [ 115.864452] ? exc_page_fault+0x70/0x170
> [ 115.864775] entry_SYSCALL_64_after_hwframe+0x63/0xcd
> [ 115.865187] RIP: 0033:0x7f92c92b0ebe
> [ 115.865480] Code: 48 8b 0d 75 4f 0c 00 f7 d8 64 89 01 48 83 c8 ff
> c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00
> 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 42 4f 0c 00 f7 d8 64 89
> 01 48
> [ 115.866984] RSP: 002b:00007fff000aa728 EFLAGS: 00000246 ORIG_RAX:
> 00000000000000a5
> [ 115.867607] RAX: ffffffffffffffda RBX: 000055a77888d6b0 RCX: 00007f92c92b0ebe
> [ 115.868240] RDX: 000055a77888d8e0 RSI: 000055a77888e6e0 RDI: 000055a77888e620
> [ 115.868823] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
> [ 115.869403] R10: 0000000000001000 R11: 0000000000000246 R12: 000055a77888e620
> [ 115.869994] R13: 000055a77888d8e0 R14: 00000000ffffffff R15: 00007f92c93e4076
> [ 115.870581] </TASK>
> [ 115.870763] Modules linked in: nft_fib_inet nft_fib_ipv4
> nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6
> nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6
> nf_defrag_ipv4 ip_set rfkill nf_tables nfnetlink qrtr snd_intel8x0
> sunrpc snd_ac97_codec ac97_bus snd_pcm snd_timer intel_rapl_msr
> intel_rapl_common snd vboxguest intel_powerclamp video rapl joydev
> soundcore i2c_piix4 wmi fuse zram xfs vmwgfx crct10dif_pclmul
> crc32_pclmul crc32c_intel polyval_clmulni polyval_generic
> drm_ttm_helper ttm e1000 ghash_clmulni_intel serio_raw ata_generic
> pata_acpi scsi_dh_rdac scsi_dh_emc scsi_dh_alua dm_multipath
> [ 115.875288] CR2: 0000000000000010
> [ 115.875641] ---[ end trace 0000000000000000 ]---
> [ 115.876135] RIP: 0010:propagate_one.part.0+0x7f/0x1a0
> [ 115.876551] Code: 75 eb 4c 8b 05 c2 25 37 02 4c 89 ca 48 8b 4a 10
> 49 39 d0 74 1e 48 3b 81 e0 00 00 00 74 26 48 8b 92 e0 00 00 00 be 01
> 00 00 00 <48> 8b 4a 10 49 39 d0 75 e2 40 84 f6 74 38 4c 89 05 84 25 37
> 02 4d
> [ 115.878086] RSP: 0018:ffffb8d5443d7d50 EFLAGS: 00010282
> [ 115.878511] RAX: ffff8e4d87c41c80 RBX: ffff8e4d88ded780 RCX: ffff8e4da4333a00
> [ 115.879128] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8e4d88ded780
> [ 115.879715] RBP: ffff8e4d88ded780 R08: ffff8e4da4338000 R09: ffff8e4da43388c0
> [ 115.880359] R10: 0000000000000002 R11: ffffb8d540158000 R12: ffffb8d5443d7da8
> [ 115.880962] R13: ffff8e4d88ded780 R14: 0000000000000000 R15: 0000000000000000
> [ 115.881548] FS: 00007f92c90c9800(0000) GS:ffff8e4dfdc00000(0000)
> knlGS:0000000000000000
> [ 115.882234] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 115.882713] CR2: 0000000000000010 CR3: 0000000022f4c002 CR4: 00000000000706f0
> [ 115.883314] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 115.883966] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
> Best regards,
> --
>
>
> Christian Brauner <brauner@xxxxxxxxxx> wrote on Tue, Nov 29, 2022 at 18:25:
> >
> >
> > On Tue, Nov 15, 2022 at 11:04:01PM +0800, ditang chen wrote:
> > > Here is a reproducer:
> > > 1. Run netns.sh script in loop
> > > # while true; do ./netns.sh; done
> > > # cat netns.sh
> > > #!/bin/bash
> > > num=1000
> > > function create_netns()
> > > {
> > >     for((i=0; i<$num; i++))
> > >     do
> > >         ip netns add local$i
> > >         ip netns exec local$i pwd &
> > >     done
> > > }
> > > function clean_netns()
> > > {
> > >     for((i=0; i<$num; i++))
> > >     do
> > >         ip netns del local$i
> > >     done
> > > }
> > > create_netns
> > > clean_netns
> > >
> > > 2. run fs_bind/fs_bind24 in loop, fs_bind24 only
> > > # cat /opt/ltp/runtest/fs_bind
> > > #DESCRIPTION:Bind mounts and shared subtrees
> > > fs_bind24_sh fs_bind24.sh
> > > # while true; do /opt/ltp/runltp -f fs_bind; done
> > >
> > > This oops also exists in the latest kernel code:
> >
> > I've been running this since yesterday on v6.1-rc7 to reproduce and it
> > didn't trigger. It's unclear whether you're saying that you've managed
> > to reproduce this on mainline. It doesn't seem to be.
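
Added example (not part of the original thread): a small Python triage check that decodes the faulting instruction marked `<48>` in the kernel `Code:` line above and confirms that the effective address it computes from the register dump equals CR2. The sample text is a constructed three-line excerpt of the oops, and the function names are hypothetical.

```python
import re

# Constructed excerpt: three lines taken from the oops above (Code: bytes trimmed).
OOPS = """\
[ 115.851924] Code: 48 8b 92 e0 00 00 00 be 01 00 00 00 <48> 8b 4a 10 49 39 d0 75 e2
[ 115.854458] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8e4d88ded780
[ 115.858006] CR2: 0000000000000010 CR3: 0000000022f4c002 CR4: 00000000000706f0
"""

REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
MASK64 = (1 << 64) - 1


def parse_oops(text):
    """Return (bytes starting at the <xx>-marked faulting byte, register dict)."""
    m = re.search(r"Code:((?:\s+<?[0-9a-f]{2}>?)+)", text)
    if not m:
        raise ValueError("no Code: line found")
    tokens = m.group(1).split()
    start = next(i for i, t in enumerate(tokens) if t.startswith("<"))
    insn = bytes(int(t.strip("<>"), 16) for t in tokens[start:])
    regs = {name.lower(): int(val, 16) for name, val in
            re.findall(r"\b([A-Z][A-Z0-9]{1,2}): ([0-9a-f]{16})\b", text)}
    return insn, regs


def decode_mov_load(insn):
    """Decode only 'REX.W 8b /r' with mod=01: mov r64, [base+disp8]. Else None."""
    if len(insn) < 4 or insn[0] != 0x48 or insn[1] != 0x8B:
        return None
    mod, reg, rm = insn[2] >> 6, (insn[2] >> 3) & 7, insn[2] & 7
    if mod != 1 or rm == 4:          # rm == 4 would mean a SIB byte follows
        return None
    disp = insn[3] - 256 if insn[3] > 127 else insn[3]   # sign-extend disp8
    return REGS64[reg], REGS64[rm], disp


def explain_fault(text):
    """Tie the faulting load to CR2 using the registers saved at fault time."""
    insn, regs = parse_oops(text)
    decoded = decode_mov_load(insn)
    if decoded is None:
        raise ValueError("faulting instruction is not a simple 64-bit load")
    dst, base, disp = decoded
    addr = (regs[base] + disp) & MASK64
    return {"insn": f"mov {dst}, [{base}{disp:+#x}]", "addr": addr,
            "matches_cr2": addr == regs["cr2"], "null_base": regs[base] == 0}
```

For this oops the result shows a read through a NULL base register at offset 0x10, which is consistent with the reported "NULL pointer dereference, address: 0000000000000010".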