tmpfs kernel panic in final /dev/tty close

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Commit 1f55c718c2 ["pty: make sure super_block is still valid in final
/dev/tty close"] addressed a corner case in devpts, but the same
problem can occur in other file systems as well.
I ran into this panic in tmpfs, which I can reproduce using this program
(adapted from Herton's) in both 4.5.5 and 3.18.28.
I am not sure if this affects other file systems as well, or what the
right fix should be.
Any suggestions are appreciated.
Thanks,
Francesco Ruggeri

#define _XOPEN_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

int main(int argc, char **argv)
{
	pid_t pid;
	int ptm_fd, pty_fd, tty_fd;

	system("mkdir -p /mnt/dev");
	system("mount -n -t tmpfs none /mnt/dev");
	system("mknod --mode=0666 /mnt/dev/ptmx c 5 2");
	pid = fork();
	if (pid != 0)
		exit(0);
	daemon(1, 0);
	ptm_fd = open("/mnt/dev/ptmx", O_RDWR);
	unlockpt(ptm_fd);
	pty_fd = open(ptsname(ptm_fd), O_RDWR);
	tty_fd = open("/dev/tty", O_RDWR);
	pid = fork();
	if (pid == 0) {
		ioctl(tty_fd, TIOCNOTTY, NULL);
		setsid();
		sleep(10);
		close(pty_fd);
		close(ptm_fd);
		system("umount /mnt/dev");
		sleep(10);
		exit(0);
	}
	sleep(5);
	close(pty_fd);
	close(ptm_fd);
	return 0;
}

[ 2912.559259] VFS: Busy inodes after unmount of tmpfs. Self-destruct in 5 seconds.  Have a nice day...
[ 2922.561790] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[ 2922.562186] IP: [<ffffffff8110e089>] shmem_free_inode+0x13/0x2f
[ 2922.562606] PGD 0 
[ 2922.562973] Oops: 0000 [#1] SMP 
[ 2922.563347] Modules linked in: ... <snip>
[ 2922.568920] CPU: 1 PID: 4291 Comm: devpts Not tainted 4.5.5-3224969.AroraKernelnextfruggeri.4.fc18.x86_64 #1
[ 2922.570075] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2012
[ 2922.571343] task: ffff8801396b2640 ti: ffff8800ba580000 task.ti: ffff8800ba580000
[ 2922.571993] RIP: 0010:[<ffffffff8110e089>]  [<ffffffff8110e089>] shmem_free_inode+0x13/0x2f
[ 2922.572665] RSP: 0018:ffff8800ba583ca8  EFLAGS: 00010246
[ 2922.573296] RAX: ffff880137e1d6b0 RBX: 0000000000000000 RCX: 0000000000000036
[ 2922.573951] RDX: ffff88013ffebd80 RSI: 000000000000012a RDI: ffff8801390e1800
[ 2922.574616] RBP: ffff8800ba583cb8 R08: 0000000000000001 R09: ffff880035c24000
[ 2922.575290] R10: ffff8800ba583d48 R11: ffff880035c24000 R12: ffff880137e1d540
[ 2922.575948] R13: ffff880137e1d540 R14: ffff880137e1d540 R15: 0000000000000000
[ 2922.576586] FS:  0000000000000000(0000) GS:ffff88013ae20000(0000) knlGS:0000000000000000
[ 2922.577233] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2922.577924] CR2: 0000000000000030 CR3: 0000000001a09000 CR4: 00000000001406e0
[ 2922.578699] Stack:
[ 2922.579402]  0000000000000001 ffff880137e1d558 ffff8800ba583ce8 ffffffff811110ee
[ 2922.580148]  ffff880137e1d558 ffff880137e1d668 ffffffff81612540 ffff880138083600
[ 2922.580907]  ffff8800ba583d18 ffffffff8115ea4a ffff880137e1d658 ffff880137e1d558
[ 2922.581692] Call Trace:
[ 2922.582466]  [<ffffffff811110ee>] shmem_evict_inode+0xe0/0xf1
[ 2922.583266]  [<ffffffff8115ea4a>] evict+0xb9/0x16b
[ 2922.584088]  [<ffffffff8115f3bc>] iput+0x195/0x1bf
[ 2922.584877]  [<ffffffff811adea6>] devpts_del_ref+0x23/0x30
[ 2922.585707]  [<ffffffff81343783>] pty_unix98_shutdown+0x41/0x45
[ 2922.586482]  [<ffffffff8133c3fd>] release_tty+0x51/0xb9
[ 2922.587269]  [<ffffffff8133c8ad>] tty_release+0x448/0x4b1
[ 2922.588007]  [<ffffffff8114b298>] __fput+0xe7/0x18c
[ 2922.588724]  [<ffffffff8114b377>] ____fput+0xe/0x10
[ 2922.589509]  [<ffffffff81065f15>] task_work_run+0x6b/0x82
[ 2922.590192]  [<ffffffff81051581>] do_exit+0x3fa/0x9d7
[ 2922.590890]  [<ffffffff81001471>] ? do_audit_syscall_entry+0x63/0x65
[ 2922.591573]  [<ffffffff81051c4b>] do_group_exit+0x71/0xa7
[ 2922.592224]  [<ffffffff81051c98>] SyS_exit_group+0x17/0x17
[ 2922.592882]  [<ffffffff8153e1ae>] entry_SYSCALL_64_fastpath+0x12/0x71
[ 2922.593501] Code: ff 4c 89 e6 4c 89 ef e8 f0 e2 04 00 5b 41 5c 41 5d 44 89 f0 41 5e 5d c3 0f 1f 44 00 00 55 48 89 e5 53 41 50 48 8b 9f 58 04 00 00 <48> 83 7b 30 00 74 11 48 8d 7b 40 e8 65 fe 42 00 48 ff 43 38 c6 
[ 2922.595397] RIP  [<ffffffff8110e089>] shmem_free_inode+0x13/0x2f
[ 2922.595982]  RSP <ffff8800ba583ca8>
[ 2922.596566] CR2: 0000000000000030
--
To unsubscribe from this list: send the line "unsubscribe linux-serial" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux PPP]     [Linux FS]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Linmodem]     [Device Mapper]     [Linux Kernel for ARM]

  Powered by Linux