* [Bug runtime/20433] New: "NULL pointer dereference" crash on fedora
@ 2016-08-03 14:19 dsmith at redhat dot com
  2016-08-11 16:34 ` [Bug runtime/20433] " dsmith at redhat dot com
  0 siblings, 1 reply; 2+ messages in thread
From: dsmith at redhat dot com @ 2016-08-03 14:19 UTC (permalink / raw)
  To: systemtap

https://sourceware.org/bugzilla/show_bug.cgi?id=20433

            Bug ID: 20433
           Summary: "NULL pointer dereference" crash on fedora
           Product: systemtap
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: runtime
          Assignee: systemtap at sourceware dot org
          Reporter: dsmith at redhat dot com
  Target Milestone: ---

I'm seeing the following crash on fedora 24 and rawhide when doing parallel
testing:

====
[ 8892.057039] NULL pointer dereference at           (null)
[ 8892.057039] IP: [<ffffffff81461a96>] strcmp+0x16/0x30
[ 8892.057039] PGD 0
[ 8892.057039] Oops: 0000 [#14] SMP
[ 8892.057039] Modules linked in:
stap_fb76a125ab551bce12880276c3d71c0d_3132(OE) tun snd_hda_codec_generic
snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep ppdev snd_seq snd_seq_device
snd_pcm snd_timer snd soundcore joydev virtio_net virtio_balloon pvpanic
parport_pc parport i2c_piix4 acpi_cpufreq tpm_tis tpm nfsd auth_rpcgss nfs_acl
lockd grace sunrpc xfs libcrc32c virtio_blk cirrus drm_kms_helper ttm drm
serio_raw virtio_pci ata_generic virtio_ring virtio pata_acpi [last unloaded:
stap_002d24fc7f63d7963b9aadd0778e624b_2961]
[ 8892.057039] CPU: 0 PID: 3567 Comm: avahi-daemon Tainted: G      D    OE  
4.6.4-301.fc24.x86_64+debug #1
[ 8892.057039] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2007
[ 8892.057039] task: ffff8800c7d50000 ti: ffff880119ba0000 task.ti:
ffff880119ba0000
[ 8892.057039] RIP: 0010:[<ffffffff81461a96>]  [<ffffffff81461a96>]
strcmp+0x16/0x30
[ 8892.057039] RSP: 0018:ffff880119ba3bc0  EFLAGS: 00010202
[ 8892.057039] RAX: 000000000000002f RBX: ffff8800ba6bdfe9 RCX:
ffff8800c7d50000
[ 8892.057039] RDX: ffffffffc045cae6 RSI: 0000000000000001 RDI:
ffff8800ba6bdfea
[ 8892.057039] RBP: ffff880119ba3bc0 R08: 0000000000000000 R09:
0000000000000001
[ 8892.057039] R10: 0000000000000def R11: 00007fff29165000 R12:
ffffffffc046b028
[ 8892.057039] R13: 0000565272b79000 R14: ffff8800c7d50000 R15:
ffffffffc0698160
[ 8892.057039] FS:  00007fe6d1525880(0000) GS:ffff88011b200000(0000)
knlGS:0000000000000000
[ 8892.057039] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 8892.057039] CR2: 0000000000000000 CR3: 0000000117711000 CR4:
00000000000006f0
[ 8892.057039] DR0: ffffffff81e78880 DR1: 0000000000000000 DR2:
0000000000000000
[ 8892.057039] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
0000000000000600
[ 8892.057039] Stack:
[ 8892.057039]  ffff880119ba3c00 ffffffffc045f8ae 000000000001e000
ffffffffc0697f90
[ 8892.057039]  ffff8800c7d50000 ffffffffc0697fa0 ffff8800d733d780
ffff8800ba6bdfe9
[ 8892.057039]  ffff880119ba3c58 ffffffffc045fe2a 0000000000000000
0000000008000875
[ 8892.057039] Call Trace:
[ 8892.057039]  [<ffffffffc045f8ae>] _stp_vma_mmap_cb+0xde/0x270
[stap_fb76a125ab551bce12880276c3d71c0d_3132]
[ 8892.057039]  [<ffffffffc045fe2a>]
__stp_call_mmap_callbacks.part.82+0x6a/0xc0
[stap_fb76a125ab551bce12880276c3d71c0d_3132]
[ 8892.057039]  [<ffffffffc04601b0>]
__stp_call_mmap_callbacks_for_task+0x190/0x220
[stap_fb76a125ab551bce12880276c3d71c0d_3132]
[ 8892.057039]  [<ffffffffc0460c46>] __stp_tf_quiesce_worker+0x126/0x140
[stap_fb76a125ab551bce12880276c3d71c0d_3132]
[ 8892.057039]  [<ffffffff810d86ac>] task_work_run+0x8c/0xc0
[ 8892.057039]  [<ffffffff810c6b16>] get_signal+0x936/0x960
[ 8892.057039]  [<ffffffff81035157>] do_signal+0x37/0x720
[ 8892.057039]  [<ffffffff811114bd>] ? trace_hardirqs_on+0xd/0x10
[ 8892.057039]  [<ffffffffc045c7b4>] ? __stp_tf_get_map_entry+0xb4/0xc0
[stap_fb76a125ab551bce12880276c3d71c0d_3132]
[ 8892.057039]  [<ffffffffc0460296>] ?
__stp_utrace_task_finder_target_syscall_exit+0x56/0x340
[stap_fb76a125ab551bce12880276c3d71c0d_3132]
[ 8892.057039]  [<ffffffffc045a89d>] ? start_callback.isra.38+0x8d/0xe0
[stap_fb76a125ab551bce12880276c3d71c0d_3132]
[ 8892.057039]  [<ffffffffc045e7aa>] ? utrace_report_syscall_exit+0x11a/0x130
[stap_fb76a125ab551bce12880276c3d71c0d_3132]
[ 8892.057039]  [<ffffffff81003286>] exit_to_usermode_loop+0x96/0xd0
[ 8892.057039]  [<ffffffff810040f6>] do_syscall_64+0x126/0x190
[ 8892.057039]  [<ffffffff818d02bf>] entry_SYSCALL64_slow_path+0x25/0x25
[ 8892.057039] Code: 01 0f b6 4e ff 48 83 c2 01 84 c9 88 4a ff 75 ed 5d c3 0f
1f 00 55 48 89 e5 eb 04 84 c0 74 18 48 83 c7 01 0f b6 47 ff 48 83 c6 01 <3a> 46
ff 74 eb 19 c0 83 c8 01 5d c3 31 c0 5d c3 66 2e 0f 1f 84
[ 8892.057039] RIP  [<ffffffff81461a96>] strcmp+0x16/0x30
[ 8892.057039]  RSP <ffff880119ba3bc0>
[ 8892.057039] CR2: 0000000000000000
[ 8892.089633] BUG: unable to handle kernel [ 8892.120366] ---[ end trace
d6e2774980c78f0c ]---
====

Tracking down the source line, it appears this crash comes from the following
line in the _stp_vma_mmap_cb() function:

                       if (strcmp(path, _stp_modules[i]->path) == 0)

In this case _stp_modules[i]->path is NULL and causes the crash.

-- 
You are receiving this mail because:
You are the assignee for the bug.


* [Bug runtime/20433] "NULL pointer dereference" crash on fedora
  2016-08-03 14:19 [Bug runtime/20433] New: "NULL pointer dereference" crash on fedora dsmith at redhat dot com
@ 2016-08-11 16:34 ` dsmith at redhat dot com
  0 siblings, 0 replies; 2+ messages in thread
From: dsmith at redhat dot com @ 2016-08-11 16:34 UTC (permalink / raw)
  To: systemtap

https://sourceware.org/bugzilla/show_bug.cgi?id=20433

David Smith <dsmith at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from David Smith <dsmith at redhat dot com> ---
Fix(ish) in commit b91ef70. This fix avoids the kernel crash by adding a new
version of strcmp() that treats NULL pointers as empty strings.

Unfortunately, this crash stopped occurring and I couldn't track down why
stp_modules[i]->path was NULL in the first place.


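The condition the two messages describe (a NULL `_stp_modules[i]->path` reaching strcmp(), and a fix that treats NULL as the empty string), as an added example that is not the systemtap runtime's code or commit b91ef70; the struct, table and function names are hypothetical stand-ins for the runtime's module table:

```c
#include <stddef.h>
#include <string.h>

/* Added example, not the systemtap runtime's code: a strcmp variant that
 * treats a NULL pointer as the empty string, so comparing a module path
 * that was never filled in cannot fault the way strcmp() did in the oops. */
static int strcmp_null_safe(const char *a, const char *b)
{
    if (a == NULL) a = "";
    if (b == NULL) b = "";
    return strcmp(a, b);
}

/* Hypothetical stand-in for the runtime's module table entries. */
struct demo_module {
    const char *name;
    const char *path;   /* may be NULL when the path was never recorded */
};

/* Returns the index of the module whose path equals `path`, or -1.
 * Mirrors the lookup loop in _stp_vma_mmap_cb() in shape only. */
static int find_module_by_path(const struct demo_module *mods, size_t n,
                               const char *path)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp_null_safe(path, mods[i].path) == 0)
            return (int)i;
    }
    return -1;
}

/* Constructed sample table: entry 1 has a NULL path, the condition that
 * triggered the oops with plain strcmp(). */
static const struct demo_module demo_table[] = {
    { "libc",    "/usr/lib64/libc.so.6" },
    { "unknown", NULL },
    { "app",     "/usr/bin/avahi-daemon" },
};
static const size_t demo_table_len = sizeof demo_table / sizeof demo_table[0];

/* Convenience wrapper over the constructed table. */
static int demo_lookup(const char *path)
{
    return find_module_by_path(demo_table, demo_table_len, path);
}
```

Note the trade-off the fix accepts: an entry whose path is NULL now compares equal to an empty-string or NULL query, so the loop can report a match for a path that was never recorded. A caller that can receive such a query should skip NULL-path entries explicitly.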
