Latest working kernel version: 2.6.18 possibly works, at least could not reproduce on one 2.6.18 machine
Earliest failing kernel version:
Distribution: Debian sid (unstable)
Hardware Environment: x86 qemu
Software Environment: Minimal Debian sid (unstable)
Problem Description:

A BUG() in the VFS code can be hit by a user, even with strict ulimits I believe, by forking new processes, opening the /proc/$pid directories for them and then killing and wait()ing for the processes. A single process can only hold open 1021 or so such directories, so several need to be run in order to do this (15 seems to be enough). The attached program forks 15 processes that all do this.

I'm not actually sure this is anything very /proc related, but this is what I did to trigger the crash.

First, I get "VFS: file-max limit 11682 reached" in the dmesg. Then simply typing ls in the /root directory gives me the BUG(). Here's the dmesg output:

----------
VFS: file-max limit 11682 reached
------------[ cut here ]------------
kernel BUG at fs/inode.c:1156!
invalid opcode: 0000 [#1]
Pid: 661, comm: bash Not tainted (2.6.25.4 #3)
EIP: 0060:[<c026f4b1>] EFLAGS: 00000246 CPU: 0
EIP is at iput+0x67/0x6b
EAX: c054cca0 EBX: c7420000 ECX: 00000001 EDX: 00000000
ESI: c60a6ab0 EDI: ffffffe9 EBP: c7afff58 ESP: c7afff54
DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process bash (pid: 661, ti=c7afe000 task=c7af2ea0 task.ti=c7afe000)
Stack: c7420000 c7afff7c c02631ae c054c880 00000000 00000000 c05c8aa5 080ee9ac
       c7afffa0 bfef1458 c7afff98 c02631e1 c7afffa0 00000000 080ee9ac c7afffa0
       bfef1458 c7afffb0 c0205bb3 c7afffb0 c0207d88 080ee9ac 00000000 c7afe000
Call Trace:
 [<c02631ae>] ? create_write_pipe+0x13d/0x15f
 [<c02631e1>] ? do_pipe+0x11/0xac
 [<c0205bb3>] ? sys_pipe+0x12/0x3b
 [<c0207d88>] ? do_syscall_trace+0x8c/0xf9
 [<c0202cd2>] ? syscall_call+0x7/0xb
 =======================
Code: 00 85 c0 74 23 8b 83 04 01 00 00 8b 40 20 ba 4b 03 27 c0 85 c0 74 0d 8b 50 14 85 d2 b8 4b 03 27 c0 0f 44 d0 89 d8 ff d2 5b 5d c3 <0f> 0b eb fe 55 89 e5 56 53 83 ec 1c 8d 88 0c 02 00 00 8b 15 00
EIP: [<c026f4b1>] iput+0x67/0x6b SS:ESP 0068:c7afff54
---[ end trace 17ba5b2f93203a5e ]---
----------

Steps to reproduce:
1. Compile the attached program dos2.c with gcc dos2.c -o dos2 -O2
2. Run the program on the target computer as a normal user
3. Wait several seconds or more, depending on the speed of your computer, until the VFS error appears in dmesg
4. Type "ls". You should get the BUG().
Created attachment 16418: Test case
hm, well that's pretty sad. Alexey, Oleg: would one of you be able to take a look please?
On 06/06, bugme-daemon@bugzilla.kernel.org wrote:
>
> http://bugzilla.kernel.org/show_bug.cgi?id=10878

Can't reproduce on 2.6.26-rc2 ...

I doubt this is related to the proc management, looks like the pipe inode was killed twice?

Sami, could you try to reproduce this BUG with another test? Say, just open "/dev/null" until "VFS: file-max limit %d reached", and then ls. For example,

	$ su -c 'echo 512 >> /proc/sys/fs/file-max'
	$
	$ perl -le 'for (;;) { open my $fd, "</dev/null" or last; push @_, $fd; } print 0+@_," $!"; sleep;'

and, on another console

	$ ls

Oleg.
On 06/07, Oleg Nesterov wrote:
>
> On 06/06, bugme-daemon@bugzilla.kernel.org wrote:
> >
> > http://bugzilla.kernel.org/show_bug.cgi?id=10878
>
> Can't reproduce on 2.6.26-rc2 ...
>
> I doubt this is related to the proc management, looks like
> the pipe inode was killed twice?

Aha. Could you re-test with this

	[PATCH] double-free of inode on alloc_file() failure exit in create_write_pipe()
	http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ed1524371716466e9c762808b02601d0d0276a92

patch? It looks very promising...

Oleg.
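The patch title above names the bug class: on the alloc_file() failure exit, dput() already drops the inode reference the dentry held, and falling through into the inode cleanup puts it a second time, which is exactly the iput() BUG() in the trace. The user-space model below is an added example, not the kernel's code or the actual patch; model_inode, model_dentry, build_pipe and double_puts are hypothetical names, and "return after dput()" is assumed as the shape of the fix.

```c
/* Added example, not kernel code: a user-space model of an error unwind that
 * releases an inode reference twice. The names here are hypothetical stand-ins
 * for the VFS objects; the fix shape (return right after dput) is an assumption. */
#include <stdbool.h>
#include <stdlib.h>

struct model_inode  { int refs; bool freed; };
struct model_dentry { struct model_inode *inode; };

/* Stands in for the BUG() in iput(): counts puts on an already-released inode. */
static int double_puts;

static void iput(struct model_inode *in) {
    if (in->freed) { double_puts++; return; }   /* the fs/inode.c BUG() case */
    if (--in->refs == 0) in->freed = true;
}

/* As in the VFS, dropping the last dentry reference drops the inode it held. */
static void dput(struct model_dentry *d) { iput(d->inode); free(d); }

static struct model_dentry *d_alloc(struct model_inode *in) {
    struct model_dentry *d = malloc(sizeof *d);
    d->inode = in;                  /* dentry takes over the inode reference */
    return d;
}

/* Mirrors the unwind order of a create_write_pipe()-style constructor. The
 * alloc_file() failure is simulated by a flag. Returns the number of puts that
 * landed on an already-released inode (0 is correct, 1 is the double free). */
static int build_pipe(bool alloc_file_fails, bool fixed) {
    struct model_inode inode = { .refs = 1, .freed = false };
    struct model_dentry *dentry = d_alloc(&inode);
    double_puts = 0;
    if (alloc_file_fails) goto err_dentry;
    dput(dentry);                   /* success: stands in for the file's eventual release */
    return double_puts;
err_dentry:
    dput(dentry);                   /* the inode reference is gone after this */
    if (fixed) return double_puts;  /* fixed: stop unwinding, no second put */
    /* buggy: fall through into the inode cleanup path */
    iput(&inode);                   /* second put on a dead inode: the BUG() */
    return double_puts;
}
```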
Your perl script crashes too. Now testing with that patch.
Yes, that patch fixes the issue.
On 06/07, bugme-daemon@bugzilla.kernel.org wrote:
>
> http://bugzilla.kernel.org/show_bug.cgi?id=10878
>
> ------- Comment #6 from sliedes@cc.hut.fi 2008-06-07 09:34 -------
> Yes, that patch fixes the issue.

Thanks a lot! Please close this BUG.

May I suggest you send that patch to stable@kernel.org?

Oleg.
Ok, I'll do that.