Date: Wed, 02 Oct 2024 20:39:52 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 281825] SDT tracepoints are not cleaned up when a module is unloaded Message-ID: <bug-281825-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D281825 Bug ID: 281825 Summary: SDT tracepoints are not cleaned up when a module is unloaded Product: Base System Version: Unspecified Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: jhb@FreeBSD.org Kernel modules may reference SDT probes defined in another module (or the kernel itself). A specific example of this are all the mbuf probes in <sys/mbuf.h> for functions like m_get(). Kernel modules which use these in= line functions will include a tracepoint that gets registered during kldload in sdt_kld_load_probes. However, sdt_kldunload_try() doesn't cleanup any of t= he state initialized in sdt_kld_load_probes, only the state initialized in set_kld_load_providers(). As a result, this can leave dangling pointers (e= .g. in the tp->probe->tracepoint_list) when a module is unloaded. The panic I've seen is when re-loading a previously-unloaded module that crashes in sdt_kld_load_probes() when it walks off an invalid pointer in the STAILQ_INSERT_TAIL of the tracepoint_list. However, that panic is a bit finicky and not easy to reproduce. A simpler reproducer is below: kldload sdt kldload nvmft kldunload nvmft dtrace -n m-get Panic: Fatal trap 12: page fault while in kernel mode cpuid =3D 6; apic id =3D 06 fault virtual address =3D 0xffffffff8283d008 fault code =3D supervisor read data, page not present instruction pointer =3D 0x20:0xffffffff82816b96 stack pointer =3D 0x28:0xfffffe00dc1e9730 frame pointer =3D 0x28:0xfffffe00dc1e9740 code segment =3D base 0x0, limit 0xfffff, type 0x1b =3D DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags =3D resume, IOPL =3D 0 current process =3D 1115 (dtrace) rdi: 0000000000000001 rsi: ffffffff80f3a4fc rdx: 000000000000000f rcx: 0000000080040033 r8: 0000000000000016 r9: 00000000000f4240 rax: 0000000080050033 rbx: fffffe00dc1e98e8 rbp: fffffe00dc1e9740 r10: 0000000000000000 r11: 0000000000000000 r12: 0000000000000000 r13: ffffffff82816b20 r14: ffffffff8283d000 r15: 0000000000000000 trap number =3D 12 panic: page fault cpuid =3D 6 time =3D 1727901518 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00dc1e9= 400 vpanic() at vpanic+0x13f/frame 0xfffffe00dc1e9530 panic() at panic+0x43/frame 0xfffffe00dc1e9590 trap_fatal() at trap_fatal+0x40b/frame 0xfffffe00dc1e95f0 trap_pfault() at trap_pfault+0xa0/frame 0xfffffe00dc1e9660 calltrap() at calltrap+0x8/frame 0xfffffe00dc1e9660 --- trap 0xc, rip =3D 0xffffffff82816b96, rsp =3D 0xfffffe00dc1e9730, rbp = =3D 0xfffffe00dc1e9740 --- sdt_probe_update_cb() at sdt_probe_update_cb+0x76/frame 0xfffffe00dc1e9740 smp_rendezvous_action() at smp_rendezvous_action+0x9d/frame 0xfffffe00dc1e9= 780 smp_rendezvous_cpus() at smp_rendezvous_cpus+0x145/frame 0xfffffe00dc1e9840 smp_rendezvous() at smp_rendezvous+0x34/frame 0xfffffe00dc1e98d0 sdt_enable() at sdt_enable+0xae/frame 0xfffffe00dc1e9910 dtrace_ecb_create_enable() at dtrace_ecb_create_enable+0xee8/frame 0xfffffe00dc1e99a0 dtrace_match() at dtrace_match+0x444/frame 0xfffffe00dc1e9a80 dtrace_enabling_match() at dtrace_enabling_match+0xc8/frame 0xfffffe00dc1e9= b10 dtrace_ioctl() at dtrace_ioctl+0x178b/frame 0xfffffe00dc1e9c00 devfs_ioctl() at devfs_ioctl+0xd1/frame 0xfffffe00dc1e9c50 vn_ioctl() at vn_ioctl+0xbc/frame 0xfffffe00dc1e9cc0 devfs_ioctl_f() at devfs_ioctl_f+0x1e/frame 0xfffffe00dc1e9ce0 kern_ioctl() at kern_ioctl+0x286/frame 0xfffffe00dc1e9d40 sys_ioctl() at sys_ioctl+0x12d/frame 0xfffffe00dc1e9e00 amd64_syscall() at amd64_syscall+0x158/frame 0xfffffe00dc1e9f30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00dc1e9f30 --- syscall (54, FreeBSD ELF64, ioctl), rip =3D 0xc9cf811a9fa, rsp =3D 0xc9ced0c5c28, rbp =3D 0xc9ced0c5c70 --- --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-281825-227>