[android-kernel] kernel panic in qtaguid_mt()

[Fei Yang]

Hello everyone,
I'm running into a panic with 4.4 kernel after applying google patches from
Android common.git.
The panic is apparently triggered by the rwlock introduced in the following
patch. Somehow the sk structure is pointing to an uninitialized rwlock,
sk_callback_lock.
I found that the sk I'm getting in qtaguid_mt() is initially NULL, thus it
tries to find a valid sk by calling qtaguid_find_sk(). But somehow this sk
has an uninitialized rwlock.
My question is how does a sk found from qtaguid_find_sk() get allocated?
I'm running out of idea to trace it back and figure out why the sk is not
initialized properly.
Shouldn't all sk initialized through either sock_init_data()
or sk_clone_lock() which guarantee a valid rwlock?

Thanks,
Fei

commit a508c81670efdb8792daa53aa872d3c3218162dc
Author: Mohamad Ayyash <mkayy...@google.com>
Date:   Tue Jan 13 19:20:44 2015 -0800

    xt_qtaguid: Use sk_callback_lock read locks before reading sk->sk_socket

    It prevents a kernel panic when accessing sk->sk_socket fields due to
NULLing sk->sk_socket when sock_orphan is called through
    sk_common_release.

    Change-Id: I4aa46b4e2d8600e4d4ef8dcdd363aa4e6e5f8433
    Signed-off-by: Mohamad Ayyash <mkayy...@google.com>
    (cherry picked from commit cdea0ebcb8bcfe57688f6cb692b49e550ebd9796)
    Signed-off-by: John Stultz <john.stu...@linaro.org>



[  116.909901] BUG: rwlock bad magic on CPU#2, swapper/2/0, ffff88004d2e4fe8
[  116.910228] CPU: 2 PID: 0 Comm: swapper/2 Tainted: G        W IO
 4.4.0-quilt-2e5dc0ac-00663-gc166f19 #1
[  116.933434] Hardware name: Intel Corp. Broxton M/RVP, BIOS
GSND_VPA.86C.0000.B55.1602241113 02/24/2016
[  116.947652]  ffff88004d2e4fe8 ffff880076f03658 ffffffff8143055c
ffffffff81fbecee
[  116.977034]  ffff880076f03678 ffffffff810d1900 ffff88004d2e4fe8
ffff880073e20b00
[  116.986053]  ffff880076f03690 ffffffff810d1b49 ffff88004d2e4fe8
ffff880076f036a8
[  117.010534] Call Trace:
[  117.020064]  <IRQ>  [<ffffffff8143055c>] dump_stack+0x4e/0x82
[  117.025634]  [<ffffffff810d1900>] rwlock_bug+0x60/0x70
[  117.046834]  [<ffffffff810d1b49>] do_raw_read_lock+0x39/0x50
[  117.050652]  [<ffffffff81b0efd3>] _raw_read_lock_bh+0x23/0x30
[  117.063651]  [<ffffffff81a33595>] qtaguid_mt+0xa5/0x8f0
[  117.084834]  [<ffffffff81b0ee1c>] ? _raw_spin_unlock_bh+0x1c/0x20
[  117.088851]  [<ffffffff81a36339>] ? quota_mt2+0x69/0xb0
[  117.108834]  [<ffffffff81a92683>] ipt_do_table+0x253/0x510
[  117.114851]  [<ffffffff81a92a07>] iptable_filter_hook+0x27/0x60
[  117.127451]  [<ffffffff81a10ddd>] nf_iterate+0x5d/0x70
[  117.149034]  [<ffffffff81a10e5a>] nf_hook_slow+0x6a/0xb0
[  117.152851]  [<ffffffff81a4149d>] __ip_local_out+0xcd/0xd0
[  117.165051]  [<ffffffff81a3f6b0>] ? ip_forward_options+0x1b0/0x1b0
[  117.185534]  [<ffffffff81a414bc>] ip_local_out+0x1c/0x40
[  117.191852]  [<ffffffff81a4162d>] ip_build_and_send_pkt+0x14d/0x1c0
[  117.204051]  [<ffffffff81a61b3b>] tcp_v4_send_synack+0x5b/0xb0
[  117.226434]  [<ffffffff81a47da6>] ?
inet_csk_reqsk_queue_hash_add+0x76/0xa0
[  117.231851]  [<ffffffff81a5146e>] tcp_conn_request+0xa5e/0xab0
[  117.255834]  [<ffffffff810912a4>] ? __local_bh_enable_ip+0x64/0xd0
[  117.261251]  [<ffffffff81a3147f>] ? tag_stat_update+0x7f/0x120
[  117.275451]  [<ffffffff81a5fe2e>] tcp_v4_conn_request+0x5e/0x70
[  117.296834]  [<ffffffff81a5741c>] tcp_rcv_state_process+0x19c/0xd00
[  117.302452]  [<ffffffff813c440b>] ? security_sock_rcv_skb+0x3b/0x50
[  117.324834]  [<ffffffff81a60fd9>] tcp_v4_do_rcv+0x79/0x230
[  117.331252]  [<ffffffff81a62691>] tcp_v4_rcv+0x9b1/0xa20
[  117.343851]  [<ffffffff81a8d386>] ? ipv4_confirm+0xb6/0xe0
[  117.364034]  [<ffffffff81a3c0eb>] ip_local_deliver_finish+0x7b/0x1f0
[  117.368652]  [<ffffffff81a3c410>] ip_local_deliver+0x60/0xd0
[  117.391234]  [<ffffffff81a3c070>] ? ip_rcv_finish+0x310/0x310
[  117.396251]  [<ffffffff81a3bde7>] ip_rcv_finish+0x87/0x310
[  117.409453]  [<ffffffff81a3c6f4>] ip_rcv+0x274/0x3d0
[  117.430034]  [<ffffffff81a3bd60>] ? inet_del_offload+0x40/0x40
[  117.433452]  [<ffffffff819dc72e>] __netif_receive_skb_core+0x2ee/0xa10
[  117.454834]  [<ffffffff81a67533>] ? tcp4_gro_receive+0x123/0x1c0
[  117.461851]  [<ffffffff81a77bef>] ? inet_gro_receive+0x8f/0x220
[  117.475651]  [<ffffffff819dce66>] __netif_receive_skb+0x16/0x70
[  117.497234]  [<ffffffff819dcee8>] netif_receive_skb_internal+0x28/0xa0
[  117.502852]  [<ffffffff819ddaac>] napi_gro_receive+0xac/0xf0
[  117.525834]  [<ffffffff8173c429>] igb_clean_rx_irq+0x689/0x700
[  117.530851]  [<ffffffff8173c7e4>] igb_poll+0x344/0x6f0
[  117.544252]  [<ffffffff8144cb67>] ? debug_smp_processor_id+0x17/0x20
[  117.561534]  [<ffffffff819dd3c2>] net_rx_action+0x1f2/0x320
[  117.570651]  [<ffffffff81091e25>] __do_softirq+0x125/0x300
[  117.591434]  [<ffffffff81092195>] irq_exit+0xa5/0xb0
[  117.596052]  [<ffffffff81b119b0>] do_IRQ+0x60/0xf0
[  117.607451]  [<ffffffff81b0ff49>] common_interrupt+0x89/0x89
[  117.625534]  <EOI>  [<ffffffff8100dfcd>] ? mwait_idle+0x9d/0x180
[  117.631435]  [<ffffffff8100dfc4>] ? mwait_idle+0x94/0x180
[  117.653234]  [<ffffffff8100e55f>] arch_cpu_idle+0xf/0x20
[  117.657651]  [<ffffffff810c9a48>] default_idle_call+0x38/0x50
[  117.669851]  [<ffffffff810c9dda>] cpu_startup_entry+0x31a/0x380
[  117.694046]  [<ffffffff81036bac>] start_secondary+0x14c/0x170
[  117.709834] BUG: unable to handle kernel paging request at
0000000000001018
[  117.710828] IP: [<ffffffff81a33745>] qtaguid_mt+0x255/0x8f0
[  117.710828] PGD 73c54067 PUD 0
[  117.710828] Oops: 0000 [#1] PREEMPT SMP
[  117.710828] Modules linked in: ip6table_raw iptable_raw iwlmvm(O)
iwlwifi(O) iwl_mac80211(O) iwl_cfg80211(O) compat(O) aoh_psh aoh_ipc
rfkill_gpio snd_soc_gsd_afe
[  117.773061] CPU: 2 PID: 0 Comm: swapper/2 Tainted: G        W IO
 4.4.0-quilt-2e5dc0ac-00663-gc166f19 #1
[  117.773061] Hardware name: Intel Corp. Broxton M/RVP, BIOS
GSND_VPA.86C.0000.B55.1602241113 02/24/2016
[  117.773061] task: ffff880075e66340 ti: ffff880075e6c000 task.ti:
ffff880075e6c000
[  117.773061] RIP: 0010:[<ffffffff81a33745>]  [<ffffffff81a33745>]
qtaguid_mt+0x255/0x8f0
[  117.773061] RSP: 0018:ffff880076f036b8  EFLAGS: 00210246
[  117.773061] RAX: 0000000000000000 RBX: ffff880076f03748 RCX:
0000000000000004
[  117.773061] RDX: 0000000000001000 RSI: 0000000000000000 RDI:
00000000ffffffff
[  117.773061] RBP: ffff880076f03700 R08: 78302b797261646e R09:
0000000000000433
[  117.773061] R10: ffff880073ea38e4 R11: 0000000000000433 R12:
ffff880073e20b00
[  117.773061] R13: ffff88004d2e4fe8 R14: ffff88004d1ece48 R15:
ffff88004d2e4dd0
[  117.773061] FS:  0000000000000000(0000) GS:ffff880076f00000(0000)
knlGS:0000000000000000
[  117.773061] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  117.773061] CR2: 0000000000001018 CR3: 0000000074fce000 CR4:
00000000000006e0
[  117.773061] Stack:
[  117.773061]  ffff880076f036c8 ffffffff81b0ee1c ffff880076f03700
ffffffff81a36339
[  117.773061]  ffff880073e20b00 ffffffff8261fb18 ffff88004d1ecdb8
ffff88004d1ece28
[  117.773061]  ffff880073ea38e4 ffff880076f037a8 ffffffff81a92683
ffff88004d1ec00c
[  117.773061] Call Trace:
[  117.773061]  <IRQ>
[  117.773061]  [<ffffffff81b0ee1c>] ? _raw_spin_unlock_bh+0x1c/0x20
[  117.773061]  [<ffffffff81a36339>] ? quota_mt2+0x69/0xb0
[  117.773061]  [<ffffffff81a92683>] ipt_do_table+0x253/0x510
[  117.773061]  [<ffffffff81a92a07>] iptable_filter_hook+0x27/0x60
[  117.773061]  [<ffffffff81a10ddd>] nf_iterate+0x5d/0x70
[  117.773061]  [<ffffffff81a10e5a>] nf_hook_slow+0x6a/0xb0
[  117.773061]  [<ffffffff81a4149d>] __ip_local_out+0xcd/0xd0
[  117.773061]  [<ffffffff81a3f6b0>] ? ip_forward_options+0x1b0/0x1b0
[  117.773061]  [<ffffffff81a414bc>] ip_local_out+0x1c/0x40
[  117.773061]  [<ffffffff81a4162d>] ip_build_and_send_pkt+0x14d/0x1c0
[  117.773061]  [<ffffffff81a61b3b>] tcp_v4_send_synack+0x5b/0xb0
[  117.773061]  [<ffffffff81a47da6>] ?
inet_csk_reqsk_queue_hash_add+0x76/0xa0
[  117.773061]  [<ffffffff81a5146e>] tcp_conn_request+0xa5e/0xab0
[  117.773061]  [<ffffffff810912a4>] ? __local_bh_enable_ip+0x64/0xd0
[  117.773061]  [<ffffffff81a3147f>] ? tag_stat_update+0x7f/0x120
[  117.773061]  [<ffffffff81a5fe2e>] tcp_v4_conn_request+0x5e/0x70
[  117.773061]  [<ffffffff81a5741c>] tcp_rcv_state_process+0x19c/0xd00
[  117.773061]  [<ffffffff813c440b>] ? security_sock_rcv_skb+0x3b/0x50
[  117.773061]  [<ffffffff81a60fd9>] tcp_v4_do_rcv+0x79/0x230
[  117.773061]  [<ffffffff81a62691>] tcp_v4_rcv+0x9b1/0xa20
[  117.773061]  [<ffffffff81a8d386>] ? ipv4_confirm+0xb6/0xe0
[  117.773061]  [<ffffffff81a3c0eb>] ip_local_deliver_finish+0x7b/0x1f0
[  117.773061]  [<ffffffff81a3c410>] ip_local_deliver+0x60/0xd0
[  117.773061]  [<ffffffff81a3c070>] ? ip_rcv_finish+0x310/0x310
[  117.773061]  [<ffffffff81a3bde7>] ip_rcv_finish+0x87/0x310
[  117.773061]  [<ffffffff81a3c6f4>] ip_rcv+0x274/0x3d0
[  117.773061]  [<ffffffff81a3bd60>] ? inet_del_offload+0x40/0x40
[  117.773061]  [<ffffffff819dc72e>] __netif_receive_skb_core+0x2ee/0xa10
[  117.773061]  [<ffffffff81a67533>] ? tcp4_gro_receive+0x123/0x1c0
[  117.773061]  [<ffffffff81a77bef>] ? inet_gro_receive+0x8f/0x220
[  117.773061]  [<ffffffff819dce66>] __netif_receive_skb+0x16/0x70
[  117.773061]  [<ffffffff819dcee8>] netif_receive_skb_internal+0x28/0xa0
[  117.773061]  [<ffffffff819ddaac>] napi_gro_receive+0xac/0xf0
[  117.773061]  [<ffffffff8173c429>] igb_clean_rx_irq+0x689/0x700
[  117.773061]  [<ffffffff8173c7e4>] igb_poll+0x344/0x6f0
[  117.773061]  [<ffffffff8144cb67>] ? debug_smp_processor_id+0x17/0x20
[  117.773061]  [<ffffffff819dd3c2>] net_rx_action+0x1f2/0x320
[  117.773061]  [<ffffffff81091e25>] __do_softirq+0x125/0x300
[  117.773061]  [<ffffffff81092195>] irq_exit+0xa5/0xb0
[  117.773061]  [<ffffffff81b119b0>] do_IRQ+0x60/0xf0
[  117.773061]  [<ffffffff81b0ff49>] common_interrupt+0x89/0x89
[  117.773061]  <EOI>
[  117.773061]  [<ffffffff8100dfcd>] ? mwait_idle+0x9d/0x180
[  117.773061]  [<ffffffff8100dfc4>] ? mwait_idle+0x94/0x180
[  117.773061]  [<ffffffff8100e55f>] arch_cpu_idle+0xf/0x20
[  117.773061]  [<ffffffff810c9a48>] default_idle_call+0x38/0x50
[  117.773061]  [<ffffffff810c9dda>] cpu_startup_entry+0x31a/0x380
[  117.773061]  [<ffffffff81036bac>] start_secondary+0x14c/0x170
[  117.773061] Code: 89 e1 31 f6 49 8d 79 48 e8 29 d9 ff ff 48 c7 c7 10 de
32 82 e8 cd b6 0d 00 41 0f b6 46 11 41 38 46 10 41 0f 95 c4 e9 9e fe ff ff
<4c> 8b 42 18 4d 85 c0 0f 84 57 03 00 00 49 8b 90 d0 00 00 00 f6
[  117.773061] RIP  [<ffffffff81a33745>] qtaguid_mt+0x255/0x8f0
[  117.773061]  RSP <ffff880076f036b8>
[  117.773061] CR2: 0000000000001018
[  117.773061] ---[ end trace 6a53ee9b1bb6aa46 ]---
[  117.773061] Kernel panic - not syncing: Fatal exception in interrupt
[  117.773061] Kernel Offset: disabled
[  117.773061] Rebooting in 10 seconds..

-- 
-- 
unsubscribe: android-kernel+unsubscr...@googlegroups.com
website: http://groups.google.com/group/android-kernel
--- 
You received this message because you are subscribed to the Google Groups 
"Android Linux Kernel Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to android-kernel+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.