crash starting at kernel v3.13.0-72 in timer code

It seems to a problem in add_timer_on moving from a timer_base to a new timer_base

It does look like 470ed44 exposed the problem by switching to add_timer_on from mod_timer; this is a fix to add_timer_on

Reference:
---
https://lkml.org/lkml/2016/2/3/295
https://lkml.org/lkml/2016/2/4/247

Patch:
https://lkml.org/lkml/diff/2016/2/4/247/1
---

Eric

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1546320

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

See "dmesg_detach_if_pending.out" taken from the last crash into /var/crash/

It seems like commit: 22b886dd timers: Use proper base migration in add_timer_on() [1]

Has been started to by apply :

$ git tag --contains 22b886dd
Ubuntu-lts-4.4.0-4.19_14.04.1
Ubuntu-lts-4.4.0-4.19_14.04.2

[1] $ git show 22b886dd
commit 22b886dd1018093920c4250dee2a9a3cb7cff7b8
Author: Tejun Heo <email address hidden>
Date: Wed Nov 4 12:15:33 2015 -0500

    timers: Use proper base migration in add_timer_on()

    Regardless of the previous CPU a timer was on, add_timer_on()
    currently simply sets timer->flags to the new CPU. As the caller must
    be seeing the timer as idle, this is locally fine, but the timer
    leaving the old base while unlocked can lead to race conditions as
    follows.

    Let's say timer was on cpu 0.

      cpu 0 cpu 1
      -----------------------------------------------------------------------------
      del_timer(timer) succeeds
                                        del_timer(timer)
                                          lock_timer_base(timer) locks cpu_0_base
      add_timer_on(timer, 1)
        spin_lock(&cpu_1_base->lock)
        timer->flags set to cpu_1_base
        operates on @timer operates on @timer

    This triggered with mod_delayed_work_on() which contains
    "if (del_timer()) add_timer_on()" sequence eventually leading to the
    following oops.

      BUG: unable to handle kernel NULL pointer dereference at (null)
      IP: [<ffffffff810ca6e9>] detach_if_pending+0x69/0x1a0
      ...
      Workqueue: wqthrash wqthrash_workfunc [wqthrash]
      task: ffff8800172ca680 ti: ffff8800172d0000 task.ti: ffff8800172d0000
      RIP: 0010:[<ffffffff810ca6e9>] [<ffffffff810ca6e9>] detach_if_pending+0x69/0x1a0
      ...
      Call Trace:
       [<ffffffff810cb0b4>] del_timer+0x44/0x60
       [<ffffffff8106e836>] try_to_grab_pending+0xb6/0x160
       [<ffffffff8106e913>] mod_delayed_work_on+0x33/0x80
       [<ffffffffa0000081>] wqthrash_workfunc+0x61/0x90 [wqthrash]
       [<ffffffff8106dba8>] process_one_work+0x1e8/0x650
       [<ffffffff8106e05e>] worker_thread+0x4e/0x450
       [<ffffffff810746af>] kthread+0xef/0x110
       [<ffffffff8185980f>] ret_from_fork+0x3f/0x70

    Fix it by updating add_timer_on() to perform proper migration as
    __mod_timer() does.

    Reported-and-tested-by: Jeff Layton <email address hidden>
    Signed-off-by: Tejun Heo <email address hidden>
    Cc: Chris Worley <email address hidden>
    Cc: <email address hidden>
    Cc: Michael Skralivetsky <email address hidden>
    Cc: Trond Myklebust <email address hidden>
    Cc: Shaohua Li <email address hidden>
    Cc: Jeff Layton <email address hidden>
    Cc: <email address hidden>
    Cc: <email address hidden>
    Link: http://<email address hidden>
    Link: http://<email address hidden>
    Signed-off-by: Thomas Gleixner <email address hidden>

diff --git a/kernel/time/timer.c b/kernel/time/timer.c
index 74591ba..bbc5d11 100644
--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -977,13 +977,29 @@ EXPORT_SYMBOL(add_timer);
  */...

The problem has been reported by few different peoples of the community already.

Eric comments that this may be fixed by the mainline stable commit:

[mainline] 22b886d "timers: Use proper base migration in add_timer_on()"

... but that can't be applied to pre-4.2 kernels (since it would require 0eeda71 "timer: Replace timer base by a cpu index", which isn't suitable for pre-4.2).

@Eric, please try reverting the commit that (apparently) introduced the problem:

[trusty] 470ed44 "workqueue: make sure delayed work run in local cpu"

# SUMMARY

- recent changes (2016) broke timer guarantee of work items queue without explicit cpuu to be put on local cpus.
- 874bbfe made sure delayed work run in local cpu (Sep 2015)
- vmstat was broken and fixed by 176bed1de5bf (explicitly scheduling per-cpu work) (Oct 2015)
- 874bbfe introduced a bug fixed by 22b886d (Nov 2015)
- 22b886d could NOT be backported beyond certain point (older kernels)
- kernels with only 874bbfe started crashing (THIS CASE)
- since 176bed1de5bf fixed vmstat, 874bbfe SHOULD BE REMOVED from stable kernels
- newer bugs expected (delayed work will not be guaranteed to run locally)
- new bugs will be backported to stable kernels as they appear

Working on removing "874bbfe" from Trusty, as Kamal well said:

commit 874bbfe600a660cba9c776b3957b1ce393151b76
Author: Shaohua Li <email address hidden>
Date: Wed Sep 30 09:05:30 2015 -0700

    workqueue: make sure delayed work run in local cpu

Is commit:

commit 470ed447e21e8411cd628c92ab93dcebaa0d199d
Author: Shaohua Li <email address hidden>
Date: Wed Sep 30 09:05:30 2015 -0700

    workqueue: make sure delayed work run in local cpu

    BugLink: http://bugs.launchpad.net/bugs/1520264

In Trusty.

inaddy@rafael(~/Codes/kernel/linux/stable)$ git tag --contains 22b886d
v4.4
v4.4-rc1

22b886d first appeared in 4.4-rc1

commit 22b886dd1018093920c4250dee2a9a3cb7cff7b8
Author: Tejun Heo <email address hidden>
Date: Wed Nov 4 12:15:33 2015 -0500

    timers: Use proper base migration in add_timer_on()

And Wily is good:

commit 3896b1a08841c8dad99a84e58a4818b7cbd0c631
Author: Tejun Heo <email address hidden>
Date: Wed Nov 4 12:15:33 2015 -0500

    timers: Use proper base migration in add_timer_on()

    BugLink: http://bugs.launchpad.net/bugs/1532342

    commit 22b886dd1018093920c4250dee2a9a3cb7cff7b8 upstream.

So, for now, it only affects Trusty & Vivid (EOL).

So, Wily can be "more safe" with both: 874bbfe & 22b886d, since the upstream decision described in:

"The local CPU guarantee was accidental more than anything else and we
    want to get rid of it anyway. As, with the vmstat case fixed,
    874bbfe600a6 is causing more problems than it's fixing, it has been
    decided to take the chance and officially break the guarantee by
    reverting the commit. A debug feature will be added to force foreign
    CPU assignment to expose cases relying on the guarantee and fixes for
    the individual cases will be backported to stable as necessary.
"

Assures that removing patch 874bbfe will indeed break the "guarantee".

So, IMO, this is a (using upstream tags):

Trusty: Remove 874bbfe
Wily: Keep 874bbfe & 22b886d
Xenial: Follow upstream

I build a test kernel and made it available on a PPA[1] for verification in order to bring confidence for the SRU process.

This test kernel revert the offending commit "470ed447: workqueue: make sure delayed work run in local cpu".

Instructions
--
# Add the PPA to your system
$ sudo add-apt-repository ppa:slashd/bug1546320-hotfix

# Resynchronize the package index files from their sources
$ sudo apt-get update

# Installing the packages desired for installation
$ sudo apt-get install linux-image-3.13.0-78-generic=3.13.0-78.122hf1546320v20160218b6 -y
$ sudo apt-get install linux-headers-3.13.0-78-generic=3.13.0-78.122hf1546320v20160218b6 -y

Note: A reboot will be necessary for the hotfix kernel to be effective and taken into account by your systems.
--

[1] - https://launchpad.net/~slashd/+archive/ubuntu/bug1546320-hotfix
[2] - https://wiki.ubuntu.com/Kernel/kernel-sru-workflow

Regards,
Eric

Here's a positive feedback by someone from the community about the trusty testfix kernel with commit 470ed447 reverted that I have provided yesterday:

"I am able to reproduce the kernel panic consistently courtesy of the wqthrash kernel module on this LKML post: https://lkml.org/lkml/2015/11/3/582

Building and inserting this module reliably causes an instantaneous kernel panic on -76 and -77 for both physical and virtual machines, so long as more than one CPU is present. It did not cause a kernel panic on -61 or the hotfixed -78 kernel from the PPA."

Rectification about the hotfix instruction procedure on comment #11.

Instructions
--
# Add the PPA to your system
$ sudo add-apt-repository ppa:slashd/bug1546320-hotfix

# Resynchronize the package index files from their sources
$ sudo apt-get update

# Installing the packages desired for installation
$ sudo apt-get install linux-image-3.13.0-78-generic=3.13.0-78.122hf1546320v20160218b6 -y
$ sudo apt-get install linux-headers-3.13.0-78-generic=3.13.0-78.122hf1546320v20160218b6 -y
$ sudo apt-get install linux-image-extra-3.13.0-78-generic=3.13.0-78.122hf1546320v20160218b6 -y

Note: A reboot will be necessary for the hotfix kernel to be effective and taken into account by your systems.
--

Eric

It also been brought to my attention the following about the hotfix kernel:

--
Hi Eric,

We have applied the update from your PPA to the controller nodes and they have been stable over the weekend. We will see if they remain stable under load over the rest of the week.

Thanks
--

Eric

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-vivid' to 'verification-done-vivid'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug was fixed in the package linux - 3.19.0-56.62

---------------
linux (3.19.0-56.62) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1555832

  [ Florian Westphal ]

  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
    userspace
    - LP: #1555338

linux (3.19.0-55.61) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1554708

  [ Upstream Kernel Changes ]

  * Revert "drm/radeon: call hpd_irq_event on resume"
    - LP: #1554608

linux (3.19.0-54.60) vivid; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1552337

  [ Upstream Kernel Changes ]

  * Revert "firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6"
    - LP: #1551419

linux (3.19.0-53.59) vivid; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1550576

  [ Kamal Mostafa ]

  * Merged back 3.19.0-52.58

linux (3.19.0-52.58) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1548548

  [ Dan Streetman ]

  * SAUCE: nbd: ratelimit error msgs after socket close
    - LP: #1505564

  [ Upstream Kernel Changes ]

  * Revert "ACPI / LPSS: allow to use specific PM domain during ->probe()"
    - LP: #1542457
  * Revert "workqueue: make sure delayed work run in local cpu"
    - LP: #1546320
  * net: ipmr: fix static mfc/dev leaks on table destruction
    - LP: #1542457
  * drm/nouveau/nv46: Change mc subdev oclass from nv44 to nv4c
    - LP: #1542457
  * ovl: allow zero size xattr
    - LP: #1542457
  * ovl: use a minimal buffer in ovl_copy_xattr
    - LP: #1542457
  * [media] vb2: fix a regression in poll() behavior for output,streams
    - LP: #1542457
  * [media] gspca: ov534/topro: prevent a division by 0
    - LP: #1542457
  * [media] media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode
    - LP: #1542457
  * tools lib traceevent: Fix output of %llu for 64 bit values read on 32
    bit machines
    - LP: #1542457
  * KVM: x86: expose MSR_TSC_AUX to userspace
    - LP: #1542457
  * KVM: x86: correctly print #AC in traces
    - LP: #1542457
  * drm/radeon: call hpd_irq_event on resume
    - LP: #1542457
  * xhci: refuse loading if nousb is used
    - LP: #1542457
  * arm64: Clear out any singlestep state on a ptrace detach operation
    - LP: #1542457
  * time: Avoid signed overflow in timekeeping_get_ns()
    - LP: #1542457
  * ovl: root: copy attr
    - LP: #1542457
  * Bluetooth: Add support of Toshiba Broadcom based devices
    - LP: #1522949, #1542457
  * rtlwifi: fix memory leak for USB device
    - LP: #1542457
  * wlcore/wl12xx: spi: fix oops on firmware load
    - LP: #1542457
  * ovl: check dentry positiveness in ovl_cleanup_whiteouts()
    - LP: #1542457
  * EDAC, mc_sysfs: Fix freeing bus' name
    - LP: #1542457
  * EDAC: Robustify workqueues destruction
    - LP: #1542457
  * arm64: mm: ensure that the zero page is visible to the page table
    walker
    - LP: #1542457
  * powerpc: Make value-returning atomics fully ordered
    - LP: #1542457
  * powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered
    - LP: #1542457
  * dm space map metadata: remove unused variable in brb_pop()
    - LP: #1542457
  * dm thi...

This bug was fixed in the package linux - 3.13.0-83.127

---------------
linux (3.13.0-83.127) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1555839

  [ Florian Westphal ]

  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
    userspace
    - LP: #1555338

linux (3.13.0-82.126) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1554732

  [ Upstream Kernel Changes ]

  * Revert "drm/radeon: call hpd_irq_event on resume"
    - LP: #1554608
  * net: generic dev_disable_lro() stacked device handling
    - LP: #1547680

linux (3.13.0-81.125) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1552316

  [ Upstream Kernel Changes ]

  * Revert "firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6"
    - LP: #1551419
  * bcache: Fix a lockdep splat in an error path
    - LP: #1551327

linux (3.13.0-80.124) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1548519

  [ Andy Whitcroft ]

  * [Debian] hv: hv_set_ifconfig -- convert to python3
    - LP: #1506521
  * [Debian] hv: hv_set_ifconfig -- switch to approved indentation
    - LP: #1540586
  * [Debian] hv: hv_set_ifconfig -- fix numerous parameter handling issues
    - LP: #1540586

  [ Dan Streetman ]

  * SAUCE: nbd: ratelimit error msgs after socket close
    - LP: #1505564

  [ Upstream Kernel Changes ]

  * Revert "workqueue: make sure delayed work run in local cpu"
    - LP: #1546320
  * [media] gspca: ov534/topro: prevent a division by 0
    - LP: #1542497
  * [media] media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode
    - LP: #1542497
  * tools lib traceevent: Fix output of %llu for 64 bit values read on 32
    bit machines
    - LP: #1542497
  * KVM: x86: correctly print #AC in traces
    - LP: #1542497
  * drm/radeon: call hpd_irq_event on resume
    - LP: #1542497
  * xhci: refuse loading if nousb is used
    - LP: #1542497
  * arm64: Clear out any singlestep state on a ptrace detach operation
    - LP: #1542497
  * time: Avoid signed overflow in timekeeping_get_ns()
    - LP: #1542497
  * rtlwifi: fix memory leak for USB device
    - LP: #1542497
  * wlcore/wl12xx: spi: fix oops on firmware load
    - LP: #1542497
  * EDAC, mc_sysfs: Fix freeing bus' name
    - LP: #1542497
  * EDAC: Don't try to cancel workqueue when it's never setup
    - LP: #1542497
  * EDAC: Robustify workqueues destruction
    - LP: #1542497
  * powerpc: Make value-returning atomics fully ordered
    - LP: #1542497
  * powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered
    - LP: #1542497
  * dm space map metadata: remove unused variable in brb_pop()
    - LP: #1542497
  * dm thin: fix race condition when destroying thin pool workqueue
    - LP: #1542497
  * futex: Drop refcount if requeue_pi() acquired the rtmutex
    - LP: #1542497
  * drm/radeon: clean up fujitsu quirks
    - LP: #1542497
  * mmc: sdio: Fix invalid vdd in voltage switch power cycle
    - LP: #1542497
  * mmc: sdhci: Fix sdhci_runtime_pm_bus_on/off()
    - LP: #1542497
  * udf: limit the maximum number of indirect extents in a row
    - LP: #1542497
  * nfs: Fix race in __update_open_stateid...

This bug was fixed in the package linux-lts-utopic - 3.16.0-67.87~14.04.1

---------------
linux-lts-utopic (3.16.0-67.87~14.04.1) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1555847

  [ Florian Westphal ]

  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
    userspace
    - LP: #1555338

linux-lts-utopic (3.16.0-66.86~14.04.1) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1555277

  [ Upstream Kernel Changes ]

  * Revert "drm/radeon: call hpd_irq_event on resume"
    - LP: #1554608

linux-lts-utopic (3.16.0-65.85~14.04.1) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1552352

  [ Upstream Kernel Changes ]

  * Revert "firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6"
    - LP: #1551419

linux-lts-utopic (3.16.0-64.84~14.04.1) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1550605

  [ Kamal Mostafa ]

  * Merged back 3.16.0-63.83~14.04.1

linux-lts-utopic (3.16.0-63.83~14.04.1) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1548934

  [ Dan Streetman ]

  * SAUCE: nbd: ratelimit error msgs after socket close
    - LP: #1505564

  [ Upstream Kernel Changes ]

  * Revert "workqueue: make sure delayed work run in local cpu"
    - LP: #1546320
  * drm/nouveau/nv46: Change mc subdev oclass from nv44 to nv4c
    - LP: #1543126
  * veth: don’t modify ip_summed; doing so treats packets with bad
    checksums as good.
    - LP: #1543126
  * sctp: sctp should release assoc when sctp_make_abort_user return NULL
    in sctp_close
    - LP: #1543126
  * connector: bump skb->users before callback invocation
    - LP: #1543126
  * unix: properly account for FDs passed over unix sockets
    - LP: #1543126
  * bridge: Only call /sbin/bridge-stp for the initial network namespace
    - LP: #1543126
  * vxlan: fix test which detect duplicate vxlan iface
    - LP: #1543126
  * net: sctp: prevent writes to cookie_hmac_alg from accessing invalid
    memory
    - LP: #1543126
  * tcp_yeah: don't set ssthresh below 2
    - LP: #1543126
  * bonding: Prevent IPv6 link local address on enslaved devices
    - LP: #1543126
  * phonet: properly unshare skbs in phonet_rcv()
    - LP: #1543126
  * net: bpf: reject invalid shifts
    - LP: #1543126
  * ipv6: update skb->csum when CE mark is propagated
    - LP: #1543126
  * team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid
    - LP: #1543126
  * xen-netback: respect user provided max_queues
    - LP: #1543126
  * xen-netfront: respect user provided max_queues
    - LP: #1543126
  * xen-netfront: print correct number of queues
    - LP: #1543126
  * xen-netfront: update num_queues to real created
    - LP: #1543126
  * sctp: Prevent soft lockup when sctp_accept() is called during a timeout
    event
    - LP: #1543126
  * sctp: convert sack_needed and sack_generation to bits
    - LP: #1543126
  * sctp: start t5 timer only when peer rwnd is 0 and local state is
    SHUTDOWN_PENDING
    - LP: #1543126
  * nfs: Fix unused variable error
    - LP: #1543126
  * [media] gspca: ov534/topro: prevent a division by 0
    - LP: #1543126
  * [me...