From: Glauber Costa <glommer@parallels.com>
To: Pekka Enberg <penberg@kernel.org>
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
Christoph Lameter <cl@linux.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [linux-next-20130422] Bug in SLAB?
Date: Mon, 29 Apr 2013 18:44:40 +0400 [thread overview]
Message-ID: <517E8758.9040803@parallels.com> (raw)
In-Reply-To: <CAOJsxLFYDC+EDdJrXVnc1qfEyd56bhFLeGE+6Mbhwiq73KQQLQ@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2516 bytes --]
On 04/29/2013 02:12 PM, Pekka Enberg wrote:
> On Mon, Apr 29, 2013 at 5:40 AM, Tetsuo Handa
> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>> Tetsuo Handa wrote:
>>> Also, kmalloc_index() in include/linux/slab.h can return 0 to 26.
>>>
>>> If (MAX_ORDER + PAGE_SHIFT - 1) > 25 is true and
>>> kmalloc_index(64 * 1024 * 1024) is requested (I don't know whether such case
>>> happens), kmalloc_caches[26] is beyond the array, for kmalloc_caches[26]
>>> allows 0 to 25.
>>>
>>> If (MAX_ORDER + PAGE_SHIFT - 1) <= 25 is true and
>>> kmalloc_index(64 * 1024 * 1024) is requested (I don't know whether such case
>>> happens), kmalloc_caches[26] is beyond the array, for
>>> kmalloc_caches[MAX_ORDER + PAGE_SHIFT] allows 0 to MAX_ORDER + PAGE_SHIFT - 1.
>>>
>>> Would you recheck that the array size is correct?
>>>
>>
>> I confirmed (on x86_32) that
>>
>> volatile unsigned int size = 8 * 1024 * 1024;
>> kmalloc(size, GFP_KERNEL);
>>
>> causes no warning at compile time and returns NULL at runtime. But
>>
>> unsigned int size = 8 * 1024 * 1024;
>> kmalloc(size, GFP_KERNEL);
>>
>> causes compile time warning
>>
>> include/linux/slab_def.h:136: warning: array subscript is above array bounds
>>
>> and runtime bug.
>>
>> BUG: unable to handle kernel NULL pointer dereference at 00000058
>> IP: [<c10b9d76>] kmem_cache_alloc+0x26/0xb0
>>
>> I confirmed (on x86_32) that
>>
>> kmalloc(64 * 1024 * 1024, GFP_KERNEL);
>>
>> causes compile time warning
>>
>> include/linux/slab_def.h:136: warning: array subscript is above array bounds
>>
>> and runtime bug.
>>
>> Kernel BUG at c10b9c5b [verbose debug info unavailable]
>> invalid opcode: 0000 [#1] SMP
>>
>> Also,
>>
>> volatile unsigned int size = 64 * 1024 * 1024;
>> kmalloc(size, GFP_KERNEL);
>>
>> causes no warning at compile time but runtime bug.
>>
>> Kernel BUG at c10b9c5b [verbose debug info unavailable]
>> invalid opcode: 0000 [#1] SMP
>>
>> There are kernel modules which expect kmalloc() to return NULL rather than
>> oops when the requested size is too large.
>
> Christoph, Glauber, it seems like commit e3366016 ("slab: Use common
> kmalloc_index/kmalloc_size functions") is causing some problems here.
> Can you please take a look?
>
> Pekka
>
I believe this is because the code now always assume that the cache is
found when a constant is passed. Before this patch, we had a "found"
statement that was mistakenly removed.
If I am right, the following (untested) patch should solve the problem.
[-- Attachment #2: 0001-slab-fix-kmalloc-regression-with-big-constant-alloca.patch --]
[-- Type: text/x-patch, Size: 1551 bytes --]
>From 45ad685c47e4c6bba7d772dbd298d321a73dc78a Mon Sep 17 00:00:00 2001
From: Glauber Costa <glommer@openvz.org>
Date: Mon, 29 Apr 2013 18:36:59 +0400
Subject: [PATCH] slab: fix kmalloc regression with big constant allocations
kmalloc have a maximum allocation size, but we are currently not
respecting it. We create a list of kmalloc sizes and return an array
index up to 26, which may or may not be within our limits, since this is
architecture dependent.
This patch fix this by making the slab code do the same as slub does: An
explicit check for the maximum size before the call to kmalloc_index,
and the use of the kmalloc non-constant fallback function in that case.
Signed-off-by: Glauber Costa <glommer@openvz.org>
---
include/linux/slab_def.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/linux/slab_def.h b/include/linux/slab_def.h
index 113ec08..3a240c8 100644
--- a/include/linux/slab_def.h
+++ b/include/linux/slab_def.h
@@ -172,8 +172,10 @@ static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
if (!size)
return ZERO_SIZE_PTR;
- i = kmalloc_index(size);
+ if (size > KMALLOC_MAX_SIZE)
+ goto not_found;
+ i = kmalloc_index(size);
#ifdef CONFIG_ZONE_DMA
if (flags & GFP_DMA)
cachep = kmalloc_dma_caches[i];
@@ -183,6 +185,7 @@ static __always_inline void *kmalloc_node(size_t size, gfp_t flags, int node)
return kmem_cache_alloc_node_trace(cachep, flags, node, size);
}
+not_found:
return __kmalloc_node(size, flags, node);
}
--
1.8.1.4
next prev parent reply other threads:[~2013-04-29 14:43 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-24 12:08 [linux-next-20130422] Bug in bootup code or debug code? Tetsuo Handa
2013-04-25 12:20 ` [linux-next-20130422] Bug in SLAB? Tetsuo Handa
2013-04-29 2:40 ` Tetsuo Handa
2013-04-29 10:12 ` Pekka Enberg
2013-04-29 14:44 ` Glauber Costa [this message]
2013-04-29 14:59 ` Christoph Lameter
2013-04-29 15:16 ` Glauber Costa
2013-04-29 15:46 ` Christoph Lameter
2013-04-29 15:54 ` Glauber Costa
2013-04-29 15:28 ` Tetsuo Handa
2013-04-29 16:16 ` Tetsuo Handa
2013-05-09 12:25 ` Tetsuo Handa
2013-05-09 14:14 ` Christoph Lameter
2013-05-09 21:54 ` Tetsuo Handa
2013-05-10 12:38 ` Tetsuo Handa
2013-05-10 15:57 ` Christoph Lameter
[not found] ` <201305272153.HEH51089.OHFQMOOtFLSFVJ@I-love.SAKURA.ne.jp>
2013-06-17 11:59 ` Tetsuo Handa
2013-04-29 17:48 ` Christoph Lameter
2013-04-29 21:45 ` Tetsuo Handa
2013-04-30 14:26 ` Christoph Lameter
2013-04-30 16:01 ` Tetsuo Handa
2013-04-30 17:27 ` Christoph Lameter
2013-05-01 8:05 ` Pekka Enberg
2013-05-02 15:12 ` Christoph Lameter
2013-05-01 12:14 ` Tetsuo Handa
2013-05-02 11:51 ` Tetsuo Handa
2013-05-02 20:53 ` Christoph Lameter
2013-05-03 8:26 ` Tetsuo Handa
2013-05-03 15:43 ` Christoph Lameter
2013-05-06 6:59 ` Geert Uytterhoeven
2013-05-06 7:27 ` Pekka Enberg
2013-05-03 18:04 ` Christoph Lameter
2013-05-03 18:48 ` Tetsuo Handa
2013-05-03 19:21 ` Christoph Lameter
2013-05-04 0:15 ` Tetsuo Handa
2013-05-06 13:46 ` Christoph Lameter
2013-05-07 10:38 ` Tetsuo Handa
2013-05-07 14:28 ` Christoph Lameter
2013-07-01 20:09 ` Andrew Morton
2013-07-01 21:45 ` Tetsuo Handa
2013-07-01 21:53 ` Andrew Morton
2013-07-02 12:49 ` Tetsuo Handa
2013-07-02 19:12 ` Andrew Morton
2013-07-07 15:58 ` Pekka Enberg
2013-05-06 6:32 ` Pekka Enberg
2013-05-06 13:47 ` Christoph Lameter
2013-05-06 20:24 ` Pekka Enberg
2013-05-07 14:23 ` Christoph Lameter
2013-05-07 14:44 ` Pekka Enberg
2013-05-07 15:40 ` Christoph Lameter
2013-04-30 14:34 ` Christoph Lameter
2013-05-01 8:03 ` Pekka Enberg
2013-05-02 15:13 ` Christoph Lameter
2013-04-30 15:16 ` Fix off by one error in slab.h Christoph Lameter
2013-04-29 2:56 ` [linux-next-20130422] Bug in SLAB? Zhan Jianyu
2013-04-29 2:56 ` Zhan Jianyu
2013-04-29 3:56 ` Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=517E8758.9040803@parallels.com \
--to=glommer@parallels.com \
--cc=cl@linux.com \
--cc=linux-kernel@vger.kernel.org \
--cc=penberg@kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.