From: yalin wang <yalin.wang2010@gmail.com>
To: "Kirill A. Shutemov" <kirill@shutemov.name>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Vlastimil Babka <vbabka@suse.cz>,
	jmarchan@redhat.com, mgorman@techsingularity.net,
	Ebru Akagunduz <ebru.akagunduz@gmail.com>,
	willy@linux.intel.com, linux-mm@kvack.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mm: fix kernel crash in khugepaged thread
Date: Sat, 24 Oct 2015 00:00:14 +0800
Message-ID: <F58227A2-5E76-48B8-89CF-50EB40EA85B5@gmail.com>
In-Reply-To: <20151023101113.GA13604@node.shutemov.name>


> On Oct 23, 2015, at 18:11, Kirill A. Shutemov <kirill@shutemov.name> wrote:
> 
> On Fri, Oct 23, 2015 at 05:38:49PM +0800, yalin wang wrote:
>> This crash is caused by a NULL pointer dereference:
>> [  182.639154 ] Unable to handle kernel NULL pointer dereference at virtual address 00000000
>> [  182.639491 ] pgd = ffffffc00077a000
>> [  182.639761 ] [00000000] *pgd=00000000b9422003, *pud=00000000b9422003, *pmd=00000000b9423003, *pte=0060000008000707
>> [  182.640749 ] Internal error: Oops: 94000006 [#1] SMP
>> [  182.641197 ] Modules linked in:
>> [  182.641580 ] CPU: 1 PID: 26 Comm: khugepaged Tainted: G        W       4.3.0-rc6-next-20151022ajb-00001-g32f3386-dirty #3
>> [  182.642077 ] Hardware name: linux,dummy-virt (DT)
>> [  182.642227 ] task: ffffffc07957c080 ti: ffffffc079638000 task.ti: ffffffc079638000
>> [  182.642598 ] PC is at khugepaged+0x378/0x1af8
>> [  182.642826 ] LR is at khugepaged+0x418/0x1af8
>> [  182.643047 ] pc : [<ffffffc0001980ac>] lr : [<ffffffc00019814c>] pstate: 60000145
>> [  182.643490 ] sp : ffffffc07963bca0
>> [  182.643650 ] x29: ffffffc07963bca0 x28: ffffffc00075c000
>> [  182.644024 ] x27: ffffffc00f275040 x26: ffffffc0006c7000
>> [  182.644334 ] x25: 00e8000048800f51 x24: 0000000006400000
>> [  182.644687 ] x23: 0000000000000002 x22: 0000000000000000
>> [  182.644972 ] x21: 0000000000000000 x20: 0000000000000000
>> [  182.645446 ] x19: 0000000000000000 x18: 0000007ff86d0990
>> [  182.645931 ] x17: 00000000007ef9c8 x16: ffffffc000098390
>> [  182.646236 ] x15: ffffffffffffffff x14: 00000000ffffffff
>> [  182.646649 ] x13: 000000000000016a x12: 0000000000000000
>> [  182.647046 ] x11: ffffffc07f025020 x10: 0000000000000000
>> [  182.647395 ] x9 : 0000000000000048 x8 : ffffffc000721e28
>> [  182.647872 ] x7 : 0000000000000000 x6 : ffffffc07f02d000
>> [  182.648261 ] x5 : fffffffffffffe00 x4 : ffffffc00f275040
>> [  182.648611 ] x3 : 0000000000000000 x2 : ffffffc00f2ad000
>> [  182.648908 ] x1 : 0000000000000000 x0 : ffffffc000727000
>> [  182.649147 ]
>> [  182.649252 ] Process khugepaged (pid: 26, stack limit = 0xffffffc079638020)
>> [  182.649724 ] Stack: (0xffffffc07963bca0 to 0xffffffc07963c000)
>> [  182.650141 ] bca0: ffffffc07963be30 ffffffc0000b5044 ffffffc07961fb80 ffffffc00072e630
>> [  182.650587 ] bcc0: ffffffc0005d5090 0000000000000000 ffffffc000197d34 0000000000000000
>> [  182.651009 ] bce0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>> [  182.651446 ] bd00: ffffffc07963bd90 ffffffc07f1cbf80 000000004f3be003 ffffffc00f2750a4
>> [  182.651956 ] bd20: ffffffc00f3bf000 ffffffc000000001 0000000000000001 ffffffc07f085740
>> [  182.652520 ] bd40: ffffffc00f2ad188 ffffffc000000000 0000000006200000 ffffffc00f275040
>> [  182.652972 ] bd60: ffffffc0006b1a90 ffffffc079638000 ffffffc07963be20 ffffffc00f0144d0
>> [  182.653357 ] bd80: ffffffc000000000 0000000006400000 ffffffc00f0144d0 00000a0800000001
>> [  182.653793 ] bda0: 0000100000000001 ffffffc000000001 ffffffc07f025000 ffffffc00f2750a8
>> [  182.654226 ] bdc0: 00000001000005f8 ffffffc00075a000 0000000006a00000 ffffffc000727000
>> [  182.654522 ] bde0: ffffffc0006e8478 ffffffc000000000 0000000100000000 ffffffc078fb9000
>> [  182.654869 ] be00: ffffffc07963be30 ffffffc000000000 ffffffc07957c080 ffffffc0000cfc4c
>> [  182.655225 ] be20: ffffffc07963be20 ffffffc07963be20 0000000000000000 ffffffc000085c50
>> [  182.655588 ] be40: ffffffc0000b4f64 ffffffc07961fb80 0000000000000000 0000000000000000
>> [  182.656138 ] be60: 0000000000000000 ffffffc0000bee2c ffffffc0000b4f64 0000000000000000
>> [  182.656609 ] be80: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>> [  182.657145 ] bea0: ffffffc07963bea0 ffffffc07963bea0 0000000000000000 ffffffc000000000
>> [  182.657475 ] bec0: ffffffc07963bec0 ffffffc07963bec0 0000000000000000 0000000000000000
>> [  182.657922 ] bee0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>> [  182.658558 ] bf00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>> [  182.658972 ] bf20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>> [  182.659291 ] bf40: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>> [  182.659722 ] bf60: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>> [  182.660122 ] bf80: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>> [  182.660654 ] bfa0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>> [  182.661064 ] bfc0: 0000000000000000 0000000000000000 0000000000000000 0000000000000005
>> [  182.661466 ] bfe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>> [  182.661848 ] Call trace:
>> [  182.662050 ] [<ffffffc0001980ac>] khugepaged+0x378/0x1af8
>> [  182.662294 ] [<ffffffc0000b5040>] kthread+0xdc/0xf4
>> [  182.662605 ] [<ffffffc000085c4c>] ret_from_fork+0xc/0x40
>> [  182.663046 ] Code: 35001700 f0002c60 aa0703e3 f9009fa0 (f94000e0)
>> [  182.663901 ] ---[ end trace 637503d8e28ae69e  ]---
>> [  182.664160 ] Kernel panic - not syncing: Fatal exception
>> [  182.664571 ] CPU2: stopping
>> [  182.664794 ] CPU: 2 PID: 0 Comm: swapper/2 Tainted: G      D W       4.3.0-rc6-next-20151022ajb-00001-g32f3386-dirty #3
>> [  182.665248 ] Hardware name: linux,dummy-virt (DT)
>> 
>> Signed-off-by: yalin wang <yalin.wang2010@gmail.com>
>> ---
>> mm/huge_memory.c | 5 +++--
>> 1 file changed, 3 insertions(+), 2 deletions(-)
>> 
>> diff --git a/mm/huge_memory.c b/mm/huge_memory.c
>> index 4b3420a..a5f4d9c 100644
>> --- a/mm/huge_memory.c
>> +++ b/mm/huge_memory.c
>> @@ -2606,8 +2606,9 @@ out_unmap:
>> 		collapse_huge_page(mm, address, hpage, vma, node);
>> 	}
>> out:
>> -	trace_mm_khugepaged_scan_pmd(mm, page_to_pfn(page), writable, referenced,
>> -				     none_or_zero, result, unmapped);
>> +	if (page)
>> +		trace_mm_khugepaged_scan_pmd(mm, page_to_pfn(page), writable,
>> +				referenced, none_or_zero, result, unmapped);
>> 	return ret;
>> }
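Review bot: wrapping the call at `out:` in `if (page)` silences the tracepoint on exactly the exits that arrive there with page == NULL (the `SCAN_PMD_NULL` path visible in the hunk below, and the failed `vm_normal_page()` route named in the reply), so the `result` code explaining why a scan was aborted is never emitted; consider keeping the trace call unconditional and passing a sentinel pfn when page is NULL, e.g. `page ? page_to_pfn(page) : -1UL`, so every exit stays observable. The commit message should also say why `page` can be NULL at `out:` (which `goto out` paths reach it before `page` is assigned), since the oops alone does not tell a reader of the log which path was taken.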
> 
> What about this instead?
> 
> diff --git a/mm/huge_memory.c b/mm/huge_memory.c
> index 4b3420ade697..392ebba27fe2 100644
> --- a/mm/huge_memory.c
> +++ b/mm/huge_memory.c
> @@ -2503,10 +2503,8 @@ static int khugepaged_scan_pmd(struct mm_struct *mm,
> 	VM_BUG_ON(address & ~HPAGE_PMD_MASK);
> 
> 	pmd = mm_find_pmd(mm, address);
> -	if (!pmd) {
> -		result = SCAN_PMD_NULL;
> -		goto out;
> -	}
> +	if (!pmd)
> +		return 0;
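Review bot: `return 0` from the `!pmd` check removes only one of the routes by which `page` reaches `out:` as NULL; the `goto out_unmap` after a failed `vm_normal_page()` (named in the reply below) still lands on the unconditional `trace_mm_khugepaged_scan_pmd(mm, page_to_pfn(page), ...)` with page == NULL, so the oops stays reachable. The early return also discards `result = SCAN_PMD_NULL`, bypasses `out:` so this exit is no longer traced at all, and returns a literal 0 where the `out:` path returns `ret`; if the goal is to make the trace call safe for every exit, one NULL-tolerant trace call at `out:` covers all of them instead of patching the paths one at a time.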

It is not safe to add a return here:
there are lots of places which goto out_unmap below mm_find_pmd(),
like  page = vm_normal_page(vma, _address, pteval);
if page == NULL there, it will also result in a NULL pointer dereference crash.
Thanks

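The control flow argued about in this thread, as an added example that is not code from the patch, the reply, or the kernel. It models khugepaged_scan_pmd() as a function with two early exits (mm_find_pmd() returning NULL, and vm_normal_page() returning NULL followed by goto out_unmap, the second modelled on the reply's description) that both end at a single trace call taking page_to_pfn(page). Two shapes are compared side by side: the `if (page)` guard from the posted patch and the early `return 0` proposed in the reply. struct page, mm_struct, the lookups and the tracepoint are replaced by toy stand-ins, the sample inputs are constructed, and a NULL page handed to page_to_pfn() is recorded as a fault instead of being dereferenced, so both shapes can be exercised in one normal process rather than one oops each. All names are the example's own.

```c
#include <stddef.h>
enum scan_result { SCAN_SUCCEED = 0, SCAN_PMD_NULL, SCAN_PAGE_NULL };

struct page { unsigned long pfn; };	/* toy struct page */

struct toy_mm {				/* toy mm_struct, constructed input */
	int pmd_present;	/* 0 models mm_find_pmd() returning NULL */
	struct page *page;	/* models vm_normal_page(), may be NULL */
};

struct scan_outcome {			/* what one scan did, instead of ftrace */
	int faulted;	/* page_to_pfn() was handed a NULL page */
	int traced;	/* the trace call was reached */
	int result;	/* SCAN_* code given to the trace call */
	long pfn;	/* pfn given to the trace call */
};

typedef int (*scan_fn)(struct toy_mm *, struct scan_outcome *);

/* Stand-in for page_to_pfn(): the kernel reads through the pointer, which is
 * the NULL dereference in the oops above; here the fault is only recorded. */
static unsigned long toy_page_to_pfn(struct page *page, struct scan_outcome *o)
{
	if (!page) {
		o->faulted = 1;
		return 0;
	}
	return page->pfn;
}

/* Stand-in for trace_mm_khugepaged_scan_pmd(): as at the real call site the
 * pfn argument is computed before anything could check page for NULL. */
static void toy_trace(struct scan_outcome *o, struct page *page, int result)
{
	o->pfn = (long)toy_page_to_pfn(page, o);
	o->traced = 1;
	o->result = result;
}

/* Variant A, the posted patch: if (page) around the trace call at out:. */
int scan_guarded(struct toy_mm *mm, struct scan_outcome *o)
{
	struct page *page = NULL;
	int result;

	if (!mm->pmd_present) {
		result = SCAN_PMD_NULL;
		goto out;
	}
	page = mm->page;
	if (!page) {
		result = SCAN_PAGE_NULL;
		goto out_unmap;
	}
	result = SCAN_SUCCEED;
out_unmap:	/* pte_unmap_unlock() would sit here */
out:
	if (page)
		toy_trace(o, page, result);
	return result == SCAN_SUCCEED;
}

/* Variant B, the reply's proposal: return 0 straight from the !pmd check.
 * The vm_normal_page() failure still reaches the unconditional trace call,
 * which is the objection made in this mail. */
int scan_early_return(struct toy_mm *mm, struct scan_outcome *o)
{
	struct page *page = NULL;
	int result;

	if (!mm->pmd_present)
		return 0;
	page = mm->page;
	if (!page) {
		result = SCAN_PAGE_NULL;
		goto out_unmap;
	}
	result = SCAN_SUCCEED;
out_unmap:
	toy_trace(o, page, result);
	return result == SCAN_SUCCEED;
}

/* Constructed inputs: the two failure routes and a healthy scan. */
static struct page sample_page = { 42 };
struct toy_mm mm_no_pmd = { 0, NULL };
struct toy_mm mm_no_page = { 1, NULL };
struct toy_mm mm_ok = { 1, &sample_page };
#define PROBE_TRACED	1	/* the trace call was reached */
#define PROBE_FAULTED	2	/* page_to_pfn() was handed a NULL page */

/* Runs fn on mm and reports what happened as a PROBE_* mask. */
int probe(scan_fn fn, struct toy_mm *mm)
{
	struct scan_outcome o = { 0, 0, -1, -1 };

	fn(mm, &o);
	return (o.traced ? PROBE_TRACED : 0) | (o.faulted ? PROBE_FAULTED : 0);
}
```

probe(scan_early_return, &mm_no_page) reports both PROBE_TRACED and PROBE_FAULTED, which is the case the reply describes: the early return fixed the pmd route but the vm_normal_page() route still hands a NULL page to page_to_pfn(). probe(scan_guarded, ...) never faults, at the price of emitting no trace event on either failure route.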



Thread overview: 8+ messages
2015-10-23  9:38 [PATCH] mm: fix kernel crash in khugepaged thread yalin wang
2015-10-23  9:38 ` yalin wang
2015-10-23 10:11 ` Kirill A. Shutemov
2015-10-23 10:11   ` Kirill A. Shutemov
2015-10-23 16:00   ` yalin wang [this message]
2015-10-23 16:00     ` yalin wang
2015-10-23 19:28     ` Kirill A. Shutemov
2015-10-23 19:28       ` Kirill A. Shutemov