From: Thomas Gleixner <tglx@linutronix.de>
To: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>,
	kernel test robot <xiaolong.ye@intel.com>,
	Ingo Molnar <mingo@kernel.org>, Andy Lutomirski <luto@kernel.org>,
	Borislav Petkov <bp@alien8.de>, Brian Gerst <brgerst@gmail.com>,
	Denys Vlasenko <dvlasenk@redhat.com>,
	"H. Peter Anvin" <hpa@zytor.com>, Jiri Slaby <jslaby@suse.cz>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Mike Galbraith <efault@gmx.de>,
	Peter Zijlstra <peterz@infradead.org>,
	LKML <linux-kernel@vger.kernel.org>,
	lkp@01.org, linux-mm@kvack.org, Pekka Enberg <penberg@kernel.org>,
	David Rientjes <rientjes@google.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Christoph Lameter <cl@linux.com>
Subject: Re: [lkp-robot] [x86/kconfig] 81d3871900: BUG:unable_to_handle_kernel
Date: Tue, 17 Oct 2017 09:50:04 +0200 (CEST)
Message-ID: <alpine.DEB.2.20.1710170948550.1932@nanos>
In-Reply-To: <20171017073326.GA23865@js1304-P5Q-DELUXE>

On Tue, 17 Oct 2017, Joonsoo Kim wrote:
> On Wed, Oct 11, 2017 at 12:01:20PM -0500, Josh Poimboeuf wrote:
> > > Looking at the panic, the code in slob_free() was:
> > > 
> > >    0:	e8 8d f7 ff ff       	callq  0xfffffffffffff792
> > >    5:	48 ff 05 c9 8c 91 02 	incq   0x2918cc9(%rip)        # 0x2918cd5
> > >    c:	85 c0                	test   %eax,%eax
> > >    e:	75 51                	jne    0x61
> > >   10:	49 0f bf c5          	movswq %r13w,%rax
> > >   14:	48 ff 05 c2 8c 91 02 	incq   0x2918cc2(%rip)        # 0x2918cdd
> > >   1b:	48 8d 3c 43          	lea    (%rbx,%rax,2),%rdi
> > >   1f:	48 39 ef             	cmp    %rbp,%rdi
> > >   22:	75 3d                	jne    0x61
> > >   24:	48 ff 05 ba 8c 91 02 	incq   0x2918cba(%rip)        # 0x2918ce5
> > >   2b:*	8b 6d 00             	mov    0x0(%rbp),%ebp		<-- trapping instruction
> > >   2e:	66 85 ed             	test   %bp,%bp
> > >   31:	7e 09                	jle    0x3c
> > >   33:	48 ff 05 b3 8c 91 02 	incq   0x2918cb3(%rip)        # 0x2918ced
> > >   3a:	eb 05                	jmp    0x41
> > >   3c:	bd                   	.byte 0xbd
> > >   3d:	01 00                	add    %eax,(%rax)
> > > 
> > > The slob_free() code tried to read four bytes at ffff88001c4afffe, and
> > > ended up reading past the page into a bad area.  I think the bad address
> > > (ffff88001c4afffe) was returned from slob_next() and it panicked trying
> > > to read s->units in slob_units().
> 
> Hello,
> 
> It looks like a compiler bug. The code of slob_units() tries to read two
> bytes at ffff88001c4afffe. It's valid. But the compiler generates
> wrong code that tries to read four bytes.
> 
> static slobidx_t slob_units(slob_t *s)
> {
>   if (s->units > 0)
>     return s->units;
>   return 1;
> }
> 
> s->units is defined as two bytes in this setup.
> 
> Wrongly generated code for this part:
> 
> 'mov 0x0(%rbp), %ebp'
> 
> %ebp is four bytes.
> 
> I guess that this wrong four-byte read crosses over the valid memory
> boundary and this issue happened.
> 
> Proper code (two-byte read) is generated if a different version of gcc
> is used.

Which version fails to generate proper code and which versions work?

Thanks,

	tglx
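The failure mode Joonsoo describes above, an in-bounds 16-bit field read that the compiler emitted as a 32-bit load and which therefore runs two bytes past the end of the page, can be reproduced in user space. The program below is an added illustration written for this page; it is not code from the thread or from mm/slob.c. It models slob_t as a struct with a single 16-bit signed `units` field (matching the two-byte slobidx_t of the reported configuration), places that struct in the last two bytes of a page whose successor is mapped PROT_NONE, and compares a correctly sized 2-byte read against a volatile 4-byte read standing in for the miscompiled `mov 0x0(%rbp),%ebp`. The guard-page layout, the SIGSEGV/SIGBUS trampoline and the sample value 37 are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed model of the kernel types: two-byte units, as in the
 * failing PAGE_SIZE <= 64K configuration. */
typedef int16_t slobidx_t;
typedef struct { slobidx_t units; } slob_t;

static sigjmp_buf fault_env;

static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Map two pages and make the second one PROT_NONE so that any byte
 * fetched from it faults. Returns the first page or MAP_FAILED. */
static uint8_t *map_guarded(size_t pagesz) {
    uint8_t *p = mmap(NULL, 2 * pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return p;
    if (mprotect(p + pagesz, pagesz, PROT_NONE) != 0) {
        munmap(p, 2 * pagesz);
        return MAP_FAILED;
    }
    return p;
}

/* Correct code generation: a 16-bit load of s->units, exactly the width
 * the C source specifies. */
static slobidx_t slob_units_2byte(slob_t *s) {
    slobidx_t u = *(volatile slobidx_t *)&s->units;
    return u > 0 ? u : 1;
}

/* Stand-in for the miscompiled 'mov 0x0(%rbp),%ebp': a 32-bit load at the
 * same address. Only the low 16 bits are used, but all four bytes are
 * fetched, so the access overruns the two-byte object. */
static slobidx_t slob_units_4byte(slob_t *s) {
    uint32_t w = *(volatile uint32_t *)(void *)s;
    slobidx_t u = (slobidx_t)(w & 0xffffu);
    return u > 0 ? u : 1;
}

/* Run fn(s) with a fault trampoline installed. Returns 1 if the read
 * faulted, 0 if it completed (then *out holds the returned value). */
static int probe(slobidx_t (*fn)(slob_t *), slob_t *s, slobidx_t *out) {
    struct sigaction sa, old_segv, old_bus;
    volatile int faulted = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(fault_env, 1) == 0)
        *out = fn(s);
    else
        faulted = 1;

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Place units in the last two bytes of a page and try both access widths.
 * Returns a bitmask: bit 0 set if the 2-byte read faulted, bit 1 set if
 * the 4-byte read faulted; -1 if the mapping could not be set up. */
static int run_boundary_test(slobidx_t *val2, slobidx_t *val4) {
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *base = map_guarded(pagesz);
    if (base == MAP_FAILED) return -1;

    slob_t *s = (slob_t *)(base + pagesz - sizeof(slob_t));
    s->units = 37;               /* constructed sample: positive unit count */

    int r = 0;
    if (probe(slob_units_2byte, s, val2)) r |= 1;
    if (probe(slob_units_4byte, s, val4)) r |= 2;

    munmap(base, 2 * pagesz);
    return r;
}

int main(void) {
    slobidx_t v2 = 0, v4 = 0;
    int r = run_boundary_test(&v2, &v4);
    if (r < 0) { perror("mmap/mprotect"); return 1; }
    printf("2-byte read at page end: %s (units=%d)\n",
           (r & 1) ? "FAULT" : "ok", v2);
    printf("4-byte read at page end: %s\n", (r & 2) ? "FAULT" : "ok");
    return r == 2 ? 0 : 1;
}
```

Both loads target the same address; the only difference is the width. The 2-byte read stays inside the mapped page and returns 37, while the 4-byte read pulls two bytes from the PROT_NONE page and faults, which is the same shape as the kernel oops (a load at ffff88001c4afffe whose upper half lands in an inaccessible area). This is also why such miscompilations survive ordinary testing: the wider load is harmless whenever the next two bytes happen to be mapped, and only the rare object that ends exactly at a page boundary exposes it.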

Thread overview: 65+ messages
2017-10-10 12:15 [lkp-robot] [x86/kconfig] 81d3871900: BUG:unable_to_handle_kernel kernel test robot
2017-10-11  2:31 ` Josh Poimboeuf
2017-10-11 17:01   ` Josh Poimboeuf
2017-10-12 17:05     ` Christopher Lameter
2017-10-12 17:54       ` Linus Torvalds
2017-10-12 18:48         ` Andrew Morton
2017-10-12 19:19           ` Geert Uytterhoeven
2017-10-12 17:54       ` Linus Torvalds
2017-10-13  4:45       ` Josh Poimboeuf
2017-10-13 13:56         ` Andrey Ryabinin
2017-10-13 16:19           ` Josh Poimboeuf
2017-10-13 19:09           ` Linus Torvalds
2017-10-13 20:01             ` Andy Lutomirski
2017-10-13 20:17             ` Jeffrey Walton
2017-10-13 15:22         ` Christopher Lameter
2017-10-13 15:37           ` Josh Poimboeuf
2017-10-17  7:33     ` Joonsoo Kim
2017-10-17  7:50       ` Thomas Gleixner [this message]
2017-10-18  7:31         ` Joonsoo Kim
2017-10-18 10:40       ` Linus Torvalds
2017-10-18 13:15         ` Thomas Gleixner
2017-10-19  2:14           ` Joonsoo Kim
