From: Jeremy Linton <jeremy.linton@arm.com> To: Andrew Morton <akpm@linux-foundation.org> Cc: linux-mm@kvack.org, cl@linux.com, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, mhocko@suse.com, vbabka@suse.cz, Punit.Agrawal@arm.com, Lorenzo.Pieralisi@arm.com, linux-arm-kernel@lists.infradead.org, bhelgaas@google.com, linux-kernel@vger.kernel.org Subject: Re: [RFC 0/2] harden alloc_pages against bogus nid Date: Wed, 1 Aug 2018 17:56:46 -0500 [thread overview] Message-ID: <d9f8e9d1-2fb8-6016-5081-7e3213b23ed4@arm.com> (raw) In-Reply-To: <20180801145020.8c76a490c1bf9bef5f87078a@linux-foundation.org> Hi, On 08/01/2018 04:50 PM, Andrew Morton wrote: > On Wed, 1 Aug 2018 15:04:16 -0500 Jeremy Linton <jeremy.linton@arm.com> wrote: > >> The thread "avoid alloc memory on offline node" >> >> https://lkml.org/lkml/2018/6/7/251 >> >> Asked at one point why the kzalloc_node was crashing rather than >> returning memory from a valid node. The thread ended up fixing >> the immediate causes of the crash but left open the case of bad >> proximity values being in DSDT tables without corrisponding >> SRAT/SLIT entries as is happening on another machine. >> >> Its also easy to fix that, but we should also harden the allocator >> sufficiently that it doesn't crash when passed an invalid node id. >> There are a couple possible ways to do this, and i've attached two >> separate patches which individually fix that problem. >> >> The first detects the offline node before calling >> the new_slab code path when it becomes apparent that the allocation isn't >> going to succeed. The second actually hardens node_zonelist() and >> prepare_alloc_pages() in the face of NODE_DATA(nid) returning a NULL >> zonelist. This latter case happens if the node has never been initialized >> or is possibly out of range. There are other places (NODE_DATA & >> online_node) which should be checking if the node id's are > MAX_NUMNODES. >> > > What is it that leads to a caller requesting memory from an invalid > node? A race against offlining? If so then that's a lack of > appropriate locking, isn't it? There were a couple unrelated cases, both having to do with the PXN associated with a PCI port. The first case AFAIK, the domain wasn't really invalid if the entire SRAT was parsed and nodes created even when there weren't associated CPUs. The second case (a different machine) is simply a PXN value that is completely invalid (no associated SLIT/SRAT/etc entries) due to firmware making a mistake when a socket isn't populated. There have been a few other suggested or merged patches for the individual problems above, this set is just an attempt at avoiding a full crash if/when another similar problem happens. > > I don't see a problem with emitting a warning and then selecting a > different node so we can keep running. But we do want that warning, so > we can understand the root cause and fix it? Yes, we do want to know when an invalid id is passed, i will add the VM_WARN in the first one. The second one I wasn't sure about as failing prepare_alloc_pages() generates a couple of error messages, but the system then continues operation. I guess my question though is which method (or both/something else?) is the preferred way to harden this up? Thanks for looking at this.
WARNING: multiple messages have this Message-ID (diff)
From: jeremy.linton@arm.com (Jeremy Linton) To: linux-arm-kernel@lists.infradead.org Subject: [RFC 0/2] harden alloc_pages against bogus nid Date: Wed, 1 Aug 2018 17:56:46 -0500 [thread overview] Message-ID: <d9f8e9d1-2fb8-6016-5081-7e3213b23ed4@arm.com> (raw) In-Reply-To: <20180801145020.8c76a490c1bf9bef5f87078a@linux-foundation.org> Hi, On 08/01/2018 04:50 PM, Andrew Morton wrote: > On Wed, 1 Aug 2018 15:04:16 -0500 Jeremy Linton <jeremy.linton@arm.com> wrote: > >> The thread "avoid alloc memory on offline node" >> >> https://lkml.org/lkml/2018/6/7/251 >> >> Asked at one point why the kzalloc_node was crashing rather than >> returning memory from a valid node. The thread ended up fixing >> the immediate causes of the crash but left open the case of bad >> proximity values being in DSDT tables without corrisponding >> SRAT/SLIT entries as is happening on another machine. >> >> Its also easy to fix that, but we should also harden the allocator >> sufficiently that it doesn't crash when passed an invalid node id. >> There are a couple possible ways to do this, and i've attached two >> separate patches which individually fix that problem. >> >> The first detects the offline node before calling >> the new_slab code path when it becomes apparent that the allocation isn't >> going to succeed. The second actually hardens node_zonelist() and >> prepare_alloc_pages() in the face of NODE_DATA(nid) returning a NULL >> zonelist. This latter case happens if the node has never been initialized >> or is possibly out of range. There are other places (NODE_DATA & >> online_node) which should be checking if the node id's are > MAX_NUMNODES. >> > > What is it that leads to a caller requesting memory from an invalid > node? A race against offlining? If so then that's a lack of > appropriate locking, isn't it? There were a couple unrelated cases, both having to do with the PXN associated with a PCI port. The first case AFAIK, the domain wasn't really invalid if the entire SRAT was parsed and nodes created even when there weren't associated CPUs. The second case (a different machine) is simply a PXN value that is completely invalid (no associated SLIT/SRAT/etc entries) due to firmware making a mistake when a socket isn't populated. There have been a few other suggested or merged patches for the individual problems above, this set is just an attempt at avoiding a full crash if/when another similar problem happens. > > I don't see a problem with emitting a warning and then selecting a > different node so we can keep running. But we do want that warning, so > we can understand the root cause and fix it? Yes, we do want to know when an invalid id is passed, i will add the VM_WARN in the first one. The second one I wasn't sure about as failing prepare_alloc_pages() generates a couple of error messages, but the system then continues operation. I guess my question though is which method (or both/something else?) is the preferred way to harden this up? Thanks for looking at this.
next prev parent reply other threads:[~2018-08-01 22:56 UTC|newest] Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-08-01 20:04 [RFC 0/2] harden alloc_pages against bogus nid Jeremy Linton 2018-08-01 20:04 ` Jeremy Linton 2018-08-01 20:04 ` [RFC 1/2] slub: Avoid trying to allocate memory on offline nodes Jeremy Linton 2018-08-01 20:04 ` Jeremy Linton 2018-08-02 9:15 ` Michal Hocko 2018-08-02 9:15 ` Michal Hocko 2018-08-03 3:21 ` Jeremy Linton 2018-08-03 3:21 ` Jeremy Linton 2018-08-03 6:20 ` Michal Hocko 2018-08-03 6:20 ` Michal Hocko 2018-08-02 14:23 ` Christopher Lameter 2018-08-02 14:23 ` Christopher Lameter 2018-08-03 3:12 ` Jeremy Linton 2018-08-03 3:12 ` Jeremy Linton 2018-08-01 20:04 ` [RFC 2/2] mm: harden alloc_pages code paths against bogus nodes Jeremy Linton 2018-08-01 20:04 ` Jeremy Linton 2018-08-02 7:31 ` Michal Hocko 2018-08-02 7:31 ` Michal Hocko 2018-08-03 3:17 ` Jeremy Linton 2018-08-03 3:17 ` Jeremy Linton 2018-08-03 6:24 ` Michal Hocko 2018-08-03 6:24 ` Michal Hocko 2018-08-01 21:50 ` [RFC 0/2] harden alloc_pages against bogus nid Andrew Morton 2018-08-01 21:50 ` Andrew Morton 2018-08-01 22:56 ` Jeremy Linton [this message] 2018-08-01 22:56 ` Jeremy Linton 2018-08-02 0:14 ` Andrew Morton 2018-08-02 0:14 ` Andrew Morton 2018-08-03 3:15 ` Jeremy Linton 2018-08-03 3:15 ` Jeremy Linton
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=d9f8e9d1-2fb8-6016-5081-7e3213b23ed4@arm.com \ --to=jeremy.linton@arm.com \ --cc=Lorenzo.Pieralisi@arm.com \ --cc=Punit.Agrawal@arm.com \ --cc=akpm@linux-foundation.org \ --cc=bhelgaas@google.com \ --cc=cl@linux.com \ --cc=iamjoonsoo.kim@lge.com \ --cc=linux-arm-kernel@lists.infradead.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-mm@kvack.org \ --cc=mhocko@suse.com \ --cc=penberg@kernel.org \ --cc=rientjes@google.com \ --cc=vbabka@suse.cz \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.