From: Naoya Horiguchi <naoya.horiguchi@linux.dev>
To: linux-mm@kvack.org
Cc: Andrew Morton <akpm@linux-foundation.org>,
David Hildenbrand <david@redhat.com>,
Muchun Song <songmuchun@bytedance.com>,
Miaohe Lin <linmiaohe@huawei.com>,
Matthew Wilcox <willy@infradead.org>,
Michal Hocko <mhocko@suse.com>, Yang Shi <shy828301@gmail.com>,
Naoya Horiguchi <naoya.horiguchi@nec.com>
Subject: [BUG report] kernel NULL pointer dereference in split_huge_page with offlined memory block
Date: Wed, 7 Sep 2022 19:08:55 +0900
Message-ID: <20220907100855.GA2894785@ik1-406-35019.vs.sakura.ne.jp>
Hi MM folks,
While testing memory hotremove with various settings, I found the following
NULL-pointer dereference. It reproduces easily with the following steps:
$ echo offline > /sys/devices/system/memory/memoryN/state
$ echo 1 > /sys/kernel/debug/split_huge_pages
I haven't checked yet in which commit this was introduced (at least v6.0-rc1,
v6.0-rc4 and mm-everything-2022-09-05-23-30 are affected), but I expect that
someone might have a clear idea about this, so let me share it first.
Thanks,
Naoya Horiguchi
---
[ 309.947421] BUG: kernel NULL pointer dereference, address: 0000000000000032
[ 309.949600] #PF: supervisor read access in kernel mode
[ 309.951220] #PF: error_code(0x0000) - not-present page
[ 309.952819] PGD 0 P4D 0
[ 309.953649] Oops: 0000 [#1] PREEMPT SMP PTI
[ 309.954999] CPU: 1 PID: 846 Comm: bash Tainted: G E N 6.0.0-rc1-v6.0-rc1-220815-2254-000-rc1+ #62
[ 309.958170] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1.fc35 04/01/2014
[ 309.960759] RIP: 0010:split_huge_pages_write.part.0+0x40c/0xe70
[ 309.962684] Code: 00 00 00 4d 8b ae 90 00 00 00 49 01 dd 4c 39 eb 72 47 eb c8 48 8b 41 08 a8 01 0f 85 57 08 00 00 0f 1f 44 00 00 0f 1f 44 00 00 <41> 8b 47 34 85 c0 0f 84 1c 09 00 00 f0 41 ff 4f 34 0f 94 c0 0f 1f
[ 309.968381] RSP: 0018:ffffb4d201d6bbd0 EFLAGS: 00010202
[ 309.970067] RAX: ffffffffffffffff RBX: 0000000000230000 RCX: ffffd6fac8c00000
[ 309.972262] RDX: 00000000000003ff RSI: 0000000000000014 RDI: ffffd6fac4fff300
[ 309.974475] RBP: ffffb4d201d6bc12 R08: 0000000000000054 R09: ffffd6fac46b7f88
[ 309.976725] R10: 00000000ffffffff R11: ffffff8000000000 R12: 0000000000001454
[ 309.978980] R13: 0000000000248000 R14: ffff93ce3ffd5d80 R15: fffffffffffffffe
[ 309.981267] FS: 00007fe2cd337740(0000) GS:ffff93ce3bc80000(0000) knlGS:0000000000000000
[ 309.983842] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 309.985672] CR2: 0000000000000032 CR3: 00000001018fc005 CR4: 0000000000170ee0
[ 309.987909] Call Trace:
[ 309.988794] <TASK>
[ 309.989461] ? _raw_spin_lock+0x13/0x40
[ 309.990578] ? __mark_inode_dirty+0x113/0x390
[ 309.991933] ? terminate_walk+0x90/0x100
[ 309.993186] ? path_openat+0x440/0x1070
[ 309.994421] ? do_filp_open+0x9f/0x130
[ 309.995610] full_proxy_write+0x53/0x80
[ 309.996820] vfs_write+0xb7/0x3a0
[ 309.997902] ? _raw_spin_unlock+0x15/0x30
[ 309.999190] ksys_write+0x4f/0xd0
[ 310.000249] do_syscall_64+0x3b/0x90
[ 310.001418] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 310.002938] RIP: 0033:0x7fe2cd1018b7
[ 310.004143] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
[ 310.009871] RSP: 002b:00007ffc625f63f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 310.012060] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fe2cd1018b7
[ 310.014250] RDX: 0000000000000002 RSI: 000055c1a80afc50 RDI: 0000000000000001
[ 310.016533] RBP: 000055c1a80afc50 R08: 0000000000000000 R09: 00007fe2cd1b64e0
[ 310.018782] R10: 00007fe2cd1b63e0 R11: 0000000000000246 R12: 0000000000000002
[ 310.021086] R13: 00007fe2cd1fb5a0 R14: 0000000000000002 R15: 00007fe2cd1fb7a0
[ 310.023169] </TASK>
[ 310.023844] Modules linked in: nft_fib_inet(E) nft_fib_ipv4(E) nft_fib_ipv6(E) nft_fib(E) nft_reject_inet(E) nf_reject_ipv4(E) nf_reject_ipv6(E) nft_reject(E) nft_ct(E) nft_chain_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) ip_set(E) rfkill(E) nf_tables(E) nfnetlink(E) qrtr(E) sunrpc(E) 9p(E) fscache(E) netfs(E) intel_rapl_msr(E) intel_rapl_common(E) kvm_intel(E) kvm(E) irqbypass(E) virtio_balloon(E) rapl(E) 9pnet_virtio(E) i2c_piix4(E) 9pnet(E) joydev(E) pcspkr(E) fuse(E) zram(E) ip_tables(E) xfs(E) crc32c_intel(E) serio_raw(E) virtio_blk(E) e1000(E) ata_generic(E) pata_acpi(E) floppy(E) qemu_fw_cfg(E)
[ 310.040426] CR2: 0000000000000032
[ 310.041715] ---[ end trace 0000000000000000 ]---
[ 310.043196] RIP: 0010:split_huge_pages_write.part.0+0x40c/0xe70
[ 310.044953] Code: 00 00 00 4d 8b ae 90 00 00 00 49 01 dd 4c 39 eb 72 47 eb c8 48 8b 41 08 a8 01 0f 85 57 08 00 00 0f 1f 44 00 00 0f 1f 44 00 00 <41> 8b 47 34 85 c0 0f 84 1c 09 00 00 f0 41 ff 4f 34 0f 94 c0 0f 1f
[ 310.050051] RSP: 0018:ffffb4d201d6bbd0 EFLAGS: 00010202
[ 310.051593] RAX: ffffffffffffffff RBX: 0000000000230000 RCX: ffffd6fac8c00000
[ 310.053664] RDX: 00000000000003ff RSI: 0000000000000014 RDI: ffffd6fac4fff300
[ 310.056165] RBP: ffffb4d201d6bc12 R08: 0000000000000054 R09: ffffd6fac46b7f88
[ 310.059144] R10: 00000000ffffffff R11: ffffff8000000000 R12: 0000000000001454
[ 310.062033] R13: 0000000000248000 R14: ffff93ce3ffd5d80 R15: fffffffffffffffe
[ 310.069111] FS: 00007fe2cd337740(0000) GS:ffff93ce3bc80000(0000) knlGS:0000000000000000
[ 310.077141] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 310.079988] CR2: 0000000000000032 CR3: 00000001018fc005 CR4: 0000000000170ee0
[ 310.083292] Kernel panic - not syncing: Fatal exception
[ 310.086117] Kernel Offset: 0x1a000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 310.090607] Rebooting in 2 seconds..
Thread overview:
2022-09-07 10:08 Naoya Horiguchi [this message]
2022-09-07 10:23 ` [BUG report] kernel NULL pointer dereference in split_huge_page with offlined memory block David Hildenbrand
2022-09-07 10:26 ` David Hildenbrand
2022-09-07 12:11 ` [PATCH] mm/huge_memory: use pfn_to_online_page() in split_huge_pages_all() Naoya Horiguchi
2022-09-07 12:39 ` David Hildenbrand
2022-09-08 2:39 ` HORIGUCHI NAOYA(堀口 直也)
2022-09-07 17:10 ` Yang Shi
2022-09-07 17:32 ` Michal Hocko
2022-09-07 20:57 ` Andrew Morton
2022-09-08 2:47 ` HORIGUCHI NAOYA(堀口 直也)
2022-09-08 6:14 ` David Hildenbrand
2022-09-08 6:31 ` HORIGUCHI NAOYA(堀口 直也)
2022-09-08 2:19 ` Miaohe Lin
2022-09-08 3:06 ` HORIGUCHI NAOYA(堀口 直也)
2022-09-08 3:25 ` Miaohe Lin
2022-09-08 7:07 ` Michal Hocko
2022-09-09 0:27 ` Miaohe Lin
2022-09-09 9:03 ` David Hildenbrand
2022-09-08 3:28 ` Oscar Salvador