* [PATCH] x86/numa: kernel stack corruption fix
@ 2015-04-01 4:53 Dave Young
2015-04-01 5:11 ` Dave Young
2015-04-02 19:36 ` Yasuaki Ishimatsu
0 siblings, 2 replies; 19+ messages in thread
From: Dave Young @ 2015-04-01 4:53 UTC (permalink / raw)
To: x86, linux-kernel; +Cc: tglx, dyoung, bhe, mingo, hpa, akpm
I got below kernel panic during kdump test on Thinkpad T420 laptop:
[ 0.000000] No NUMA configuration found
[ 0.000000] Faking a node at [mem 0x0000000000000000-0x0000000037ba4fff]
[ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is cor
upted in: ffffffff81d21910 r
[ 0.000000]
[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44
[ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/
5/2013 0
[ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67ce8 ffffffff817c
a26 2
[ 0.000000] 0000000000000000 ffffffff81a61c90 ffffffff81b67d68 ffffffff817b
8d2 c
[ 0.000000] 0000000000000010 ffffffff81b67d78 ffffffff81b67d18 c70296ddd809
4f6 e
[ 0.000000] Call Trace:
[ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57
[ 0.000000] [<ffffffff817bc8d2>] panic+0xd0/0x204
[ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2
[ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20
[ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2
[ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520
[ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d
[ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb
[ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82
[ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120
[ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b
[ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120
[ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6
[ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120
[ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120
[ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c
[ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184
[ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel sta
k is corrupted in: ffffffff81d21910 c
[ 0.000000]
PANIC: early exception 0d rip 10:ffffffff8105d2a6 error 7eb cr2 ffff8800371dd00
[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 0
[ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/
5/2013 0
[ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67c60 ffffffff817c
a26 2
[ 0.000000] 0000000000000096 ffffffff81a61c90 ffffffff81b67d68 fffffff00000
084 0000000000000a0d 0000000000000a00 0
[ 0.000000] Call Trace:
[ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57
[ 0.000000] [<ffffffff81d051b0>] early_idt_handler+0x90/0xb7
[ 0.000000] [<ffffffff8105d2a6>] ? native_irq_enable+0x6/0x10
[ 0.000000] [<ffffffff817bc9c5>] ? panic+0x1c3/0x204
[ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2
[ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20
[ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2
[ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520
[ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d
[ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb
[ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82
[ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120
[ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b
[ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120
[ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6
[ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120
[ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120
[ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c
[ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184
[ 0.000000] RIP 0x46
This is caused by writing over end of numa mask bitmap.
numa_clear_kernel_node try to set node id in a mask bitmap, it iterating all
reserved region and assume every regions have valid nid. It is not true because
There's an exception for graphic memory quirks. see function trim_snb_memory
in arch/x86/kernel/setup.c
It is easily to reproduce the bug in kdump kernel because kdump kernel use
prereserved memory instead of whole memory, but kexec pass other reserved memory
ranges to 2nd kernel as well. like below in my test:
kdump kernel ram 0x2d000000 - 0x37bfffff
One of the reserved regions: 0x40000000 - 0x40100000
The above reserved region includes 0x40004000, a page excluded in
trim_snb_memory. For this memblock reserved region the nid is not set it is
still default value MAX_NUMNODES. later node_set callback will set bit
MAX_NUMNODES in nodemask bitmap thus stack corruption happen.
Fixing this by adding a check, do not call node_set in case nid is MAX_NUMNODES.
Signed-off-by: Dave Young <dyoung@redhat.com>
---
arch/x86/mm/numa.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- linux.orig/arch/x86/mm/numa.c
+++ linux/arch/x86/mm/numa.c
@@ -484,7 +484,8 @@ static void __init numa_clear_kernel_nod
/* Mark all kernel nodes. */
for_each_memblock(reserved, r)
- node_set(r->nid, numa_kernel_nodes);
+ if (r->nid != MAX_NUMNODES)
+ node_set(r->nid, numa_kernel_nodes);
/* Clear MEMBLOCK_HOTPLUG flag for memory in kernel nodes. */
for (i = 0; i < numa_meminfo.nr_blks; i++) {
^ permalink raw reply [flat|nested] 19+ messages in thread* Re: [PATCH] x86/numa: kernel stack corruption fix 2015-04-01 4:53 [PATCH] x86/numa: kernel stack corruption fix Dave Young @ 2015-04-01 5:11 ` Dave Young 2015-04-01 7:27 ` Xishi Qiu 2015-04-02 1:51 ` Xishi Qiu 2015-04-02 19:36 ` Yasuaki Ishimatsu 1 sibling, 2 replies; 19+ messages in thread From: Dave Young @ 2015-04-01 5:11 UTC (permalink / raw) To: x86, linux-kernel; +Cc: tglx, bhe, mingo, hpa, akpm, qiuxishi Ccing Xishi Qiu who wrote the clear_kernel_node_hotplug code. On 04/01/15 at 12:53pm, Dave Young wrote: > I got below kernel panic during kdump test on Thinkpad T420 laptop: > > [ 0.000000] No NUMA configuration found > [ 0.000000] Faking a node at [mem 0x0000000000000000-0x0000000037ba4fff] > [ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is cor > upted in: ffffffff81d21910 r > [ 0.000000] > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 > [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > 5/2013 0 > [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67ce8 ffffffff817c > a26 2 > [ 0.000000] 0000000000000000 ffffffff81a61c90 ffffffff81b67d68 ffffffff817b > 8d2 c > [ 0.000000] 0000000000000010 ffffffff81b67d78 ffffffff81b67d18 c70296ddd809 > 4f6 e > [ 0.000000] Call Trace: > [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > [ 0.000000] [<ffffffff817bc8d2>] panic+0xd0/0x204 > [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > [ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel sta > k is corrupted in: ffffffff81d21910 c > [ 0.000000] > PANIC: early exception 0d rip 10:ffffffff8105d2a6 error 7eb cr2 ffff8800371dd00 > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 0 > [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > 5/2013 0 > [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67c60 ffffffff817c > a26 2 > [ 0.000000] 0000000000000096 ffffffff81a61c90 ffffffff81b67d68 fffffff00000 > 084 0000000000000a0d 0000000000000a00 0 > [ 0.000000] Call Trace: > [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > [ 0.000000] [<ffffffff81d051b0>] early_idt_handler+0x90/0xb7 > [ 0.000000] [<ffffffff8105d2a6>] ? native_irq_enable+0x6/0x10 > [ 0.000000] [<ffffffff817bc9c5>] ? panic+0x1c3/0x204 > [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > [ 0.000000] RIP 0x46 > > This is caused by writing over end of numa mask bitmap. > > numa_clear_kernel_node try to set node id in a mask bitmap, it iterating all > reserved region and assume every regions have valid nid. It is not true because > There's an exception for graphic memory quirks. see function trim_snb_memory > in arch/x86/kernel/setup.c > > It is easily to reproduce the bug in kdump kernel because kdump kernel use > prereserved memory instead of whole memory, but kexec pass other reserved memory > ranges to 2nd kernel as well. like below in my test: > kdump kernel ram 0x2d000000 - 0x37bfffff > One of the reserved regions: 0x40000000 - 0x40100000 > > The above reserved region includes 0x40004000, a page excluded in > trim_snb_memory. For this memblock reserved region the nid is not set it is > still default value MAX_NUMNODES. later node_set callback will set bit > MAX_NUMNODES in nodemask bitmap thus stack corruption happen. > > Fixing this by adding a check, do not call node_set in case nid is MAX_NUMNODES. > > Signed-off-by: Dave Young <dyoung@redhat.com> > --- > arch/x86/mm/numa.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > --- linux.orig/arch/x86/mm/numa.c > +++ linux/arch/x86/mm/numa.c > @@ -484,7 +484,8 @@ static void __init numa_clear_kernel_nod > > /* Mark all kernel nodes. */ > for_each_memblock(reserved, r) > - node_set(r->nid, numa_kernel_nodes); > + if (r->nid != MAX_NUMNODES) > + node_set(r->nid, numa_kernel_nodes); > > /* Clear MEMBLOCK_HOTPLUG flag for memory in kernel nodes. */ > for (i = 0; i < numa_meminfo.nr_blks; i++) { > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/numa: kernel stack corruption fix 2015-04-01 5:11 ` Dave Young @ 2015-04-01 7:27 ` Xishi Qiu 2015-04-01 7:41 ` Dave Young 2015-04-02 1:51 ` Xishi Qiu 1 sibling, 1 reply; 19+ messages in thread From: Xishi Qiu @ 2015-04-01 7:27 UTC (permalink / raw) To: Dave Young; +Cc: x86, linux-kernel, tglx, bhe, mingo, hpa, akpm On 2015/4/1 13:11, Dave Young wrote: > Ccing Xishi Qiu who wrote the clear_kernel_node_hotplug code. > > On 04/01/15 at 12:53pm, Dave Young wrote: >> I got below kernel panic during kdump test on Thinkpad T420 laptop: >> >> [ 0.000000] No NUMA configuration found >> [ 0.000000] Faking a node at [mem 0x0000000000000000-0x0000000037ba4fff] >> [ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is cor >> upted in: ffffffff81d21910 r >> [ 0.000000] >> [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 >> [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ >> 5/2013 0 >> [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67ce8 ffffffff817c >> a26 2 >> [ 0.000000] 0000000000000000 ffffffff81a61c90 ffffffff81b67d68 ffffffff817b >> 8d2 c >> [ 0.000000] 0000000000000010 ffffffff81b67d78 ffffffff81b67d18 c70296ddd809 >> 4f6 e >> [ 0.000000] Call Trace: >> [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 >> [ 0.000000] [<ffffffff817bc8d2>] panic+0xd0/0x204 >> [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 >> [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 >> [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 >> [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 >> [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d >> [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb >> [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >> [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >> [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >> [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c >> [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 >> [ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel sta >> k is corrupted in: ffffffff81d21910 c >> [ 0.000000] >> PANIC: early exception 0d rip 10:ffffffff8105d2a6 error 7eb cr2 ffff8800371dd00 >> [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 0 >> [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ >> 5/2013 0 >> [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67c60 ffffffff817c >> a26 2 >> [ 0.000000] 0000000000000096 ffffffff81a61c90 ffffffff81b67d68 fffffff00000 >> 084 0000000000000a0d 0000000000000a00 0 >> [ 0.000000] Call Trace: >> [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 >> [ 0.000000] [<ffffffff81d051b0>] early_idt_handler+0x90/0xb7 >> [ 0.000000] [<ffffffff8105d2a6>] ? native_irq_enable+0x6/0x10 >> [ 0.000000] [<ffffffff817bc9c5>] ? panic+0x1c3/0x204 >> [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 >> [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 >> [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 >> [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 >> [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d >> [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb >> [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >> [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >> [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >> [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c >> [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 >> [ 0.000000] RIP 0x46 >> >> This is caused by writing over end of numa mask bitmap. >> >> numa_clear_kernel_node try to set node id in a mask bitmap, it iterating all >> reserved region and assume every regions have valid nid. It is not true because >> There's an exception for graphic memory quirks. see function trim_snb_memory >> in arch/x86/kernel/setup.c >> >> It is easily to reproduce the bug in kdump kernel because kdump kernel use >> prereserved memory instead of whole memory, but kexec pass other reserved memory >> ranges to 2nd kernel as well. like below in my test: >> kdump kernel ram 0x2d000000 - 0x37bfffff >> One of the reserved regions: 0x40000000 - 0x40100000 >> >> The above reserved region includes 0x40004000, a page excluded in >> trim_snb_memory. For this memblock reserved region the nid is not set it is >> still default value MAX_NUMNODES. later node_set callback will set bit >> MAX_NUMNODES in nodemask bitmap thus stack corruption happen. >> Hi Dave, Is it means, first reserved region 0x40000000 - 0x40100000, then boot the kdump kernel, so this region is not include in "numa_meminfo", and memblock.reserved (0x40004000) is still MAX_NUMNODES from trim_snb_memory(). numa_clear_kernel_node_hotplug { ... for (i = 0; i < numa_meminfo.nr_blks; i++) { struct numa_memblk *mb = &numa_meminfo.blk[i]; memblock_set_node(mb->start, mb->end - mb->start, &memblock.reserved, mb->nid); // this will not reset 0x40004000's node, right? } ... } Thanks Xishi Qiu >> Fixing this by adding a check, do not call node_set in case nid is MAX_NUMNODES. >> >> Signed-off-by: Dave Young <dyoung@redhat.com> >> --- >> arch/x86/mm/numa.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> --- linux.orig/arch/x86/mm/numa.c >> +++ linux/arch/x86/mm/numa.c >> @@ -484,7 +484,8 @@ static void __init numa_clear_kernel_nod >> >> /* Mark all kernel nodes. */ >> for_each_memblock(reserved, r) >> - node_set(r->nid, numa_kernel_nodes); >> + if (r->nid != MAX_NUMNODES) >> + node_set(r->nid, numa_kernel_nodes); >> >> /* Clear MEMBLOCK_HOTPLUG flag for memory in kernel nodes. */ >> for (i = 0; i < numa_meminfo.nr_blks; i++) { >> > > . > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/numa: kernel stack corruption fix 2015-04-01 7:27 ` Xishi Qiu @ 2015-04-01 7:41 ` Dave Young 2015-04-01 8:21 ` Xishi Qiu 2015-04-02 19:15 ` Yasuaki Ishimatsu 0 siblings, 2 replies; 19+ messages in thread From: Dave Young @ 2015-04-01 7:41 UTC (permalink / raw) To: Xishi Qiu; +Cc: x86, linux-kernel, tglx, bhe, mingo, hpa, akpm On 04/01/15 at 03:27pm, Xishi Qiu wrote: > On 2015/4/1 13:11, Dave Young wrote: > > > Ccing Xishi Qiu who wrote the clear_kernel_node_hotplug code. > > > > On 04/01/15 at 12:53pm, Dave Young wrote: > >> I got below kernel panic during kdump test on Thinkpad T420 laptop: > >> > >> [ 0.000000] No NUMA configuration found > >> [ 0.000000] Faking a node at [mem 0x0000000000000000-0x0000000037ba4fff] > >> [ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is cor > >> upted in: ffffffff81d21910 r > >> [ 0.000000] > >> [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 > >> [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > >> 5/2013 0 > >> [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67ce8 ffffffff817c > >> a26 2 > >> [ 0.000000] 0000000000000000 ffffffff81a61c90 ffffffff81b67d68 ffffffff817b > >> 8d2 c > >> [ 0.000000] 0000000000000010 ffffffff81b67d78 ffffffff81b67d18 c70296ddd809 > >> 4f6 e > >> [ 0.000000] Call Trace: > >> [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > >> [ 0.000000] [<ffffffff817bc8d2>] panic+0xd0/0x204 > >> [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > >> [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > >> [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > >> [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > >> [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > >> [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > >> [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > >> [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > >> [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > >> [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > >> [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > >> [ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel sta > >> k is corrupted in: ffffffff81d21910 c > >> [ 0.000000] > >> PANIC: early exception 0d rip 10:ffffffff8105d2a6 error 7eb cr2 ffff8800371dd00 > >> [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 0 > >> [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > >> 5/2013 0 > >> [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67c60 ffffffff817c > >> a26 2 > >> [ 0.000000] 0000000000000096 ffffffff81a61c90 ffffffff81b67d68 fffffff00000 > >> 084 0000000000000a0d 0000000000000a00 0 > >> [ 0.000000] Call Trace: > >> [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > >> [ 0.000000] [<ffffffff81d051b0>] early_idt_handler+0x90/0xb7 > >> [ 0.000000] [<ffffffff8105d2a6>] ? native_irq_enable+0x6/0x10 > >> [ 0.000000] [<ffffffff817bc9c5>] ? panic+0x1c3/0x204 > >> [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > >> [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > >> [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > >> [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > >> [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > >> [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > >> [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > >> [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > >> [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > >> [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > >> [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > >> [ 0.000000] RIP 0x46 > >> > >> This is caused by writing over end of numa mask bitmap. > >> > >> numa_clear_kernel_node try to set node id in a mask bitmap, it iterating all > >> reserved region and assume every regions have valid nid. It is not true because > >> There's an exception for graphic memory quirks. see function trim_snb_memory > >> in arch/x86/kernel/setup.c > >> > >> It is easily to reproduce the bug in kdump kernel because kdump kernel use > >> prereserved memory instead of whole memory, but kexec pass other reserved memory > >> ranges to 2nd kernel as well. like below in my test: > >> kdump kernel ram 0x2d000000 - 0x37bfffff > >> One of the reserved regions: 0x40000000 - 0x40100000 > >> > >> The above reserved region includes 0x40004000, a page excluded in > >> trim_snb_memory. For this memblock reserved region the nid is not set it is > >> still default value MAX_NUMNODES. later node_set callback will set bit > >> MAX_NUMNODES in nodemask bitmap thus stack corruption happen. > >> > > Hi Dave, > > Is it means, first reserved region 0x40000000 - 0x40100000, then boot the kdump > kernel, so this region is not include in "numa_meminfo", and memblock.reserved > (0x40004000) is still MAX_NUMNODES from trim_snb_memory(). Right, btw, I booted kdump kernel with numa=off for saving memory. I suspect it will also be reproduced with mem=XYZ with normal kernel. > > numa_clear_kernel_node_hotplug > { > ... > for (i = 0; i < numa_meminfo.nr_blks; i++) { > struct numa_memblk *mb = &numa_meminfo.blk[i]; > > memblock_set_node(mb->start, mb->end - mb->start, > &memblock.reserved, mb->nid); // this will not reset 0x40004000's node, right? > } > ... > } > > Thanks > Xishi Qiu > > >> Fixing this by adding a check, do not call node_set in case nid is MAX_NUMNODES. > >> > >> Signed-off-by: Dave Young <dyoung@redhat.com> > >> --- > >> arch/x86/mm/numa.c | 3 ++- > >> 1 file changed, 2 insertions(+), 1 deletion(-) > >> > >> --- linux.orig/arch/x86/mm/numa.c > >> +++ linux/arch/x86/mm/numa.c > >> @@ -484,7 +484,8 @@ static void __init numa_clear_kernel_nod > >> > >> /* Mark all kernel nodes. */ > >> for_each_memblock(reserved, r) > >> - node_set(r->nid, numa_kernel_nodes); > >> + if (r->nid != MAX_NUMNODES) > >> + node_set(r->nid, numa_kernel_nodes); > >> > >> /* Clear MEMBLOCK_HOTPLUG flag for memory in kernel nodes. */ > >> for (i = 0; i < numa_meminfo.nr_blks; i++) { > >> > > > > . > > > > > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/numa: kernel stack corruption fix 2015-04-01 7:41 ` Dave Young @ 2015-04-01 8:21 ` Xishi Qiu 2015-04-01 8:34 ` Xishi Qiu 2015-04-02 19:15 ` Yasuaki Ishimatsu 1 sibling, 1 reply; 19+ messages in thread From: Xishi Qiu @ 2015-04-01 8:21 UTC (permalink / raw) To: Dave Young; +Cc: x86, linux-kernel, tglx, bhe, mingo, hpa, akpm, Tang Chen On 2015/4/1 15:41, Dave Young wrote: > On 04/01/15 at 03:27pm, Xishi Qiu wrote: >> On 2015/4/1 13:11, Dave Young wrote: >> >>> Ccing Xishi Qiu who wrote the clear_kernel_node_hotplug code. >>> >>> On 04/01/15 at 12:53pm, Dave Young wrote: >>>> I got below kernel panic during kdump test on Thinkpad T420 laptop: >>>> >>>> [ 0.000000] No NUMA configuration found >>>> [ 0.000000] Faking a node at [mem 0x0000000000000000-0x0000000037ba4fff] >>>> [ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is cor >>>> upted in: ffffffff81d21910 r >>>> [ 0.000000] >>>> [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 >>>> [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ >>>> 5/2013 0 >>>> [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67ce8 ffffffff817c >>>> a26 2 >>>> [ 0.000000] 0000000000000000 ffffffff81a61c90 ffffffff81b67d68 ffffffff817b >>>> 8d2 c >>>> [ 0.000000] 0000000000000010 ffffffff81b67d78 ffffffff81b67d18 c70296ddd809 >>>> 4f6 e >>>> [ 0.000000] Call Trace: >>>> [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 >>>> [ 0.000000] [<ffffffff817bc8d2>] panic+0xd0/0x204 >>>> [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 >>>> [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 >>>> [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 >>>> [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 >>>> [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d >>>> [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb >>>> [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 >>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>> [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b >>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>> [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 >>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>> [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c >>>> [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 >>>> [ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel sta >>>> k is corrupted in: ffffffff81d21910 c >>>> [ 0.000000] >>>> PANIC: early exception 0d rip 10:ffffffff8105d2a6 error 7eb cr2 ffff8800371dd00 >>>> [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 0 >>>> [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ >>>> 5/2013 0 >>>> [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67c60 ffffffff817c >>>> a26 2 >>>> [ 0.000000] 0000000000000096 ffffffff81a61c90 ffffffff81b67d68 fffffff00000 >>>> 084 0000000000000a0d 0000000000000a00 0 >>>> [ 0.000000] Call Trace: >>>> [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 >>>> [ 0.000000] [<ffffffff81d051b0>] early_idt_handler+0x90/0xb7 >>>> [ 0.000000] [<ffffffff8105d2a6>] ? native_irq_enable+0x6/0x10 >>>> [ 0.000000] [<ffffffff817bc9c5>] ? panic+0x1c3/0x204 >>>> [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 >>>> [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 >>>> [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 >>>> [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 >>>> [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d >>>> [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb >>>> [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 >>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>> [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b >>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>> [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 >>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>> [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c >>>> [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 >>>> [ 0.000000] RIP 0x46 >>>> >>>> This is caused by writing over end of numa mask bitmap. >>>> >>>> numa_clear_kernel_node try to set node id in a mask bitmap, it iterating all >>>> reserved region and assume every regions have valid nid. It is not true because >>>> There's an exception for graphic memory quirks. see function trim_snb_memory >>>> in arch/x86/kernel/setup.c >>>> >>>> It is easily to reproduce the bug in kdump kernel because kdump kernel use >>>> prereserved memory instead of whole memory, but kexec pass other reserved memory >>>> ranges to 2nd kernel as well. like below in my test: >>>> kdump kernel ram 0x2d000000 - 0x37bfffff >>>> One of the reserved regions: 0x40000000 - 0x40100000 >>>> >>>> The above reserved region includes 0x40004000, a page excluded in >>>> trim_snb_memory. For this memblock reserved region the nid is not set it is >>>> still default value MAX_NUMNODES. later node_set callback will set bit >>>> MAX_NUMNODES in nodemask bitmap thus stack corruption happen. >>>> >> >> Hi Dave, >> >> Is it means, first reserved region 0x40000000 - 0x40100000, then boot the kdump >> kernel, so this region is not include in "numa_meminfo", and memblock.reserved >> (0x40004000) is still MAX_NUMNODES from trim_snb_memory(). > > Right, btw, I booted kdump kernel with numa=off for saving memory. > > I suspect it will also be reproduced with mem=XYZ with normal kernel. > cc Tang Chen, numa_clear_kernel_node_hotplug() is original written by him. Hi Dave, I tested the problem, and find the kdump's "numa_meminfo" is the same as the first kernel. I did not set "numa=off" in kdump kernel, maybe this will lead to the difference of "numa_meminfo" Thanks, Xishi Qiu >> >> numa_clear_kernel_node_hotplug >> { >> ... >> for (i = 0; i < numa_meminfo.nr_blks; i++) { >> struct numa_memblk *mb = &numa_meminfo.blk[i]; >> >> memblock_set_node(mb->start, mb->end - mb->start, >> &memblock.reserved, mb->nid); // this will not reset 0x40004000's node, right? >> } >> ... >> } >> >> Thanks >> Xishi Qiu >> ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/numa: kernel stack corruption fix 2015-04-01 8:21 ` Xishi Qiu @ 2015-04-01 8:34 ` Xishi Qiu 2015-04-01 9:17 ` Dave Young 0 siblings, 1 reply; 19+ messages in thread From: Xishi Qiu @ 2015-04-01 8:34 UTC (permalink / raw) To: Dave Young; +Cc: x86, linux-kernel, tglx, bhe, mingo, hpa, akpm, Tang Chen On 2015/4/1 16:21, Xishi Qiu wrote: > On 2015/4/1 15:41, Dave Young wrote: > >> On 04/01/15 at 03:27pm, Xishi Qiu wrote: >>> On 2015/4/1 13:11, Dave Young wrote: >>> >>>> Ccing Xishi Qiu who wrote the clear_kernel_node_hotplug code. >>>> >>>> On 04/01/15 at 12:53pm, Dave Young wrote: >>>>> I got below kernel panic during kdump test on Thinkpad T420 laptop: >>>>> >>>>> [ 0.000000] No NUMA configuration found >>>>> [ 0.000000] Faking a node at [mem 0x0000000000000000-0x0000000037ba4fff] >>>>> [ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is cor >>>>> upted in: ffffffff81d21910 r >>>>> [ 0.000000] >>>>> [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 >>>>> [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ >>>>> 5/2013 0 >>>>> [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67ce8 ffffffff817c >>>>> a26 2 >>>>> [ 0.000000] 0000000000000000 ffffffff81a61c90 ffffffff81b67d68 ffffffff817b >>>>> 8d2 c >>>>> [ 0.000000] 0000000000000010 ffffffff81b67d78 ffffffff81b67d18 c70296ddd809 >>>>> 4f6 e >>>>> [ 0.000000] Call Trace: >>>>> [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 >>>>> [ 0.000000] [<ffffffff817bc8d2>] panic+0xd0/0x204 >>>>> [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 >>>>> [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 >>>>> [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 >>>>> [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 >>>>> [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d >>>>> [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb >>>>> [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 >>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>>> [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b >>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>>> [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 >>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>>> [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c >>>>> [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 >>>>> [ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel sta >>>>> k is corrupted in: ffffffff81d21910 c >>>>> [ 0.000000] >>>>> PANIC: early exception 0d rip 10:ffffffff8105d2a6 error 7eb cr2 ffff8800371dd00 >>>>> [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 0 >>>>> [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ >>>>> 5/2013 0 >>>>> [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67c60 ffffffff817c >>>>> a26 2 >>>>> [ 0.000000] 0000000000000096 ffffffff81a61c90 ffffffff81b67d68 fffffff00000 >>>>> 084 0000000000000a0d 0000000000000a00 0 >>>>> [ 0.000000] Call Trace: >>>>> [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 >>>>> [ 0.000000] [<ffffffff81d051b0>] early_idt_handler+0x90/0xb7 >>>>> [ 0.000000] [<ffffffff8105d2a6>] ? native_irq_enable+0x6/0x10 >>>>> [ 0.000000] [<ffffffff817bc9c5>] ? panic+0x1c3/0x204 >>>>> [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 >>>>> [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 >>>>> [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 >>>>> [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 >>>>> [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d >>>>> [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb >>>>> [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 >>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>>> [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b >>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>>> [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 >>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>>> [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c >>>>> [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 >>>>> [ 0.000000] RIP 0x46 >>>>> >>>>> This is caused by writing over end of numa mask bitmap. >>>>> >>>>> numa_clear_kernel_node try to set node id in a mask bitmap, it iterating all >>>>> reserved region and assume every regions have valid nid. It is not true because >>>>> There's an exception for graphic memory quirks. see function trim_snb_memory >>>>> in arch/x86/kernel/setup.c >>>>> >>>>> It is easily to reproduce the bug in kdump kernel because kdump kernel use >>>>> prereserved memory instead of whole memory, but kexec pass other reserved memory >>>>> ranges to 2nd kernel as well. like below in my test: >>>>> kdump kernel ram 0x2d000000 - 0x37bfffff >>>>> One of the reserved regions: 0x40000000 - 0x40100000 >>>>> >>>>> The above reserved region includes 0x40004000, a page excluded in >>>>> trim_snb_memory. For this memblock reserved region the nid is not set it is >>>>> still default value MAX_NUMNODES. later node_set callback will set bit >>>>> MAX_NUMNODES in nodemask bitmap thus stack corruption happen. >>>>> >>> >>> Hi Dave, >>> >>> Is it means, first reserved region 0x40000000 - 0x40100000, then boot the kdump >>> kernel, so this region is not include in "numa_meminfo", and memblock.reserved >>> (0x40004000) is still MAX_NUMNODES from trim_snb_memory(). >> >> Right, btw, I booted kdump kernel with numa=off for saving memory. >> >> I suspect it will also be reproduced with mem=XYZ with normal kernel. >> > > cc Tang Chen, numa_clear_kernel_node_hotplug() is original written by him. > > Hi Dave, > I tested the problem, and find the kdump's "numa_meminfo" is the same as the first > kernel. I did not set "numa=off" in kdump kernel, maybe this will lead to the > difference of "numa_meminfo" > Hi Dave, I find the reason, it's "dummy_numa_init() -> numa_add_memblk(0, 0, PFN_PHYS(max_pfn));", this lead to the difference of "numa_meminfo" when set "numa=off". However we should fix the bug when set "numa=off". Thanks, Xishi Qiu ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/numa: kernel stack corruption fix 2015-04-01 8:34 ` Xishi Qiu @ 2015-04-01 9:17 ` Dave Young 2015-04-01 9:33 ` Xishi Qiu 0 siblings, 1 reply; 19+ messages in thread From: Dave Young @ 2015-04-01 9:17 UTC (permalink / raw) To: Xishi Qiu; +Cc: x86, linux-kernel, tglx, bhe, mingo, hpa, akpm, Tang Chen On 04/01/15 at 04:34pm, Xishi Qiu wrote: > On 2015/4/1 16:21, Xishi Qiu wrote: > > > On 2015/4/1 15:41, Dave Young wrote: > > > >> On 04/01/15 at 03:27pm, Xishi Qiu wrote: > >>> On 2015/4/1 13:11, Dave Young wrote: > >>> > >>>> Ccing Xishi Qiu who wrote the clear_kernel_node_hotplug code. > >>>> > >>>> On 04/01/15 at 12:53pm, Dave Young wrote: > >>>>> I got below kernel panic during kdump test on Thinkpad T420 laptop: > >>>>> > >>>>> [ 0.000000] No NUMA configuration found > >>>>> [ 0.000000] Faking a node at [mem 0x0000000000000000-0x0000000037ba4fff] > >>>>> [ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is cor > >>>>> upted in: ffffffff81d21910 r > >>>>> [ 0.000000] > >>>>> [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 > >>>>> [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > >>>>> 5/2013 0 > >>>>> [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67ce8 ffffffff817c > >>>>> a26 2 > >>>>> [ 0.000000] 0000000000000000 ffffffff81a61c90 ffffffff81b67d68 ffffffff817b > >>>>> 8d2 c > >>>>> [ 0.000000] 0000000000000010 ffffffff81b67d78 ffffffff81b67d18 c70296ddd809 > >>>>> 4f6 e > >>>>> [ 0.000000] Call Trace: > >>>>> [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > >>>>> [ 0.000000] [<ffffffff817bc8d2>] panic+0xd0/0x204 > >>>>> [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > >>>>> [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > >>>>> [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > >>>>> [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > >>>>> [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > >>>>> [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > >>>>> [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > >>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > >>>>> [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > >>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > >>>>> [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > >>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > >>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > >>>>> [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > >>>>> [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > >>>>> [ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel sta > >>>>> k is corrupted in: ffffffff81d21910 c > >>>>> [ 0.000000] > >>>>> PANIC: early exception 0d rip 10:ffffffff8105d2a6 error 7eb cr2 ffff8800371dd00 > >>>>> [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 0 > >>>>> [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > >>>>> 5/2013 0 > >>>>> [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67c60 ffffffff817c > >>>>> a26 2 > >>>>> [ 0.000000] 0000000000000096 ffffffff81a61c90 ffffffff81b67d68 fffffff00000 > >>>>> 084 0000000000000a0d 0000000000000a00 0 > >>>>> [ 0.000000] Call Trace: > >>>>> [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > >>>>> [ 0.000000] [<ffffffff81d051b0>] early_idt_handler+0x90/0xb7 > >>>>> [ 0.000000] [<ffffffff8105d2a6>] ? native_irq_enable+0x6/0x10 > >>>>> [ 0.000000] [<ffffffff817bc9c5>] ? panic+0x1c3/0x204 > >>>>> [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > >>>>> [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > >>>>> [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > >>>>> [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > >>>>> [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > >>>>> [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > >>>>> [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > >>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > >>>>> [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > >>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > >>>>> [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > >>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > >>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > >>>>> [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > >>>>> [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > >>>>> [ 0.000000] RIP 0x46 > >>>>> > >>>>> This is caused by writing over end of numa mask bitmap. > >>>>> > >>>>> numa_clear_kernel_node try to set node id in a mask bitmap, it iterating all > >>>>> reserved region and assume every regions have valid nid. It is not true because > >>>>> There's an exception for graphic memory quirks. see function trim_snb_memory > >>>>> in arch/x86/kernel/setup.c > >>>>> > >>>>> It is easily to reproduce the bug in kdump kernel because kdump kernel use > >>>>> prereserved memory instead of whole memory, but kexec pass other reserved memory > >>>>> ranges to 2nd kernel as well. like below in my test: > >>>>> kdump kernel ram 0x2d000000 - 0x37bfffff > >>>>> One of the reserved regions: 0x40000000 - 0x40100000 > >>>>> > >>>>> The above reserved region includes 0x40004000, a page excluded in > >>>>> trim_snb_memory. For this memblock reserved region the nid is not set it is > >>>>> still default value MAX_NUMNODES. later node_set callback will set bit > >>>>> MAX_NUMNODES in nodemask bitmap thus stack corruption happen. > >>>>> > >>> > >>> Hi Dave, > >>> > >>> Is it means, first reserved region 0x40000000 - 0x40100000, then boot the kdump > >>> kernel, so this region is not include in "numa_meminfo", and memblock.reserved > >>> (0x40004000) is still MAX_NUMNODES from trim_snb_memory(). > >> > >> Right, btw, I booted kdump kernel with numa=off for saving memory. > >> > >> I suspect it will also be reproduced with mem=XYZ with normal kernel. > >> > > > > cc Tang Chen, numa_clear_kernel_node_hotplug() is original written by him. > > > > Hi Dave, > > I tested the problem, and find the kdump's "numa_meminfo" is the same as the first > > kernel. I did not set "numa=off" in kdump kernel, maybe this will lead to the > > difference of "numa_meminfo" > > > > Hi Dave, > > I find the reason, it's "dummy_numa_init() -> numa_add_memblk(0, 0, PFN_PHYS(max_pfn));", > this lead to the difference of "numa_meminfo" when set "numa=off". > > However we should fix the bug when set "numa=off". So do you means MAXPFN should include non system ram region at the end? The case like below, I believe max_pfn is set to the end of system ram currently: [what ever] [ system ram ] [ bios reserved region ] Thanks Dave ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/numa: kernel stack corruption fix 2015-04-01 9:17 ` Dave Young @ 2015-04-01 9:33 ` Xishi Qiu 0 siblings, 0 replies; 19+ messages in thread From: Xishi Qiu @ 2015-04-01 9:33 UTC (permalink / raw) To: Dave Young; +Cc: x86, linux-kernel, tglx, bhe, mingo, hpa, akpm, Tang Chen On 2015/4/1 17:17, Dave Young wrote: > On 04/01/15 at 04:34pm, Xishi Qiu wrote: >> On 2015/4/1 16:21, Xishi Qiu wrote: >> >>> On 2015/4/1 15:41, Dave Young wrote: >>> >>>> On 04/01/15 at 03:27pm, Xishi Qiu wrote: >>>>> On 2015/4/1 13:11, Dave Young wrote: >>>>> >>>>>> Ccing Xishi Qiu who wrote the clear_kernel_node_hotplug code. >>>>>> >>>>>> On 04/01/15 at 12:53pm, Dave Young wrote: >>>>>>> I got below kernel panic during kdump test on Thinkpad T420 laptop: >>>>>>> >>>>>>> [ 0.000000] No NUMA configuration found >>>>>>> [ 0.000000] Faking a node at [mem 0x0000000000000000-0x0000000037ba4fff] >>>>>>> [ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is cor >>>>>>> upted in: ffffffff81d21910 r >>>>>>> [ 0.000000] >>>>>>> [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 >>>>>>> [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ >>>>>>> 5/2013 0 >>>>>>> [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67ce8 ffffffff817c >>>>>>> a26 2 >>>>>>> [ 0.000000] 0000000000000000 ffffffff81a61c90 ffffffff81b67d68 ffffffff817b >>>>>>> 8d2 c >>>>>>> [ 0.000000] 0000000000000010 ffffffff81b67d78 ffffffff81b67d18 c70296ddd809 >>>>>>> 4f6 e >>>>>>> [ 0.000000] Call Trace: >>>>>>> [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 >>>>>>> [ 0.000000] [<ffffffff817bc8d2>] panic+0xd0/0x204 >>>>>>> [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 >>>>>>> [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 >>>>>>> [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 >>>>>>> [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 >>>>>>> [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d >>>>>>> [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb >>>>>>> [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 >>>>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>>>>> [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b >>>>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>>>>> [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 >>>>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>>>>> [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c >>>>>>> [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 >>>>>>> [ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel sta >>>>>>> k is corrupted in: ffffffff81d21910 c >>>>>>> [ 0.000000] >>>>>>> PANIC: early exception 0d rip 10:ffffffff8105d2a6 error 7eb cr2 ffff8800371dd00 >>>>>>> [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 0 >>>>>>> [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ >>>>>>> 5/2013 0 >>>>>>> [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67c60 ffffffff817c >>>>>>> a26 2 >>>>>>> [ 0.000000] 0000000000000096 ffffffff81a61c90 ffffffff81b67d68 fffffff00000 >>>>>>> 084 0000000000000a0d 0000000000000a00 0 >>>>>>> [ 0.000000] Call Trace: >>>>>>> [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 >>>>>>> [ 0.000000] [<ffffffff81d051b0>] early_idt_handler+0x90/0xb7 >>>>>>> [ 0.000000] [<ffffffff8105d2a6>] ? native_irq_enable+0x6/0x10 >>>>>>> [ 0.000000] [<ffffffff817bc9c5>] ? panic+0x1c3/0x204 >>>>>>> [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 >>>>>>> [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 >>>>>>> [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 >>>>>>> [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 >>>>>>> [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d >>>>>>> [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb >>>>>>> [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 >>>>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>>>>> [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b >>>>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>>>>> [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 >>>>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>>>>> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >>>>>>> [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c >>>>>>> [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 >>>>>>> [ 0.000000] RIP 0x46 >>>>>>> >>>>>>> This is caused by writing over end of numa mask bitmap. >>>>>>> >>>>>>> numa_clear_kernel_node try to set node id in a mask bitmap, it iterating all >>>>>>> reserved region and assume every regions have valid nid. It is not true because >>>>>>> There's an exception for graphic memory quirks. see function trim_snb_memory >>>>>>> in arch/x86/kernel/setup.c >>>>>>> >>>>>>> It is easily to reproduce the bug in kdump kernel because kdump kernel use >>>>>>> prereserved memory instead of whole memory, but kexec pass other reserved memory >>>>>>> ranges to 2nd kernel as well. like below in my test: >>>>>>> kdump kernel ram 0x2d000000 - 0x37bfffff >>>>>>> One of the reserved regions: 0x40000000 - 0x40100000 >>>>>>> >>>>>>> The above reserved region includes 0x40004000, a page excluded in >>>>>>> trim_snb_memory. For this memblock reserved region the nid is not set it is >>>>>>> still default value MAX_NUMNODES. later node_set callback will set bit >>>>>>> MAX_NUMNODES in nodemask bitmap thus stack corruption happen. >>>>>>> >>>>> >>>>> Hi Dave, >>>>> >>>>> Is it means, first reserved region 0x40000000 - 0x40100000, then boot the kdump >>>>> kernel, so this region is not include in "numa_meminfo", and memblock.reserved >>>>> (0x40004000) is still MAX_NUMNODES from trim_snb_memory(). >>>> >>>> Right, btw, I booted kdump kernel with numa=off for saving memory. >>>> >>>> I suspect it will also be reproduced with mem=XYZ with normal kernel. >>>> >>> >>> cc Tang Chen, numa_clear_kernel_node_hotplug() is original written by him. >>> >>> Hi Dave, >>> I tested the problem, and find the kdump's "numa_meminfo" is the same as the first >>> kernel. I did not set "numa=off" in kdump kernel, maybe this will lead to the >>> difference of "numa_meminfo" >>> >> >> Hi Dave, >> >> I find the reason, it's "dummy_numa_init() -> numa_add_memblk(0, 0, PFN_PHYS(max_pfn));", >> this lead to the difference of "numa_meminfo" when set "numa=off". >> >> However we should fix the bug when set "numa=off". > > So do you means MAXPFN should include non system ram region at the end? > No, I means when set "numa=off", numa_meminfo comes from max_pfn, this makes the difference. and max_pfn is come from e820, not SRAT tables. if no "numa=off", SRAT tables will fill the numa_meminfo. Thanks, Xishi Qiu > The case like below, I believe max_pfn is set to the end of system ram currently: > [what ever] [ system ram ] [ bios reserved region ] > > Thanks > Dave > > . > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/numa: kernel stack corruption fix 2015-04-01 7:41 ` Dave Young 2015-04-01 8:21 ` Xishi Qiu @ 2015-04-02 19:15 ` Yasuaki Ishimatsu 2015-04-03 7:03 ` Dave Young 1 sibling, 1 reply; 19+ messages in thread From: Yasuaki Ishimatsu @ 2015-04-02 19:15 UTC (permalink / raw) To: Dave Young; +Cc: Xishi Qiu, x86, linux-kernel, tglx, bhe, mingo, hpa, akpm On Wed, 1 Apr 2015 15:41:20 +0800 Dave Young <dyoung@redhat.com> wrote: > On 04/01/15 at 03:27pm, Xishi Qiu wrote: > > On 2015/4/1 13:11, Dave Young wrote: > > > > > Ccing Xishi Qiu who wrote the clear_kernel_node_hotplug code. > > > > > > On 04/01/15 at 12:53pm, Dave Young wrote: > > >> I got below kernel panic during kdump test on Thinkpad T420 laptop: > > >> > > >> [ 0.000000] No NUMA configuration found > > >> [ 0.000000] Faking a node at [mem 0x0000000000000000-0x0000000037ba4fff] > > >> [ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is cor > > >> upted in: ffffffff81d21910 r > > >> [ 0.000000] > > >> [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 > > >> [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > > >> 5/2013 0 > > >> [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67ce8 ffffffff817c > > >> a26 2 > > >> [ 0.000000] 0000000000000000 ffffffff81a61c90 ffffffff81b67d68 ffffffff817b > > >> 8d2 c > > >> [ 0.000000] 0000000000000010 ffffffff81b67d78 ffffffff81b67d18 c70296ddd809 > > >> 4f6 e > > >> [ 0.000000] Call Trace: > > >> [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > > >> [ 0.000000] [<ffffffff817bc8d2>] panic+0xd0/0x204 > > >> [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > > >> [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > > >> [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > > >> [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > > >> [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > > >> [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > > >> [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > > >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > >> [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > > >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > >> [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > > >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > >> [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > > >> [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > > >> [ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel sta > > >> k is corrupted in: ffffffff81d21910 c > > >> [ 0.000000] > > >> PANIC: early exception 0d rip 10:ffffffff8105d2a6 error 7eb cr2 ffff8800371dd00 > > >> [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 0 > > >> [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > > >> 5/2013 0 > > >> [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67c60 ffffffff817c > > >> a26 2 > > >> [ 0.000000] 0000000000000096 ffffffff81a61c90 ffffffff81b67d68 fffffff00000 > > >> 084 0000000000000a0d 0000000000000a00 0 > > >> [ 0.000000] Call Trace: > > >> [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > > >> [ 0.000000] [<ffffffff81d051b0>] early_idt_handler+0x90/0xb7 > > >> [ 0.000000] [<ffffffff8105d2a6>] ? native_irq_enable+0x6/0x10 > > >> [ 0.000000] [<ffffffff817bc9c5>] ? panic+0x1c3/0x204 > > >> [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > > >> [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > > >> [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > > >> [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > > >> [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > > >> [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > > >> [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > > >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > >> [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > > >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > >> [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > > >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > >> [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > > >> [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > > >> [ 0.000000] RIP 0x46 > > >> > > >> This is caused by writing over end of numa mask bitmap. > > >> > > >> numa_clear_kernel_node try to set node id in a mask bitmap, it iterating all > > >> reserved region and assume every regions have valid nid. It is not true because > > >> There's an exception for graphic memory quirks. see function trim_snb_memory > > >> in arch/x86/kernel/setup.c > > >> > > >> It is easily to reproduce the bug in kdump kernel because kdump kernel use > > >> prereserved memory instead of whole memory, but kexec pass other reserved memory > > >> ranges to 2nd kernel as well. like below in my test: > > >> kdump kernel ram 0x2d000000 - 0x37bfffff > > >> One of the reserved regions: 0x40000000 - 0x40100000 > > >> > > >> The above reserved region includes 0x40004000, a page excluded in > > >> trim_snb_memory. For this memblock reserved region the nid is not set it is > > >> still default value MAX_NUMNODES. later node_set callback will set bit > > >> MAX_NUMNODES in nodemask bitmap thus stack corruption happen. > > >> > > > > Hi Dave, > > > > Is it means, first reserved region 0x40000000 - 0x40100000, then boot the kdump > > kernel, so this region is not include in "numa_meminfo", and memblock.reserved > > (0x40004000) is still MAX_NUMNODES from trim_snb_memory(). > > Right, btw, I booted kdump kernel with numa=off for saving memory. > > I suspect it will also be reproduced with mem=XYZ with normal kernel. Does the issue occur on your system with mem=0x40000000? I think the issue occurs when reserved memory range is not includes in system ram which informed by e820 or SRAT table. On your system, 0x40004000 is reserved by trim_snb_memory(). But if you use mem=0x40000000, the system ram is limited within 0x40000000. So the issue will occur. Thanks, Yasuaki Ishimatsu > > > > > numa_clear_kernel_node_hotplug > > { > > ... > > for (i = 0; i < numa_meminfo.nr_blks; i++) { > > struct numa_memblk *mb = &numa_meminfo.blk[i]; > > > > memblock_set_node(mb->start, mb->end - mb->start, > > &memblock.reserved, mb->nid); // this will not reset 0x40004000's node, right? > > } > > ... > > } > > > > Thanks > > Xishi Qiu > > > > >> Fixing this by adding a check, do not call node_set in case nid is MAX_NUMNODES. > > >> > > >> Signed-off-by: Dave Young <dyoung@redhat.com> > > >> --- > > >> arch/x86/mm/numa.c | 3 ++- > > >> 1 file changed, 2 insertions(+), 1 deletion(-) > > >> > > >> --- linux.orig/arch/x86/mm/numa.c > > >> +++ linux/arch/x86/mm/numa.c > > >> @@ -484,7 +484,8 @@ static void __init numa_clear_kernel_nod > > >> > > >> /* Mark all kernel nodes. */ > > >> for_each_memblock(reserved, r) > > >> - node_set(r->nid, numa_kernel_nodes); > > >> + if (r->nid != MAX_NUMNODES) > > >> + node_set(r->nid, numa_kernel_nodes); > > >> > > >> /* Clear MEMBLOCK_HOTPLUG flag for memory in kernel nodes. */ > > >> for (i = 0; i < numa_meminfo.nr_blks; i++) { > > >> > > > > > > . > > > > > > > > > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/numa: kernel stack corruption fix 2015-04-02 19:15 ` Yasuaki Ishimatsu @ 2015-04-03 7:03 ` Dave Young 0 siblings, 0 replies; 19+ messages in thread From: Dave Young @ 2015-04-03 7:03 UTC (permalink / raw) To: Yasuaki Ishimatsu Cc: Xishi Qiu, x86, linux-kernel, tglx, bhe, mingo, hpa, akpm > > > >> > > > >> The above reserved region includes 0x40004000, a page excluded in > > > >> trim_snb_memory. For this memblock reserved region the nid is not set it is > > > >> still default value MAX_NUMNODES. later node_set callback will set bit > > > >> MAX_NUMNODES in nodemask bitmap thus stack corruption happen. > > > >> > > > > > > Hi Dave, > > > > > > Is it means, first reserved region 0x40000000 - 0x40100000, then boot the kdump > > > kernel, so this region is not include in "numa_meminfo", and memblock.reserved > > > (0x40004000) is still MAX_NUMNODES from trim_snb_memory(). > > > > Right, btw, I booted kdump kernel with numa=off for saving memory. > > > > I suspect it will also be reproduced with mem=XYZ with normal kernel. > > Does the issue occur on your system with mem=0x40000000? > > I think the issue occurs when reserved memory range is not includes > in system ram which informed by e820 or SRAT table. On your system, > 0x40004000 is reserved by trim_snb_memory(). But if you use mem=0x40000000, > the system ram is limited within 0x40000000. So the issue will occur. It does occur with mem=800M during my previous test, I think it will occur with mem=0x40000000 as well though I did not test mem=0x40000000. Thanks Dave ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/numa: kernel stack corruption fix 2015-04-01 5:11 ` Dave Young 2015-04-01 7:27 ` Xishi Qiu @ 2015-04-02 1:51 ` Xishi Qiu 2015-04-02 3:24 ` Dave Young 1 sibling, 1 reply; 19+ messages in thread From: Xishi Qiu @ 2015-04-02 1:51 UTC (permalink / raw) To: Dave Young; +Cc: x86, linux-kernel, tglx, bhe, mingo, hpa, akpm, Tang Chen On 2015/4/1 13:11, Dave Young wrote: > Ccing Xishi Qiu who wrote the clear_kernel_node_hotplug code. > > On 04/01/15 at 12:53pm, Dave Young wrote: >> I got below kernel panic during kdump test on Thinkpad T420 laptop: >> >> [ 0.000000] No NUMA configuration found >> [ 0.000000] Faking a node at [mem 0x0000000000000000-0x0000000037ba4fff] >> [ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is cor >> upted in: ffffffff81d21910 r >> [ 0.000000] >> [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 >> [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ >> 5/2013 0 >> [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67ce8 ffffffff817c >> a26 2 >> [ 0.000000] 0000000000000000 ffffffff81a61c90 ffffffff81b67d68 ffffffff817b >> 8d2 c >> [ 0.000000] 0000000000000010 ffffffff81b67d78 ffffffff81b67d18 c70296ddd809 >> 4f6 e >> [ 0.000000] Call Trace: >> [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 >> [ 0.000000] [<ffffffff817bc8d2>] panic+0xd0/0x204 >> [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 >> [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 >> [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 >> [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 >> [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d >> [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb >> [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >> [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >> [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >> [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c >> [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 >> [ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel sta >> k is corrupted in: ffffffff81d21910 c >> [ 0.000000] >> PANIC: early exception 0d rip 10:ffffffff8105d2a6 error 7eb cr2 ffff8800371dd00 >> [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 0 >> [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ >> 5/2013 0 >> [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67c60 ffffffff817c >> a26 2 >> [ 0.000000] 0000000000000096 ffffffff81a61c90 ffffffff81b67d68 fffffff00000 >> 084 0000000000000a0d 0000000000000a00 0 >> [ 0.000000] Call Trace: >> [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 >> [ 0.000000] [<ffffffff81d051b0>] early_idt_handler+0x90/0xb7 >> [ 0.000000] [<ffffffff8105d2a6>] ? native_irq_enable+0x6/0x10 >> [ 0.000000] [<ffffffff817bc9c5>] ? panic+0x1c3/0x204 >> [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 >> [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 >> [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 >> [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 >> [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d >> [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb >> [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >> [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >> [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >> [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 >> [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c >> [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 >> [ 0.000000] RIP 0x46 >> >> This is caused by writing over end of numa mask bitmap. >> >> numa_clear_kernel_node try to set node id in a mask bitmap, it iterating all >> reserved region and assume every regions have valid nid. It is not true because >> There's an exception for graphic memory quirks. see function trim_snb_memory >> in arch/x86/kernel/setup.c >> >> It is easily to reproduce the bug in kdump kernel because kdump kernel use >> prereserved memory instead of whole memory, but kexec pass other reserved memory >> ranges to 2nd kernel as well. like below in my test: >> kdump kernel ram 0x2d000000 - 0x37bfffff >> One of the reserved regions: 0x40000000 - 0x40100000 >> >> The above reserved region includes 0x40004000, a page excluded in >> trim_snb_memory. For this memblock reserved region the nid is not set it is >> still default value MAX_NUMNODES. later node_set callback will set bit >> MAX_NUMNODES in nodemask bitmap thus stack corruption happen. >> >> Fixing this by adding a check, do not call node_set in case nid is MAX_NUMNODES. >> >> Signed-off-by: Dave Young <dyoung@redhat.com> >> --- >> arch/x86/mm/numa.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> --- linux.orig/arch/x86/mm/numa.c >> +++ linux/arch/x86/mm/numa.c >> @@ -484,7 +484,8 @@ static void __init numa_clear_kernel_nod >> >> /* Mark all kernel nodes. */ >> for_each_memblock(reserved, r) >> - node_set(r->nid, numa_kernel_nodes); Hi Dave, How about add some comment here? if set numa=off, numa_meminfo may not include all the memblock.reserved memory. e.g. trim_snb_memory() Thanks, Xishi Qiu >> + if (r->nid != MAX_NUMNODES) >> + node_set(r->nid, numa_kernel_nodes); >> >> /* Clear MEMBLOCK_HOTPLUG flag for memory in kernel nodes. */ >> for (i = 0; i < numa_meminfo.nr_blks; i++) { >> > > . > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/numa: kernel stack corruption fix 2015-04-02 1:51 ` Xishi Qiu @ 2015-04-02 3:24 ` Dave Young 0 siblings, 0 replies; 19+ messages in thread From: Dave Young @ 2015-04-02 3:24 UTC (permalink / raw) To: Xishi Qiu; +Cc: x86, linux-kernel, tglx, bhe, mingo, hpa, akpm, Tang Chen Hi, Xishi [snip] > >> arch/x86/mm/numa.c | 3 ++- > >> 1 file changed, 2 insertions(+), 1 deletion(-) > >> > >> --- linux.orig/arch/x86/mm/numa.c > >> +++ linux/arch/x86/mm/numa.c > >> @@ -484,7 +484,8 @@ static void __init numa_clear_kernel_nod > >> > >> /* Mark all kernel nodes. */ > >> for_each_memblock(reserved, r) > >> - node_set(r->nid, numa_kernel_nodes); > > Hi Dave, > > How about add some comment here? if set numa=off, numa_meminfo may not include > all the memblock.reserved memory. e.g. trim_snb_memory() Sure, I can do that. I will send an update if there's no other comments. > >> + if (r->nid != MAX_NUMNODES) > >> + node_set(r->nid, numa_kernel_nodes); > >> > >> /* Clear MEMBLOCK_HOTPLUG flag for memory in kernel nodes. */ > >> for (i = 0; i < numa_meminfo.nr_blks; i++) { > >> > > > Thanks Dave > ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/numa: kernel stack corruption fix 2015-04-01 4:53 [PATCH] x86/numa: kernel stack corruption fix Dave Young 2015-04-01 5:11 ` Dave Young @ 2015-04-02 19:36 ` Yasuaki Ishimatsu 2015-04-03 7:15 ` Dave Young 1 sibling, 1 reply; 19+ messages in thread From: Yasuaki Ishimatsu @ 2015-04-02 19:36 UTC (permalink / raw) To: Dave Young; +Cc: x86, linux-kernel, tglx, bhe, mingo, hpa, akpm On Wed, 1 Apr 2015 12:53:46 +0800 Dave Young <dyoung@redhat.com> wrote: > I got below kernel panic during kdump test on Thinkpad T420 laptop: > > [ 0.000000] No NUMA configuration found > [ 0.000000] Faking a node at [mem 0x0000000000000000-0x0000000037ba4fff] > [ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is cor > upted in: ffffffff81d21910 r > [ 0.000000] > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 > [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > 5/2013 0 > [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67ce8 ffffffff817c > a26 2 > [ 0.000000] 0000000000000000 ffffffff81a61c90 ffffffff81b67d68 ffffffff817b > 8d2 c > [ 0.000000] 0000000000000010 ffffffff81b67d78 ffffffff81b67d18 c70296ddd809 > 4f6 e > [ 0.000000] Call Trace: > [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > [ 0.000000] [<ffffffff817bc8d2>] panic+0xd0/0x204 > [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > [ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel sta > k is corrupted in: ffffffff81d21910 c > [ 0.000000] > PANIC: early exception 0d rip 10:ffffffff8105d2a6 error 7eb cr2 ffff8800371dd00 > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 0 > [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > 5/2013 0 > [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67c60 ffffffff817c > a26 2 > [ 0.000000] 0000000000000096 ffffffff81a61c90 ffffffff81b67d68 fffffff00000 > 084 0000000000000a0d 0000000000000a00 0 > [ 0.000000] Call Trace: > [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > [ 0.000000] [<ffffffff81d051b0>] early_idt_handler+0x90/0xb7 > [ 0.000000] [<ffffffff8105d2a6>] ? native_irq_enable+0x6/0x10 > [ 0.000000] [<ffffffff817bc9c5>] ? panic+0x1c3/0x204 > [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > [ 0.000000] RIP 0x46 > > This is caused by writing over end of numa mask bitmap. > > numa_clear_kernel_node try to set node id in a mask bitmap, it iterating all > reserved region and assume every regions have valid nid. It is not true because > There's an exception for graphic memory quirks. see function trim_snb_memory > in arch/x86/kernel/setup.c > > It is easily to reproduce the bug in kdump kernel because kdump kernel use > prereserved memory instead of whole memory, but kexec pass other reserved memory > ranges to 2nd kernel as well. like below in my test: > kdump kernel ram 0x2d000000 - 0x37bfffff > One of the reserved regions: 0x40000000 - 0x40100000 > > The above reserved region includes 0x40004000, a page excluded in > trim_snb_memory. For this memblock reserved region the nid is not set it is > still default value MAX_NUMNODES. later node_set callback will set bit > MAX_NUMNODES in nodemask bitmap thus stack corruption happen. > > Fixing this by adding a check, do not call node_set in case nid is MAX_NUMNODES. > > Signed-off-by: Dave Young <dyoung@redhat.com> > --- Looks good to me. Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com> Thanks, Yasuaki Ishimatsu > arch/x86/mm/numa.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > --- linux.orig/arch/x86/mm/numa.c > +++ linux/arch/x86/mm/numa.c > @@ -484,7 +484,8 @@ static void __init numa_clear_kernel_nod > > /* Mark all kernel nodes. */ > for_each_memblock(reserved, r) > - node_set(r->nid, numa_kernel_nodes); > + if (r->nid != MAX_NUMNODES) > + node_set(r->nid, numa_kernel_nodes); > > /* Clear MEMBLOCK_HOTPLUG flag for memory in kernel nodes. */ > for (i = 0; i < numa_meminfo.nr_blks; i++) { > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/numa: kernel stack corruption fix 2015-04-02 19:36 ` Yasuaki Ishimatsu @ 2015-04-03 7:15 ` Dave Young 2015-04-03 7:17 ` Ingo Molnar 2015-04-06 14:26 ` Yasuaki Ishimatsu 0 siblings, 2 replies; 19+ messages in thread From: Dave Young @ 2015-04-03 7:15 UTC (permalink / raw) To: Yasuaki Ishimatsu; +Cc: x86, linux-kernel, tglx, bhe, mingo, hpa, akpm Hi, On 04/02/15 at 12:36pm, Yasuaki Ishimatsu wrote: > > On Wed, 1 Apr 2015 12:53:46 +0800 > Dave Young <dyoung@redhat.com> wrote: > > > I got below kernel panic during kdump test on Thinkpad T420 laptop: > > > > [ 0.000000] No NUMA configuration found > > [ 0.000000] Faking a node at [mem 0x0000000000000000-0x0000000037ba4fff] > > [ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is cor > > upted in: ffffffff81d21910 r > > [ 0.000000] > > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 > > [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > > 5/2013 0 > > [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67ce8 ffffffff817c > > a26 2 > > [ 0.000000] 0000000000000000 ffffffff81a61c90 ffffffff81b67d68 ffffffff817b > > 8d2 c > > [ 0.000000] 0000000000000010 ffffffff81b67d78 ffffffff81b67d18 c70296ddd809 > > 4f6 e > > [ 0.000000] Call Trace: > > [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > > [ 0.000000] [<ffffffff817bc8d2>] panic+0xd0/0x204 > > [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > > [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > > [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > > [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > > [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > > [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > > [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > > [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > > [ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel sta > > k is corrupted in: ffffffff81d21910 c > > [ 0.000000] > > PANIC: early exception 0d rip 10:ffffffff8105d2a6 error 7eb cr2 ffff8800371dd00 > > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 0 > > [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > > 5/2013 0 > > [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67c60 ffffffff817c > > a26 2 > > [ 0.000000] 0000000000000096 ffffffff81a61c90 ffffffff81b67d68 fffffff00000 > > 084 0000000000000a0d 0000000000000a00 0 > > [ 0.000000] Call Trace: > > [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > > [ 0.000000] [<ffffffff81d051b0>] early_idt_handler+0x90/0xb7 > > [ 0.000000] [<ffffffff8105d2a6>] ? native_irq_enable+0x6/0x10 > > [ 0.000000] [<ffffffff817bc9c5>] ? panic+0x1c3/0x204 > > [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > > [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > > [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > > [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > > [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > > [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > > [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > > [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > > [ 0.000000] RIP 0x46 > > > > This is caused by writing over end of numa mask bitmap. > > > > numa_clear_kernel_node try to set node id in a mask bitmap, it iterating all > > reserved region and assume every regions have valid nid. It is not true because > > There's an exception for graphic memory quirks. see function trim_snb_memory > > in arch/x86/kernel/setup.c > > > > It is easily to reproduce the bug in kdump kernel because kdump kernel use > > prereserved memory instead of whole memory, but kexec pass other reserved memory > > ranges to 2nd kernel as well. like below in my test: > > kdump kernel ram 0x2d000000 - 0x37bfffff > > One of the reserved regions: 0x40000000 - 0x40100000 > > > > The above reserved region includes 0x40004000, a page excluded in > > trim_snb_memory. For this memblock reserved region the nid is not set it is > > still default value MAX_NUMNODES. later node_set callback will set bit > > MAX_NUMNODES in nodemask bitmap thus stack corruption happen. > > > > Fixing this by adding a check, do not call node_set in case nid is MAX_NUMNODES. > > > > Signed-off-by: Dave Young <dyoung@redhat.com> > > --- > > Looks good to me. > > Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com> Per suggestion from Xishi Qiu, I would like to add below comment in code and repost Could I carry with your Reviewed-by line? /* In case booting with numa=off and only using part of system ram * ie. mem=nn[kMG] or in kdump kernel, numa_meminfo may not include all the * memblock.reserved memory because trim_snb_memory() reserves specific pages * for Sandy Bridge graphics. */ Thanks Dave ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/numa: kernel stack corruption fix 2015-04-03 7:15 ` Dave Young @ 2015-04-03 7:17 ` Ingo Molnar 2015-04-03 7:23 ` Dave Young 2015-04-06 14:26 ` Yasuaki Ishimatsu 1 sibling, 1 reply; 19+ messages in thread From: Ingo Molnar @ 2015-04-03 7:17 UTC (permalink / raw) To: Dave Young Cc: Yasuaki Ishimatsu, x86, linux-kernel, tglx, bhe, mingo, hpa, akpm * Dave Young <dyoung@redhat.com> wrote: > Hi, > > On 04/02/15 at 12:36pm, Yasuaki Ishimatsu wrote: > > > > On Wed, 1 Apr 2015 12:53:46 +0800 > > Dave Young <dyoung@redhat.com> wrote: > > > > > I got below kernel panic during kdump test on Thinkpad T420 laptop: > > > > > > [ 0.000000] No NUMA configuration found > > > [ 0.000000] Faking a node at [mem 0x0000000000000000-0x0000000037ba4fff] > > > [ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is cor > > > upted in: ffffffff81d21910 r > > > [ 0.000000] > > > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 > > > [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > > > 5/2013 0 > > > [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67ce8 ffffffff817c > > > a26 2 > > > [ 0.000000] 0000000000000000 ffffffff81a61c90 ffffffff81b67d68 ffffffff817b > > > 8d2 c > > > [ 0.000000] 0000000000000010 ffffffff81b67d78 ffffffff81b67d18 c70296ddd809 > > > 4f6 e > > > [ 0.000000] Call Trace: > > > [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > > > [ 0.000000] [<ffffffff817bc8d2>] panic+0xd0/0x204 > > > [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > > > [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > > > [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > > > [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > > > [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > > > [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > > > [ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel sta > > > k is corrupted in: ffffffff81d21910 c > > > [ 0.000000] > > > PANIC: early exception 0d rip 10:ffffffff8105d2a6 error 7eb cr2 ffff8800371dd00 > > > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 0 > > > [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > > > 5/2013 0 > > > [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67c60 ffffffff817c > > > a26 2 > > > [ 0.000000] 0000000000000096 ffffffff81a61c90 ffffffff81b67d68 fffffff00000 > > > 084 0000000000000a0d 0000000000000a00 0 > > > [ 0.000000] Call Trace: > > > [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > > > [ 0.000000] [<ffffffff81d051b0>] early_idt_handler+0x90/0xb7 > > > [ 0.000000] [<ffffffff8105d2a6>] ? native_irq_enable+0x6/0x10 > > > [ 0.000000] [<ffffffff817bc9c5>] ? panic+0x1c3/0x204 > > > [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > > > [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > > > [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > > > [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > > > [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > > > [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > > > [ 0.000000] RIP 0x46 > > > > > > This is caused by writing over end of numa mask bitmap. > > > > > > numa_clear_kernel_node try to set node id in a mask bitmap, it iterating all > > > reserved region and assume every regions have valid nid. It is not true because > > > There's an exception for graphic memory quirks. see function trim_snb_memory > > > in arch/x86/kernel/setup.c > > > > > > It is easily to reproduce the bug in kdump kernel because kdump kernel use > > > prereserved memory instead of whole memory, but kexec pass other reserved memory > > > ranges to 2nd kernel as well. like below in my test: > > > kdump kernel ram 0x2d000000 - 0x37bfffff > > > One of the reserved regions: 0x40000000 - 0x40100000 > > > > > > The above reserved region includes 0x40004000, a page excluded in > > > trim_snb_memory. For this memblock reserved region the nid is not set it is > > > still default value MAX_NUMNODES. later node_set callback will set bit > > > MAX_NUMNODES in nodemask bitmap thus stack corruption happen. > > > > > > Fixing this by adding a check, do not call node_set in case nid is MAX_NUMNODES. > > > > > > Signed-off-by: Dave Young <dyoung@redhat.com> > > > --- > > > > Looks good to me. > > > > Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com> > > Per suggestion from Xishi Qiu, I would like to add below comment in code and repost > Could I carry with your Reviewed-by line? > > /* In case booting with numa=off and only using part of system ram > * ie. mem=nn[kMG] or in kdump kernel, numa_meminfo may not include all the > * memblock.reserved memory because trim_snb_memory() reserves specific pages > * for Sandy Bridge graphics. */ Nit: please use the customary (multi-line) comment style: /* * Comment ..... * ...... goes here. */ specified in Documentation/CodingStyle. Thanks, Ingo ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/numa: kernel stack corruption fix 2015-04-03 7:17 ` Ingo Molnar @ 2015-04-03 7:23 ` Dave Young 0 siblings, 0 replies; 19+ messages in thread From: Dave Young @ 2015-04-03 7:23 UTC (permalink / raw) To: Ingo Molnar Cc: Yasuaki Ishimatsu, x86, linux-kernel, tglx, bhe, mingo, hpa, akpm On 04/03/15 at 09:17am, Ingo Molnar wrote: > > * Dave Young <dyoung@redhat.com> wrote: > > > Hi, > > > > On 04/02/15 at 12:36pm, Yasuaki Ishimatsu wrote: > > > > > > On Wed, 1 Apr 2015 12:53:46 +0800 > > > Dave Young <dyoung@redhat.com> wrote: > > > > > > > I got below kernel panic during kdump test on Thinkpad T420 laptop: > > > > > > > > [ 0.000000] No NUMA configuration found > > > > [ 0.000000] Faking a node at [mem 0x0000000000000000-0x0000000037ba4fff] > > > > [ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is cor > > > > upted in: ffffffff81d21910 r > > > > [ 0.000000] > > > > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 > > > > [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > > > > 5/2013 0 > > > > [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67ce8 ffffffff817c > > > > a26 2 > > > > [ 0.000000] 0000000000000000 ffffffff81a61c90 ffffffff81b67d68 ffffffff817b > > > > 8d2 c > > > > [ 0.000000] 0000000000000010 ffffffff81b67d78 ffffffff81b67d18 c70296ddd809 > > > > 4f6 e > > > > [ 0.000000] Call Trace: > > > > [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > > > > [ 0.000000] [<ffffffff817bc8d2>] panic+0xd0/0x204 > > > > [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > > [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > > > > [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > > [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > > > > [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > > > > [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > > > > [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > > > > [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > > > > [ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel sta > > > > k is corrupted in: ffffffff81d21910 c > > > > [ 0.000000] > > > > PANIC: early exception 0d rip 10:ffffffff8105d2a6 error 7eb cr2 ffff8800371dd00 > > > > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 0 > > > > [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > > > > 5/2013 0 > > > > [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67c60 ffffffff817c > > > > a26 2 > > > > [ 0.000000] 0000000000000096 ffffffff81a61c90 ffffffff81b67d68 fffffff00000 > > > > 084 0000000000000a0d 0000000000000a00 0 > > > > [ 0.000000] Call Trace: > > > > [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > > > > [ 0.000000] [<ffffffff81d051b0>] early_idt_handler+0x90/0xb7 > > > > [ 0.000000] [<ffffffff8105d2a6>] ? native_irq_enable+0x6/0x10 > > > > [ 0.000000] [<ffffffff817bc9c5>] ? panic+0x1c3/0x204 > > > > [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > > [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > > > > [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > > [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > > > > [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > > > > [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > > > > [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > > > > [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > > > > [ 0.000000] RIP 0x46 > > > > > > > > This is caused by writing over end of numa mask bitmap. > > > > > > > > numa_clear_kernel_node try to set node id in a mask bitmap, it iterating all > > > > reserved region and assume every regions have valid nid. It is not true because > > > > There's an exception for graphic memory quirks. see function trim_snb_memory > > > > in arch/x86/kernel/setup.c > > > > > > > > It is easily to reproduce the bug in kdump kernel because kdump kernel use > > > > prereserved memory instead of whole memory, but kexec pass other reserved memory > > > > ranges to 2nd kernel as well. like below in my test: > > > > kdump kernel ram 0x2d000000 - 0x37bfffff > > > > One of the reserved regions: 0x40000000 - 0x40100000 > > > > > > > > The above reserved region includes 0x40004000, a page excluded in > > > > trim_snb_memory. For this memblock reserved region the nid is not set it is > > > > still default value MAX_NUMNODES. later node_set callback will set bit > > > > MAX_NUMNODES in nodemask bitmap thus stack corruption happen. > > > > > > > > Fixing this by adding a check, do not call node_set in case nid is MAX_NUMNODES. > > > > > > > > Signed-off-by: Dave Young <dyoung@redhat.com> > > > > --- > > > > > > Looks good to me. > > > > > > Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com> > > > > Per suggestion from Xishi Qiu, I would like to add below comment in code and repost > > Could I carry with your Reviewed-by line? > > > > /* In case booting with numa=off and only using part of system ram > > * ie. mem=nn[kMG] or in kdump kernel, numa_meminfo may not include all the > > * memblock.reserved memory because trim_snb_memory() reserves specific pages > > * for Sandy Bridge graphics. */ > > Nit: please use the customary (multi-line) comment style: > > /* > * Comment ..... > * ...... goes here. > */ > > specified in Documentation/CodingStyle. Sure, will do. Thanks for telling me. Dave ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/numa: kernel stack corruption fix 2015-04-03 7:15 ` Dave Young 2015-04-03 7:17 ` Ingo Molnar @ 2015-04-06 14:26 ` Yasuaki Ishimatsu 2015-04-07 3:33 ` Dave Young 1 sibling, 1 reply; 19+ messages in thread From: Yasuaki Ishimatsu @ 2015-04-06 14:26 UTC (permalink / raw) To: Dave Young; +Cc: x86, linux-kernel, tglx, bhe, mingo, hpa, akpm Hi, On Fri, 3 Apr 2015 15:15:13 +0800 Dave Young <dyoung@redhat.com> wrote: > Hi, > > On 04/02/15 at 12:36pm, Yasuaki Ishimatsu wrote: > > > > On Wed, 1 Apr 2015 12:53:46 +0800 > > Dave Young <dyoung@redhat.com> wrote: > > > > > I got below kernel panic during kdump test on Thinkpad T420 laptop: > > > > > > [ 0.000000] No NUMA configuration found > > > [ 0.000000] Faking a node at [mem 0x0000000000000000-0x0000000037ba4fff] > > > [ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is cor > > > upted in: ffffffff81d21910 r > > > [ 0.000000] > > > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 > > > [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > > > 5/2013 0 > > > [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67ce8 ffffffff817c > > > a26 2 > > > [ 0.000000] 0000000000000000 ffffffff81a61c90 ffffffff81b67d68 ffffffff817b > > > 8d2 c > > > [ 0.000000] 0000000000000010 ffffffff81b67d78 ffffffff81b67d18 c70296ddd809 > > > 4f6 e > > > [ 0.000000] Call Trace: > > > [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > > > [ 0.000000] [<ffffffff817bc8d2>] panic+0xd0/0x204 > > > [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > > > [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > > > [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > > > [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > > > [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > > > [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > > > [ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel sta > > > k is corrupted in: ffffffff81d21910 c > > > [ 0.000000] > > > PANIC: early exception 0d rip 10:ffffffff8105d2a6 error 7eb cr2 ffff8800371dd00 > > > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 0 > > > [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > > > 5/2013 0 > > > [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67c60 ffffffff817c > > > a26 2 > > > [ 0.000000] 0000000000000096 ffffffff81a61c90 ffffffff81b67d68 fffffff00000 > > > 084 0000000000000a0d 0000000000000a00 0 > > > [ 0.000000] Call Trace: > > > [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > > > [ 0.000000] [<ffffffff81d051b0>] early_idt_handler+0x90/0xb7 > > > [ 0.000000] [<ffffffff8105d2a6>] ? native_irq_enable+0x6/0x10 > > > [ 0.000000] [<ffffffff817bc9c5>] ? panic+0x1c3/0x204 > > > [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > > > [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > > > [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > > > [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > > > [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > > > [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > > > [ 0.000000] RIP 0x46 > > > > > > This is caused by writing over end of numa mask bitmap. > > > > > > numa_clear_kernel_node try to set node id in a mask bitmap, it iterating all > > > reserved region and assume every regions have valid nid. It is not true because > > > There's an exception for graphic memory quirks. see function trim_snb_memory > > > in arch/x86/kernel/setup.c > > > > > > It is easily to reproduce the bug in kdump kernel because kdump kernel use > > > prereserved memory instead of whole memory, but kexec pass other reserved memory > > > ranges to 2nd kernel as well. like below in my test: > > > kdump kernel ram 0x2d000000 - 0x37bfffff > > > One of the reserved regions: 0x40000000 - 0x40100000 > > > > > > The above reserved region includes 0x40004000, a page excluded in > > > trim_snb_memory. For this memblock reserved region the nid is not set it is > > > still default value MAX_NUMNODES. later node_set callback will set bit > > > MAX_NUMNODES in nodemask bitmap thus stack corruption happen. > > > > > > Fixing this by adding a check, do not call node_set in case nid is MAX_NUMNODES. > > > > > > Signed-off-by: Dave Young <dyoung@redhat.com> > > > --- > > > > Looks good to me. > > > > Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com> > > Per suggestion from Xishi Qiu, I would like to add below comment in code and repost > Could I carry with your Reviewed-by line? > > /* In case booting with numa=off and only using part of system ram > * ie. mem=nn[kMG] or in kdump kernel, numa_meminfo may not include all the > * memblock.reserved memory because trim_snb_memory() reserves specific pages > * for Sandy Bridge graphics. */ I don't think the issue is related to numa=off. If we use numa=off, all memory ranges which are informed by e820 are managed to Node 0. The issue occurs when reserved memory ranges are not included in system ram which informed by e820. Thanks, Yasuaki Ishimatsu > > Thanks > Dave ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/numa: kernel stack corruption fix 2015-04-06 14:26 ` Yasuaki Ishimatsu @ 2015-04-07 3:33 ` Dave Young 2015-04-07 14:15 ` Yasuaki Ishimatsu 0 siblings, 1 reply; 19+ messages in thread From: Dave Young @ 2015-04-07 3:33 UTC (permalink / raw) To: Yasuaki Ishimatsu; +Cc: x86, linux-kernel, tglx, bhe, mingo, hpa, akpm On 04/06/15 at 07:26am, Yasuaki Ishimatsu wrote: > Hi, > > On Fri, 3 Apr 2015 15:15:13 +0800 > Dave Young <dyoung@redhat.com> wrote: > > > Hi, > > > > On 04/02/15 at 12:36pm, Yasuaki Ishimatsu wrote: > > > > > > On Wed, 1 Apr 2015 12:53:46 +0800 > > > Dave Young <dyoung@redhat.com> wrote: > > > > > > > I got below kernel panic during kdump test on Thinkpad T420 laptop: > > > > > > > > [ 0.000000] No NUMA configuration found > > > > [ 0.000000] Faking a node at [mem 0x0000000000000000-0x0000000037ba4fff] > > > > [ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is cor > > > > upted in: ffffffff81d21910 r > > > > [ 0.000000] > > > > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 > > > > [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > > > > 5/2013 0 > > > > [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67ce8 ffffffff817c > > > > a26 2 > > > > [ 0.000000] 0000000000000000 ffffffff81a61c90 ffffffff81b67d68 ffffffff817b > > > > 8d2 c > > > > [ 0.000000] 0000000000000010 ffffffff81b67d78 ffffffff81b67d18 c70296ddd809 > > > > 4f6 e > > > > [ 0.000000] Call Trace: > > > > [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > > > > [ 0.000000] [<ffffffff817bc8d2>] panic+0xd0/0x204 > > > > [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > > [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > > > > [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > > [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > > > > [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > > > > [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > > > > [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > > > > [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > > > > [ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel sta > > > > k is corrupted in: ffffffff81d21910 c > > > > [ 0.000000] > > > > PANIC: early exception 0d rip 10:ffffffff8105d2a6 error 7eb cr2 ffff8800371dd00 > > > > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 0 > > > > [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > > > > 5/2013 0 > > > > [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67c60 ffffffff817c > > > > a26 2 > > > > [ 0.000000] 0000000000000096 ffffffff81a61c90 ffffffff81b67d68 fffffff00000 > > > > 084 0000000000000a0d 0000000000000a00 0 > > > > [ 0.000000] Call Trace: > > > > [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > > > > [ 0.000000] [<ffffffff81d051b0>] early_idt_handler+0x90/0xb7 > > > > [ 0.000000] [<ffffffff8105d2a6>] ? native_irq_enable+0x6/0x10 > > > > [ 0.000000] [<ffffffff817bc9c5>] ? panic+0x1c3/0x204 > > > > [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > > [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > > > > [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > > [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > > > > [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > > > > [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > > > > [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > > > > [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > > > > [ 0.000000] RIP 0x46 > > > > > > > > This is caused by writing over end of numa mask bitmap. > > > > > > > > numa_clear_kernel_node try to set node id in a mask bitmap, it iterating all > > > > reserved region and assume every regions have valid nid. It is not true because > > > > There's an exception for graphic memory quirks. see function trim_snb_memory > > > > in arch/x86/kernel/setup.c > > > > > > > > It is easily to reproduce the bug in kdump kernel because kdump kernel use > > > > prereserved memory instead of whole memory, but kexec pass other reserved memory > > > > ranges to 2nd kernel as well. like below in my test: > > > > kdump kernel ram 0x2d000000 - 0x37bfffff > > > > One of the reserved regions: 0x40000000 - 0x40100000 > > > > > > > > The above reserved region includes 0x40004000, a page excluded in > > > > trim_snb_memory. For this memblock reserved region the nid is not set it is > > > > still default value MAX_NUMNODES. later node_set callback will set bit > > > > MAX_NUMNODES in nodemask bitmap thus stack corruption happen. > > > > > > > > Fixing this by adding a check, do not call node_set in case nid is MAX_NUMNODES. > > > > > > > > Signed-off-by: Dave Young <dyoung@redhat.com> > > > > --- > > > > > > Looks good to me. > > > > > > Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com> > > > > > Per suggestion from Xishi Qiu, I would like to add below comment in code and repost > > Could I carry with your Reviewed-by line? > > > > /* In case booting with numa=off and only using part of system ram > > * ie. mem=nn[kMG] or in kdump kernel, numa_meminfo may not include all the > > * memblock.reserved memory because trim_snb_memory() reserves specific pages > > * for Sandy Bridge graphics. */ > > I don't think the issue is related to numa=off. If we use numa=off, > all memory ranges which are informed by e820 are managed to Node 0. > > The issue occurs when reserved memory ranges are not included > in system ram which informed by e820. Maybe in theory it is possible that it occurs without numa=off so that numa meminfo does not include some reserved regions, but I think I can only reproduce it with numa=off. But ok, I can use the comment below instead: /* * In case booting with mem=nn[kMG] or in kdump kernel, numa_meminfo may not * include all the memblock.reserved memory ranges because trim_snb_memory() * reserves specific pages for Sandy Bridge graphics. */ Thanks Dave ^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH] x86/numa: kernel stack corruption fix 2015-04-07 3:33 ` Dave Young @ 2015-04-07 14:15 ` Yasuaki Ishimatsu 0 siblings, 0 replies; 19+ messages in thread From: Yasuaki Ishimatsu @ 2015-04-07 14:15 UTC (permalink / raw) To: Dave Young; +Cc: x86, linux-kernel, tglx, bhe, mingo, hpa, akpm Hi Dave, On Tue, 7 Apr 2015 11:33:55 +0800 Dave Young <dyoung@redhat.com> wrote: > On 04/06/15 at 07:26am, Yasuaki Ishimatsu wrote: > > Hi, > > > > On Fri, 3 Apr 2015 15:15:13 +0800 > > Dave Young <dyoung@redhat.com> wrote: > > > > > Hi, > > > > > > On 04/02/15 at 12:36pm, Yasuaki Ishimatsu wrote: > > > > > > > > On Wed, 1 Apr 2015 12:53:46 +0800 > > > > Dave Young <dyoung@redhat.com> wrote: > > > > > > > > > I got below kernel panic during kdump test on Thinkpad T420 laptop: > > > > > > > > > > [ 0.000000] No NUMA configuration found > > > > > [ 0.000000] Faking a node at [mem 0x0000000000000000-0x0000000037ba4fff] > > > > > [ 0.000000] Kernel panic - not syncing: stack-protector: Kernel stack is cor > > > > > upted in: ffffffff81d21910 r > > > > > [ 0.000000] > > > > > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 > > > > > [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > > > > > 5/2013 0 > > > > > [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67ce8 ffffffff817c > > > > > a26 2 > > > > > [ 0.000000] 0000000000000000 ffffffff81a61c90 ffffffff81b67d68 ffffffff817b > > > > > 8d2 c > > > > > [ 0.000000] 0000000000000010 ffffffff81b67d78 ffffffff81b67d18 c70296ddd809 > > > > > 4f6 e > > > > > [ 0.000000] Call Trace: > > > > > [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > > > > > [ 0.000000] [<ffffffff817bc8d2>] panic+0xd0/0x204 > > > > > [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > > > [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > > > > > [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > > > [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > > > > > [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > > > > > [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > > > > > [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > > [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > > [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > > [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > > > > > [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > > > > > [ 0.000000] ---[ end Kernel panic - not syncing: stack-protector: Kernel sta > > > > > k is corrupted in: ffffffff81d21910 c > > > > > [ 0.000000] > > > > > PANIC: early exception 0d rip 10:ffffffff8105d2a6 error 7eb cr2 ffff8800371dd00 > > > > > [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.0.0-rc6+ #44 0 > > > > > [ 0.000000] Hardware name: LENOVO 4236NUC/4236NUC, BIOS 83ET76WW (1.46 ) 07/ > > > > > 5/2013 0 > > > > > [ 0.000000] 0000000000000000 c70296ddd809e4f6 ffffffff81b67c60 ffffffff817c > > > > > a26 2 > > > > > [ 0.000000] 0000000000000096 ffffffff81a61c90 ffffffff81b67d68 fffffff00000 > > > > > 084 0000000000000a0d 0000000000000a00 0 > > > > > [ 0.000000] Call Trace: > > > > > [ 0.000000] [<ffffffff817c2a26>] dump_stack+0x45/0x57 > > > > > [ 0.000000] [<ffffffff81d051b0>] early_idt_handler+0x90/0xb7 > > > > > [ 0.000000] [<ffffffff8105d2a6>] ? native_irq_enable+0x6/0x10 > > > > > [ 0.000000] [<ffffffff817bc9c5>] ? panic+0x1c3/0x204 > > > > > [ 0.000000] [<ffffffff81d21910>] ? numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > > > [ 0.000000] [<ffffffff8107741b>] __stack_chk_fail+0x1b/0x20 > > > > > [ 0.000000] [<ffffffff81d21910>] numa_clear_kernel_node_hotplug+0xe6/0xf2 > > > > > [ 0.000000] [<ffffffff81d21e5d>] numa_init+0x1a5/0x520 > > > > > [ 0.000000] [<ffffffff81d222b1>] x86_numa_init+0x19/0x3d > > > > > [ 0.000000] [<ffffffff81d22460>] initmem_init+0x9/0xb > > > > > [ 0.000000] [<ffffffff81d0d00c>] setup_arch+0x94f/0xc82 > > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > > [ 0.000000] [<ffffffff817bd0bb>] ? printk+0x55/0x6b > > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > > [ 0.000000] [<ffffffff81d05d9b>] start_kernel+0xe8/0x4d6 > > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > > [ 0.000000] [<ffffffff81d05120>] ? early_idt_handlers+0x120/0x120 > > > > > [ 0.000000] [<ffffffff81d055ee>] x86_64_start_reservations+0x2a/0x2c > > > > > [ 0.000000] [<ffffffff81d05751>] x86_64_start_kernel+0x161/0x184 > > > > > [ 0.000000] RIP 0x46 > > > > > > > > > > This is caused by writing over end of numa mask bitmap. > > > > > > > > > > numa_clear_kernel_node try to set node id in a mask bitmap, it iterating all > > > > > reserved region and assume every regions have valid nid. It is not true because > > > > > There's an exception for graphic memory quirks. see function trim_snb_memory > > > > > in arch/x86/kernel/setup.c > > > > > > > > > > It is easily to reproduce the bug in kdump kernel because kdump kernel use > > > > > prereserved memory instead of whole memory, but kexec pass other reserved memory > > > > > ranges to 2nd kernel as well. like below in my test: > > > > > kdump kernel ram 0x2d000000 - 0x37bfffff > > > > > One of the reserved regions: 0x40000000 - 0x40100000 > > > > > > > > > > The above reserved region includes 0x40004000, a page excluded in > > > > > trim_snb_memory. For this memblock reserved region the nid is not set it is > > > > > still default value MAX_NUMNODES. later node_set callback will set bit > > > > > MAX_NUMNODES in nodemask bitmap thus stack corruption happen. > > > > > > > > > > Fixing this by adding a check, do not call node_set in case nid is MAX_NUMNODES. > > > > > > > > > > Signed-off-by: Dave Young <dyoung@redhat.com> > > > > > --- > > > > > > > > Looks good to me. > > > > > > > > Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com> > > > > > > > > Per suggestion from Xishi Qiu, I would like to add below comment in code and repost > > > Could I carry with your Reviewed-by line? > > > > > > /* In case booting with numa=off and only using part of system ram > > > * ie. mem=nn[kMG] or in kdump kernel, numa_meminfo may not include all the > > > * memblock.reserved memory because trim_snb_memory() reserves specific pages > > > * for Sandy Bridge graphics. */ > > > > I don't think the issue is related to numa=off. If we use numa=off, > > all memory ranges which are informed by e820 are managed to Node 0. > > > > The issue occurs when reserved memory ranges are not included > > in system ram which informed by e820. > > Maybe in theory it is possible that it occurs without numa=off so that numa > meminfo does not include some reserved regions, but I think I can only > reproduce it with numa=off. > > But ok, I can use the comment below instead: > > /* > * In case booting with mem=nn[kMG] or in kdump kernel, numa_meminfo may not > * include all the memblock.reserved memory ranges because trim_snb_memory() > * reserves specific pages for Sandy Bridge graphics. > */ Looks good to me. Feel free to add my reviewed by. Thanks, Yasuaki Ishimatsu > > Thanks > Dave ^ permalink raw reply [flat|nested] 19+ messages in thread
end of thread, other threads:[~2015-04-07 14:15 UTC | newest] Thread overview: 19+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2015-04-01 4:53 [PATCH] x86/numa: kernel stack corruption fix Dave Young 2015-04-01 5:11 ` Dave Young 2015-04-01 7:27 ` Xishi Qiu 2015-04-01 7:41 ` Dave Young 2015-04-01 8:21 ` Xishi Qiu 2015-04-01 8:34 ` Xishi Qiu 2015-04-01 9:17 ` Dave Young 2015-04-01 9:33 ` Xishi Qiu 2015-04-02 19:15 ` Yasuaki Ishimatsu 2015-04-03 7:03 ` Dave Young 2015-04-02 1:51 ` Xishi Qiu 2015-04-02 3:24 ` Dave Young 2015-04-02 19:36 ` Yasuaki Ishimatsu 2015-04-03 7:15 ` Dave Young 2015-04-03 7:17 ` Ingo Molnar 2015-04-03 7:23 ` Dave Young 2015-04-06 14:26 ` Yasuaki Ishimatsu 2015-04-07 3:33 ` Dave Young 2015-04-07 14:15 ` Yasuaki Ishimatsu
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).