[SRU][Trusty/Utopic][PATCH 0/2] Fixes for LP:#1572562

Stefan Bader stefan.bader at canonical.com
Fri May 20 08:53:06 UTC 2016


On 16.05.2016 08:43, Gavin Guo wrote:
> BugLink: http://bugs.launchpad.net/bugs/1572562
> 
> [Impact]
> In the v3.13.0-76 kernel with KASan backported, the following error
> message could be observed during the kernel build stress test with the
> command[1]: "./parallel-73670.sh -r 2 -k 40"
> That means building 40 kernels at the same time for 2 rounds.

I guess it's okayish since the first patch is marked stable for 3.7+ (and I think
I just saw it in a stable announcement for 3.12). I just wish I could remember
what KASan is and why we want it working. For me "balloon" rather triggers
thoughts of VMs but the rest does not sound like it.

-Stefan

> 
> Bad access happens when we read page->mapping->flags, and
> page->mapping is a pointer to anon_vma which is already freed
> in the do_exit path.
> 
> ==================================================================
> BUG: KASan: out of bounds access in isolate_migratepages_range+0x663/0xb30 at addr ffff880279cc76d1
> Read of size 8 by task cc1/27473
> =============================================================================
> BUG anon_vma (Not tainted): kasan: bad access detected
> -----------------------------------------------------------------------------
> 
> Disabling lock debugging due to kernel taint
> INFO: Allocated in anon_vma_prepare+0x189/0x250 age=7323 cpu=16 pid=31029
>         __slab_alloc+0x4f8/0x560
>         kmem_cache_alloc+0x18b/0x1e0
>         anon_vma_prepare+0x189/0x250
>         do_wp_page+0x837/0xb10
>         handle_mm_fault+0x884/0x1160
>         __do_page_fault+0x218/0x750
>         do_page_fault+0x1a/0x70
>         page_fault+0x28/0x30
> INFO: Freed in __put_anon_vma+0x69/0xe0 age=8588 cpu=4 pid=29418
>         __slab_free+0x2ab/0x3f0
>         kmem_cache_free+0x1c1/0x200
>         __put_anon_vma+0x69/0xe0
>         unlink_anon_vmas+0x2a8/0x320
>         free_pgtables+0x50/0x1c0
>         exit_mmap+0xca/0x1e0
>         mmput+0x82/0x1b0
>         do_exit+0x391/0x1060
>         do_group_exit+0x86/0x130
>         SyS_exit_group+0x1d/0x20
>         system_call_fastpath+0x1a/0x1f
> <...>
> Call Trace:
>  [<ffffffff81a6e195>] dump_stack+0x45/0x56
>  [<ffffffff81244c1d>] print_trailer+0xfd/0x170
>  [<ffffffff8124ad66>] object_err+0x36/0x40
>  [<ffffffff8124cd29>] kasan_report_error+0x1e9/0x3a0
>  [<ffffffff8125d9f8>] ? memcg_check_events+0x28/0x380
>  [<ffffffff81221c2d>] ? rmap_walk+0x32d/0x340
>  [<ffffffff8124d390>] kasan_report+0x40/0x50
>  [<ffffffff81205ee3>] ? isolate_migratepages_range+0x663/0xb30
>  [<ffffffff8124c019>] __asan_load8+0x69/0xa0
>  [<ffffffff81205ee3>] isolate_migratepages_range+0x663/0xb30
>  [<ffffffff811dc5e7>] ? zone_watermark_ok+0x57/0x70
>  [<ffffffff812067c6>] compact_zone+0x416/0x700
>  [<ffffffff81206b45>] compact_zone_order+0x95/0x100
>  [<ffffffff81207002>] try_to_compact_pages+0x102/0x1a0
>  [<ffffffff811e21e6>] __alloc_pages_direct_compact+0x96/0x290
>  [<ffffffff811e2d5e>] __alloc_pages_nodemask+0x97e/0xc40
>  [<ffffffff8123ce24>] alloc_pages_vma+0xb4/0x200
>  [<ffffffff812572ca>] do_huge_pmd_anonymous_page+0x13a/0x490
>  [<ffffffff8120f072>] ? do_numa_page+0x192/0x200
>  [<ffffffff81210c07>] handle_mm_fault+0x267/0x1160
>  [<ffffffff81a7d028>] __do_page_fault+0x218/0x750
>  [<ffffffff8121aead>] ? do_mmap_pgoff+0x47d/0x500
>  [<ffffffff811fd699>] ? vm_mmap_pgoff+0xa9/0xd0
>  [<ffffffff81a7d57a>] do_page_fault+0x1a/0x70
>  [<ffffffff81a785a8>] page_fault+0x28/0x30
> 
> [Fix]
> - The first patch is the solution commit which moves the PageBalloon
>   check to page->_mapcount.
> d6d86c0a7f8d ("mm/balloon_compaction: redesign ballooned pages management")
> - The second one is the patch to remove the isolation check when the
>   CONFIG_BALLOON_COMPACTION is not defined.
> 4d88e6f7d5ff ("mm/balloon_compaction: fix deflation when compaction is disabled")
> 
> [Test Case]
> Running the following command on the Trusty kernel (Ubuntu-3.13.0-86.130)
> with KASan backported, the bug error messages cannot be observed in dmesg:
> "./parallel-73670.sh -r 2 -k 40"
> That means building 40 kernels at the same time for 2 rounds.
> 
> Reference:
> [1]. http://kernel.ubuntu.com/git/gavinguo/stress-test.git/
> 
> Konstantin Khlebnikov (2):
>   mm/balloon_compaction: redesign ballooned pages management
>   mm/balloon_compaction: fix deflation when compaction is disabled
> 
>  drivers/virtio/virtio_balloon.c    | 15 +++---
>  include/linux/balloon_compaction.h | 97 ++++++++++----------------------------
>  include/linux/migrate.h            | 11 +----
>  include/linux/mm.h                 | 20 ++++++++
>  mm/balloon_compaction.c            | 30 ++++++------
>  mm/compaction.c                    |  2 +-
>  mm/migrate.c                       | 24 ++++------
>  7 files changed, 77 insertions(+), 122 deletions(-)
> 

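Reading a report like the one quoted in the cover letter is mostly a matter of separating the faulting access, the allocation site and the free site from the allocator and reporting frames that appear in every report. The script below is an added example written for this archive page, not code from the thread or from the kernel tree; it parses an excerpt of the report above (the SLUB debug plus KASan output format of the 3.13-era kernel) and condenses it into the facts a triager wants first. The only assumptions beyond the report text are the SLUB track semantics (age is jiffies elapsed since the event, so the smaller age is the more recent event) and the misalignment heuristic flagged in the comments.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the report quoted in the cover letter, trimmed to the line kinds handled below
SAMPLE_REPORT = """\
BUG: KASan: out of bounds access in isolate_migratepages_range+0x663/0xb30 at addr ffff880279cc76d1
Read of size 8 by task cc1/27473
BUG anon_vma (Not tainted): kasan: bad access detected
INFO: Allocated in anon_vma_prepare+0x189/0x250 age=7323 cpu=16 pid=31029
        __slab_alloc+0x4f8/0x560
        kmem_cache_alloc+0x18b/0x1e0
        anon_vma_prepare+0x189/0x250
INFO: Freed in __put_anon_vma+0x69/0xe0 age=8588 cpu=4 pid=29418
        __slab_free+0x2ab/0x3f0
        __put_anon_vma+0x69/0xe0
        unlink_anon_vmas+0x2a8/0x320
        exit_mmap+0xca/0x1e0
        do_exit+0x391/0x1060
Call Trace:
 [<ffffffff81a6e195>] dump_stack+0x45/0x56
 [<ffffffff8124d390>] kasan_report+0x40/0x50
 [<ffffffff8124c019>] __asan_load8+0x69/0xa0
 [<ffffffff81205ee3>] isolate_migratepages_range+0x663/0xb30
 [<ffffffff811dc5e7>] ? zone_watermark_ok+0x57/0x70
 [<ffffffff812067c6>] compact_zone+0x416/0x700
"""

HEADER_RE = re.compile(r"^BUG: KASan: (?P<kind>.+?) in (?P<site>\S+) at addr (?P<addr>[0-9a-f]+)$")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)$")
CACHE_RE = re.compile(r"^BUG (?P<cache>\S+) \(")
TRACK_RE = re.compile(r"^INFO: (?P<event>Allocated|Freed) in (?P<site>\S+) age=(?P<age>\d+) cpu=\d+ pid=(?P<pid>\d+)$")
FRAME_RE = re.compile(r"^\s+(?P<sym>[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)$")
TRACE_RE = re.compile(r"^\s*\[<[0-9a-f]+>\] (?P<unreliable>\? )?(?P<sym>\S+)$")
# Allocator and reporting frames: present in every report, never where the bug is
NOISE = ("__slab_", "kmem_cache_", "kasan_", "__asan_", "dump_stack", "print_trailer", "object_err")


@dataclass
class Track:
    event: str   # "Allocated" or "Freed"
    site: str
    age: int     # jiffies since the event (SLUB semantics), smaller = more recent
    pid: int
    frames: List[str] = field(default_factory=list)


@dataclass
class Report:
    kind: str = ""
    site: str = ""
    addr: int = 0
    op: str = ""
    size: int = 0
    task: str = ""
    cache: str = ""
    alloc: Optional[Track] = None
    free: Optional[Track] = None
    trace: List[str] = field(default_factory=list)


def parse_report(text: str) -> Report:
    rep = Report()
    track: Optional[Track] = None  # INFO: record whose indented frames are being collected
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            rep.kind, rep.site, rep.addr = m["kind"], m["site"], int(m["addr"], 16)
        elif m := ACCESS_RE.match(line):
            rep.op, rep.size, rep.task = m["op"], int(m["size"]), m["task"]
        elif m := CACHE_RE.match(line):
            rep.cache = m["cache"]
        elif m := TRACK_RE.match(line):
            track = Track(m["event"], m["site"], int(m["age"]), int(m["pid"]))
            setattr(rep, "alloc" if track.event == "Allocated" else "free", track)
        elif track is not None and (m := FRAME_RE.match(line)):
            track.frames.append(m["sym"])
        elif m := TRACE_RE.match(line):
            if not m["unreliable"]:  # '?' frames are stale stack slots, not real callers
                rep.trace.append(m["sym"])
        else:
            track = None  # any other line ("Call Trace:", blank, ...) ends a frame list
    return rep


def strip_noise(frames: List[str]) -> List[str]:
    return [f for f in frames if not f.startswith(NOISE)]


def triage(rep: Report) -> Dict[str, object]:
    """Condense the report into the questions a kernel developer asks first."""
    alloc_frames = strip_noise(rep.alloc.frames) if rep.alloc else []
    free_frames = strip_noise(rep.free.frames) if rep.free else []
    latest = None
    if rep.alloc and rep.free:
        # A slot whose latest event is an allocation was handed out again after the
        # recorded free, so KASan's shadow no longer marks that memory as freed.
        latest = "Allocated" if rep.alloc.age < rep.free.age else "Freed"
    return {
        "cache": rep.cache,
        "access": f"{rep.op} of {rep.size} bytes at {rep.addr:#x} in {rep.site}",
        "faulting_path": strip_noise(rep.trace),
        "alloc_path": alloc_frames,
        "free_path": free_frames,
        "freed_on_exit": any(f.startswith("do_exit") for f in free_frames),
        "latest_slab_event": latest,
        # Heuristic: a naturally sized read at a misaligned address suggests a pointer whose
        # low bits carry flags (page->mapping's anon bit, for instance) was dereferenced unmasked.
        "misaligned": rep.size > 0 and rep.addr % rep.size != 0,
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

On the quoted report this yields a faulting path of isolate_migratepages_range via compact_zone, an allocation in anon_vma_prepare, a free in __put_anon_vma reached from do_exit, a misaligned 8-byte read (the address ends in 1), and "Allocated" as the latest slab event: the ages say the slot had already been reused after the recorded free, which is consistent with KASan filing the access as out-of-bounds rather than use-after-free even though the pointer being followed was stale.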
