[SRU][Trusty/Utopic][PATCH 0/2] Fixes for LP:#1572562

Gavin Guo gavin.guo at canonical.com
Fri May 20 10:08:28 UTC 2016


On Fri, May 20, 2016 at 4:53 PM, Stefan Bader
<stefan.bader at canonical.com> wrote:
> On 16.05.2016 08:43, Gavin Guo wrote:
>> BugLink: http://bugs.launchpad.net/bugs/1572562
>>
>> [Impact]
>> In the v3.13.0-76 kernel with KASan backported, the following error
>> message could be observed during the kernel building stress test of the
>> command[1]: "./parallel-73670.sh -r 2 -k 40"
>> That means building 40 kernels at the same time with 2 rounds.
>
> I guess it's okayish since the first patch is marked stable for 3.7+ (and I think
> I just saw it in a stable announcement for 3.12). I just wished I could remember
> what KASan is and why we want it working. For me "balloon" rather triggers
> thoughts of VMs but the rest does not sound like it.

KASan is a new debugging feature which was introduced in v4.0-rc1 and is
used to debug invalid memory accesses. In order to debug some invalid
memory access bugs, I backported the mechanism to the v3.13 Trusty kernel.

And the bug happens when the kernel is trying to compact the pages and
needs to check if the pages are balloon pages. So, it may not
necessarily be related to the VMs.

>
> -Stefan
>
>>
>> Bad access happens when we read page->mapping->flags, and
>> page->mapping is a pointer to anon_vma which is already freed
>> in the do_exit path.
>>
>> ==================================================================
>> BUG: KASan: out of bounds access in isolate_migratepages_range+0x663/0xb30 at addr ffff880279cc76d1
>> Read of size 8 by task cc1/27473
>> =============================================================================
>> BUG anon_vma (Not tainted): kasan: bad access detected
>> -----------------------------------------------------------------------------
>>
>> Disabling lock debugging due to kernel taint
>> INFO: Allocated in anon_vma_prepare+0x189/0x250 age=7323 cpu=16 pid=31029
>>         __slab_alloc+0x4f8/0x560
>>         kmem_cache_alloc+0x18b/0x1e0
>>         anon_vma_prepare+0x189/0x250
>>         do_wp_page+0x837/0xb10
>>         handle_mm_fault+0x884/0x1160
>>         __do_page_fault+0x218/0x750
>>         do_page_fault+0x1a/0x70
>>         page_fault+0x28/0x30
>> INFO: Freed in __put_anon_vma+0x69/0xe0 age=8588 cpu=4 pid=29418
>>         __slab_free+0x2ab/0x3f0
>>         kmem_cache_free+0x1c1/0x200
>>         __put_anon_vma+0x69/0xe0
>>         unlink_anon_vmas+0x2a8/0x320
>>         free_pgtables+0x50/0x1c0
>>         exit_mmap+0xca/0x1e0
>>         mmput+0x82/0x1b0
>>         do_exit+0x391/0x1060
>>         do_group_exit+0x86/0x130
>>         SyS_exit_group+0x1d/0x20
>>         system_call_fastpath+0x1a/0x1f
>> <...>
>> Call Trace:
>>  [<ffffffff81a6e195>] dump_stack+0x45/0x56
>>  [<ffffffff81244c1d>] print_trailer+0xfd/0x170
>>  [<ffffffff8124ad66>] object_err+0x36/0x40
>>  [<ffffffff8124cd29>] kasan_report_error+0x1e9/0x3a0
>>  [<ffffffff8125d9f8>] ? memcg_check_events+0x28/0x380
>>  [<ffffffff81221c2d>] ? rmap_walk+0x32d/0x340
>>  [<ffffffff8124d390>] kasan_report+0x40/0x50
>>  [<ffffffff81205ee3>] ? isolate_migratepages_range+0x663/0xb30
>>  [<ffffffff8124c019>] __asan_load8+0x69/0xa0
>>  [<ffffffff81205ee3>] isolate_migratepages_range+0x663/0xb30
>>  [<ffffffff811dc5e7>] ? zone_watermark_ok+0x57/0x70
>>  [<ffffffff812067c6>] compact_zone+0x416/0x700
>>  [<ffffffff81206b45>] compact_zone_order+0x95/0x100
>>  [<ffffffff81207002>] try_to_compact_pages+0x102/0x1a0
>>  [<ffffffff811e21e6>] __alloc_pages_direct_compact+0x96/0x290
>>  [<ffffffff811e2d5e>] __alloc_pages_nodemask+0x97e/0xc40
>>  [<ffffffff8123ce24>] alloc_pages_vma+0xb4/0x200
>>  [<ffffffff812572ca>] do_huge_pmd_anonymous_page+0x13a/0x490
>>  [<ffffffff8120f072>] ? do_numa_page+0x192/0x200
>>  [<ffffffff81210c07>] handle_mm_fault+0x267/0x1160
>>  [<ffffffff81a7d028>] __do_page_fault+0x218/0x750
>>  [<ffffffff8121aead>] ? do_mmap_pgoff+0x47d/0x500
>>  [<ffffffff811fd699>] ? vm_mmap_pgoff+0xa9/0xd0
>>  [<ffffffff81a7d57a>] do_page_fault+0x1a/0x70
>>  [<ffffffff81a785a8>] page_fault+0x28/0x30
>>
>> [Fix]
>> - The first patch is the solution commit which moves the PageBalloon
>>   check to page->_mapcount.
>> d6d86c0a7f8d ("mm/balloon_compaction: redesign ballooned pages management")
>> - The second one is the patch to remove the isolation check when the
>>   CONFIG_BALLOON_COMPACTION is not defined.
>> 4d88e6f7d5ff ("mm/balloon_compaction: fix deflation when compaction is disabled")
>>
>> [Test Case]
>> Run the following command on the Trusty kernel (Ubuntu-3.13.0-86.130)
>> with KASan backported; the bug error messages cannot be observed in
>> dmesg.
>> "./parallel-73670.sh -r 2 -k 40"
>> That means building 40 kernels at the same time with 2 rounds.
>>
>> Reference:
>> [1]. http://kernel.ubuntu.com/git/gavinguo/stress-test.git/
>>
>> Konstantin Khlebnikov (2):
>>   mm/balloon_compaction: redesign ballooned pages management
>>   mm/balloon_compaction: fix deflation when compaction is disabled
>>
>>  drivers/virtio/virtio_balloon.c    | 15 +++---
>>  include/linux/balloon_compaction.h | 97 ++++++++++----------------------------
>>  include/linux/migrate.h            | 11 +----
>>  include/linux/mm.h                 | 20 ++++++++
>>  mm/balloon_compaction.c            | 30 ++++++------
>>  mm/compaction.c                    |  2 +-
>>  mm/migrate.c                       | 24 ++++------
>>  7 files changed, 77 insertions(+), 122 deletions(-)
>>
>
>

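The design change the first patch makes, reduced to a standalone C model (added here as an example; this is not code from the patches, the thread, or the kernel, and `struct mapping_obj`, `bad_access_count` and `stale_mapping_reads` are simplifications invented for the model): the old check has to dereference `page->mapping` to find the balloon flag, which is a use-after-free when that pointer is an anon_vma already torn down on the do_exit path, while the new check reads only `page->_mapcount`.

```c
#include <stdbool.h>
/* Simplified model, not kernel code. Old: a flag bit behind page->mapping;
 * new (d6d86c0a7f8d): a marker value stored in page->_mapcount itself. */
#define BALLOON_MAPPING_FLAG        0x1u
#define PAGE_BALLOON_MAPCOUNT_VALUE (-256)
/* Stands in for an address_space (balloon page) or an anon_vma (anon page). */
struct mapping_obj {
    unsigned long flags;
    bool freed;   /* models KASan's knowledge that the object was freed */
};

struct page {
    struct mapping_obj *mapping;  /* may be a stale anon_vma pointer */
    int _mapcount;
};

/* Stands in for a KASan report: counts reads through a freed object. */
static int bad_access_count;

/* Old design: the answer lives behind page->mapping. If that pointer is
 * stale (anon_vma freed on the do_exit path), reading ->flags is a UAF. */
static bool page_balloon_old(const struct page *page)
{
    if (!page->mapping) return false;
    if (page->mapping->freed) bad_access_count++;
    return (page->mapping->flags & BALLOON_MAPPING_FLAG) != 0;
}

/* New design: the marker is in the page itself, so page->mapping is never
 * dereferenced and the check cannot race with the mapping's teardown. */
static bool page_balloon_new(const struct page *page)
{
    return page->_mapcount == PAGE_BALLOON_MAPCOUNT_VALUE;
}

/* Scenario from the report: compaction inspects an anonymous page after its
 * anon_vma was freed. Returns how many reads of the freed object happen. */
static int stale_mapping_reads(bool use_new_check)
{
    struct mapping_obj anon_vma = { .flags = 0, .freed = false };
    struct page page = { .mapping = &anon_vma, ._mapcount = -1 };
    anon_vma.freed = true;  /* unlink_anon_vmas() -> __put_anon_vma() */
    bad_access_count = 0;
    if (use_new_check)
        (void)page_balloon_new(&page);
    else
        (void)page_balloon_old(&page);
    return bad_access_count;
}
```

The model also shows why the marker must live in the page: a balloon page flagged only via its mapping cannot be recognised without touching memory that compaction does not own.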