From: Ingo Molnar <mingo@kernel.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Fengguang Wu <fengguang.wu@intel.com>,
Russell King - ARM Linux <linux@arm.linux.org.uk>,
xen-devel@lists.xenproject.org,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [xen] double fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
Date: Tue, 8 Oct 2013 09:58:16 +0200
Message-ID: <20131008075816.GA6346@gmail.com>
In-Reply-To: <CA+55aFzknXawREZRBrr0Hs+crKt62fPf+S8SubJHXk84U8AFaw@mail.gmail.com>

* Linus Torvalds <torvalds@linux-foundation.org> wrote:
> On Mon, Oct 7, 2013 at 1:35 AM, Fengguang Wu <fengguang.wu@intel.com> wrote:
> > On Mon, Oct 07, 2013 at 01:12:17AM -0700, Linus Torvalds wrote:
> >
> > My pleasure! Here are 100 randomly selected call traces. Also attached
> > several full dmesgs and the kconfig.
>
> Ok, they may be randomly selected, but they are all the same. Which is
> good, I guess, we're only talking about one bug.
>
> Anyway, they all have RIP:run_timer_softirq+0x12c/0x1b8, and the code is
>
> 0: 8b 65 c8 mov -0x38(%rbp),%esp
> 3: 4d 39 ec cmp %r13,%r12
> 6: 0f 84 2f ff ff ff je 0xffffffffffffff3b
> c: 41 8b 4c 24 18 mov 0x18(%r12),%ecx
> 11: 4d 8b 74 24 20 mov 0x20(%r12),%r14
> 16: 4d 8b 7c 24 28 mov 0x28(%r12),%r15
> 1b: 4c 89 63 38 mov %r12,0x38(%rbx)
> 1f: 49 8b 44 24 08 mov 0x8(%r12),%rax
> 24: 49 8b 14 24 mov (%r12),%rdx
> 28: 83 e1 02 and $0x2,%ecx
> 2b:* 48 89 42 08 mov %rax,0x8(%rdx) <-- trapping instruction
> 2f: 48 89 10 mov %rdx,(%rax)
> 32: 48 b8 00 02 20 00 00 movabs $0xdead000000200200,%rax
>
> where that constant is LIST_POISON2 and the "and $2" seems to be
> TIMER_IRQSAFE. So the trapping instruction *looks* like it's doing
> __list_del() on the timer, and timer->next is NULL.
>
> So somebody added a timer, and then deallocated/cleared the structure
> before it triggered. The problem is, I can't see a way to figure out
> _who_ did that.

I think CONFIG_DEBUG_OBJECTS_TIMERS=y should be able to detect that?
Debugobjects hooks into deallocation paths and complains immediately if a
live timer is zapped that way.

If the corruption does not involve deallocation then it might be more
difficult to detect but not impossible either: for example if an object is
not freed but reused incorrectly then a repeat use of any timer function
will cause the debugobjects (and/or the timer code) to complain.

So I'd suggest trying debugobjects, it should catch a fair number of
non-exotic object corruption patterns.

Thanks,

Ingo
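
The two detection cases described in the message above (a live timer inside memory that is being freed, and a timer re-initialised while still armed), as an added userspace C model. It is not kernel code and not from this thread; the `dbg_*` names, the fixed-size table and the simplified three-state machine are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Userspace model of debugobjects-style tracking (constructed, not kernel code). */
enum obj_state { ST_NONE, ST_INIT, ST_ACTIVE };
static struct { uintptr_t addr; enum obj_state st; } table[16];

static int slot(const void *p)   /* entry tracking p, else a free entry, else -1 */
{
    int spare = -1;
    for (int i = 0; i < 16; i++) {
        if (table[i].st != ST_NONE && table[i].addr == (uintptr_t)p)
            return i;
        if (table[i].st == ST_NONE)
            spare = i;
    }
    if (spare >= 0)
        table[spare].addr = (uintptr_t)p;   /* ignored until st leaves ST_NONE */
    return spare;
}

/* Move p to state `to`; return 1 if its current state is in bad_mask. */
static int step(const void *p, enum obj_state to, unsigned bad_mask)
{
    int i = slot(p);
    if (i < 0)
        return 0;                           /* table full: object goes untracked */
    int bad = (bad_mask >> table[i].st) & 1;
    table[i].st = to;
    return bad;
}

/* Hooks the timer API would call (hypothetical names). */
int dbg_init(const void *p)       { return step(p, ST_INIT, 1u << ST_ACTIVE); }
int dbg_activate(const void *p)   { return step(p, ST_ACTIVE, (1u << ST_NONE) | (1u << ST_ACTIVE)); }
int dbg_deactivate(const void *p) { return step(p, ST_INIT, 1u << ST_NONE); }

/* Hook in the free path: count armed objects inside [base, base + len). */
int dbg_check_free(const void *base, size_t len)
{
    int bad = 0;
    for (int i = 0; i < 16; i++) {
        if (table[i].st == ST_NONE || table[i].addr - (uintptr_t)base >= len)
            continue;                       /* unsigned wrap also rejects addr < base */
        bad += table[i].st == ST_ACTIVE;    /* live timer is being freed */
        table[i].st = ST_NONE;
    }
    return bad;
}
```

The free hook reports the violation at the moment of the free, with the caller still on the stack, rather than later when the timer list is walked.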