From: Johannes Weiner <hannes@cmpxchg.org>
To: Dave Jones <davej@codemonkey.org.uk>
Cc: Jan Kara <jack@suse.cz>, linux-mm@kvack.org
Subject: Re: 4.10-rc2 list_lru_isolate list corruption
Date: Fri, 6 Jan 2017 11:59:41 -0500
Message-ID: <20170106165941.GA19083@cmpxchg.org>
In-Reply-To: <20170106052056.jihy5denyxsnfuo5@codemonkey.org.uk>
Dave, can you reproduce this by any chance with this patch applied?
diff --git a/lib/radix-tree.c b/lib/radix-tree.c
index 6f382e07de77..0783af1c0ebb 100644
--- a/lib/radix-tree.c
+++ b/lib/radix-tree.c
@@ -640,6 +640,8 @@ static inline void radix_tree_shrink(struct radix_tree_root *root,
update_node(node, private);
}
+ WARN_ON_ONCE(!list_empty(&node->private_list));
+
radix_tree_node_free(node);
}
}
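Review bot: a bare WARN_ON_ONCE() at this site gives a stack trace but nothing about the node being freed, so it will confirm that a node reached radix_tree_node_free() while still linked on private_list without saying which node or what its list pointers held; since both reports below show next->prev with the same value ffffffff813d2dc0, consider a WARN_ONCE() with a format string that prints node, node->private_list.next and node->private_list.prev so a hit can be tied back to the corrupted list entry. Note also that WARN_ON_ONCE() reports only the first hit per site, which is fine for a reproduction request but hides later occurrences in the same boot.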
@@ -666,6 +668,8 @@ static void delete_node(struct radix_tree_root *root,
root->rnode = NULL;
}
+ WARN_ON_ONCE(!list_empty(&node->private_list));
+
radix_tree_node_free(node);
node = parent;
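Review bot: this is the second of three copies of the same list_empty(&node->private_list) assertion placed directly before a radix_tree_node_free() call; moving the check into radix_tree_node_free() itself would cover every free path in one place, including any caller this patch does not touch, and avoid the per-site duplication. If the intent is to tell the free paths apart, the stack trace printed by the warning already identifies the caller.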
@@ -767,6 +771,7 @@ static void radix_tree_free_nodes(struct radix_tree_node *node)
struct radix_tree_node *old = child;
offset = child->offset + 1;
child = child->parent;
+ WARN_ON_ONCE(!list_empty(&node->private_list));
radix_tree_node_free(old);
if (old == entry_to_node(node))
return;
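Review bot: the added check tests the wrong node: this loop frees `old` (`struct radix_tree_node *old = child;` followed by `radix_tree_node_free(old);`), while `node` is the argument to radix_tree_free_nodes() and is still consulted by the `if (old == entry_to_node(node))` test afterwards, so the assertion should read `WARN_ON_ONCE(!list_empty(&old->private_list));`. As written it re-checks the same node's list on every iteration and will not notice a child that is freed while still linked.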
On Fri, Jan 06, 2017 at 12:20:56AM -0500, Dave Jones wrote:
> While fuzzing today, I triggered list corruption in the mm code twice.
>
> Exhibit a:
>
> WARNING: CPU: 1 PID: 53 at lib/list_debug.c:55 __list_del_entry_valid+0x5c/0xc0
> list_del corruption. next->prev should be ffff8804c31b8e60, but was ffffffff813d2dc0
> CPU: 1 PID: 53 Comm: kswapd0 Not tainted 4.10.0-rc2-think+ #2
> Call Trace:
> dump_stack+0x4f/0x73
> __warn+0xcb/0xf0
> warn_slowpath_fmt+0x5f/0x80
> ? warn_slowpath_fmt+0x5/0x80
> ? radix_tree_free_nodes+0xa0/0xa0
> __list_del_entry_valid+0x5c/0xc0
> list_lru_isolate+0x1a/0x40
> shadow_lru_isolate+0x3e/0x220
> __list_lru_walk_one.isra.4+0x9b/0x190
> ? memcg_drain_all_list_lrus+0x1d0/0x1d0
> list_lru_walk_one+0x23/0x30
> scan_shadow_nodes+0x2e/0x40
> shrink_slab.part.44+0x23d/0x5d0
> ? 0xffffffffa0285077
> shrink_node+0x22c/0x330
> kswapd+0x392/0x8f0
> kthread+0x10f/0x150
> ? mem_cgroup_shrink_node+0x2e0/0x2e0
> ? kthread_create_on_node+0x60/0x60
> ret_from_fork+0x22/0x30
>
>
> Exhibit b:
>
>
> WARNING: CPU: 0 PID: 17728 at lib/list_debug.c:55 __list_del_entry_valid+0x5c/0xc0
> list_del corruption. next->prev should be ffff8804f8972030, but was ffffffff813d2dc0
> CPU: 0 PID: 17728 Comm: trinity-c28 Not tainted 4.10.0-rc2-think+ #2
> Call Trace:
> dump_stack+0x4f/0x73
> __warn+0xcb/0xf0
> warn_slowpath_fmt+0x5f/0x80
> ? warn_slowpath_fmt+0x5/0x80
> ? radix_tree_free_nodes+0xa0/0xa0
> __list_del_entry_valid+0x5c/0xc0
> list_lru_isolate+0x1a/0x40
> shadow_lru_isolate+0x3e/0x220
> __list_lru_walk_one.isra.4+0x9b/0x190
> ? memcg_drain_all_list_lrus+0x1d0/0x1d0
> list_lru_walk_one+0x23/0x30
> scan_shadow_nodes+0x2e/0x40
> shrink_slab.part.44+0x23d/0x5d0
> ? 0xffffffffa0333077
> shrink_node+0x22c/0x330
> do_try_to_free_pages+0xf5/0x330
> try_to_free_pages+0x132/0x310
> __alloc_pages_slowpath+0x357/0xaa0
> __alloc_pages_nodemask+0x3cc/0x460
> __do_page_cache_readahead+0x165/0x370
> ? __do_page_cache_readahead+0xed/0x370
> ? __do_page_cache_readahead+0x5/0x370
> ondemand_readahead+0x112/0x350
> ? page_cache_sync_readahead+0x5/0x50
> page_cache_sync_readahead+0x31/0x50
> generic_file_read_iter+0x724/0x960
> ? rw_copy_check_uvector+0x8e/0x190
> ? generic_file_read_iter+0x5/0x960
> do_iter_readv_writev+0xb8/0x120
> do_readv_writev+0x1a4/0x250
> ? do_readv_writev+0x5/0x250
> ? vfs_readv+0x5/0x50
> vfs_readv+0x3c/0x50
> do_preadv+0xb5/0xd0
> SyS_preadv+0x11/0x20
> do_syscall_64+0x61/0x170
> entry_SYSCALL64_slow_path+0x25/0x25
> RIP: 0033:0x7f5cb7c1e119
> RSP: 002b:00007ffc7e7d2758 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
> RAX: ffffffffffffffda RBX: 0000000000000127 RCX: 00007f5cb7c1e119
> RDX: 0000000000000037 RSI: 00005561d7798a70 RDI: 000000000000000c
> RBP: 00007f5cb8228000 R08: 00000000a0000033 R09: 0000000000000030
> R10: 0000000000400000 R11: 0000000000000246 R12: 0000000000000002
> R13: 00007f5cb8228048 R14: 00007f5cb82f3ad8 R15: 00007f5cb8228000
>
>
> Interesting that the 'but was' value is the same on two separate boots.
>
>
> It looks like mm/list_lru.c didn't change recently, but mm/workingset.c did,
> which calls into this.. Johannes ?
>
> Dave
>