From: Sasha Levin <levinsasha928@gmail.com>
To: Rafael Aquini <aquini@redhat.com>
Cc: Rik van Riel <riel@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
Minchan Kim <minchan@kernel.org>,
linux-kernel@vger.kernel.org,
virtualization@lists.linux-foundation.org, linux-mm@kvack.org,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH v12 4/7] mm: introduce compaction and migration for ballooned pages
Date: Tue, 20 Nov 2012 20:18:04 -0500
Message-ID: <50AC2BCC.6050507@gmail.com>
In-Reply-To: <20121120141438.GA21672@x61.redhat.com>

On 11/20/2012 09:14 AM, Rafael Aquini wrote:
> On Sun, Nov 18, 2012 at 09:59:47AM -0500, Sasha Levin wrote:
>> On Sat, Nov 17, 2012 at 4:54 PM, Rafael Aquini <aquini@redhat.com> wrote:
>>> On Sat, Nov 17, 2012 at 01:01:30PM -0500, Sasha Levin wrote:
>>>>
>>>> I'm getting the following while fuzzing using trinity inside a KVM tools guest,
>>>> on latest -next:
>>>>
>>>> [ 1642.783728] BUG: unable to handle kernel NULL pointer dereference at 0000000000000194
>>>> [ 1642.785083] IP: [<ffffffff8122b354>] isolate_migratepages_range+0x344/0x7b0
>>>>
>>>> My guess is that we see those because of a race during the check in
>>>> isolate_migratepages_range().
>>>>
>>>>
>>>> Thanks,
>>>> Sasha
>>>
>>> Sasha, could you share your .config and the steps you used with trinity? So I
>>> can attempt to reproduce this issue you reported.
>>
>> Basically try running trinity (with ./trinity -m --quiet --dangerous
>> -l off) inside a disposable guest as root.
>>
>> I manage to hit that every couple of hours.
>>
>> Config attached.
>>
>
> Howdy Sasha,
>
> After several hours since last Sunday running trinity tests on a traditional
> KVM-QEMU guest as well as running it on a lkvm guest (both running
> next-20121115) I couldn't hit a single time the crash you've reported,
> (un)fortunately.

Odd... I can see it happening here every couple of hours.

> Also, the .config you gave me, applied on top of next-20121115, hasn't produced
> the same bin you're running and hitting the mentioned bug, apparently.
>
> Here's the RIP for your crash:
> [ 1642.783728] BUG: unable to handle kernel NULL pointer dereference at
> 0000000000000194
> [ 1642.785083] IP: [<ffffffff8122b354>] isolate_migratepages_range+0x344/0x7b0
>
>
> And here's the symbol address for the next-20121115 with your .config I've been
> running tests on:
> [raquini@x61 linux]$ nm -n vmlinux | grep isolate_migratepages_range
> ffffffff8122d890 T isolate_migratepages_range
>
> Also, it seems quite clear I'm missing something from your tree, as applying the
> RIP displacement (0x344) to my local isolate_migratepages_range sym addr leads
> me to the _middle_ of an instruction opcode that does not dereference any
> pointers at all.

Yup, I carry another small fix to mpol (which is unrelated to this one).

> So, if you're consistently reproducing the same crash, consider sharing with us
> a disassembled dump from the isolate_migratepages_range() you're running along
> with the crash stack-dump, please.

Sure!

The call chain is:

	isolate_migratepages_range
		balloon_page_movable
			__is_movable_balloon_page
				mapping_balloon

mapping_balloon() fails because it checks for mapping to be non-null (and it is -
it's usually a small value like 0x50), and then it dereferences that.

The relevant assembly is:

static inline int mapping_balloon(struct address_space *mapping)
{
        return mapping && test_bit(AS_BALLOON_MAP, &mapping->flags);
    17ab:       48 85 c0                test   %rax,%rax
    17ae:       0f 84 4c 02 00 00       je     1a00 <isolate_migratepages_range+0x590>
    17b4:       48 8b 80 40 01 00 00    mov    0x140(%rax),%rax
    17bb:       a9 00 00 00 20          test   $0x20000000,%eax
    17c0:       0f 84 3a 02 00 00       je     1a00 <isolate_migratepages_range+0x590>

It dies on 17b4.

Let me know if you need anything else from me, I can also add debug code into the
kernel if it would help you...

Thanks,
Sasha
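
Added example, not part of the message above or of the kernel tree: the arithmetic that ties the oops line to the quoted disassembly, using only values that appear in this mail. It checks that objdump address 17b4 is the oops's isolate_migratepages_range+0x344 and recovers the value mapping held from the fault address and the load displacement; the helper names and the 4 KiB PAGE_SIZE are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096u /* assumption: 4 KiB pages in the x86-64 guest */

/* Fault address from a "BUG: unable to handle kernel ... at <hex>" line. */
static int oops_fault_addr(const char *line, uint64_t *addr)
{
    const char *at = strstr(line, " at ");
    char *end;
    if (!at)
        return -1;
    *addr = strtoull(at + 4, &end, 16);
    return end == at + 4 ? -1 : 0;
}

/* disp32 of "48 8b /r" (64-bit load) with ModRM mod=10 and no SIB byte. */
static int mov_load_disp32(const uint8_t *b, size_t len, int32_t *disp)
{
    if (len != 7 || b[0] != 0x48 || b[1] != 0x8b)
        return -1;
    if ((b[2] >> 6) != 2 || (b[2] & 7) == 4)
        return -1;
    *disp = (int32_t)(b[3] | b[4] << 8 | b[5] << 16 | (uint32_t)b[6] << 24);
    return 0;
}

/* Value the base register held when base + disp faulted. */
static uint64_t base_at_fault(uint64_t fault, int32_t disp) { return fault - (uint64_t)(int64_t)disp; }

/* Function-relative offset of an objdump address, from a "<sym+off>" label. */
static uint64_t func_offset(uint64_t insn, uint64_t label_addr, uint64_t label_off) { return insn - (label_addr - label_off); }

int main(void)
{
    const char *oops = "BUG: unable to handle kernel NULL pointer dereference at 0000000000000194";
    const uint8_t insn[] = { 0x48, 0x8b, 0x80, 0x40, 0x01, 0x00, 0x00 }; /* bytes at 17b4 */
    uint64_t fault, base;
    int32_t disp;
    if (oops_fault_addr(oops, &fault) || mov_load_disp32(insn, sizeof(insn), &disp))
        return 1;
    base = base_at_fault(fault, disp);
    printf("17b4 = +0x%llx, mapping = 0x%llx, below PAGE_SIZE: %d\n",
           (unsigned long long)func_offset(0x17b4, 0x1a00, 0x590),
           (unsigned long long)base, base < PAGE_SIZE);
    return 0;
}
```

The recovered base is 0x54: non-NULL, so the `mapping &&` test passes, yet inside the first page, so the load at 0x140(%rax) still faults.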