From: Daniel Borkmann <daniel@iogearbox.net>
To: lkp@lists.01.org
Subject: Re: [net/bpf] 3051bf36c2 BUG: unable to handle kernel paging request at 0000a7cf
Date: Thu, 09 Mar 2017 14:04:49 +0100
Message-ID: <58C152F1.9090004@iogearbox.net>
In-Reply-To: <CAGXu5jLm3jbJoQAsBsTiiQGK1==JTnSkN_GLsuBGqFvAz5B3AQ@mail.gmail.com>

On 03/09/2017 06:36 AM, Kees Cook wrote:
> On Wed, Mar 8, 2017 at 3:55 PM, Laura Abbott <labbott@redhat.com> wrote:
>> On 03/08/2017 02:36 PM, Kees Cook wrote:
>>> On Wed, Mar 8, 2017 at 2:27 PM, Daniel Borkmann <daniel@iogearbox.net> wrote:
>>>> [ 28.474232] rodata_test: test data was not read only
>>>> [...]
>>>
>>> In my tests so far, I've never been able to get rodata_test to fail
>>> (Qemu 2.5.0, Ubuntu). I'll retry with your .config and see if I can
>>> recheck under Qemu 2.7.1. Do you see these failures on real hardware?
>>>
>>> -Kees
>>
>> FWIW, I'm seeing the same issue with qemu 2.6.2 and 2.8.0 on Fedora 24
>> and rawhide respectively.
>>
>> I also notice that CONFIG_X86_PAE is turned off in the defconfig. If
>> I set CONFIG_HIGHMEM_64G which turns on CONFIG_X86_PAE the problem
>> goes away. I can't tell if this is an indication of magically hiding
>> the TLB problem or if there is an issue with !X86_PAE invalidation.
>
> I found my difference. I normally run qemu with "-cpu host" which
> makes the failure go away. With "-cpu kvm64", I see the rodata_test
> failure immediately. Seems like this may be a kvm cpu feature
> emulation bug? I'll see if I can find the specific cpu feature in the
> morning...

Interesting! Changing to "-cpu host" makes rodata_test succeed plus
my test_setmem and the test_bpf suite runs fine as well. Haven't seen
a corruption since. Switching back to "-cpu kvm64" I immediately see
mentioned issues again.

With regard to CPA_FLUSHTLB that Linus mentioned, when I investigated
code paths in change_page_attr_set_clr(), I did see that CPA_FLUSHTLB
was set each time we switched attrs and a cpa_flush_range() was
performed (with the correct number of pages and cache set to 0). That
would be a __flush_tlb_all() eventually.

Hmm, it indeed might seem likely that this could be an emulation bug.

Thanks,
Daniel
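
Added example (not part of the original message and not kernel code): a user-space analogue of the property rodata_test checks, namely that a store to memory switched to read-only actually faults and leaves the data intact. It goes through mprotect() rather than the kernel's change_page_attr_set_clr() path, so it illustrates the check and is not a reproducer for the failure in this thread; the function name readonly_enforced() and the marker byte are assumptions of this sketch.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;

/* SIGSEGV handler: jump back past the faulting store. */
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/*  1: store to the read-only page faulted and the data is intact
 *  0: store went through or data changed ("was not read only")
 * -1: setup failed */
int readonly_enforced(void)
{
    long psz = sysconf(_SC_PAGESIZE);
    struct sigaction sa, old;
    int result;
    volatile unsigned char *p = mmap(NULL, (size_t)psz, PROT_READ | PROT_WRITE,
                                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    p[0] = 0xC3;  /* write first so a writable translation has been used */
    if (mprotect((void *)p, (size_t)psz, PROT_READ) != 0) {
        munmap((void *)p, (size_t)psz);
        return -1;
    }
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0) {
        p[0] = 0x00;              /* must raise SIGSEGV if protection holds */
        result = 0;               /* reached only if the store succeeded */
    } else {
        result = (p[0] == 0xC3);  /* faulted: confirm data is unchanged */
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap((void *)p, (size_t)psz);
    return result;
}

int main(void)
{
    printf("read-only enforced: %d\n", readonly_enforced());
    return 0;
}
```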
WARNING: multiple messages have this Message-ID (diff)
From: Daniel Borkmann <daniel@iogearbox.net>
To: Kees Cook <keescook@chromium.org>, Laura Abbott <labbott@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@kernel.org>, Peter Anvin <hpa@zytor.com>,
Fengguang Wu <fengguang.wu@intel.com>,
Network Development <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>, LKP <lkp@01.org>,
ast@fb.com, the arch/x86 maintainers <x86@kernel.org>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [net/bpf] 3051bf36c2 BUG: unable to handle kernel paging request at 0000a7cf
Date: Thu, 09 Mar 2017 14:04:49 +0100
Message-ID: <58C152F1.9090004@iogearbox.net>
In-Reply-To: <CAGXu5jLm3jbJoQAsBsTiiQGK1==JTnSkN_GLsuBGqFvAz5B3AQ@mail.gmail.com>