From: levinsasha928@gmail.com (Sasha Levin)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 03/16] mm: check rb_subtree_gap correctness
Date: Fri, 09 Nov 2012 09:13:26 -0500
Message-ID: <509D0F86.30607@gmail.com>
In-Reply-To: <1352155633-8648-4-git-send-email-walken@google.com>

On 11/05/2012 05:47 PM, Michel Lespinasse wrote:
> When CONFIG_DEBUG_VM_RB is enabled, check that rb_subtree_gap is
> correctly set for every vma and that mm->highest_vm_end is also correct.
>
> Also add an explicit 'bug' variable to track if browse_rb() detected any
> invalid condition.
>
> Signed-off-by: Michel Lespinasse <walken@google.com>
> Reviewed-by: Rik van Riel <riel@redhat.com>
>
> ---

Hi all,

While fuzzing with trinity inside a KVM tools (lkvm) guest, using today's -next
kernel, I'm getting these:

[ 117.007714] free gap 7fba0dd1c000, correct 7fba0dcfb000
[ 117.019773] map_count 750 rb -1
[ 117.028362] ------------[ cut here ]------------
[ 117.029813] kernel BUG at mm/mmap.c:439!
[ 117.031024] invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 117.032933] Dumping ftrace buffer:
[ 117.033972] (ftrace buffer empty)
[ 117.035085] CPU 4
[ 117.035676] Pid: 6859, comm: trinity-child46 Tainted: G W 3.7.0-rc4-next-20121109-sasha-00013-g9407f3c #124
[ 117.038217] RIP: 0010:[<ffffffff81236687>] [<ffffffff81236687>] validate_mm+0x297/0x2c0
[ 117.041056] RSP: 0018:ffff880016a4fdf8 EFLAGS: 00010296
[ 117.041056] RAX: 0000000000000013 RBX: 00000000ffffffff RCX: 0000000000000006
[ 117.041056] RDX: 0000000000005270 RSI: ffff880024120910 RDI: 0000000000000286
[ 117.052131] RBP: ffff880016a4fe48 R08: 0000000000000000 R09: 0000000000000000
[ 117.052131] R10: 0000000000000001 R11: 0000000000000000 R12: 00000000000002ee
[ 117.052131] R13: 00007fffea1fc000 R14: ffff88002412c000 R15: 0000000000000000
[ 117.052131] FS: 00007fba129db700(0000) GS:ffff880063600000(0000) knlGS:0000000000000000
[ 117.052131] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 117.052131] CR2: 0000000003323288 CR3: 00000000169b2000 CR4: 00000000000406e0
[ 117.052131] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 117.052131] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 117.052131] Process trinity-child46 (pid: 6859, threadinfo ffff880016a4e000, task ffff880024120000)
[ 117.052131] Stack:
[ 117.052131] ffffffff8489e201 ffffffff81235aa0 ffff88000885cac8 0000000100000000
[ 117.052131] ffffffff812361b9 ffff88002412c000 ffff88000885cac8 ffff88000885cdc8
[ 117.052131] ffff88000885cdd0 ffff88002412c000 ffff880016a4fe98 ffffffff812367b4
[ 117.052131] Call Trace:
[ 117.052131] [<ffffffff81235aa0>] ? vma_compute_subtree_gap+0x40/0x40
[ 117.052131] [<ffffffff812361b9>] ? vma_gap_update+0x19/0x30
[ 117.052131] [<ffffffff812367b4>] vma_link+0x94/0xe0
[ 117.052131] [<ffffffff812386c4>] do_brk+0x2c4/0x380
[ 117.052131] [<ffffffff812387bf>] ? sys_brk+0x3f/0x190
[ 117.052131] [<ffffffff812388ce>] sys_brk+0x14e/0x190
[ 117.052131] [<ffffffff83be2618>] tracesys+0xe1/0xe6
[ 117.052131] Code: d8 41 8b 76 60 39 de 74 1b 89 da 48 c7 c7 c6 d9 89 84 31 c0 e8 01 76 94 02 eb 10 66 0f 1f 84 00 00 00 00 00
8b 45 c8 85 c0 74 18 <0f> 0b 4c 8d 48 e0 48 8b 70 e0 31 db c7 45 cc 00 00 00 00 e9 f4
[ 117.052131] RIP [<ffffffff81236687>] validate_mm+0x297/0x2c0
[ 117.052131] RSP <ffff880016a4fdf8>
[ 117.136092] ---[ end trace 5ce250e0bf6d040c ]---

Note that they are very easy to reproduce.

Also, I see that lots of the code there has a local variable named 'bug' that's tracking
whether we should BUG() later on. Why does it work that way and the BUG() isn't immediate?

Thanks,
Sasha
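
The check the quoted commit message describes, and the "free gap ..., correct ..." line in the log above, can be modelled in user space. This is an added example, not part of the original message and not kernel code: the struct, compute_gap(), validate() and demo() are hypothetical names, the tree is a plain unbalanced binary tree, and the addresses are constructed. validate() counts mismatches rather than stopping at the first, so every stale node is printed before the caller decides to abort.

```c
#include <stdio.h>

/* Simplified stand-in for a vma in the augmented tree (hypothetical). */
struct vma {
    unsigned long start, end;   /* mapping covers [start, end) */
    unsigned long subtree_gap;  /* cached: largest free gap in this subtree */
    struct vma *prev;           /* previous vma in address order */
    struct vma *left, *right;
};

/* Value the cache should hold: own gap vs. the children's cached gaps. */
static unsigned long compute_gap(const struct vma *v)
{
    unsigned long max = v->start - (v->prev ? v->prev->end : 0);
    if (v->left && v->left->subtree_gap > max)
        max = v->left->subtree_gap;
    if (v->right && v->right->subtree_gap > max)
        max = v->right->subtree_gap;
    return max;
}

/* Walk every node, print each mismatch, return how many were found. */
static int validate(const struct vma *v)
{
    int bug = 0;
    if (!v) return 0;
    bug += validate(v->left);
    if (v->subtree_gap != compute_gap(v)) {
        printf("free gap %lx, correct %lx\n", v->subtree_gap, compute_gap(v));
        bug++;
    }
    return bug + validate(v->right);
}

/* Constructed sample: three mappings; optionally leave one cache stale. */
static int demo(int stale)
{
    struct vma a = { 0x1000, 0x2000, 0x1000, NULL, NULL, NULL };
    struct vma c = { 0x9000, 0xa000, 0x4000, NULL, NULL, NULL };
    struct vma b = { 0x4000, 0x5000, 0x4000, &a, &a, &c };
    c.prev = &b;
    if (stale)
        c.subtree_gap = 0x6000;  /* as if an update of this node was missed */
    return validate(&b);
}

int main(void)
{
    return (demo(0) == 0 && demo(1) == 2) ? 0 : 1;
}
```

In the stale case both the leaf and its parent are reported, because the parent's expected value is recomputed from the child's cached field.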