From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
To: Liang Yang <liang.yang@amlogic.com>
Cc: Matthew Wilcox <willy@infradead.org>,
	mhocko@suse.com, linux@armlinux.org.uk,
	 linux-kernel@vger.kernel.org, rppt@linux.ibm.com,
	linux-mm@kvack.org,  linux-mtd@lists.infradead.org,
	linux-amlogic@lists.infradead.org,  akpm@linux-foundation.org,
	linux-arm-kernel@lists.infradead.org
Subject: Re: 32-bit Amlogic (ARM) SoC: kernel BUG in kfree()
Date: Mon, 25 Mar 2019 19:31:26 +0100
Message-ID: <CAFBinCA=0XSSVmzfTgb4eSiVFr=XRHqLOVFGyK0++XRty6VjnQ@mail.gmail.com>
In-Reply-To: <5cad2529-8776-687e-58d0-4fb9e2ec59b1@amlogic.com>

Hi Liang,

On Mon, Mar 25, 2019 at 11:03 AM Liang Yang <liang.yang@amlogic.com> wrote:
>
> Hi Martin,
>
> On 2019/3/23 5:07, Martin Blumenstingl wrote:
> > Hi Matthew,
> >
> > On Thu, Mar 21, 2019 at 10:44 PM Matthew Wilcox <willy@infradead.org> wrote:
> >>
> >> On Thu, Mar 21, 2019 at 09:17:34PM +0100, Martin Blumenstingl wrote:
> >>> Hello,
> >>>
> >>> I am experiencing the following crash:
> >>>    ------------[ cut here ]------------
> >>>    kernel BUG at mm/slub.c:3950!
> >>
> >>          if (unlikely(!PageSlab(page))) {
> >>                  BUG_ON(!PageCompound(page));
> >>
> >> You called kfree() on the address of a page which wasn't allocated by slab.
> >>
> >>> I have traced this crash to the kfree() in meson_nfc_read_buf().
> >>> my observation is as follows:
> >>> - meson_nfc_read_buf() is called 7 times without any crash, the
> >>> kzalloc() call returns 0xe9e6c600 (virtual address) / 0x29e6c600
> >>> (physical address)
> >>> - the eighth time meson_nfc_read_buf() is called kzalloc() call returns
> >>> 0xee39a38b (virtual address) / 0x2e39a38b (physical address) and the
> >>> final kfree() crashes
> >>> - changing the size in the kzalloc() call from PER_INFO_BYTE (= 8) to
> >>> PAGE_SIZE works around that crash
> >>
> >> I suspect you're doing something which corrupts memory.  Overrunning
> >> the end of your allocation or something similar.  Have you tried KASAN
> >> or even the various slab debugging (eg redzones)?
> > KASAN is not available on 32-bit ARM. there was some progress last
> > year [0] but it didn't make it into mainline. I tried to make the
> > patches apply again and got it to compile (and my kernel is still
> > booting) but I have no idea if it's still working. for anyone
> > interested, my patches are here: [1] (I consider this a HACK because I
> > don't know anything about the code which is being touched in the
> > patches, I only made it compile)
> >
> > SLAB debugging (redzones) were a great hint, thank you very much for
> > that Matthew! I enabled:
> >    CONFIG_SLUB_DEBUG=y
> >    CONFIG_SLUB_DEBUG_ON=y
> > and with that I now get "BUG kmalloc-64 (Not tainted): Redzone
> > overwritten" (a larger kernel log extract is attached).
> >
> > I'm starting to wonder if the NAND controller (hardware) writes more
> > than 8 bytes.
> > some context: the "info" buffer allocated in meson_nfc_read_buf is
> > then passed to the NAND controller IP (after using dma_map_single).
> >
> > Liang, how does the NAND controller know that it only has to send
> > PER_INFO_BYTE (= 8) bytes when called from meson_nfc_read_buf? all
> > other callers of meson_nfc_dma_buffer_setup (which passes the info
> > buffer to the hardware) are using (nand->ecc.steps * PER_INFO_BYTE)
> > bytes?
> >
> NFC_CMD_N2M and CMDRWGEN are different commands. CMDRWGEN needs to set
> the ecc page size (1KB or 512B) and Pages(2, 4, 8, ...), so
> PER_INFO_BYTE(= 8) bytes for each ecc page.
> I have never used NFC_CMD_N2M to transfer data before, because it is
> very low efficient. And I do an experiment with the attachment and find
> no overwritten on my meson axg platform.
>
> Martin, I would appreciate it very much if you would try the attachment
> on your meson m8b platform.
thank you for your debug patch! on my board 2 * PER_INFO_BYTE is not enough.
I took the idea from your patch and adapted it so I could print a
buffer with 256 bytes (which seems to be "big enough" for my board).
see the attached, modified patch

in the output I see that sometimes the first 32 bytes are not touched
by the controller, but everything beyond 32 bytes is modified in the
info buffer.

I also tried to increase the buffer size to 512, but that didn't make
a difference (I never saw any info buffer modification beyond 256
bytes).

also I just noticed that I didn't give you many details on my NAND chip yet.
from Amlogic vendor u-boot on Meson8m2 (all my Meson8b boards have
eMMC flash, but I believe the NAND controller on Meson8 to GXBB is
identical):
  m8m2_n200_v1#amlnf chipinfo
  flash  info
  name:B revision 20nm NAND 8GiB H27UCG8T2B, id:ad de 94 eb 74 44  0  0
  pagesize:0x4000, blocksize:0x400000, oobsize:0x500, chipsize:0x2000,
    option:0x8, T_REA:16, T_RHOH:15
  hw controller info
  chip_num:1, onfi_mode:0, page_shift:14, block_shift:22, option:0xc2
  ecc_unit:1024, ecc_bytes:70, ecc_steps:16, ecc_max:40
  bch_mode:5, user_mode:2, oobavail:32, oobtail:64384


Regards

Martin

[-- Attachment #2: debug-256-buffer-output.txt --]
[-- Type: text/plain, Size: 8077 bytes --]

...
[    2.716885] 00000000: 0000 8005 2800 2945 fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.720464] 00000020: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.729689] 00000040: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.738847] 00000060: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.748065] 00000080: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.757228] 000000a0: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.766404] 000000c0: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.775602] 000000e0: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.784780] 
[    2.786306] 00000000: 0000 801b 2800 2945 fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.795455] 00000020: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.804638] 00000040: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.813828] 00000060: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.823014] 00000080: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.832203] 000000a0: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.841390] 000000c0: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.850580] 000000e0: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.859759] 
[    2.861303] 00000000: 0000 8011 3d00 295e fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.870435] 00000020: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.879618] 00000040: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.888812] 00000060: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.897996] 00000080: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.907184] 000000a0: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.916364] 000000c0: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.925559] 000000e0: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.934741] 
[    2.936367] 00000000: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    2.945413] 00000020: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b
[    2.954600] 00000040: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b
[    2.963803] 00000060: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b
[    2.972978] 00000080: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b
[    2.982163] 000000a0: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b
[    2.991352] 000000c0: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b
[    3.000539] 000000e0: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b a56b
[    3.009722] 
[    3.011233] 00000000: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.020390] 00000020: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b
[    3.029580] 00000040: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b
[    3.038766] 00000060: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b
[    3.047971] 00000080: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b
[    3.057145] 000000a0: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b
[    3.066325] 000000c0: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b
[    3.075521] 000000e0: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b a56b
[    3.084700] 
[    3.086213] 00000000: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.095373] 00000020: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b
[    3.104558] 00000040: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b
[    3.113748] 00000060: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b
[    3.122934] 00000080: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b
[    3.132124] 000000a0: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b
[    3.141311] 000000c0: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b
[    3.150505] 000000e0: 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b 6b6b a56b
[    3.159681] 
[    3.161171] Could not find a valid ONFI parameter page, trying bit-wise majority to recover it
[    3.169786] ONFI parameter recovery failed, aborting
[    3.174740] 00000000: 0000 8010 3d00 295e fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.183877] 00000020: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.193064] 00000040: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.202249] 00000060: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.211439] 00000080: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.220626] 000000a0: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.229815] 000000c0: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.239002] 000000e0: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.248184] 
[    3.249743] 00000000: 0000 8010 22c0 295e fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.258857] 00000020: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.268044] 00000040: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.277231] 00000060: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.286411] 00000080: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.295607] 000000a0: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.304794] 000000c0: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.313984] 000000e0: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.323163] 
[    3.324657] nand: device found, Manufacturer ID: 0xad, Chip ID: 0xde
[    3.330968] nand: Hynix NAND 8GiB 3,3V 8-bit
[    3.335210] nand: 8192 MiB, MLC, erase size: 4096 KiB, page size: 16384, OOB size: 1280
[    3.343274] 00000000: 0000 8010 2400 295e fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.352390] 00000020: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.361572] 00000040: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.370762] 00000060: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.379963] 00000080: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.389140] 000000a0: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.398326] 000000c0: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.407519] 000000e0: fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd fdfd
[    3.416695] 
...

[-- Attachment #3: nand_debug_martin.patch --]
[-- Type: application/x-patch, Size: 986 bytes --]
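
Added example (not part of the original message or its attachments): the debugging technique described above, pre-filling an oversized buffer with a known byte and checking afterwards which offsets the device changed, as a user-space C program. The fill value, the names scan_overrun() and simulate(), and the memset() standing in for the NAND controller's DMA write are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILL 0xfd          /* pre-fill byte, chosen for this example */
#define PER_INFO_BYTE 8    /* size the driver expects the device to write */
#define PROBE_LEN 256      /* oversized probe buffer, as in the message */

struct overrun {
	size_t first;   /* offset of first modified byte (len if none) */
	size_t end;     /* one past the last modified byte (0 if none) */
	size_t beyond;  /* modified bytes at offsets >= expected */
};

/* Compare every byte with the fill pattern. A device write that happens to
 * equal FILL is invisible, so the result is a lower bound on what was written. */
static struct overrun scan_overrun(const uint8_t *buf, size_t len, size_t expected)
{
	struct overrun r = { len, 0, 0 };
	for (size_t i = 0; i < len; i++) {
		if (buf[i] == FILL)
			continue;
		if (r.first == len)
			r.first = i;
		r.end = i + 1;
		if (i >= expected)
			r.beyond++;
	}
	return r;
}

/* Constructed stand-in for the controller: writes n bytes of val at offset off. */
static struct overrun simulate(size_t off, size_t n, uint8_t val)
{
	uint8_t buf[PROBE_LEN];
	memset(buf, FILL, sizeof(buf));
	memset(buf + off, val, n);
	return scan_overrun(buf, sizeof(buf), PER_INFO_BYTE);
}

int main(void)
{
	struct overrun ok = simulate(0, PER_INFO_BYTE, 0x00);
	struct overrun bad = simulate(32, PROBE_LEN - 32, 0x6b);
	printf("in-bounds write:   first=%zu end=%zu beyond=%zu\n", ok.first, ok.end, ok.beyond);
	printf("overrunning write: first=%zu end=%zu beyond=%zu\n", bad.first, bad.end, bad.beyond);
	return 0;
}
```

A non-zero "beyond" count means the allocation handed to dma_map_single() must be at least "end" bytes long, or the transfer length programmed into the device must be reduced.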
