From: rtm@csail.mit.edu
To: Alexandre Ghiti <alex@ghiti.fr>
Cc: Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
linux-riscv@lists.infradead.org
Subject: Re: futex(0x1ffffff81300000) on risc-v -> mm panic
Date: Thu, 19 Jun 2025 09:30:41 -0400 [thread overview]
Message-ID: <3900.1750339841@localhost> (raw)
In-Reply-To: Your message of "Thu, 19 Jun 2025 14:35:21 +0200." <21e7809a-ef55-4b4d-aa29-f6ef2bb429ee@ghiti.fr>
Alex,
Deleting
#define TASK_SIZE_MAX LONG_MAX
from arch/riscv/include/asm/pgtable.h does indeed make the problem
go away.
Robert
> Date: Thu, 19 Jun 2025 14:35:21 +0200
> Subject: Re: futex(0x1ffffff81300000) on risc-v -> mm panic
> To: rtm@csail.mit.edu, Paul Walmsley <paul.walmsley@sifive.com>,
> Palmer Dabbelt <palmer@dabbelt.com>, Albert Ou <aou@eecs.berkeley.edu>
> Cc: linux-riscv@lists.infradead.org
> From: Alexandre Ghiti <alex@ghiti.fr>
>
> On 6/18/25 12:10, rtm@csail.mit.edu wrote:
> > This program on risc-v:
> >
> > main(){
> > futex((void*) 0x1ffffff81300000, FUTEX_WAIT, 0, 0, 0, 0);
>
>
> This address is far beyond what userspace is supposed to be able to
> access, even in sv57, see Documentation/arch/riscv/vm-layout.rst.
>
> The problem is that access_ok() lets it go through and then gup
> returns a kernel mapping, which isn't good at all.
>
> I can't reproduce the issue, but it seems like commit ad5643cf2f69
> ("riscv: Define TASK_SIZE_MAX for __access_ok()") is the culprit, can
> you try reverting it?
>
> Thanks,
>
> Alex
>
>
> > }
> >
> > results in:
> >
> > BUG: Bad page state in process a.out pfn:81500
> > page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x81500
> > flags: 0x2000(reserved|zone=0)
> > raw: 0000000000002000 ff1c000000054008 ff1c000000054008 0000000000000000
> > raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> > page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
> > Modules linked in:
> > CPU: 0 UID: 0 PID: 105 Comm: a.out Not tainted 6.16.0-rc2-00067-gb61aa0e0059b #566 NONE
> > Hardware name: riscv-virtio,qemu (DT)
> > Call Trace:
> > [<ffffffff80025b62>] dump_backtrace+0x1c/0x24
> > [<ffffffff800023b8>] show_stack+0x28/0x34
> > [<ffffffff800205d2>] dump_stack_lvl+0x48/0x66
> > [<ffffffff80020604>] dump_stack+0x14/0x1c
> > [<ffffffff80262098>] bad_page+0x118/0x15c
> > [<ffffffff80264e96>] __free_frozen_pages+0x494/0x650
> > [<ffffffff80266fe2>] free_frozen_pages+0xe/0x16
> > [<ffffffff8020926c>] __folio_put+0x60/0xae
> > [<ffffffff800ec23a>] get_futex_key+0x2da/0x44e
> > [<ffffffff800f0474>] futex_wait_setup+0x52/0x23a
> > [<ffffffff800f06da>] __futex_wait+0x7e/0xd8
> > [<ffffffff800f0782>] futex_wait+0x4e/0xbc
> > [<ffffffff800ed3a0>] do_futex+0x74/0x100
> > [<ffffffff800ed4f4>] __riscv_sys_futex+0xc8/0x148
> > [<ffffffff811e4930>] do_trap_ecall_u+0x84/0x11a
> > [<ffffffff811f0b0e>] handle_exception+0x146/0x152
> > Disabling lock debugging due to kernel taint
> >
> > and after running this program a few more times:
> >
> > page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x81500
> > flags: 0x2000(reserved|zone=0)
> > raw: 0000000000002000 ff1c000000054008 ff1c000000054008 0000000000000000
> > raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> > page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
> > ------------[ cut here ]------------
> > kernel BUG at ./include/linux/mm.h:1034!
> > Kernel BUG [#1]
> > Modules linked in:
> > CPU: 0 UID: 0 PID: 110 Comm: a.out Tainted: G B 6.16.0-rc2-00067-gb61aa0e0059b #566 NONE
> > Tainted: [B]=BAD_PAGE
> > Hardware name: riscv-virtio,qemu (DT)
> > epc : get_futex_key+0x23c/0x44e
> > ra : get_futex_key+0x23c/0x44e
> > ...
> > [<ffffffff800ec19c>] get_futex_key+0x23c/0x44e
> > [<ffffffff800f0474>] futex_wait_setup+0x52/0x23a
> > [<ffffffff800f06da>] __futex_wait+0x7e/0xd8
> > [<ffffffff800f0782>] futex_wait+0x4e/0xbc
> > [<ffffffff800ed3a0>] do_futex+0x74/0x100
> > [<ffffffff800ed4f4>] __riscv_sys_futex+0xc8/0x148
> > [<ffffffff811e4930>] do_trap_ecall_u+0x84/0x11a
> > [<ffffffff811f0b0e>] handle_exception+0x146/0x152
> > Code: bdad a597 017c 8593 fa65 8526 7097 0014 80e7 a4a0 (9002) 8785
> > ---[ end trace 0000000000000000 ]---
> > Kernel panic - not syncing: Fatal exception in interrupt
> >
> > get_futex_key() calls get_user_pages_fast(), which returns a
> > PG_reserved page in one of the reserve_bootmem_region() areas. Beyond
> > that I do not understand the situation.
> >
> > Robert Morris
> > rtm@mit.edu
> >
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2025-06-19 17:02 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-18 11:10 futex(0x1ffffff81300000) on risc-v -> mm panic rtm
2025-06-18 13:25 ` Nam Cao
2025-06-18 18:27 ` rtm
2025-06-18 19:58 ` Palmer Dabbelt
2025-06-18 21:32 ` Nam Cao
2025-06-19 12:35 ` Alexandre Ghiti
2025-06-19 13:30 ` rtm [this message]
2025-06-19 16:02 ` Nam Cao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3900.1750339841@localhost \
--to=rtm@csail.mit.edu \
--cc=alex@ghiti.fr \
--cc=aou@eecs.berkeley.edu \
--cc=linux-riscv@lists.infradead.org \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox