public inbox for linux-kernel@vger.kernel.org
From: Andrew Morton <akpm@linux-foundation.org>
To: Mike Galbraith <efault@gmx.de>
Cc: Alexey Dobriyan <adobriyan@gmail.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	Christoph Lameter <clameter@sgi.com>
Subject: Re: 2.6.23-rc1: BUG_ON in kmap_atomic_prot()
Date: Tue, 24 Jul 2007 09:28:39 -0700
Message-ID: <20070724092839.f0556948.akpm@linux-foundation.org>
In-Reply-To: <1185271269.6479.7.camel@Homer.simpson.net>

On Tue, 24 Jul 2007 12:01:09 +0200 Mike Galbraith <efault@gmx.de> wrote:

> On Mon, 2007-07-23 at 13:24 -0700, Andrew Morton wrote:
> 
> > You're using DEBUG_PAGEALLOC, but I was not, so I think we can rule that out.
> 
> My box bugged during boot the first time I booted 23-rc1, but nothing
> made it to the console, and I didn't have a serial console running.  I
> didn't have DEBUG_PAGEALLOC or friends set.
> 
> > I haven't worked out where that kmap_atomic() call is coming from yet. 
> > Both traces point up into the page allocator, but I _think_ that's stack
> > gunk.
> 
> I just enabled all debug options, and was just rewarded with the below.

doh.  It's a slab bug.

> [  119.079531] eth1: link up, 100Mbps, full-duplex, lpa 0x45E1
> [  119.558867] ------------[ cut here ]------------
> [  119.572197] kernel BUG at arch/i386/mm/highmem.c:38!
> [  119.585804] invalid opcode: 0000 [#1]
> [  119.598013] PREEMPT SMP DEBUG_PAGEALLOC
> [  119.610103] Modules linked in: edd button battery ac ip6t_REJECT xt_tcpudp ipt_REJECT xt_state iptable_mangle iptable_nat nf_nat iptable_filter ip6table_mangle nf_conntrack_ipv4 nf_conntrack nfnetlink ip_tables ip6table_filter ip6_tables x_tables nls_iso8859_1 nls_cp437 nls_utf8 snd_intel8x0 snd_ac97_codec ac97_bus snd_mpu401 snd_pcm prism54 snd_timer snd_mpu401_uart snd_rawmidi snd_seq_device snd intel_agp agpgart soundcore snd_page_alloc i2c_i801 fan thermal processor
> [  119.698063] CPU:    1
> [  119.698065] EIP:    0060:[<c011cd2d>]    Not tainted VLI
> [  119.698067] EFLAGS: 00010006   (2.6.23-rc1-smp #75)
> [  119.736358] EIP is at kmap_atomic_prot+0xa7/0xab
> [  119.749647] eax: 3d07f163   ebx: c166db80   ecx: c0750e60   edx: 00000007
> [  119.765417] esi: 00000022   edi: 00000163   ebp: c069dcd4   esp: c069dcc8
> [  119.781273] ds: 007b   es: 007b   fs: 00d8  gs: 0033  ss: 0068
> [  119.796378] Process udevd (pid: 4775, ti=c069d000 task=f31aea60 task.ti=f477d000)
> [  119.804068] Stack: c166db80 00000000 c166db80 c069dcdc c011cd3f c069dd40 c015b6e0 00000001 
> [  119.822272]        00000044 00000163 00000000 00000001 c165f4e0 00000001 c165f4e0 00000001 
> [  119.840762]        00000000 00028020 c061e71c c166db80 00000046 00000080 00000001 c011e4de 
> [  119.859389] Call Trace:
> [  119.881302]  [<c0105144>] show_trace_log_lvl+0x1a/0x30
> [  119.896319]  [<c01051ff>] show_stack_log_lvl+0xa5/0xca
> [  119.911171]  [<c0105420>] show_registers+0x1fc/0x343
> [  119.925756]  [<c0105689>] die+0x122/0x249
> [  119.939241]  [<c0105834>] do_trap+0x84/0xad
> [  119.952897]  [<c0105b1c>] do_invalid_op+0x88/0x92
> [  119.967118]  [<c04cf3c2>] error_code+0x72/0x78
> [  119.980948]  [<c011cd3f>] kmap_atomic+0xe/0x10
> [  119.994642]  [<c015b6e0>] get_page_from_freelist+0x39e/0x45e
> [  120.009485]  [<c015b7fb>] __alloc_pages+0x5b/0x2db
> [  120.023342]  [<c0172872>] cache_alloc_refill+0x380/0x6f2
> [  120.037623]  [<c0172e7a>] kmem_cache_alloc+0xa1/0xa5
> [  120.051426]  [<c03fb397>] neigh_create+0x5f/0x506
> [  120.064894]  [<c046e25d>] ndisc_dst_alloc+0x122/0x151
> [  120.078769]  [<c0471b0b>] __ndisc_send+0x8d/0x4fa
> [  120.092340]  [<c0472915>] ndisc_send_ns+0x5f/0x7d
> [  120.105848]  [<c0469ff5>] addrconf_dad_timer+0xdb/0xe0
> [  120.119758]  [<c012f8a0>] run_timer_softirq+0x130/0x191
> [  120.133717]  [<c012c06d>] __do_softirq+0x76/0xe4
> [  120.147475]  [<c0106b48>] do_softirq+0x63/0xac
> [  120.147488]  [<c012bff5>] 


> (gdb) list *neigh_create+0x5f
> 0xc03fb397 is in neigh_create (include/linux/slab.h:259).
> 254     /*
> 255      * Shortcuts
> 256      */
> 257     static inline void *kmem_cache_zalloc(struct kmem_cache *k, gfp_t flags)
> 258     {
> 259             return kmem_cache_alloc(k, flags | __GFP_ZERO);
> 260     }

See, networking's kmem_cache_alloc(..., __GFP_ZERO) ended up calling into
the page allocator with __GFP_ZERO.  This is the bug - slab isn't supposed
to do that: the __GFP_ZERO is supposed to be removed.

Now, it's not a highmem page, so prep_zero_page() won't actually establish
a kmap, but it will check that the kmap slot is presently unused on this
CPU.

But networking calls in here from softirq context (illegal for KM_USER0)
and sometimes that KM_USER0 slot *will* be in use, so kmap_atomic_prot()
will go BUG.

I must say it's really really scary that such a low-level function as
prep_zero_page() is using KM_USER0.  I don't think it has enough debugging
checks in there to prevent Bad Stuff from going undetected.

I guess this was the bug:

--- a/mm/slab.c~a
+++ a/mm/slab.c
@@ -2776,7 +2776,7 @@ static int cache_grow(struct kmem_cache 
 	 * 'nodeid'.
 	 */
 	if (!objp)
-		objp = kmem_getpages(cachep, flags, nodeid);
+		objp = kmem_getpages(cachep, local_flags, nodeid);
 	if (!objp)
 		goto failed;
 
_
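
Review bot: at the kmem_getpages() call in cache_grow(), the fix is only correct if local_flags has __GFP_ZERO masked off, and nothing in this hunk shows where local_flags is derived or which bits it keeps. The changelog should state that derivation and confirm that no other path in cache_grow() still hands the caller's raw flags to the page allocator. Given the remark in this mail that prep_zero_page() lacks debugging checks, a check in kmem_getpages() that fires when __GFP_ZERO arrives from slab would catch a regression of this kind. The patch also needs a description and a Signed-off-by before it can be applied.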


I don't see why you later got fs corruption - afaict we won't actually
modify the KM_USER0 slot in this scenario.


> 262     /**
> 263      * kzalloc - allocate memory. The memory is set to zero.
> (gdb) list *kmem_cache_alloc+0xa1
> 0xc0172e7a is in kmem_cache_alloc (mm/slab.c:3176).
> 3171                    STATS_INC_ALLOCHIT(cachep);
> 3172                    ac->touched = 1;
> 3173                    objp = ac->entry[--ac->avail];
> 3174            } else {
> 3175                    STATS_INC_ALLOCMISS(cachep);
> 3176                    objp = cache_alloc_refill(cachep, flags);
> 3177            }
> 3178            return objp;
> 3179    }
> 3180
> (gdb) list *cache_alloc_refill+0x380
> 0xc0172872 is in cache_alloc_refill (include/linux/gfp.h:154).
> 149
> 150             /* Unknown node is current node */
> 151             if (nid < 0)
> 152                     nid = numa_node_id();
> 153
> 154             return __alloc_pages(gfp_mask, order,
> 155                     NODE_DATA(nid)->node_zonelists + gfp_zone(gfp_mask));
> 156     }
> 157
> 158     #ifdef CONFIG_NUMA
> (gdb) list *__alloc_pages+0x5b
> 0xc015b7fb is in __alloc_pages (mm/page_alloc.c:1248).
> 1243            if (unlikely(*z == NULL)) {
> 1244                    /* Should this ever happen?? */
> 1245                    return NULL;
> 1246            }
> 1247
> 1248            page = get_page_from_freelist(gfp_mask|__GFP_HARDWALL, order,
> 1249                                    zonelist, ALLOC_WMARK_LOW|ALLOC_CPUSET);
> 1250            if (page)
> 1251                    goto got_pg;
> 1252
> (gdb) list *get_page_from_freelist+0x39e
> 0xc015b6e0 is in get_page_from_freelist (include/linux/highmem.h:122).
> 117             return __alloc_zeroed_user_highpage(__GFP_MOVABLE, vma, vaddr);
> 118     }
> 119
> 120     static inline void clear_highpage(struct page *page)
> 121     {
> 122             void *kaddr = kmap_atomic(page, KM_USER0);
> 123             clear_page(kaddr);
> 124             kunmap_atomic(kaddr, KM_USER0);
> 125     }
> 126
> 
> 
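
A user-space model of the failure analysed in this message, added as an example and not code from the mail or the kernel: one zeroing slab allocation made from softirq while the KM_USER0 slot is busy, once with the caller's raw flags passed down and once with the masked local_flags. The flag values, the `model_*` functions, the way local_flags is derived and the slab-side memset are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed flag bits and object size for this model, not kernel values. */
#define M_GFP_ATOMIC 0x01u
#define M_GFP_ZERO   0x02u
#define OBJ_SIZE     64
static bool km_user0_busy;  /* models this CPU's KM_USER0 slot being in use */
static int slot_check_hits; /* times the slot-in-use check would have BUGged */
struct result { int slot_check_failures; bool object_zeroed; };

/* Page allocator model: zeroing goes through KM_USER0, whose debug check
 * fires if the slot is already occupied (the BUG in the trace). */
static void *model_alloc_page(unsigned flags)
{
    unsigned char *page = malloc(OBJ_SIZE);
    if (!page)
        return NULL;
    memset(page, 0xAA, OBJ_SIZE);         /* stale contents of a recycled page */
    if (flags & M_GFP_ZERO) {
        slot_check_hits += km_user0_busy; /* check fails when the slot is busy */
        memset(page, 0, OBJ_SIZE);
    }
    return page;
}

/* Slab model: 'fixed' picks the masked local_flags over the caller's raw
 * flags, as in the patch. The mask itself is an assumption of this model. */
static void *model_cache_zalloc(unsigned flags, bool fixed)
{
    unsigned all = flags | M_GFP_ZERO;
    unsigned local_flags = all & ~M_GFP_ZERO;
    void *obj = model_alloc_page(fixed ? local_flags : all);
    if (obj)
        memset(obj, 0, OBJ_SIZE);         /* slab zeroes the object itself */
    return obj;
}

/* One zeroing allocation from "softirq" while the interrupted task
 * already holds the KM_USER0 slot. */
struct result run_softirq_alloc(bool fixed)
{
    struct result r = { 0, true };
    unsigned char *obj;
    slot_check_hits = 0;
    km_user0_busy = true;
    obj = model_cache_zalloc(M_GFP_ATOMIC, fixed);
    km_user0_busy = false;
    for (size_t i = 0; obj && i < OBJ_SIZE; i++)
        if (obj[i]) r.object_zeroed = false;
    free(obj);
    r.slot_check_failures = slot_check_hits;
    return r;
}

int main(void)
{
    struct result raw = run_softirq_alloc(false), fix = run_softirq_alloc(true);
    printf("raw flags: %d hits, local_flags: %d hits\n",
           raw.slot_check_failures, fix.slot_check_failures);
    return 0;
}
```

In the model the caller still receives a zeroed object in both cases; only the raw-flags path reaches the slot check.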
