From: "Kirill A. Shutemov" <kirill@shutemov.name>
To: Guenter Roeck <linux@roeck-us.net>, davem@davemloft.net
Cc: Mel Gorman <mgorman@suse.de>,
Stephen Rothwell <sfr@canb.auug.org.au>,
linux-next@vger.kernel.org, linux-kernel@vger.kernel.org,
Paul Moore <pmoore@redhat.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>
Subject: Re: linux-next: Tree for Jan 20 -- sparc32: fix broken set_pte()
Date: Thu, 22 Jan 2015 19:13:38 +0200 [thread overview]
Message-ID: <20150122171338.GA1039@node.dhcp.inet.fi> (raw)
In-Reply-To: <54C06B19.8060305@roeck-us.net>
On Wed, Jan 21, 2015 at 07:14:33PM -0800, Guenter Roeck wrote:
> On 01/21/2015 02:43 AM, Kirill A. Shutemov wrote:
>
> >>BUG: Bad page state in process init.sh pfn:00000
> >>page:f05e7460 count:0 mapcount:-1 mapping: (null) index:0x0
> >>flags: 0x400(reserved)
> >>page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
> >>bad because of flags:
> >>flags: 0x400(reserved)
> >>CPU: 0 PID: 1 Comm: init.sh Not tainted 3.19.0-rc5-next-20150120 #1
> >>[f0076010 : bad_page+0xdc/0xfc ] [f00760c0 : free_pages_prepare+0x90/0x1f8 ] [f00775cc : free_hot_cold_page+0x20/0x160 ] [f00919e8 : do_wp_page+0x680/0x6ac ] [f00939f4 : handle_mm_fault+0xc94/0xd08 ] [f0015900 : do_sparc_fault+0xfc/0x3ec ] [f000af90 : srmmu_fault+0x58/0x68 ] [f00e74f4 : load_elf_binary+0x9a8/0xe94 ] [f00b0cac : search_binary_handler+0x68/0x12c ] [f00e67d0 : load_script+0x214/0x224 ] [f00b0cac : search_binary_handler+0x68/0x12c ] [f00b11a4 : do_execveat_common+0x434/0x584 ] [f00b1310 : do_execve+0x1c/0x2c ] [f02b50b0 : kernel_init+0x70/0xf0 ] [f000b200 : ret_from_kernel_thread+0xc/0x38 ] [00000000 : (null) ]
> >>Disabling lock debugging due to kernel taint
> >>: applet not found
> >>Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
> >
> >It doesn't make much sense to me. It tries to free page with pfn==0 on
> >handling wp-fault. How it got mapped in the first place?
> >
> If I comment out the added call to vm_normal_page(), the code works fine.
> If the call to vm_local_page() is there but everything else from your patch
> is commented out, the crash occurs. Also, any log message added to the new
> code patch (inside the if statements) is not getting printed, meaning the
> new code (besides the call to vm_local_page) is not reached.
>
> I guess that means that something in the call to vm_normal_page() appears
> to go wrong. No idea what that might be, though.
vm_normal_page() is never called in this case, since prot_numa is always
zero.
I tracked the bug down. It's a sparc bug. The commit only triggers it,
because affect how GCC optimize the code around faulty point.
Please, test.
>From 5b9232753217412116a4cdc2897be0db818371ca Mon Sep 17 00:00:00 2001
From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Date: Thu, 22 Jan 2015 18:42:13 +0200
Subject: [PATCH] sparc32: fix broken set_pte()
32-bit sparc uses swap instruction to implement set_pte(). It called
using GCC inline assembler. But it misses the "memory" clobber to
indicate that pte value will be updated in memory.
As result GCC doesn't know that it cannot postpone pte pointer
dereference which occurs before set_pte() to post-set_pte() time.
It leads to real-world bugs -- [1]. In this situation we have code:
ptent = ptep_modify_prot_start(mm, addr, pte);
ptent = pte_modify(ptent, newprot);
...
ptep_modify_prot_commit(mm, addr, pte, ptent);
ptep_modify_prot_start() in sparc case is just 'pte' dereference plus
pte_clear(). pte_clear() calls broken set_pte(). GCC thinks it's valid
to dereference 'pte' again on pte_modify() and gets cleared pte.
ptep_modify_prot_commit() puts 'pteent' with pfn==0 back to page table,
which eventually leads to the crash.
[1] http://lkml.kernel.org/r/54C06B19.8060305@roeck-us.net
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Guenter Roeck <linux@roeck-us.net>
---
arch/sparc/include/asm/pgtable_32.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/sparc/include/asm/pgtable_32.h b/arch/sparc/include/asm/pgtable_32.h
index b2f7dc46a7d1..9912eb0b499a 100644
--- a/arch/sparc/include/asm/pgtable_32.h
+++ b/arch/sparc/include/asm/pgtable_32.h
@@ -102,7 +102,8 @@ extern unsigned long empty_zero_page;
*/
static inline unsigned long srmmu_swap(unsigned long *addr, unsigned long value)
{
- __asm__ __volatile__("swap [%2], %0" : "=&r" (value) : "0" (value), "r" (addr));
+ __asm__ __volatile__("swap [%2], %0" :
+ "=&r" (value) : "0" (value), "r" (addr) : "memory");
return value;
}
--
Kirill A. Shutemov
next prev parent reply other threads:[~2015-01-22 17:14 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-20 7:53 linux-next: Tree for Jan 20 Stephen Rothwell
2015-01-20 14:16 ` Guenter Roeck
2015-01-20 16:56 ` linux-next: Tree for Jan 20 -- Kernel panic - Unable to mount root fs Sabrina Dubroca
2015-01-20 17:39 ` Paul Moore
2015-01-20 17:51 ` Sabrina Dubroca
2015-01-20 19:54 ` Al Viro
2015-01-20 20:45 ` Sabrina Dubroca
2015-01-20 21:02 ` Al Viro
2015-01-20 21:38 ` Sabrina Dubroca
2015-01-20 21:58 ` Al Viro
2015-01-20 22:08 ` Sabrina Dubroca
2015-01-20 22:13 ` Guenter Roeck
2015-01-20 22:50 ` Al Viro
2015-01-20 23:17 ` Al Viro
2015-01-20 23:27 ` Sabrina Dubroca
2015-01-21 0:04 ` Paul Moore
2015-01-21 0:14 ` Paul Moore
2015-01-21 0:41 ` Al Viro
2015-01-21 2:44 ` Guenter Roeck
2015-01-21 3:36 ` Al Viro
2015-01-21 4:01 ` Guenter Roeck
2015-01-21 4:36 ` Al Viro
2015-01-21 11:05 ` Sabrina Dubroca
2015-01-21 13:32 ` Guenter Roeck
2015-01-21 18:29 ` Al Viro
2015-01-21 19:06 ` Guenter Roeck
2015-01-21 20:06 ` Al Viro
2015-01-21 21:03 ` Guenter Roeck
2015-01-21 21:28 ` Al Viro
2015-01-21 21:38 ` Guenter Roeck
2015-01-21 21:40 ` Sabrina Dubroca
2015-01-21 21:54 ` Paul Walmsley
2015-01-22 2:28 ` Paul Moore
2015-01-22 4:12 ` Al Viro
2015-01-22 4:49 ` Paul Moore
2015-01-21 21:30 ` Sabrina Dubroca
2015-01-21 14:42 ` Thierry Reding
2015-01-21 15:24 ` Paul Moore
2015-01-21 15:39 ` Thierry Reding
2015-01-21 15:54 ` Sabrina Dubroca
2015-01-21 16:16 ` Paul Moore
2015-01-21 17:38 ` Al Viro
2015-01-21 17:51 ` Guenter Roeck
2015-01-21 16:21 ` Guenter Roeck
2015-01-21 15:06 ` Paul Moore
2015-01-20 21:43 ` Guenter Roeck
2015-01-20 17:54 ` Fabio Estevam
2015-01-20 19:00 ` Ross Zwisler
2015-01-20 19:16 ` Fabio Estevam
2015-01-20 19:24 ` Paul Moore
2015-01-20 19:43 ` Fabio Estevam
2015-01-20 20:10 ` Paul Moore
2015-01-20 20:26 ` linux-next: Tree for Jan 20 Guenter Roeck
2015-01-20 22:54 ` Kirill A. Shutemov
2015-01-21 3:05 ` Guenter Roeck
2015-01-21 10:43 ` Kirill A. Shutemov
2015-01-21 23:34 ` Guenter Roeck
2015-01-22 3:14 ` Guenter Roeck
2015-01-22 17:13 ` Kirill A. Shutemov [this message]
2015-01-22 17:27 ` linux-next: Tree for Jan 20 -- sparc32: fix broken set_pte() Kirill A. Shutemov
2015-01-22 19:34 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150122171338.GA1039@node.dhcp.inet.fi \
--to=kirill@shutemov.name \
--cc=davem@davemloft.net \
--cc=iamjoonsoo.kim@lge.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-next@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=mgorman@suse.de \
--cc=pmoore@redhat.com \
--cc=sfr@canb.auug.org.au \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).