From: Bert Karwatzki <spasswolf@web.de>
To: Jason Xing <kerneljasonxing@gmail.com>
Cc: Johannes Berg <johannes@sipsolutions.net>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-next@vger.kernel.org" <linux-next@vger.kernel.org>,
"llvm@lists.linux.dev" <llvm@lists.linux.dev>,
Thomas Gleixner <tglx@linutronix.de>,
linux-wireless@vger.kernel.org, spasswolf@web.de
Subject: Re: lockup and kernel panic in linux-next-202505{09,12} when compiled with clang
Date: Sun, 18 May 2025 16:41:48 +0200
Message-ID: <f109986d1c25c794f7f6a470722f1ea878d10b33.camel@web.de>
In-Reply-To: <c343c12be42195aaeeb572ddc76ed41369904d79.camel@web.de>
On Sunday, 18.05.2025 at 16:15 +0200, Bert Karwatzki wrote:
> On Sunday, 18.05.2025 at 14:43 +0200, Bert Karwatzki wrote:
> > On Sunday, 18.05.2025 at 14:12 +0200, Bert Karwatzki wrote:
> > >
> > > I even tried this version of your patch, to keep the offset of skc_refcnt at 128,
> > > but it doesn't work, either.
> > >
> > > commit fca84c5cde713be480544a64ed6680afc3319670
> > > Author: Bert Karwatzki <spasswolf@web.de>
> > > Date: Sun May 18 13:32:36 2025 +0200
> > >
> > > include: net: sock: move skc_flags out of the union
> > >
> > > Signed-off-by: Bert Karwatzki <spasswolf@web.de>
> > >
> > > diff --git a/include/net/sock.h b/include/net/sock.h
> > > index 3e15d7105ad2..e73929a4da6e 100644
> > > --- a/include/net/sock.h
> > > +++ b/include/net/sock.h
> > > @@ -195,7 +195,6 @@ struct sock_common {
> > > * for different kind of 'sockets'
> > > */
> > > union {
> > > - unsigned long skc_flags;
> > > struct sock *skc_listener; /* request_sock */
> > > struct inet_timewait_death_row *skc_tw_dr; /* inet_timewait_sock */
> > > };
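Review bot: the union is left with only skc_listener and skc_tw_dr, but the comment directly above it still says the members are shared "for different kind of 'sockets'"; skc_flags was the member that aliased those two pointers, so the comment should be updated, and the commit message should say that this is a layout experiment (re-adding skc_flags elsewhere grows struct sock_common by sizeof(unsigned long) and shifts every field after it) rather than a fix.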
> > > @@ -221,6 +220,9 @@ struct sock_common {
> > > };
> > >
> > > refcount_t skc_refcnt;
> > > +
> > > + /* place skc_flags here to keep offset(struct sock, sk_refcnt) == 128 */
> > > + unsigned long skc_flags;
> > > /* private: */
> > > int skc_dontcopy_end[0];
> > > union {
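Review bot: the new skc_flags lands between skc_refcnt and the `/* private: */ int skc_dontcopy_end[0];` marker, i.e. inside the region the dontcopy markers exclude from socket cloning (the follow-up below confirms this was unintended), so a cloned socket would inherit whatever the allocator left in skc_flags; move it after skc_dontcopy_end[0]. The comment's claim that offset(struct sock, sk_refcnt) stays 128 is not checked anywhere in the hunk; a `BUILD_BUG_ON(offsetof(struct sock, sk_refcnt) != 128);` next to the change would make the build verify it instead of the reader.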
> > >
> >
> > In the patch above I accidentally put skc_flags in the part of struct sock_common
> > which does not get copied, but putting it below skc_dontcopy_end[0] does not work,
> > either:
> >
> > diff --git a/include/net/sock.h b/include/net/sock.h
> > index 3e15d7105ad2..6d69753a205a 100644
> > --- a/include/net/sock.h
> > +++ b/include/net/sock.h
> > @@ -195,7 +195,6 @@ struct sock_common {
> > * for different kind of 'sockets'
> > */
> > union {
> > - unsigned long skc_flags;
> > struct sock *skc_listener; /* request_sock */
> > struct inet_timewait_death_row *skc_tw_dr; /* inet_timewait_sock */
> > };
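Review bot: this removal is identical to the one in the first attempt, so everything that distinguishes the two experiments is in the following hunk; the diff is posted without a commit message saying so, and the now stale "for different kind of 'sockets'" comment above the two-member union is again left untouched.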
> > @@ -221,8 +220,12 @@ struct sock_common {
> > };
> >
> > refcount_t skc_refcnt;
> > +
> > /* private: */
> > int skc_dontcopy_end[0];
> > + /* place skc_flags here to keep offset(struct sock, sk_refcnt) == 128
> > + * Also place it below skc_dontcopy_end[0] */
> > + unsigned long skc_flags;
> > union {
> > u32 skc_rxhash;
> > u32 skc_window_clamp;
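Review bot: the multi-line comment does not follow the kernel style used a few lines up in the same file (`/*` alone on the first line, ` */` alone on the last), and the added blank line after `refcount_t skc_refcnt;` is an unrelated whitespace change; drop both. As in the previous attempt, the offset-128 assumption lives only in a comment: if that invariant is the point of the experiment, assert it with BUILD_BUG_ON or static_assert on offsetof(struct sock, sk_refcnt) so a layout change fails the build instead of going unnoticed.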
> >
> > This locks up as usual.
> >
> > Bert Karwatzki
>
> So I did some more monitoring and found that even though skc_flags is removed from the union
> it can take strange values, e.g.:
>
> Here the value is not even a pointer (perhaps uninitialized memory?):
> [ T572] ieee80211_8023_xmit_clang_debug_helper: skb->sk = ffff88fc2abf4cc0 skb->sk->sk_flags = 0xa00f7fe57b16f7e1
> These could be pointers, but as pointers would only be aligned to a 2-byte boundary ...
> [ T572] ieee80211_8023_xmit_clang_debug_helper: skb->sk = ffff88fbd0bd3210 skb->sk->sk_flags = 0xffffc0f1c62dcc4e
> [ T572] ieee80211_8023_xmit_clang_debug_helper: skb->sk = ffff88fbd0bd3210 skb->sk->sk_flags = 0xffffc0f1c62dcc4e
>
> Bert Karwatzki
I tried to set sk_flags to 0 in sk_prot_alloc() like this:

commit 269f21266477e74321e32e0b022dda8e98785589 (HEAD -> clang_panic)
Author: Bert Karwatzki <spasswolf@web.de>
Date: Sun May 18 16:28:39 2025 +0200

net: core: sock: set initial sk_flags to 0 in sk_prot_alloc()

Signed-off-by: Bert Karwatzki <spasswolf@web.de>

diff --git a/net/core/sock.c b/net/core/sock.c
index f6589ad5ba36..acaa39ad18be 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2216,6 +2216,7 @@ static struct sock *sk_prot_alloc(struct proto *prot, gfp_t priority,
goto out_free_sec;
}
+ sk->sk_flags = 0;
return sk;
out_free_sec:
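Review bot: the store to sk->sk_flags sits after the error check and before `return sk;`, so it runs for every successfully allocated socket, which is fine for an experiment; but the values logged after this change are not leftover allocator contents (0x726f2e65746f7571 is the little-endian ASCII bytes "quote.or", and 0xffff8961936b78f0 is exactly skb->sk + 0x80), which points at the memory behind skb->sk being overwritten or reused after allocation, something zeroing at allocation cannot catch. A KASAN-enabled build, or slab poisoning on the socket cache, would be the next check to localise the write.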
But that didn't work:
[ 13.832282] [ T579] ieee80211_8023_xmit_clang_debug_helper: skb->sk = ffff8962805faee0 skb->sk->sk_flags = 0x4472000044f00000
[...]
[ 124.165094] [ T579] ieee80211_8023_xmit_clang_debug_helper: skb->sk = ffff896280760550 skb->sk->sk_flags = 0x726f2e65746f7571
[...]
[ 185.138202] [ T579] ieee80211_8023_xmit_clang_debug_helper: skb->sk = ffff8960c78b7a90 skb->sk->sk_flags = 0x8000000000000025
[...]
[ 290.623998] [ T579] ieee80211_8023_xmit_clang_debug_helper: skb->sk = ffff8961936b7870 skb->sk->sk_flags = 0xffff8961936b78f0
Bert Karwatzki
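The two things the attempts above keep running into, a field placed between skc_dontcopy_begin and skc_dontcopy_end is not cloned, and an offset invariant that is only asserted in a comment, as an added example that is not code from this thread or from the kernel: a toy struct modelled on sock_common with the same zero-length-array marker idiom, a copy routine shaped like the kernel's sock_copy(), and a compile-time offset check. The struct, its field names and the chosen offsets are assumptions for the demonstration.

```c
/* Added example, not kernel code: a toy model of the sock_common layout with
 * skc_dontcopy_begin/skc_dontcopy_end markers.  It shows (1) that a field
 * placed between the markers is skipped by the clone copy, which is what the
 * first placement above ran into, and (2) how to pin an offset invariant at
 * build time instead of in a comment.  All names and offsets are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { int counter; } refcount_t;   /* stand-in for the kernel type */

struct toy_sock_common {
	unsigned long skc_hash;              /* copied on clone */
	int           skc_dontcopy_begin[0]; /* marker: start of the skipped region */
	refcount_t    skc_refcnt;            /* skipped: each socket owns its refcount */
	unsigned long skc_flags_inside;      /* skipped: placed like the first attempt */
	int           skc_dontcopy_end[0];   /* marker: end of the skipped region */
	unsigned long skc_flags_after;       /* copied: placed like the second attempt */
	uint32_t      skc_rxhash;            /* copied */
};

/* Pin the layout at compile time; a comment cannot fail the build, this can. */
_Static_assert(offsetof(struct toy_sock_common, skc_refcnt) == sizeof(unsigned long),
	       "skc_refcnt moved; a field was inserted before it");
_Static_assert(offsetof(struct toy_sock_common, skc_dontcopy_begin) <=
	       offsetof(struct toy_sock_common, skc_dontcopy_end),
	       "dontcopy markers are out of order");

/* Same shape as the kernel's sock_copy(): copy everything before the begin
 * marker, then everything from the end marker to the end of the object. */
static void toy_sock_copy(struct toy_sock_common *nsk,
			  const struct toy_sock_common *osk)
{
	size_t end = offsetof(struct toy_sock_common, skc_dontcopy_end);

	memcpy(nsk, osk, offsetof(struct toy_sock_common, skc_dontcopy_begin));
	memcpy((char *)nsk + end, (const char *)osk + end, sizeof(*osk) - end);
}

size_t toy_refcnt_offset(void)
{
	return offsetof(struct toy_sock_common, skc_refcnt);
}

/* Clone a constructed parent into a child whose memory is pre-filled with a
 * recognisable pattern (standing in for stale slab contents).  Returns 1 when
 * the field after the end marker was cloned and the one inside the skipped
 * region still holds the stale bytes, i.e. the layout behaves as designed. */
int toy_demo_dontcopy(void)
{
	struct toy_sock_common parent, child;

	memset(&parent, 0, sizeof(parent));
	memset(&child, 0xAA, sizeof(child));       /* constructed "stale" bytes */
	parent.skc_refcnt.counter = 7;
	parent.skc_flags_inside = 0x1234;
	parent.skc_flags_after  = 0x5678;
	parent.skc_rxhash       = 42;

	toy_sock_copy(&child, &parent);

	return child.skc_flags_after == 0x5678 &&
	       child.skc_rxhash == 42 &&
	       child.skc_flags_inside != 0x1234 &&   /* not cloned: still 0xAA.. */
	       child.skc_refcnt.counter != 7;        /* not cloned: still 0xAA.. */
}

int main(void)
{
	int ok = toy_demo_dontcopy();

	printf("skc_refcnt offset: %zu, dontcopy region behaves as designed: %s\n",
	       toy_refcnt_offset(), ok ? "yes" : "no");
	return ok ? 0 : 1;
}
```

The point of the static assertions is that the "keep offset(...) == 128" intent in the patches above becomes a build failure the moment a field is inserted in the wrong place, instead of a comment that silently goes stale; the demo function shows why a field inside the marker region comes out of a clone holding whatever the allocator left there.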
Thread overview:
2025-05-13 16:48 lockup and kernel panic in linux-next-202505{09,12} when compiled with clang Bert Karwatzki
2025-05-13 22:33 ` Thomas Gleixner
2025-05-14 0:11 ` Bert Karwatzki
2025-05-14 9:32 ` Bert Karwatzki
2025-05-14 10:23 ` Johannes Berg
2025-05-14 13:46 ` Bert Karwatzki
2025-05-14 17:49 ` Johannes Berg
2025-05-14 18:56 ` Johannes Berg
2025-05-14 22:27 ` Bert Karwatzki
2025-05-15 6:30 ` Johannes Berg
2025-05-15 9:10 ` Bert Karwatzki
2025-05-16 18:19 ` Bert Karwatzki
2025-05-17 11:34 ` Bert Karwatzki
2025-05-17 19:49 ` Bert Karwatzki
2025-05-18 1:30 ` Jason Xing
2025-05-18 12:12 ` Bert Karwatzki
2025-05-18 12:43 ` Bert Karwatzki
2025-05-18 14:15 ` Bert Karwatzki
2025-05-18 14:41 ` Bert Karwatzki [this message]