From: Al Viro <viro@ZenIV.linux.org.uk>
To: Vince Weaver <vincent.weaver@maine.edu>
Cc: linux-kernel@vger.kernel.org,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Paul Mackerras <paulus@samba.org>, Ingo Molnar <mingo@redhat.com>,
Arnaldo Carvalho de Melo <acme@ghostprotocols.net>,
trinity@vger.kernel.org
Subject: Re: OOPS in perf_mmap_close()
Date: Thu, 23 May 2013 05:48:03 +0100
Message-ID: <20130523044803.GA25399@ZenIV.linux.org.uk>
In-Reply-To: <alpine.DEB.2.10.1305222344060.12929@vincent-weaver-1.um.maine.edu>

On Wed, May 22, 2013 at 11:48:51PM -0400, Vince Weaver wrote:
>
> In case anyone cares, the Oops is happening here:
>
> 1a56: 48 c1 e8 0c shr $0xc,%rax
> 1a5a: 48 ff c0 inc %rax
> > 1a5d: f0 48 29 45 60 lock sub %rax,0x60(%rbp)
> 1a62: 49 8b 46 40 mov 0x40(%r14),%rax
>
> Which maps to this in perf_mmap_close() in kernel/events/core.c:
>
> atomic_long_sub((size >> PAGE_SHIFT) + 1, &user->locked_vm);
>
> And "user" (%rbp) is RBP: 0000000000000000, hence the problem.
>
> I'm having trouble tracking the problem back any further as the code is a
> bit convoluted and is not commented at all.

FWIW, at least part of perf_mmap_close() is obvious garbage - increment of
->pinned_vm happens in mmap(), decrement - on the ->close() of the last
VMA clonal to one we'd created in that mmap(), regardless of the address
space it's in. Not that handling of ->pinned_vm made any sense wrt fork()...

Actually... What happens if you mmap() the same opened file of that
kind several times, each time with the same size? AFAICS, on all
subsequent calls we'll get

	mutex_lock(&event->mmap_mutex);
	if (event->rb) {
		if (event->rb->nr_pages == nr_pages)
			atomic_inc(&event->rb->refcount);
		else
			...
		goto unlock;
unlock:
	if (!ret)
		atomic_inc(&event->mmap_count);
	mutex_unlock(&event->mmap_mutex);

i.e. we bump event->mmap_count *and* event->rb->refcount. munmap()
all of them and each will generate a call of perf_mmap_close(); ->mmap_count
will go down to zero and on all but the last call we'll have nothing else
done. On the last call we'll hit ring_buffer_put(), which will decrement
event->rb->refcount once. Note that by that point we simply don't know
how many times we'd incremented it in those mmap() calls - it's too late
to clean up. IOW, unless I'm misreading that code, we've got a leak in
there. Not the same bug, but...
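
Added example, not part of the original message and not kernel code: a user-space C model of the two counters described above, showing that N same-size mmap() calls followed by N closes leave N-1 buffer references behind. The struct layouts, the initial reference taken on the first mmap(), the failure return for the elided size-mismatch branch, and the "balanced" variant (one reference dropped per close, shown only for contrast) are assumptions of the model.

```c
#include <stdio.h>

/* User-space model of the two counters in the message; not kernel code. */
struct ring_buffer { int refcount; int nr_pages; };
struct perf_event  { int mmap_count; struct ring_buffer *rb; };

/* mmap() path: the first call installs the buffer with one reference
 * (assumption); each later same-size call bumps both counters. */
static int model_mmap(struct perf_event *ev, struct ring_buffer *buf, int nr_pages)
{
    if (ev->rb) {
        if (ev->rb->nr_pages != nr_pages)
            return -1;  /* branch elided in the message; modelled as failure */
        ev->rb->refcount++;
    } else {
        *buf = (struct ring_buffer){ .refcount = 1, .nr_pages = nr_pages };
        ev->rb = buf;
    }
    ev->mmap_count++;
    return 0;
}

/* close path: balanced == 0 drops one rb reference on the last close only,
 * as the message describes; balanced != 0 drops one per close (hypothetical). */
static void model_close(struct perf_event *ev, int balanced)
{
    int last = (--ev->mmap_count == 0);
    if (balanced || last)
        ev->rb->refcount--;
}

/* Map the same event n times, unmap all, return references still held. */
static int leaked_refs(int n, int balanced)
{
    struct ring_buffer buf = {0, 0};
    struct perf_event ev = {0, NULL};
    for (int i = 0; i < n; i++)
        if (model_mmap(&ev, &buf, 8) != 0)
            return -1;
    for (int i = 0; i < n; i++)
        model_close(&ev, balanced);
    return buf.refcount;
}

int main(void)
{
    printf("3 maps: as described %d, balanced %d\n", leaked_refs(3, 0), leaked_refs(3, 1));
    return 0;
}
```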