| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Feb 2011 10:48:18 -0800
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Michal Hocko <mhocko@...e.cz>, Ingo Molnar <mingo@...e.hu>,
linux-mm@...ck.org, LKML <linux-kernel@...r.kernel.org>,
David Miller <davem@...emloft.net>,
Eric Dumazet <eric.dumazet@...il.com>, netdev@...r.kernel.org,
Arnaldo Carvalho de Melo <acme@...hat.com>
Subject: Re: BUG: Bad page map in process udevd (anon_vma: (null)) in 2.6.38-rc4
On Fri, Feb 18, 2011 at 10:08 AM, Eric W. Biederman
<ebiederm@...ssion.com> wrote:
>
> I am still getting programs segfaulting but that is happening on other
> machines running on older kernels so I am going to chalk that up to a
> buggy test and a false positive.
Ok.
> I am have OOM problems getting my tests run to complete. On a good
> day that happens about 1 time in 3 right now. I'm guess I will have
> to turn off DEBUG_PAGEALLOC to get everything to complete.
> DEBUG_PAGEALLOC causes us to use more memory doesn't it?
It does use a bit more memory, but it shouldn't be _that_ noticeable.
The real cost of DEBUG_PAGEALLOC is all the crazy page table
operations and TLB flushes we do for each allocation/deallocation. So
DEBUG_PAGEALLOC is very CPU-intensive, but it shouldn't have _that_
much of a memory overhead - just some trivial overhead due to not
being able to use largepages for the normal kernel identity mappings.
But there might be some other interaction with OOM that I haven't thought about.
> The most interesting thing I have right now is a networking lockdep
> issue. Does anyone know what is going on there?
This seems to be a fairly straightforward bug.
In net/ipv4/inet_timewait_sock.c we have this:
/* These are always called from BH context. See callers in
* tcp_input.c to verify this.
*/
/* This is for handling early-kills of TIME_WAIT sockets. */
void inet_twsk_deschedule(struct inet_timewait_sock *tw,
struct inet_timewait_death_row *twdr)
{
spin_lock(&twdr->death_lock);
..
and the intention is clearly that that spin_lock is BH-safe because
it's called from BH context.
Except that clearly isn't true. It's called from a worker thread:
> stack backtrace:
> Pid: 10833, comm: kworker/u:1 Not tainted 2.6.38-rc4-359399.2010AroraKernelBeta.fc14.x86_64 #1
> Call Trace:
> [<ffffffff81460e69>] ? inet_twsk_deschedule+0x29/0xa0
> [<ffffffff81460fd6>] ? inet_twsk_purge+0xf6/0x180
> [<ffffffff81460f10>] ? inet_twsk_purge+0x30/0x180
> [<ffffffff814760fc>] ? tcp_sk_exit_batch+0x1c/0x20
> [<ffffffff8141c1d3>] ? ops_exit_list.clone.0+0x53/0x60
> [<ffffffff8141c520>] ? cleanup_net+0x100/0x1b0
> [<ffffffff81068c47>] ? process_one_work+0x187/0x4b0
> [<ffffffff81068be1>] ? process_one_work+0x121/0x4b0
> [<ffffffff8141c420>] ? cleanup_net+0x0/0x1b0
> [<ffffffff8106a65c>] ? worker_thread+0x15c/0x330
so it can deadlock with a BH happening at the same time, afaik.
The code (and comment) is all from 2005, it looks like the BH->worker
thread has broken the code. But somebody who knows that code better
should take a deeper look at it.
Added acme to the cc, since the code is attributed to him back in 2005
;). Although I don't know how active he's been in networking lately
(seems to be all perf-related). Whatever, it can't hurt.
Linus
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists