lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080419184137.79957a07@daedalus.pq.iki.fi>
Date:	Sat, 19 Apr 2008 18:41:37 +0300
From:	Pekka Paalanen <pq@....fi>
To:	linux-kernel@...r.kernel.org
Cc:	Ingo Molnar <mingo@...e.hu>, Steven Rostedt <rostedt@...dmis.org>,
	mathieu.desnoyers@...ymtl.ca
Subject: [BUG] kmalloc_node(GFP_KERNEL) while smp_alt spinlocked

On Mon, 14 Apr 2008 08:57:13 +0200
Ingo Molnar <mingo@...e.hu> wrote:

> Pekka Paalanen wrote:
> > When I tested this patch on Intel Core 2 Duo, enter_uniprocessor() 
> > triggered the following kernel bug:
> > 
> > Linux version 2.6.25-rc8-sched-devel.git-x86-latest.git (paalanen@...00006)
> > (gcc version 4.1.2 (Gentoo 4.1.2 p1.0.1)) #2 SMP PREEMPT Sun Apr 13
> > 22:09:03 EEST 2008
> > ...
> > in mmio_trace_init
> > mmiotrace: Disabling non-boot CPUs...
> > CPU 1 is now offline
> > lockdep: fixing up alternatives.
> > SMP alternatives: switching to UP code
> > BUG: sleeping function called from invalid context at mm/slab.c:3053
> > in_atomic():1, irqs_disabled():0
> > 5 locks held by bash/4423:
> >  #0:  (trace_types_lock){--..}, at: [<ffffffff8026442f>] tracing_set_trace_write+0x93/0x11a
> >  #1:  (mmiotrace_mutex){--..}, at: [<ffffffff802251e0>] enable_mmiotrace+0x17/0x142
> >  #2:  (cpu_add_remove_lock){--..}, at: [<ffffffff802580e5>] cpu_maps_update_begin+0x12/0x14
> >  #3:  (&cpu_hotplug.lock){--..}, at: [<ffffffff8025814f>] cpu_hotplug_begin+0x39/0x9f
> >  #4:  (smp_alt){--..}, at: [<ffffffff80211bd9>] alternatives_smp_switch+0x66/0x1ab
> > Pid: 4423, comm: bash Not tainted 2.6.25-rc8-sched-devel.git-x86-latest.git #2
> > 
> > Call Trace:
> >  [<ffffffff802520c0>] ? __debug_show_held_locks+0x22/0x24
> >  [<ffffffff8022d292>] __might_sleep+0xd9/0xdb
> >  [<ffffffff80287326>] cache_alloc_debugcheck_before+0x23/0x32
> >  [<ffffffff80287a32>] __kmalloc+0x34/0xa5
> >  [<ffffffff80209393>] ? clear_ti_thread_flag+0x10/0x17
> >  [<ffffffff8027d7f6>] kmalloc_node+0x9/0xb
> >  [<ffffffff8027d8e0>] __get_vm_area_node+0xa2/0x1cb
> >  [<ffffffff80209393>] ? clear_ti_thread_flag+0x10/0x17
> >  [<ffffffff8027da41>] __get_vm_area+0x13/0x15
> >  [<ffffffff8027da60>] get_vm_area+0x1d/0x1f
> >  [<ffffffff8027e14c>] vmap+0x2a/0x5c
> >  [<ffffffff8021191b>] text_poke+0xaa/0x136
> >  [<ffffffff804cba2b>] ? _etext+0x0/0x5
> >  [<ffffffff802119f6>] alternatives_smp_unlock+0x4f/0x63
> >  [<ffffffff80211ce1>] alternatives_smp_switch+0x16e/0x1ab
> >  [<ffffffff8021b163>] __cpu_die+0x53/0x7d
> >  [<ffffffff802583e2>] _cpu_down+0x195/0x26c
> >  [<ffffffff802585ca>] cpu_down+0x26/0x36
> >  [<ffffffff80225270>] enable_mmiotrace+0xa7/0x142
> >  [<ffffffff80266b8d>] mmio_trace_init+0x3c/0x40
> >  [<ffffffff8026448e>] tracing_set_trace_write+0xf2/0x11a
> >  [<ffffffff80327fac>] ? security_file_permission+0x11/0x13
> >  [<ffffffff8028b047>] vfs_write+0xa7/0xe1
> >  [<ffffffff8028b13b>] sys_write+0x47/0x6d
> >  [<ffffffff8020b4db>] system_call_after_swapgs+0x7b/0x80
> > 
> > mmiotrace: CPU1 is down.
> > mmiotrace: enabled.
> > 
> > Is this my fault, or is there a bug somewhere else? The kernel tree is 
> > sched-devel/latest git from 12th April, IIRC.
> 
> there's no known bug of sched-devel/latest of this kind (or any known 
> bug for that matter).
> 
> i suspect the bug is that you bring the CPU down from an atomic 
> (spinlocked or irq disabled) context.

I have been eyeballing the code in current sched-devel/latest and there's
something I think I found.

This is the beginning of my enter_uniprocessor() which is called from
enable_mmiotrace() seen in the backtrace.

static void enter_uniprocessor(void)
{
	int cpu;
	int err;

	get_online_cpus();
	downed_cpus = cpu_online_map;
	cpu_clear(first_cpu(cpu_online_map), downed_cpus);
	if (num_online_cpus() > 1)
		pr_notice(NAME "Disabling non-boot CPUs...\n");
	put_online_cpus();

	for_each_cpu_mask(cpu, downed_cpus) {
		err = cpu_down(cpu);

The function get_online_cpus() calls might_sleep(), so at that
point everything is fine.

Following the backtrace, we come to alternatives_smp_switch(),
which does
	spin_lock(&smp_alt);
and then continues eventually into this function:

void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
{
        unsigned long flags;
        char *vaddr;
        int nr_pages = 2;

        BUG_ON(len > sizeof(long));
        BUG_ON((((long)addr + len - 1) & ~(sizeof(long) - 1))
                - ((long)addr & ~(sizeof(long) - 1)));
        if (kernel_text_address((unsigned long)addr)) {
                struct page *pages[2] = { virt_to_page(addr),
                        virt_to_page(addr + PAGE_SIZE) };
                if (!pages[1])
                        nr_pages = 1;
                vaddr = vmap(pages, nr_pages, VM_MAP, PAGE_KERNEL);

After which we find ourselves in

struct vm_struct *__get_vm_area(unsigned long size, unsigned long flags,
                                unsigned long start, unsigned long end)
{
	return __get_vm_area_node(size, flags, start, end, -1, GFP_KERNEL);

and in __get_vm_area_node() there is
area = kmalloc_node(sizeof(*area), gfp_mask & GFP_RECLAIM_MASK, node);

where gfp_mask is now GFP_KERNEL. As far as I can tell, using SLAB,
kmalloc_node() here is actually kmalloc(). Anyway, looks like we end up
in __kmalloc with such flags that it may sleep.

I have followed the code so that the path up to kmalloc_node() is
possible, unless there are some "should never happen" conditions
along the way, which I just cannot know of.

Is this the bug?


Thanks.

-- 
Pekka Paalanen
http://www.iki.fi/pq/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ