lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20090407045857.GA14481@elte.hu>
Date:	Tue, 7 Apr 2009 06:58:57 +0200
From:	Ingo Molnar <mingo@...e.hu>
To:	Linus Torvalds <torvalds@...ux-foundation.org>,
	Tejun Heo <tj@...nel.org>, "H. Peter Anvin" <hpa@...or.com>,
	Rusty Russell <rusty@...tcorp.com.au>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Vegard Nossum <vegard.nossum@...il.com>
Cc:	linux-kernel@...r.kernel.org,
	Pekka Enberg <penberg@...helsinki.fi>,
	Steven Rostedt <rostedt@...dmis.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Thomas Gleixner <tglx@...utronix.de>,
	Eduard - Gabriel Munteanu <eduard.munteanu@...ux360.ro>
Subject: Re: [GIT PULL] SLAB include file dependency fixes + kmemtrace
	updates


(more folks Cc:-ed)

* Linus Torvalds <torvalds@...ux-foundation.org> wrote:

> >    git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip.git kmemtrace-for-linus
> > 
> > We kept this topic separate from the main tracing tree due to 
> > the unexpectedly wide and messy-looking scope of the fixes Pekka 
> > needed to do to untangle various slab*.h, rcu*.h and fs.h 
> > dependency chains.
> 
> I'm not sure this is the tree that brings in the problem, but my 
> wife's Mac Mini won't boot any more, and it looks like some slub 
> or percpu issue, so regardless, roughly the right people are 
> involved in the cc here already.
> 
> I get odd NUL page faults or GP faults in either __kmalloc, 
> __kmalloc_track_caller or kmem_cache_alloc, and they all seem to 
> happen on roughly the same code, ie it's something like this:
> 
>         movq    752(%r13,%rax,8), %rdx  # <variable>.cpu_slab, c
>         movl    24(%rdx), %eax  # <variable>.objsize,
>         movl    %eax, -44(%rbp) #, objsize
>         movq    (%rdx), %r12    # <variable>.freelist, object
>         testq   %r12, %r12      # object
>         je      .L617   #,
>         mov     20(%rdx), %eax  # <variable>.offset, <variable>.offset
> ->      movq    (%r12,%rax,8), %rax     #* object, tmp79
>         movq    %rax, (%rdx)    # tmp79, <variable>.freelist
> 
> where that arrow points to the instruction that seems to be faulting.
> 
> I think it's this code:
> 
>                 object = c->freelist;
>                 c->freelist = object[c->offset];
> 
> and that "object[c->offset]" in particular.
> 
> I have not tried to bisect it yet, and I'll do that, but if this 
> sounds familiar to anybody, please holler before I waste a lot of 
> time on it.

Hm, this would suggest some sort of memory or data structure 
corruption.

There's no such pending bug (we wouldnt have pushed if there was 
anything of this severity). The historic track record:

 - the kmemtrace hooks have been 100% problem free since last 
   August. I mismerged them two times as SLUB changed upstream 
   frequently them but there was no runtime failure that i can 
   remember.

 - percpu changes have a more spotty past: and the #GP might
   suggest something there: we can get a #GP if we go outside the 
   %gs offset range and get a non-canonical address. All sorts of 
   bugs have been observed here: runtime failures with #GP and 
   memory corruption as well and linker bugs.

   To investigate+exclude this angle, a precise .config, sha1, gcc 
   and binutils version would be needed, to reproduce your exact
   kernel image. A dmesg would be helpful too - it's probably an EFI 
   bootup which is rare, but i can try to take your bootup memory 
   map dump in the dmesg and stuff it into an exactmap=<...> set of
   simulated memory environment - maybe that tickles the bug here 
   too.

 - [ stackprotector connects to percpu and got re-enabled - please
     double check you have it off in your config. ]

 - [ cpumask changes have sometimes produced runtime crashes, and 
     once a memory corruption - but only with 
     CONFIG_CPUMASK_OFFSTACK=y which i doubt you have enabled. ]

So unless you have a good crash pattern with a smoking gun, and if 
it's reproducible but bisection does not lead anywhere (which your 
later mails suggest), it might make sense to boot up with the full 
array of memory related debugging checks enabled:

  CONFIG_DEBUG_PAGEALLOC=y
  CONFIG_SLUB_DEBUG=y
  CONFIG_SLUB_DEBUG_ON=y

If the bug is timing or kernel image layout sensitive, this might 
hide it though.

Does it reproduce with maxcpus=1? If yes, it would weaken the percpu 
angle - paradoxially most of the percpu trouble we had during 
development was uniform and affected UP too.

Plus if it's a genuine memory corruptor and not timing sensitive and 
all other efforts fail, then there's also kmemcheck to try:

   git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip.git kmemcheck

( Note: i merged this branch up to latest -git 30 seconds ago with 5 
  conflict resolutions half awake, but it will all be perfect, rest 
  assured. [ If not - a build failure or so - have a look at the 
  conflict resolutions ] If you try this you might have to tweak the 
  .config a bit to make CONFIG_KMEMCHECK appear - it's dependent on 
  a few things. Also - a kmemcheck false positive might hit the 
  bootup sooner than a genuine memory corruption so even if it emits 
  something, it might not be genuinely interesting. )

	Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ