lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110619204329.GA4771@joi.lan>
Date:	Sun, 19 Jun 2011 22:43:29 +0200
From:	Marcin Slusarz <marcin.slusarz@...il.com>
To:	Thomas Gleixner <tglx@...utronix.de>
Cc:	Catalin Marinas <catalin.marinas@....com>,
	Tejun Heo <tj@...nel.org>, LKML <linux-kernel@...r.kernel.org>,
	Dipankar Sarma <dipankar@...ibm.com>,
	"Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH] debugobjects: fix boot crash when both kmemleak and
 debugobjects are enabled (was: Re: early kernel crash when kmemleak is
 enabled)

On Sat, May 28, 2011 at 01:23:42PM +0200, Marcin Slusarz wrote:
> On Fri, May 27, 2011 at 10:37:54PM +0200, Thomas Gleixner wrote:
> > On Fri, 27 May 2011, Marcin Slusarz wrote:
> > > On Thu, May 19, 2011 at 03:08:53PM +0100, Catalin Marinas wrote:
> > > > On Thu, 2011-05-19 at 14:54 +0100, Tejun Heo wrote:
> > > > > On Thu, May 19, 2011 at 02:48:44PM +0100, Catalin Marinas wrote:
> > > > > > Thanks for tracking this down. Untested (I can add a log afterwards):
> > > > > >
> > > > > > diff --git a/init/main.c b/init/main.c
> > > > > > index 4a9479e..48df882 100644
> > > > > > --- a/init/main.c
> > > > > > +++ b/init/main.c
> > > > > > @@ -580,8 +580,8 @@ asmlinkage void __init start_kernel(void)
> > > > > >  #endif
> > > > > >       page_cgroup_init();
> > > > > >       enable_debug_pagealloc();
> > > > > > -     kmemleak_init();
> > > > > >       debug_objects_mem_init();
> > > > > > +     kmemleak_init();
> > > > > >       setup_per_cpu_pageset();
> > > > > >       numa_policy_init();
> > > > > >       if (late_time_init)
> > > > > 
> > > > > Heh, that was swift.  Yeap, seems to work here.  Please feel free to
> > > > > add my Tested-by.
> > > > 
> > > > Thanks. I have two other minor kmemleak fixes, so I'll send Linus a pull
> > > > request in the next day or so.
> > > > 
> > > 
> > > With this patch applied kernel didn't panic, but kmemleak did not work either:
> > > 
> > > kmemleak: Early log buffer exceeded, please increase DEBUG_KMEMLEAK_EARLY_LOG_SIZE
> > > kmemleak: Kernel memory leak detector disabled
> > > 
> > > I increased DEBUG_KMEMLEAK_EARLY_LOG_SIZE from 400 to 1000, and it crashed in
> > > exactly the same way:
> > 
> > ...
> >  
> > > The problem is: debugobjects want to use workqueues (system_wq actually), but they
> > > are initialized much later in a boot process.
> > > 
> > > Attached patch fixes this issue for me.
> > > 
> > > 
> > > diff --git a/lib/debugobjects.c b/lib/debugobjects.c
> > > index 9d86e45..a78b7c6 100644
> > > --- a/lib/debugobjects.c
> > > +++ b/lib/debugobjects.c
> > > @@ -198,7 +198,7 @@ static void free_object(struct debug_obj *obj)
> > >  	 * initialized:
> > >  	 */
> > >  	if (obj_pool_free > ODEBUG_POOL_SIZE && obj_cache)
> > > -		sched = !work_pending(&debug_obj_work);
> > > +		sched = keventd_up() && !work_pending(&debug_obj_work);
> > >  	hlist_add_head(&obj->node, &obj_pool);
> > >  	obj_pool_free++;
> > >  	obj_pool_used--;
> > > 
> > 
> > Sigh, yes. Care to resend with changelog and signed-off-by ?
> > 
> 
> Sure.
> 
> ---
> From: Marcin Slusarz <marcin.slusarz@...il.com>
> Subject: [PATCH] debugobjects: fix boot crash when both kmemleak and debugobjects are enabled
> 
> order of initialization look like this:
> 
> ...
> debugobjects
> kmemleak
> ...(lots of other subsystems)...
> workqueues (through early initcall)
> ...
> 
> debugobjects use schedule_work for batch freeing of its data and kmemleak
> heavily use debugobjects, so when it comes to freeing and workqueues were
> not initialized yet, kernel crashes:
> 
> BUG: unable to handle kernel NULL pointer dereference at           (null)
> IP: [<ffffffff810854d1>] __queue_work+0x29/0x41a
> PGD 0
> Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> (...)
> Pid: 1, comm: swapper Not tainted 2.6.39-rc4-nv+ #721 Bochs Bochs
> RIP: 0010:[<ffffffff810854d1>]  [<ffffffff810854d1>] __queue_work+0x29/0x41a
> (...)
> Call Trace:
>  <IRQ>
>  [<ffffffff81085910>] queue_work_on+0x16/0x1d
>  [<ffffffff81085abc>] queue_work+0x29/0x55
>  [<ffffffff81085afb>] schedule_work+0x13/0x15
>  [<ffffffff81242de1>] free_object+0x90/0x95
>  [<ffffffff81242f6d>] debug_check_no_obj_freed+0x187/0x1d3
>  [<ffffffff814b6504>] ? _raw_spin_unlock_irqrestore+0x30/0x4d
>  [<ffffffff8110bd14>] ? free_object_rcu+0x68/0x6d
>  [<ffffffff8110890c>] kmem_cache_free+0x64/0x12c
>  [<ffffffff8110bd14>] free_object_rcu+0x68/0x6d
>  [<ffffffff810b58bc>] __rcu_process_callbacks+0x1b6/0x2d9
>  [<ffffffff81095c9f>] ? tick_handle_periodic+0x1f/0x6c
>  [<ffffffff810b5a5a>] rcu_process_callbacks+0x7b/0x83
>  [<ffffffff810733b2>] __do_softirq+0x117/0x207
>  [<ffffffff810b05d3>] ? handle_irq_event+0x47/0x5c
>  [<ffffffff814bd0cc>] call_softirq+0x1c/0x30
>  [<ffffffff81034bc4>] do_softirq+0x38/0x80
>  [<ffffffff810730ed>] irq_exit+0x4e/0xa0
>  [<ffffffff8103429a>] do_IRQ+0x97/0xae
>  [<ffffffff814b6853>] common_interrupt+0x13/0x13
>  <EOI>
>  [<ffffffff8123d25f>] ? delay_tsc+0x48/0xcb
>  [<ffffffff8123d32a>] __const_udelay+0x25/0x27
>  [<ffffffff81aaae16>] timer_irq_works+0x3c/0x77
>  [<ffffffff81aab422>] setup_IO_APIC+0x337/0x755
>  [<ffffffff81aa956c>] native_smp_prepare_cpus+0x3a0/0x451
>  [<ffffffff814b64b9>] ? _raw_spin_unlock_irq+0x19/0x34
>  [<ffffffff81a9e52b>] kernel_init+0x4e/0x135
>  [<ffffffff8123e0fe>] ? trace_hardirqs_on_thunk+0x3a/0x3c
>  [<ffffffff814bcfd4>] kernel_thread_helper+0x4/0x10
>  [<ffffffff81063d70>] ? finish_task_switch+0x5a/0xcb
>  [<ffffffff814b64b9>] ? _raw_spin_unlock_irq+0x19/0x34
>  [<ffffffff814b68b1>] ? retint_restore_args+0xe/0xe
>  [<ffffffff81a9e4dd>] ? parse_early_options+0x20/0x20
>  [<ffffffff814bcfd0>] ? gs_change+0xb/0xb
> Code: c9 c3 55 48 89 e5 41 57 41 56 41 55 49 89 f5 41 54 48 c7 c6 a0 b7 a3 81 53 41 89 fc 48 83 ec 28 48 89 d3 48 89 d7 e8 63 d7 1b 00
>  f6 45 00 40 0f 84 6b 01 00 00 b8 09 00 00 00 83 3d 28 10 a0
> RIP  [<ffffffff810854d1>] __queue_work+0x29/0x41a
>  RSP <ffff880007c03c90>
> CR2: 0000000000000000
> ---[ end trace 4eaa2a86a8e2da22 ]---
> Kernel panic - not syncing: Fatal exception in interrupt
> 
> ...because system_wq is NULL.
> 
> Fix it by checking if workqueues susbystem was initialized before using.
> 
> Signed-off-by: Marcin Slusarz <marcin.slusarz@...il.com>
> Cc: Thomas Gleixner <tglx@...utronix.de>
> Cc: Tejun Heo <tj@...nel.org>
> Cc: Catalin Marinas <catalin.marinas@....com>
> Cc: stable@...nel.org
> ---
>  lib/debugobjects.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/lib/debugobjects.c b/lib/debugobjects.c
> index 9d86e45..a78b7c6 100644
> --- a/lib/debugobjects.c
> +++ b/lib/debugobjects.c
> @@ -198,7 +198,7 @@ static void free_object(struct debug_obj *obj)
>  	 * initialized:
>  	 */
>  	if (obj_pool_free > ODEBUG_POOL_SIZE && obj_cache)
> -		sched = !work_pending(&debug_obj_work);
> +		sched = keventd_up() && !work_pending(&debug_obj_work);
>  	hlist_add_head(&obj->node, &obj_pool);
>  	obj_pool_free++;
>  	obj_pool_used--;
> -- 


What's up with this patch? I can't find it in -next...

Marcin

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ