lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAGXD9Of=ByWJFv7fXb2g_uzufhw-P=nCSkYnGOA8BpNOP_YgRw@mail.gmail.com>
Date:	Fri, 11 Jan 2013 12:53:30 -0800
From:	Prasad Koya <prasad.koya@...il.com>
To:	Max Filippov <jcmvbkbc@...il.com>
Cc:	LKML <linux-kernel@...r.kernel.org>, linux-mm@...ck.org,
	Andrew Morton <akpm@...ux-foundation.org>,
	Johannes Weiner <hannes@...xchg.org>,
	"David S. Miller" <davem@...emloft.net>, Tejun Heo <tj@...nel.org>,
	Joonsoo Kim <js1304@...il.com>
Subject: Re: [PATCH v3] mm: bootmem: fix free_all_bootmem_core with odd bitmap alignment

Hi

I am seeing similar issue with 2.6.38 as well.

[    0.000000] Your BIOS doesn't leave a aperture memory hole
[    0.000000] Please enable the IOMMU option in the BIOS setup
[    0.000000] This costs you 64 MB of RAM
[    0.000000] Mapping aperture over 65536 KB of RAM @ b4000000
[    0.000000] BUG: Bad page state in process swapper  pfn:73676
[    0.000000] page:ffffea0002ee1ff0 count:0 mapcount:0
mapping:0040000054000045 index:0xdb0a0008120411ac
[    0.000000] page flags: 0x4000000000000000()
[    0.000000] Pid: 0, comm: swapper Not tainted
2.6.38.8.Ar-1049552.2012kernelmainline.2 #1
[    0.000000] Call Trace:
[    0.000000] [<ffffffff81077ac8>] ? dump_page+0xd3/0xd8
[    0.000000] [<ffffffff81078ac4>] ? bad_page+0xef/0x105
[    0.000000] [<ffffffff81078b37>] ? free_pages_prepare+0x5d/0x98
[    0.000000] [<ffffffff8107946f>] ? __free_pages_ok+0x1e/0x94
[    0.000000] [<ffffffff81079673>] ? __free_pages+0x22/0x24
[    0.000000] [<ffffffff816b2f79>] ? __free_pages_bootmem+0x54/0x56
[    0.000000] [<ffffffff81698a35>] ? free_all_memory_core_early+0xd4/0x134
[    0.000000] [<ffffffff81393e40>] ? _etext+0x0/0x2f01c0
[    0.000000] [<ffffffff81698aa3>] ? free_all_bootmem+0xe/0x10
[    0.000000] [<ffffffff816932ff>] ? mem_init+0x1e/0xec
[    0.000000] [<ffffffff81684af3>] ? start_kernel+0x1a0/0x362
[    0.000000] [<ffffffff816842a8>] ? x86_64_start_reservations+0xb8/0xbc
[    0.000000] [<ffffffff8168439e>] ? x86_64_start_kernel+0xf2/0xf9
[    0.000000] Disabling lock debugging due to kernel taint
[    0.000000] BUG: Bad page state in process swapper  pfn:73677
[    0.000000] page:ffffea0002ee2058 count:0 mapcount:0 mapping:
   (null) index:0x0
[    0.000000] page flags:
0x5b1a191817161114(referenced|dirty|owner_priv_1|private_2|mappedtodisk|reclaim|unevictable)
[    0.000000] Pid: 0, comm: swapper Tainted: G    B
2.6.38.8.Ar-1049552.2012kernelmainline.2 #1
[    0.000000] Call Trace:
[    0.000000] [<ffffffff81077ac8>] ? dump_page+0xd3/0xd8
[    0.000000] [<ffffffff81078ac4>] ? bad_page+0xef/0x105
[    0.000000] [<ffffffff81078b37>] ? free_pages_prepare+0x5d/0x98
[    0.000000] [<ffffffff8107946f>] ? __free_pages_ok+0x1e/0x94
[    0.000000] [<ffffffff81079673>] ? __free_pages+0x22/0x24
[    0.000000] [<ffffffff816b2f79>] ? __free_pages_bootmem+0x54/0x56
[    0.000000] [<ffffffff81698a35>] ? free_all_memory_core_early+0xd4/0x134
[    0.000000] [<ffffffff81393e40>] ? _etext+0x0/0x2f01c0
[    0.000000] [<ffffffff81698aa3>] ? free_all_bootmem+0xe/0x10
[    0.000000] [<ffffffff816932ff>] ? mem_init+0x1e/0xec
[    0.000000] [<ffffffff81684af3>] ? start_kernel+0x1a0/0x362
[    0.000000] [<ffffffff816842a8>] ? x86_64_start_reservations+0xb8/0xbc
[    0.000000] [<ffffffff8168439e>] ? x86_64_start_kernel+0xf2/0xf9
[    0.000000] BUG: Bad page state in process swapper  pfn:73d8a
[    0.000000] page:ffffea0002f10010 count:0 mapcount:0
mapping:0b0a09080001f1c5 index:0x1b1a191817161514
[    0.000000] page flags: 0x4000000000000000()
[    0.000000] Pid: 0, comm: swapper Tainted: G    B
2.6.38.8.Ar-1049552.2012kernelmainline.2 #1
[    0.000000] Call Trace:
[    0.000000] [<ffffffff81077ac8>] ? dump_page+0xd3/0xd8
[    0.000000] [<ffffffff81078ac4>] ? bad_page+0xef/0x105
[    0.000000] [<ffffffff81078b37>] ? free_pages_prepare+0x5d/0x98
[    0.000000] [<ffffffff8107946f>] ? __free_pages_ok+0x1e/0x94
[    0.000000] [<ffffffff81079673>] ? __free_pages+0x22/0x24
[    0.000000] [<ffffffff816b2f79>] ? __free_pages_bootmem+0x54/0x56
[    0.000000] [<ffffffff81698a35>] ? free_all_memory_core_early+0xd4/0x134
[    0.000000] [<ffffffff81393e40>] ? _etext+0x0/0x2f01c0
[    0.000000] [<ffffffff81698aa3>] ? free_all_bootmem+0xe/0x10
[    0.000000] [<ffffffff816932ff>] ? mem_init+0x1e/0xec
[    0.000000] [<ffffffff81684af3>] ? start_kernel+0x1a0/0x362
[    0.000000] [<ffffffff816842a8>] ? x86_64_start_reservations+0xb8/0xbc
[    0.000000] [<ffffffff8168439e>] ? x86_64_start_kernel+0xf2/0xf9
[    0.000000] BUG: Bad page state in process swapper  pfn:73d8b
[    0.000000] page:ffffea0002f10078 count:0 mapcount:0 mapping:
   (null) index:0x0
[    0.000000] page flags:
0x7d78d20b37363134(referenced|dirty|lru|owner_priv_1|private_2|writeback|mappedtodisk|reclaim|unevictable|mlocked)
[    0.000000] Pid: 0, comm: swapper Tainted: G    B
2.6.38.8.Ar-1049552.2012kernelmainline.2 #1
[    0.000000] Call Trace:
[    0.000000] [<ffffffff81077ac8>] ? dump_page+0xd3/0xd8
[    0.000000] [<ffffffff81078ac4>] ? bad_page+0xef/0x105
[    0.000000] [<ffffffff81078b37>] ? free_pages_prepare+0x5d/0x98
[    0.000000] [<ffffffff8107946f>] ? __free_pages_ok+0x1e/0x94
[    0.000000] [<ffffffff81079673>] ? __free_pages+0x22/0x24
[    0.000000] [<ffffffff816b2f79>] ? __free_pages_bootmem+0x54/0x56
[    0.000000] [<ffffffff81698a35>] ? free_all_memory_core_early+0xd4/0x134
[    0.000000] [<ffffffff81393e40>] ? _etext+0x0/0x2f01c0
[    0.000000] [<ffffffff81698aa3>] ? free_all_bootmem+0xe/0x10
[    0.000000] [<ffffffff816932ff>] ? mem_init+0x1e/0xec
[    0.000000] [<ffffffff81684af3>] ? start_kernel+0x1a0/0x362
[    0.000000] [<ffffffff816842a8>] ? x86_64_start_reservations+0xb8/0xbc
[    0.000000] [<ffffffff8168439e>] ? x86_64_start_kernel+0xf2/0xf9
[    0.000000] Memory: 3891076k/5242880k available (3663k kernel code,
1049088k absent, 302204k reserved, 2930k data, 416k init)

On Sat, Jan 5, 2013 at 1:49 AM, Max Filippov <jcmvbkbc@...il.com> wrote:
> Currently free_all_bootmem_core ignores that node_min_pfn may be not
> multiple of BITS_PER_LONG. E.g. commit 6dccdcbe "mm: bootmem: fix
> checking the bitmap when finally freeing bootmem" shifts vec by lower
> bits of start instead of lower bits of idx. Also
>
>   if (IS_ALIGNED(start, BITS_PER_LONG) && vec == ~0UL)
>
> assumes that vec bit 0 corresponds to start pfn, which is only true when
> node_min_pfn is a multiple of BITS_PER_LONG. Also loop in the else
> clause can double-free pages (e.g. with node_min_pfn == start == 1,
> map[0] == ~0 on 32-bit machine page 32 will be double-freed).
>
> This bug causes the following message during xtensa kernel boot:
>
> [    0.000000] bootmem::free_all_bootmem_core nid=0 start=1 end=8000
> [    0.000000] BUG: Bad page state in process swapper  pfn:00001
> [    0.000000] page:d04bd020 count:0 mapcount:-127 mapping:  (null) index:0x2
> [    0.000000] page flags: 0x0()
> [    0.000000]
> [    0.000000] Stack: 00000000 00000002 00000004 ffffffff d0193e44 ffffff81 00000000 00000002
> [    0.000000]        90038c66 d0193e90 d04bd020 000001a8 00000000 ffffffff 00000000 00000020
> [    0.000000]        90039a4c d0193eb0 d04bd020 00000001 d04b7b20 ffff8ad0 00000000 00000000
> [    0.000000] Call Trace:
> [    0.000000]  [<d0038bf8>] bad_page+0x8c/0x9c
> [    0.000000]  [<d0038c66>] free_pages_prepare+0x5e/0x88
> [    0.000000]  [<d0039a4c>] free_hot_cold_page+0xc/0xa0
> [    0.000000]  [<d0039b28>] __free_pages+0x24/0x38
> [    0.000000]  [<d01b8230>] __free_pages_bootmem+0x54/0x56
> [    0.000000]  [<d01b1667>] free_all_bootmem_core$part$11+0xeb/0x138
> [    0.000000]  [<d01b179e>] free_all_bootmem+0x46/0x58
> [    0.000000]  [<d01ae7a9>] mem_init+0x25/0xa4
> [    0.000000]  [<d01ad13e>] start_kernel+0x11e/0x25c
> [    0.000000]  [<d01a9121>] should_never_return+0x0/0x3be7
>
> The fix is the following:
> - always align vec so that its bit 0 corresponds to start
> - provide BITS_PER_LONG bits in vec, if those bits are available in the map
> - don't free pages past next start position in the else clause.
>
> Signed-off-by: Max Filippov <jcmvbkbc@...il.com>
> ---
> Arrrgh, I no longer send patches at 4am, sorry ):
> v1 didn't build, v2 else loop initialization was wrong.
>
>  mm/bootmem.c |   24 ++++++++++++++++++------
>  1 files changed, 18 insertions(+), 6 deletions(-)
>
> diff --git a/mm/bootmem.c b/mm/bootmem.c
> index 1324cd7..b93376c 100644
> --- a/mm/bootmem.c
> +++ b/mm/bootmem.c
> @@ -185,10 +185,23 @@ static unsigned long __init free_all_bootmem_core(bootmem_data_t *bdata)
>
>         while (start < end) {
>                 unsigned long *map, idx, vec;
> +               unsigned shift;
>
>                 map = bdata->node_bootmem_map;
>                 idx = start - bdata->node_min_pfn;
> +               shift = idx & (BITS_PER_LONG - 1);
> +               /*
> +                * vec holds at most BITS_PER_LONG map bits,
> +                * bit 0 corresponds to start.
> +                */
>                 vec = ~map[idx / BITS_PER_LONG];
> +
> +               if (shift) {
> +                       vec >>= shift;
> +                       if (end - start >= BITS_PER_LONG)
> +                               vec |= ~map[idx / BITS_PER_LONG + 1] <<
> +                                       (BITS_PER_LONG - shift);
> +               }
>                 /*
>                  * If we have a properly aligned and fully unreserved
>                  * BITS_PER_LONG block of pages in front of us, free
> @@ -201,19 +214,18 @@ static unsigned long __init free_all_bootmem_core(bootmem_data_t *bdata)
>                         count += BITS_PER_LONG;
>                         start += BITS_PER_LONG;
>                 } else {
> -                       unsigned long off = 0;
> +                       unsigned long cur = start;
>
> -                       vec >>= start & (BITS_PER_LONG - 1);
> -                       while (vec) {
> +                       start = ALIGN(start + 1, BITS_PER_LONG);
> +                       while (vec && cur != start) {
>                                 if (vec & 1) {
> -                                       page = pfn_to_page(start + off);
> +                                       page = pfn_to_page(cur);
>                                         __free_pages_bootmem(page, 0);
>                                         count++;
>                                 }
>                                 vec >>= 1;
> -                               off++;
> +                               ++cur;
>                         }
> -                       start = ALIGN(start + 1, BITS_PER_LONG);
>                 }
>         }
>
> --
> 1.7.7.6
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists