Activity log for bug #1320782

Date Who What changed Old value New value Message
2014-05-19 07:43:09 Naresh Kamboju bug added bug
2014-05-19 07:43:09 Naresh Kamboju attachment added ltp-huge-page-bug-on-lsk-Juno.log https://bugs.launchpad.net/bugs/1320782/+attachment/4115348/+files/ltp-huge-page-bug-on-lsk-Juno.log
2014-05-19 07:43:46 Naresh Kamboju bug added subscriber Steve Capper
2014-05-19 08:09:14 Naresh Kamboju description

Old value:

While testing the LTP test suite and memory stress tests, the following bug was found.

Test case name: thp03

Error log:
--------------
    thp02 0 TINFO : mremap 0x7f90e01000 to 0x7f8fa01000
    thp02 1 TPASS : Still alive.
    [ 2525.441528] BUG: failure at /home/buildslave/workspace/linux-linaro-stable-lsk-pre-merge/mm/huge_memory.c:1490/change_huge_pmd()!
    [ 2525.455612] Kernel panic - not syncing: BUG!
    [ 2525.459900] CPU: 5 PID: 5959 Comm: thp03 Not tainted 3.10.39+ #1
    [ 2525.465924] Call trace:
    [ 2525.468388] [<ffffffc000087464>] dump_backtrace+0x0/0x12c
    [ 2525.473807] [<ffffffc0000875a0>] show_stack+0x10/0x1c
    [ 2525.478879] [<ffffffc0005f36c4>] dump_stack+0x1c/0x28
    [ 2525.483950] [<ffffffc0005ef0f4>] panic+0xe4/0x208
    [ 2525.488673] [<ffffffc00016fffc>] change_huge_pmd+0xf0/0xf4
    [ 2525.494178] [<ffffffc000156d7c>] change_protection+0x39c/0x49c
    [ 2525.500031] [<ffffffc000156f5c>] mprotect_fixup+0xe0/0x204
    [ 2525.505534] [<ffffffc000157180>] SyS_mprotect+0x100/0x210
    [ 2525.510953] CPU0: stopping
    [ 2525.513677] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.10.39+ #1
    [ 2525.519787] Call trace:
    [ 2525.522249] [<ffffffc000087464>] dump_backtrace+0x0/0x12c
    [ 2525.527667] [<ffffffc0000875a0>] show_stack+0x10/0x1c
    [ 2525.532737] [<ffffffc0005f36c4>] dump_stack+0x1c/0x28
    [ 2525.537808] [<ffffffc00008dea0>] handle_IPI+0x15c/0x174
    [ 2525.543050] [<ffffffc0000812cc>] gic_handle_irq+0x74/0x7c
    [ 2525.548464] Exception stack(0xffffffc000827df0 to 0xffffffc000827f10)
    ...

The complete error log is attached to this bug, and the same can be found at this link:
https://validation.linaro.org/scheduler/job/127011/log_file#L_27_9641

Bug reported kernel code snippet
-------------------------------------------------
File: mm/huge_memory.c

    1479 int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd,
    1480                     unsigned long addr, pgprot_t newprot, int prot_numa)
    1481 {
    1482         struct mm_struct *mm = vma->vm_mm;
    1483         int ret = 0;
    1484
    1485         if (__pmd_trans_huge_lock(pmd, vma) == 1) {
    1486                 pmd_t entry;
    1487                 entry = pmdp_get_and_clear(mm, addr, pmd);
    1488                 if (!prot_numa) {
    1489                         entry = pmd_modify(entry, newprot);
    1490                         BUG_ON(pmd_write(entry));

Test case description:
Test case link: http://people.linaro.org/~naresh.kamboju/ltp/testcases/kernel/mem/thp/thp03.c

    /*
     * thp03 - Case for splitting unaligned memory.
     *       - System will panic if failed.
     *
     * Modified from a reproducer for
     *          https://patchwork.kernel.org/patch/1358441/
     * Kernel Commit id: 027ef6c87853b0a9df53175063028edb4950d476
     * There was a bug in THP, will crash happened due to the following
     * reason according to developers:
     *
     * most VM places are using pmd_none but a few are still using
     * pmd_present. The meaning is about the same for the pmd. However
     * pmd_present would return the wrong value on PROT_NONE ranges or in
     * case of a non reproducible race with split_huge_page.
     * When the code using pmd_present gets a false negative, the kernel will
     * crash. It's just an annoying DoS with a BUG_ON triggering: no memory
     * corruption and no data corruption (nor userland nor kernel).
     */

Please let me know if you need more information regarding this bug.

New value:

While testing the LTP test suite and memory stress tests, the following bug was found.

Test case name: thp03

Error log:
--------------
    thp02 0 TINFO : mremap 0x7f90e01000 to 0x7f8fa01000
    thp02 1 TPASS : Still alive.
    [ 2525.441528] BUG: failure at /home/buildslave/workspace/linux-linaro-stable-lsk-pre-merge/mm/huge_memory.c:1490/change_huge_pmd()!
    [ 2525.455612] Kernel panic - not syncing: BUG!
    [ 2525.459900] CPU: 5 PID: 5959 Comm: thp03 Not tainted 3.10.39+ #1
    [ 2525.465924] Call trace:
    [ 2525.468388] [<ffffffc000087464>] dump_backtrace+0x0/0x12c
    [ 2525.473807] [<ffffffc0000875a0>] show_stack+0x10/0x1c
    [ 2525.478879] [<ffffffc0005f36c4>] dump_stack+0x1c/0x28
    [ 2525.483950] [<ffffffc0005ef0f4>] panic+0xe4/0x208
    [ 2525.488673] [<ffffffc00016fffc>] change_huge_pmd+0xf0/0xf4
    [ 2525.494178] [<ffffffc000156d7c>] change_protection+0x39c/0x49c
    [ 2525.500031] [<ffffffc000156f5c>] mprotect_fixup+0xe0/0x204
    [ 2525.505534] [<ffffffc000157180>] SyS_mprotect+0x100/0x210
    [ 2525.510953] CPU0: stopping
    [ 2525.513677] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.10.39+ #1
    [ 2525.519787] Call trace:
    [ 2525.522249] [<ffffffc000087464>] dump_backtrace+0x0/0x12c
    [ 2525.527667] [<ffffffc0000875a0>] show_stack+0x10/0x1c
    [ 2525.532737] [<ffffffc0005f36c4>] dump_stack+0x1c/0x28
    [ 2525.537808] [<ffffffc00008dea0>] handle_IPI+0x15c/0x174
    [ 2525.543050] [<ffffffc0000812cc>] gic_handle_irq+0x74/0x7c
    [ 2525.548464] Exception stack(0xffffffc000827df0 to 0xffffffc000827f10)
    ...

The complete error log is attached to this bug, and the same can be found at this link:
https://validation.linaro.org/scheduler/job/127011/log_file#L_27_9641

Bug reported kernel code snippet
-------------------------------------------------
File: mm/huge_memory.c

    1479 int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd,
    1480                     unsigned long addr, pgprot_t newprot, int prot_numa)
    1481 {
    1482         struct mm_struct *mm = vma->vm_mm;
    1483         int ret = 0;
    1484
    1485         if (__pmd_trans_huge_lock(pmd, vma) == 1) {
    1486                 pmd_t entry;
    1487                 entry = pmdp_get_and_clear(mm, addr, pmd);
    1488                 if (!prot_numa) {
    1489                         entry = pmd_modify(entry, newprot);
    1490                         BUG_ON(pmd_write(entry));

Test case description:
Test case link: http://people.linaro.org/~naresh.kamboju/ltp/testcases/kernel/mem/thp/thp03.c

    /*
     * thp03 - Case for splitting unaligned memory.
     *       - System will panic if failed.
     *
     * Modified from a reproducer for
     *          https://patchwork.kernel.org/patch/1358441/
     * Kernel Commit id: 027ef6c87853b0a9df53175063028edb4950d476
     * There was a bug in THP, will crash happened due to the following
     * reason according to developers:
     *
     * most VM places are using pmd_none but a few are still using
     * pmd_present. The meaning is about the same for the pmd. However
     * pmd_present would return the wrong value on PROT_NONE ranges or in
     * case of a non reproducible race with split_huge_page.
     * When the code using pmd_present gets a false negative, the kernel will
     * crash. It's just an annoying DoS with a BUG_ON triggering: no memory
     * corruption and no data corruption (nor userland nor kernel).
     */

Linux kernel version:
---------------------
Linux version 3.10.39+ (buildslave@x86-64-07) (gcc version 4.8.3 20140203 (prerelease) (crosstool-NG linaro-1.13.1-4.8-2014.02 - Linaro GCC 2014.02) ) #1 SMP Fri May 16 08:37:37 UTC 2014
CPU: AArch64 Processor [410fd030] revision 0
Machine: Juno

Please let me know if you need more information regarding this bug.

2014-06-12 17:30:07 Mark Brown linaro-stable-kernel: status New Fix Committed