Linaro Stable Kernel (LSK)

  1. Bug #1320782
  2. Comment #0

Comment 0 for bug 1320782

Revision history for this message
Naresh Kamboju (naresh-kamboju) wrote :

While testing LTP test suite and memory stress tests the following bug found.

Test case name: thp03

Error log:
--------------
 thp02 0 TINFO : mremap 0x7f90e01000 to 0x7f8fa01000
 thp02 1 TPASS : Still alive.
 [ 2525.441528] BUG: failure at /home/buildslave/workspace/linux-linaro-stable-lsk-pre-merge/mm/huge_memory.c:1490/change_huge_pmd()!
 [ 2525.455612] Kernel panic - not syncing: BUG!
 [ 2525.459900] CPU: 5 PID: 5959 Comm: thp03 Not tainted 3.10.39+ #1
 [ 2525.465924] Call trace:
 [ 2525.468388] [<ffffffc000087464>] dump_backtrace+0x0/0x12c
 [ 2525.473807] [<ffffffc0000875a0>] show_stack+0x10/0x1c
 [ 2525.478879] [<ffffffc0005f36c4>] dump_stack+0x1c/0x28
 [ 2525.483950] [<ffffffc0005ef0f4>] panic+0xe4/0x208
 [ 2525.488673] [<ffffffc00016fffc>] change_huge_pmd+0xf0/0xf4
 [ 2525.494178] [<ffffffc000156d7c>] change_protection+0x39c/0x49c
 [ 2525.500031] [<ffffffc000156f5c>] mprotect_fixup+0xe0/0x204
 [ 2525.505534] [<ffffffc000157180>] SyS_mprotect+0x100/0x210
 [ 2525.510953] CPU0: stopping
 [ 2525.513677] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.10.39+ #1
 [ 2525.519787] Call trace:
 [ 2525.522249] [<ffffffc000087464>] dump_backtrace+0x0/0x12c
 [ 2525.527667] [<ffffffc0000875a0>] show_stack+0x10/0x1c
 [ 2525.532737] [<ffffffc0005f36c4>] dump_stack+0x1c/0x28
 [ 2525.537808] [<ffffffc00008dea0>] handle_IPI+0x15c/0x174
 [ 2525.543050] [<ffffffc0000812cc>] gic_handle_irq+0x74/0x7c
 [ 2525.548464] Exception stack(0xffffffc000827df0 to 0xffffffc000827f10)
...
Complete Error log attached to this bug and same can be found in this link.
https://validation.linaro.org/scheduler/job/127011/log_file#L_27_9641

Bug reported kernel code snippet
-------------------------------------------------
File: mm/huge_memory.c

1479 int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd,
1480 unsigned long addr, pgprot_t newprot, int prot_numa)
1481 {
1482 struct mm_struct *mm = vma->vm_mm;
1483 int ret = 0;
1484
1485 if (__pmd_trans_huge_lock(pmd, vma) == 1) {
1486 pmd_t entry;
1487 entry = pmdp_get_and_clear(mm, addr, pmd);
1488 if (!prot_numa) {
1489 entry = pmd_modify(entry, newprot);
1490 BUG_ON(pmd_write(entry));

Test case description:
Test case link: http://people.linaro.org/~naresh.kamboju/ltp/testcases/kernel/mem/thp/thp03.c

/*
 * thp03 - Case for spliting unaligned memory.
 * - System will panic if failed.
 *
 * Modified form a reproducer for
 * https://patchwork.kernel.org/patch/1358441/
 * Kernel Commit id: 027ef6c87853b0a9df53175063028edb4950d476
 * There was a bug in THP, will crash happened due to the following
 * reason according to developers:
 *
 * most VM places are using pmd_none but a few are still using
 * pmd_present. The meaning is about the same for the pmd. However
 * pmd_present would return the wrong value on PROT_NONE ranges or in
 * case of a non reproducible race with split_huge_page.
 * When the code using pmd_present gets a false negative, the kernel will
 * crash. It's just an annoying DoS with a BUG_ON triggering: no memory
 * corruption and no data corruption (nor userland nor kernel).
 */

Please let know if you need more information regarding this bug