The following error message could be observed during the kernel
building stress test of the command: "./parallel-73670.sh -r 2 -k 40"
That means building 40 kernels at the same time, for 2 rounds.
The bad access happens when we read page->mapping->flags, and
page->mapping is a pointer to an anon_vma that has already been freed
in the do_exit path.
==================================================================
BUG: KASan: out of bounds access in isolate_migratepages_range+0x663/0xb30 at addr ffff880279cc76d1
Read of size 8 by task cc1/27473
=============================================================================
BUG anon_vma (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------
Disabling lock debugging due to kernel taint
INFO: Allocated in anon_vma_prepare+0x189/0x250 age=7323 cpu=16 pid=31029
	__slab_alloc+0x4f8/0x560
	kmem_cache_alloc+0x18b/0x1e0
	anon_vma_prepare+0x189/0x250
	do_wp_page+0x837/0xb10
	handle_mm_fault+0x884/0x1160
	__do_page_fault+0x218/0x750
	do_page_fault+0x1a/0x70
	page_fault+0x28/0x30
INFO: Freed in __put_anon_vma+0x69/0xe0 age=8588 cpu=4 pid=29418
	__slab_free+0x2ab/0x3f0
	kmem_cache_free+0x1c1/0x200
	__put_anon_vma+0x69/0xe0
	unlink_anon_vmas+0x2a8/0x320
	free_pgtables+0x50/0x1c0
	exit_mmap+0xca/0x1e0
	mmput+0x82/0x1b0
	do_exit+0x391/0x1060
	do_group_exit+0x86/0x130
	SyS_exit_group+0x1d/0x20
	system_call_fastpath+0x1a/0x1f
INFO: Slab 0xffffea0009e73100 objects=43 used=30 fp=0xffff880279cc67a8 flags=0x2ffff0000004080
INFO: Object 0xffff880279cc7658 @offset=13912 fp=0xffff880279cc7c38
Bytes b4 ffff880279cc7648: 10 00 00 00 5b 17 00 00 ef 25 6b 03 01 00 00 00 ....[....%k.....
Object ffff880279cc7658: 58 76 cc 79 02 88 ff ff 00 00 00 00 00 00 00 00 Xv.y............
Object ffff880279cc7668: 00 00 00 00 5a 5a 5a 5a 70 76 cc 79 02 88 ff ff ....ZZZZpv.y....
Object ffff880279cc7678: 70 76 cc 79 02 88 ff ff 01 00 00 00 03 00 00 00 pv.y............
Object ffff880279cc7688: 58 76 cc 79 02 88 ff ff b8 2a 20 31 02 88 ff ff Xv.y.....* 1....
CPU: 8 PID: 27473 Comm: cc1 Tainted: G B 3.13.0-76-generic #120hf00073670v20160120b0h5d3e6ab
Hardware name: Cisco Systems Inc UCSC-C220-M3L/UCSC-C220-M3L, BIOS C220M3.2.0.3.0.080120140402 08/01/2014
ffffea0009e73100 ffff880736bbf750 ffffffff81a6e195 ffff8804e881b840
ffff880736bbf780 ffffffff81244c1d ffff8804e881b840 ffffea0009e73100
ffff880279cc7658 ffffea001aa99c98 ffff880736bbf7a8 ffffffff8124ad66
Call Trace:
[<ffffffff81a6e195>] dump_stack+0x45/0x56
[<ffffffff81244c1d>] print_trailer+0xfd/0x170
[<ffffffff8124ad66>] object_err+0x36/0x40
[<ffffffff8124cd29>] kasan_report_error+0x1e9/0x3a0
[<ffffffff8125d9f8>] ? memcg_check_events+0x28/0x380
[<ffffffff81221c2d>] ? rmap_walk+0x32d/0x340
[<ffffffff8124d390>] kasan_report+0x40/0x50
[<ffffffff81205ee3>] ? isolate_migratepages_range+0x663/0xb30
[<ffffffff8124c019>] __asan_load8+0x69/0xa0
[<ffffffff81205ee3>] isolate_migratepages_range+0x663/0xb30
[<ffffffff811dc5e7>] ? zone_watermark_ok+0x57/0x70
[<ffffffff812067c6>] compact_zone+0x416/0x700
[<ffffffff81206b45>] compact_zone_order+0x95/0x100
[<ffffffff81207002>] try_to_compact_pages+0x102/0x1a0
[<ffffffff811e21e6>] __alloc_pages_direct_compact+0x96/0x290
[<ffffffff811e2d5e>] __alloc_pages_nodemask+0x97e/0xc40
[<ffffffff8123ce24>] alloc_pages_vma+0xb4/0x200
[<ffffffff812572ca>] do_huge_pmd_anonymous_page+0x13a/0x490
[<ffffffff8120f072>] ? do_numa_page+0x192/0x200
[<ffffffff81210c07>] handle_mm_fault+0x267/0x1160
[<ffffffff81a7d028>] __do_page_fault+0x218/0x750
[<ffffffff8121aead>] ? do_mmap_pgoff+0x47d/0x500
[<ffffffff811fd699>] ? vm_mmap_pgoff+0xa9/0xd0
[<ffffffff81a7d57a>] do_page_fault+0x1a/0x70
[<ffffffff81a785a8>] page_fault+0x28/0x30
Memory state around the buggy address:
ffff880279cc7580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff880279cc7600: fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 00
>ffff880279cc7680: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                 ^
ffff880279cc7700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff880279cc7780: fc fc fc fc fc fc fc fc fc fc 00 00 00 00 00 00
==================================================================
gavin@rotom:~/ddebs/ddebs-3.13.0-76.120hf00073670v20160120b0h5d3e6ab$ addr2line 0xffffffff81205ee3 -e usr/lib/debug/boot/vmlinux-3.13.0-76-generic -fi
constant_test_bit
/home/gavin/ubuntu-trusty-amd64/arch/x86/include/asm/bitops.h:313
mapping_balloon
/home/gavin/ubuntu-trusty-amd64/include/linux/pagemap.h:69
__is_movable_balloon_page
/home/gavin/ubuntu-trusty-amd64/include/linux/balloon_compaction.h:131
balloon_page_movable
/home/gavin/ubuntu-trusty-amd64/include/linux/balloon_compaction.h:156
isolate_migratepages_range
/home/gavin/ubuntu-trusty-amd64/mm/compaction.c:554
>8---------------8<
/home/gavin/ubuntu-trusty-amd64/arch/x86/include/asm/bitops.h:313
310 static __always_inline int constant_test_bit(long nr, const volatile unsigned long *addr)
311 {
312         return ((1UL << (nr & (BITS_PER_LONG-1))) &
313                 (addr[nr >> _BITOPS_LONG_SHIFT])) != 0;
314 }
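To read the "Memory state around the buggy address" block of the report above mechanically, here is an added decoder (example code written for this page, not part of the bug report or of the kernel). It assumes KASAN's generic layout, where one shadow byte describes 8 bytes of kernel memory and one dumped row prints 16 shadow bytes (128 bytes), and it names the poison values after the upstream mm/kasan/kasan.h definitions; the out-of-tree KASan backport that produced this report may number some poison values differently, so the names are the upstream reading. The embedded REPORT text is copied from the report above (only the lines the decoder needs).

```python
"""Decode which KASAN shadow byte a reported address hit, and how far the
access lies from the nearest addressable (allocated) run of memory.

Added example for this page; not part of the bug report or the kernel.
Assumptions: 8 bytes of memory per shadow byte, 16 shadow bytes per dumped
row (KASAN generic mode), and the upstream mm/kasan/kasan.h poison values.
"""
import bisect
import re

SHADOW_GRANULE = 8        # bytes of kernel memory described by one shadow byte
BYTES_PER_LINE = 16       # shadow bytes printed on one "Memory state" row

# Poison values as defined in upstream mm/kasan/kasan.h (4.x kernels).
SHADOW_LEGEND = {
    0x00: "addressable",
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
    0xfa: "global redzone",
    0xfb: "freed slab object",
    0xfc: "slab object redzone",
    0xfe: "kmalloc_large redzone",
    0xff: "freed page",
}

ADDR_RE = re.compile(r"at addr ([0-9a-f]{16})")
ROW_RE = re.compile(r"^\s*>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})")
OBJECT_RE = re.compile(r"INFO: Object 0x([0-9a-f]{16})")


def describe_shadow(byte):
    """Human-readable meaning of one shadow byte."""
    if byte in SHADOW_LEGEND:
        return SHADOW_LEGEND[byte]
    if 1 <= byte <= 7:
        return "partially addressable (first %d of 8 bytes)" % byte
    return "unknown poison 0x%02x" % byte


def parse_shadow_rows(text):
    """Map each dumped row's base address to its 16 shadow bytes."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows


def granules(rows):
    """Flatten rows into an ascending list of (granule_address, shadow_byte)."""
    out = []
    for base in sorted(rows):
        out.extend((base + i * SHADOW_GRANULE, b) for i, b in enumerate(rows[base]))
    return out


def shadow_at(rows, addr):
    """Shadow byte covering addr, or None if that row was not dumped."""
    base = addr - addr % (SHADOW_GRANULE * BYTES_PER_LINE)
    if base not in rows:
        return None
    return rows[base][(addr - base) // SHADOW_GRANULE]


def nearest_object_below(rows, addr):
    """[start, end) of the closest run of addressable granules at or below addr.

    For an access that lands in a slab redzone this is normally the object
    SLUB names in its "INFO: Object ... @offset" line.
    """
    gs = granules(rows)
    addrs = [g for g, _ in gs]
    pos = bisect.bisect_right(addrs, addr) - 1
    while pos >= 0 and gs[pos][1] != 0x00:
        pos -= 1
    if pos < 0:
        return None
    end = gs[pos][0] + SHADOW_GRANULE
    # Extend downwards while the granules stay addressable and contiguous.
    while (pos > 0 and gs[pos - 1][1] == 0x00
           and gs[pos - 1][0] + SHADOW_GRANULE == gs[pos][0]):
        pos -= 1
    return gs[pos][0], end


def analyze(report):
    """Summarise where the reported access fell relative to the shadow map."""
    addr = int(ADDR_RE.search(report).group(1), 16)
    rows = parse_shadow_rows(report)
    byte = shadow_at(rows, addr)
    obj = nearest_object_below(rows, addr)
    result = {
        "addr": addr,
        "shadow": byte,
        "meaning": describe_shadow(byte) if byte is not None else "row not dumped",
        "object": obj,
        "offset_from_object": addr - obj[0] if obj else None,
        "object_size": obj[1] - obj[0] if obj else None,
    }
    m = OBJECT_RE.search(report)
    if m and obj:
        # Cross-check the shadow-derived start against SLUB's own Object line.
        result["matches_slub_object"] = int(m.group(1), 16) == obj[0]
    return result


# Lines copied from the report above; the rest of the report is not needed.
REPORT = """\
BUG: KASan: out of bounds access in isolate_migratepages_range+0x663/0xb30 at addr ffff880279cc76d1
Read of size 8 by task cc1/27473
INFO: Object 0xffff880279cc7658 @offset=13912 fp=0xffff880279cc7c38
Memory state around the buggy address:
 ffff880279cc7580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880279cc7600: fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 00
>ffff880279cc7680: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880279cc7700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880279cc7780: fc fc fc fc fc fc fc fc fc fc 00 00 00 00 00 00
"""

if __name__ == "__main__":
    r = analyze(REPORT)
    print("access %#x -> shadow 0x%02x (%s)" % (r["addr"], r["shadow"], r["meaning"]))
    print("nearest addressable run: [%#x, %#x) size %d, access at +%d" % (
        r["object"][0], r["object"][1], r["object_size"], r["offset_from_object"]))
    print("start matches SLUB Object line:", r["matches_slub_object"])
```

Run on the report text it places the read at shadow byte 0xfc (slab object redzone), 121 bytes past the start of a 64-byte addressable run beginning at ffff880279cc7658, the same address SLUB prints in its Object line. That is why KASan classified the read as out of bounds rather than use-after-free: the pointer taken from page->mapping no longer points into a live object, so the dereference of ->flags lands in redzone. The same decoder works on any generic-mode KASAN report, as long as the row containing the faulting address was dumped.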