2021-03-04 18:09:52

by Minchan Kim

Subject: [PATCH v4] mm: cma: support sysfs

Since CMA is getting used more widely, it's more important to
keep monitoring CMA statistics for system health since it's
directly related to user experience.

This patch introduces sysfs statistics for CMA, in order to provide
some basic monitoring of the CMA allocator.

* the number of CMA page allocation attempts
* the number of CMA page allocation failures

These two values allow the user to calculate the allocation
failure rate for each CMA area.

e.g.)
/sys/kernel/mm/cma/WIFI/cma_alloc_pages_[attempts|fails]
/sys/kernel/mm/cma/SENSOR/cma_alloc_pages_[attempts|fails]
/sys/kernel/mm/cma/BLUETOOTH/cma_alloc_pages_[attempts|fails]

The cma_stat was intentionally allocated by dynamic allocation
to harmonize with kobject lifetime management.
https://lore.kernel.org/linux-mm/[email protected]/

Reviewed-by: Greg Kroah-Hartman <[email protected]>
Reviewed-by: John Hubbard <[email protected]>
Signed-off-by: Minchan Kim <[email protected]>
---
From v3 - https://lore.kernel.org/linux-mm/[email protected]/
* kmalloc_array - akpm
* add why cma_stat was implemented by dynamic allocation - akpm
* use !__GFP_NOWARN facility to print error - akpm

From v2 - https://lore.kernel.org/linux-mm/[email protected]/
* sysfs doc and description modification - jhubbard

From v1 - https://lore.kernel.org/linux-mm/[email protected]/
* fix sysfs build and refactoring - willy
* rename and drop some attributes - jhubbard

Documentation/ABI/testing/sysfs-kernel-mm-cma | 25 ++++
mm/Kconfig | 7 ++
mm/Makefile | 1 +
mm/cma.c | 6 +-
mm/cma.h | 18 +++
mm/cma_sysfs.c | 110 ++++++++++++++++++
6 files changed, 166 insertions(+), 1 deletion(-)
create mode 100644 Documentation/ABI/testing/sysfs-kernel-mm-cma
create mode 100644 mm/cma_sysfs.c

diff --git a/Documentation/ABI/testing/sysfs-kernel-mm-cma b/Documentation/ABI/testing/sysfs-kernel-mm-cma
new file mode 100644
index 000000000000..f518af819cee
--- /dev/null
+++ b/Documentation/ABI/testing/sysfs-kernel-mm-cma
@@ -0,0 +1,25 @@
+What: /sys/kernel/mm/cma/
+Date: Feb 2021
+Contact: Minchan Kim <[email protected]>
+Description:
+ /sys/kernel/mm/cma/ contains a subdirectory for each CMA
+ heap name (also sometimes called CMA areas).
+
+ Each CMA heap subdirectory (that is, each
+ /sys/kernel/mm/cma/<cma-heap-name> directory) contains the
+ following items:
+
+ cma_alloc_pages_attempts
+ cma_alloc_pages_fails
+
+What: /sys/kernel/mm/cma/<cma-heap-name>/cma_alloc_pages_attempts
+Date: Feb 2021
+Contact: Minchan Kim <[email protected]>
+Description:
+ the number of pages CMA API tried to allocate
+
+What: /sys/kernel/mm/cma/<cma-heap-name>/cma_alloc_pages_fails
+Date: Feb 2021
+Contact: Minchan Kim <[email protected]>
+Description:
+ the number of pages CMA API failed to allocate
diff --git a/mm/Kconfig b/mm/Kconfig
index 24c045b24b95..febb7e8e24de 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -513,6 +513,13 @@ config CMA_DEBUGFS
help
Turns on the DebugFS interface for CMA.

+config CMA_SYSFS
+ bool "CMA information through sysfs interface"
+ depends on CMA && SYSFS
+ help
+ This option exposes some sysfs attributes to get information
+ from CMA.
+
config CMA_AREAS
int "Maximum count of the CMA areas"
depends on CMA
diff --git a/mm/Makefile b/mm/Makefile
index 72227b24a616..56968b23ed7a 100644
--- a/mm/Makefile
+++ b/mm/Makefile
@@ -109,6 +109,7 @@ obj-$(CONFIG_CMA) += cma.o
obj-$(CONFIG_MEMORY_BALLOON) += balloon_compaction.o
obj-$(CONFIG_PAGE_EXTENSION) += page_ext.o
obj-$(CONFIG_CMA_DEBUGFS) += cma_debug.o
+obj-$(CONFIG_CMA_SYSFS) += cma_sysfs.o
obj-$(CONFIG_USERFAULTFD) += userfaultfd.o
obj-$(CONFIG_IDLE_PAGE_TRACKING) += page_idle.o
obj-$(CONFIG_DEBUG_PAGE_REF) += debug_page_ref.o
diff --git a/mm/cma.c b/mm/cma.c
index 54eee2119822..551b704faeaf 100644
--- a/mm/cma.c
+++ b/mm/cma.c
@@ -447,9 +447,10 @@ struct page *cma_alloc(struct cma *cma, size_t count, unsigned int align,
offset = cma_bitmap_aligned_offset(cma, align);
bitmap_maxno = cma_bitmap_maxno(cma);
bitmap_count = cma_bitmap_pages_to_bits(cma, count);
+ cma_sysfs_alloc_count(cma, count);

if (bitmap_count > bitmap_maxno)
- return NULL;
+ goto out;

for (;;) {
mutex_lock(&cma->lock);
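Review bot: The added `cma_sysfs_alloc_count(cma, count);` dereferences `cma->stat` unconditionally — the helper bodies in the mm/cma_sysfs.c hunk take `cma->stat->lock` with no check — so a cma_alloc() that runs before cma_sysfs_init() has populated the pointer, or after that initcall failed and freed the array its pointers refer to, would oops on a NULL or stale pointer; the same applies to `cma_sysfs_fail_count()` in the next hunk. cma_alloc's declarations and early-return checks are outside the hunk, so I cannot tell whether any caller can reach this point that early. A cheap guard in both helpers, `if (!cma->stat) return;`, together with clearing `cma->stat` on the init error path, would make the accounting best-effort rather than a crash. cma_alloc continues outside the hunk.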
@@ -504,6 +505,9 @@ struct page *cma_alloc(struct cma *cma, size_t count, unsigned int align,
__func__, cma->name, count, ret);
cma_debug_show_areas(cma);
}
+out:
+ if (!page)
+ cma_sysfs_fail_count(cma, count);

pr_debug("%s(): returned %p\n", __func__, page);
return page;
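Review bot: The new `out:` label is reached from the `goto out` in the previous hunk without `page` having been assigned on that path, so `if (!page)` on the line after the label relies on `page` being initialised to NULL at its declaration, which is outside both hunks; please confirm that initialiser exists. A short comment on the label, `/* page is still NULL here on the early bitmap_count > bitmap_maxno exit */`, would make the dependency visible to the next person who moves the declaration. cma_alloc's declaration block starts outside the hunk.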
diff --git a/mm/cma.h b/mm/cma.h
index 42ae082cb067..24a1d61eabc7 100644
--- a/mm/cma.h
+++ b/mm/cma.h
@@ -3,6 +3,14 @@
#define __MM_CMA_H__

#include <linux/debugfs.h>
+#include <linux/kobject.h>
+
+struct cma_stat {
+ spinlock_t lock;
+ unsigned long pages_attempts; /* the number of CMA page allocation attempts */
+ unsigned long pages_fails; /* the number of CMA page allocation failures */
+ struct kobject kobj;
+};

struct cma {
unsigned long base_pfn;
@@ -16,6 +24,9 @@ struct cma {
struct debugfs_u32_array dfs_bitmap;
#endif
char name[CMA_MAX_NAME];
+#ifdef CONFIG_CMA_SYSFS
+ struct cma_stat *stat;
+#endif
};

extern struct cma cma_areas[MAX_CMA_AREAS];
@@ -26,4 +37,11 @@ static inline unsigned long cma_bitmap_maxno(struct cma *cma)
return cma->count >> cma->order_per_bit;
}

+#ifdef CONFIG_CMA_SYSFS
+void cma_sysfs_alloc_count(struct cma *cma, size_t count);
+void cma_sysfs_fail_count(struct cma *cma, size_t count);
+#else
+static inline void cma_sysfs_alloc_count(struct cma *cma, size_t count) {};
+static inline void cma_sysfs_fail_count(struct cma *cma, size_t count) {};
+#endif
#endif
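Review bot: The two `CONFIG_CMA_SYSFS`-disabled stubs, `static inline void cma_sysfs_alloc_count(struct cma *cma, size_t count) {};` and its `cma_sysfs_fail_count` twin, carry a stray semicolon after the closing brace; it is an empty declaration at file scope, harmless for the build but flagged by checkpatch and `-Wpedantic`. Drop it on both lines so the stubs end in `{}` like the rest of the kernel's inline no-ops.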
diff --git a/mm/cma_sysfs.c b/mm/cma_sysfs.c
new file mode 100644
index 000000000000..67b63167eaf5
--- /dev/null
+++ b/mm/cma_sysfs.c
@@ -0,0 +1,110 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * CMA SysFS Interface
+ *
+ * Copyright (c) 2021 Minchan Kim <[email protected]>
+ */
+
+#include <linux/cma.h>
+#include <linux/kernel.h>
+#include <linux/slab.h>
+
+#include "cma.h"
+
+static struct cma_stat *cma_stats;
+
+void cma_sysfs_alloc_count(struct cma *cma, size_t count)
+{
+ spin_lock(&cma->stat->lock);
+ cma->stat->pages_attempts += count;
+ spin_unlock(&cma->stat->lock);
+}
+
+void cma_sysfs_fail_count(struct cma *cma, size_t count)
+{
+ spin_lock(&cma->stat->lock);
+ cma->stat->pages_fails += count;
+ spin_unlock(&cma->stat->lock);
+}
+
+#define CMA_ATTR_RO(_name) \
+ static struct kobj_attribute _name##_attr = __ATTR_RO(_name)
+
+static struct kobject *cma_kobj;
+
+static ssize_t cma_alloc_pages_attempts_show(struct kobject *kobj,
+ struct kobj_attribute *attr, char *buf)
+{
+ struct cma_stat *stat = container_of(kobj, struct cma_stat, kobj);
+
+ return sysfs_emit(buf, "%lu\n", stat->pages_attempts);
+}
+CMA_ATTR_RO(cma_alloc_pages_attempts);
+
+static ssize_t cma_alloc_pages_fails_show(struct kobject *kobj,
+ struct kobj_attribute *attr, char *buf)
+{
+ struct cma_stat *stat = container_of(kobj, struct cma_stat, kobj);
+
+ return sysfs_emit(buf, "%lu\n", stat->pages_fails);
+}
+CMA_ATTR_RO(cma_alloc_pages_fails);
+
+static void cma_kobj_release(struct kobject *kobj)
+{
+ struct cma_stat *stat = container_of(kobj, struct cma_stat, kobj);
+
+ kfree(stat);
+}
+
+static struct attribute *cma_attrs[] = {
+ &cma_alloc_pages_attempts_attr.attr,
+ &cma_alloc_pages_fails_attr.attr,
+ NULL,
+};
+ATTRIBUTE_GROUPS(cma);
+
+static struct kobj_type cma_ktype = {
+ .release = cma_kobj_release,
+ .sysfs_ops = &kobj_sysfs_ops,
+ .default_groups = cma_groups
+};
+
+static int __init cma_sysfs_init(void)
+{
+ int i = 0;
+ struct cma *cma;
+
+ cma_kobj = kobject_create_and_add("cma", mm_kobj);
+ if (!cma_kobj)
+ return -ENOMEM;
+
+ cma_stats = kmalloc_array(cma_area_count, sizeof(struct cma_stat),
+ GFP_KERNEL|__GFP_ZERO);
+ if (!cma_stats)
+ goto out;
+
+ do {
+ cma = &cma_areas[i];
+ cma->stat = &cma_stats[i];
+ spin_lock_init(&cma->stat->lock);
+ if (kobject_init_and_add(&cma->stat->kobj, &cma_ktype,
+ cma_kobj, "%s", cma->name)) {
+ kobject_put(&cma->stat->kobj);
+ goto out;
+ }
+ } while (++i < cma_area_count);
+
+ return 0;
+out:
+ while (--i >= 0) {
+ cma = &cma_areas[i];
+ kobject_put(&cma->stat->kobj);
+ }
+
+ kfree(cma_stats);
+ kobject_put(cma_kobj);
+
+ return -ENOMEM;
+}
+subsys_initcall(cma_sysfs_init);
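Review bot: `cma_kobj_release()` does `kfree(stat)` on the kobject's containing `struct cma_stat`, but every `cma->stat` is `&cma_stats[i]`, an element of the single `kmalloc_array()` block, so the `kobject_put()` on the `kobject_init_and_add()` failure path and in the `out:` loop hand kfree() a pointer into the middle of one allocation, and index 0 is then freed a second time by `kfree(cma_stats)`; the same release runs whenever a stat kobject's last reference drops later. Either the release must not free, or each area needs its own allocation so that the kobject owns exactly what its release frees; the latter matches the stated intent of tying the stat lifetime to the kobject. The sketch below allocates per area with `kzalloc()`, makes the `cma_stats` array (and its `static` declaration) unnecessary, and clears `cma->stat` on the error path so the accounting helpers can treat a NULL pointer as "not initialised".
```c
/* … unchanged: accounting helpers, show callbacks, release, ktype … */

static int __init cma_sysfs_init(void)
{
	unsigned int i;
	struct cma *cma;

	cma_kobj = kobject_create_and_add("cma", mm_kobj);
	if (!cma_kobj)
		return -ENOMEM;

	for (i = 0; i < cma_area_count; i++) {
		cma = &cma_areas[i];
		/* one object per area: the kobject release kfree()s exactly this */
		cma->stat = kzalloc(sizeof(*cma->stat), GFP_KERNEL);
		if (!cma->stat)
			goto out;
		spin_lock_init(&cma->stat->lock);
		if (kobject_init_and_add(&cma->stat->kobj, &cma_ktype,
					 cma_kobj, "%s", cma->name)) {
			kobject_put(&cma->stat->kobj);	/* release frees stat */
			cma->stat = NULL;
			goto out;
		}
	}

	return 0;
out:
	while (i--) {
		cma = &cma_areas[i];
		kobject_put(&cma->stat->kobj);
		cma->stat = NULL;
	}
	kobject_put(cma_kobj);

	return -ENOMEM;
}
subsys_initcall(cma_sysfs_init);
```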
--
2.30.1.766.gb4fecdf3b7-goog


2021-03-05 17:36:34

by David Hildenbrand

Subject: Re: [PATCH v4] mm: cma: support sysfs

On 04.03.21 17:17, Minchan Kim wrote:
> Since CMA is getting used more widely, it's more important to
> keep monitoring CMA statistics for system health since it's
> directly related to user experience.
>
> This patch introduces sysfs statistics for CMA, in order to provide
> some basic monitoring of the CMA allocator.
>
> * the number of CMA page allocation attempts
> * the number of CMA page allocation failures
>
> These two values allow the user to calcuate the allocation
> failure rate for each CMA area.
>
> e.g.)
> /sys/kernel/mm/cma/WIFI/cma_alloc_pages_[attempts|fails]
> /sys/kernel/mm/cma/SENSOR/cma_alloc_pages_[attempts|fails]
> /sys/kernel/mm/cma/BLUETOOTH/cma_alloc_pages_[attempts|fails]
>
> The cma_stat was intentionally allocated by dynamic allocation
> to harmonize with kobject lifetime management.
> https://lore.kernel.org/linux-mm/[email protected]/
>
> Reviewed-by: Greg Kroah-Hartman <[email protected]>
> Reviewed-by: John Hubbard <[email protected]>
> Signed-off-by: Minchan Kim <[email protected]>
> ---
> From v3 - https://lore.kernel.org/linux-mm/[email protected]/
> * kmalloc_array - akpm
> * add why cma_stat was implemented by dynamic allocation - akpm
> * use !__GFP_NOWARN facility to print error - akpm
>
> From v2 - https://lore.kernel.org/linux-mm/[email protected]/
> * sysfs doc and description modification - jhubbard
>
> From v1 - https://lore.kernel.org/linux-mm/[email protected]/
> * fix sysfs build and refactoring - willy
> * rename and drop some attributes - jhubbard
>
> Documentation/ABI/testing/sysfs-kernel-mm-cma | 25 ++++
> mm/Kconfig | 7 ++
> mm/Makefile | 1 +
> mm/cma.c | 6 +-
> mm/cma.h | 18 +++
> mm/cma_sysfs.c | 110 ++++++++++++++++++
> 6 files changed, 166 insertions(+), 1 deletion(-)
> create mode 100644 Documentation/ABI/testing/sysfs-kernel-mm-cma
> create mode 100644 mm/cma_sysfs.c
>
> diff --git a/Documentation/ABI/testing/sysfs-kernel-mm-cma b/Documentation/ABI/testing/sysfs-kernel-mm-cma
> new file mode 100644
> index 000000000000..f518af819cee
> --- /dev/null
> +++ b/Documentation/ABI/testing/sysfs-kernel-mm-cma
> @@ -0,0 +1,25 @@
> +What: /sys/kernel/mm/cma/
> +Date: Feb 2021
> +Contact: Minchan Kim <[email protected]>
> +Description:
> + /sys/kernel/mm/cma/ contains a subdirectory for each CMA
> + heap name (also sometimes called CMA areas).
> +
> + Each CMA heap subdirectory (that is, each
> + /sys/kernel/mm/cma/<cma-heap-name> directory) contains the
> + following items:
> +
> + cma_alloc_pages_attempts
> + cma_alloc_pages_fails

Nit: why "cma_" again when we are already under "/cma/" ?

I'd simply go with something like

"total_alloc_attempts"
"failed_alloc_attempts"

But maybe this has been discussed already.

> +
> +What: /sys/kernel/mm/cma/<cma-heap-name>/cma_alloc_pages_attempts
> +Date: Feb 2021
> +Contact: Minchan Kim <[email protected]>
> +Description:
> + the number of pages CMA API tried to allocate
> +
> +What: /sys/kernel/mm/cma/<cma-heap-name>/cma_alloc_pages_fails
> +Date: Feb 2021
> +Contact: Minchan Kim <[email protected]>
> +Description:
> + the number of pages CMA API failed to allocate

This will be useful.

--
Thanks,

David / dhildenb

2021-03-05 20:35:53

by Minchan Kim

Subject: Re: [PATCH v4] mm: cma: support sysfs

On Fri, Mar 05, 2021 at 06:34:22PM +0100, David Hildenbrand wrote:
> On 04.03.21 17:17, Minchan Kim wrote:
> > Since CMA is getting used more widely, it's more important to
> > keep monitoring CMA statistics for system health since it's
> > directly related to user experience.
> >
> > This patch introduces sysfs statistics for CMA, in order to provide
> > some basic monitoring of the CMA allocator.
> >
> > * the number of CMA page allocation attempts
> > * the number of CMA page allocation failures
> >
> > These two values allow the user to calcuate the allocation
> > failure rate for each CMA area.
> >
> > e.g.)
> > /sys/kernel/mm/cma/WIFI/cma_alloc_pages_[attempts|fails]
> > /sys/kernel/mm/cma/SENSOR/cma_alloc_pages_[attempts|fails]
> > /sys/kernel/mm/cma/BLUETOOTH/cma_alloc_pages_[attempts|fails]
> >
> > The cma_stat was intentionally allocated by dynamic allocation
> > to harmonize with kobject lifetime management.
> > https://lore.kernel.org/linux-mm/[email protected]/
> >
> > Reviewed-by: Greg Kroah-Hartman <[email protected]>
> > Reviewed-by: John Hubbard <[email protected]>
> > Signed-off-by: Minchan Kim <[email protected]>
> > ---
> > From v3 - https://lore.kernel.org/linux-mm/[email protected]/
> > * kmalloc_array - akpm
> > * add why cma_stat was implemented by dynamic allocation - akpm
> > * use !__GFP_NOWARN facility to print error - akpm
> >
> > From v2 - https://lore.kernel.org/linux-mm/[email protected]/
> > * sysfs doc and description modification - jhubbard
> >
> > From v1 - https://lore.kernel.org/linux-mm/[email protected]/
> > * fix sysfs build and refactoring - willy
> > * rename and drop some attributes - jhubbard
> >
> > Documentation/ABI/testing/sysfs-kernel-mm-cma | 25 ++++
> > mm/Kconfig | 7 ++
> > mm/Makefile | 1 +
> > mm/cma.c | 6 +-
> > mm/cma.h | 18 +++
> > mm/cma_sysfs.c | 110 ++++++++++++++++++
> > 6 files changed, 166 insertions(+), 1 deletion(-)
> > create mode 100644 Documentation/ABI/testing/sysfs-kernel-mm-cma
> > create mode 100644 mm/cma_sysfs.c
> >
> > diff --git a/Documentation/ABI/testing/sysfs-kernel-mm-cma b/Documentation/ABI/testing/sysfs-kernel-mm-cma
> > new file mode 100644
> > index 000000000000..f518af819cee
> > --- /dev/null
> > +++ b/Documentation/ABI/testing/sysfs-kernel-mm-cma
> > @@ -0,0 +1,25 @@
> > +What: /sys/kernel/mm/cma/
> > +Date: Feb 2021
> > +Contact: Minchan Kim <[email protected]>
> > +Description:
> > + /sys/kernel/mm/cma/ contains a subdirectory for each CMA
> > + heap name (also sometimes called CMA areas).
> > +
> > + Each CMA heap subdirectory (that is, each
> > + /sys/kernel/mm/cma/<cma-heap-name> directory) contains the
> > + following items:
> > +
> > + cma_alloc_pages_attempts
> > + cma_alloc_pages_fails
>
> Nit: why "cma_" again when we are already under "/cma/" ?

Originally, there was desire to add cma_alloc_attempts as well as
cma_alloc_pages_attempts.

>
> I'd simply go with something like
>
> "total_alloc_attempts"
> "failed_alloc_attempts"

If we really want to remove the cma prefix, maybe,

alloc_pages_attempts
alloc_pages_fails

If someone wants to count cma_alloc itself, then

alloc_success
alloc_fail

Does that make sense?

2021-03-08 15:15:03

by kernel test robot

Subject: [mm] 9ddc8abf03: BUG:KASAN:null-ptr-deref_in_lockdep_init_map_type


Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: 9ddc8abf031750362cda61a9fb8a28be8871eaae ("[PATCH v4] mm: cma: support sysfs")
url: https://github.com/0day-ci/linux/commits/Minchan-Kim/mm-cma-support-sysfs/20210305-002050
base: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git f69d02e37a85645aa90d18cacfff36dba370f797

in testcase: trinity
version: trinity-i386-4d2343bd-1_20200320
with following parameters:

group: group-01

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


+-------------------------------------------------------------------------+------------+------------+
| | f69d02e37a | 9ddc8abf03 |
+-------------------------------------------------------------------------+------------+------------+
| BUG:KASAN:null-ptr-deref_in_lockdep_init_map_type | 0 | 12 |
| BUG:kernel_NULL_pointer_dereference,address | 0 | 12 |
| Oops:#[##] | 0 | 12 |
| RIP:lockdep_init_map_type | 0 | 12 |
+-------------------------------------------------------------------------+------------+------------+


If you fix the issue, kindly add following tag
Reported-by: kernel test robot <[email protected]>


[ 16.842917] BUG: KASAN: null-ptr-deref in lockdep_init_map_type (kbuild/src/consumer/kernel/locking/lockdep.c:4654)
[ 16.844311] Write of size 8 at addr 0000000000000030 by task swapper/0/1
[ 16.844311]
[ 16.844311] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc1-00023-g9ddc8abf0317 #1
[ 16.844311] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 16.844311] Call Trace:
[ 16.844311] dump_stack (kbuild/src/consumer/lib/dump_stack.c:122)
[ 16.844311] ? lockdep_init_map_type (kbuild/src/consumer/kernel/locking/lockdep.c:4654)
[ 16.844311] kasan_report.cold (kbuild/src/consumer/mm/kasan/report.c:403 kbuild/src/consumer/mm/kasan/report.c:416)
[ 16.844311] ? lockdep_init_map_type (kbuild/src/consumer/kernel/locking/lockdep.c:4654)
[ 16.844311] lockdep_init_map_type (kbuild/src/consumer/kernel/locking/lockdep.c:4654)
[ 16.844311] __raw_spin_lock_init (kbuild/src/consumer/kernel/locking/spinlock_debug.c:26)
[ 16.844311] cma_sysfs_init (kbuild/src/consumer/mm/cma_sysfs.c:91)
[ 16.844311] ? cma_debugfs_init (kbuild/src/consumer/mm/cma_sysfs.c:74)
[ 16.844311] do_one_initcall (kbuild/src/consumer/init/main.c:1226)
[ 16.844311] ? perf_trace_initcall_level (kbuild/src/consumer/init/main.c:1217)
[ 16.844311] ? rcu_read_lock_sched_held (kbuild/src/consumer/kernel/rcu/update.c:125)
[ 16.844311] ? trace_event_raw_event_rcu_torture_read (kbuild/src/consumer/kernel/rcu/update.c:120)
[ 16.844311] ? write_comp_data (kbuild/src/consumer/kernel/kcov.c:218)
[ 16.844311] ? __sanitizer_cov_trace_pc (kbuild/src/consumer/kernel/kcov.c:197)
[ 16.844311] kernel_init_freeable (kbuild/src/consumer/init/main.c:1298 kbuild/src/consumer/init/main.c:1315 kbuild/src/consumer/init/main.c:1335 kbuild/src/consumer/init/main.c:1537)
[ 16.844311] ? console_on_rootfs (kbuild/src/consumer/init/main.c:1503)
[ 16.844311] ? tracer_hardirqs_on (kbuild/src/consumer/kernel/trace/trace_irqsoff.c:57 kbuild/src/consumer/kernel/trace/trace_irqsoff.c:610)
[ 16.844311] ? mark_held_locks (kbuild/src/consumer/kernel/locking/lockdep.c:4067)
[ 16.844311] ? rest_init (kbuild/src/consumer/init/main.c:1421)
[ 16.844311] kernel_init (kbuild/src/consumer/init/main.c:1426)
[ 16.844311] ret_from_fork (kbuild/src/consumer/arch/x86/entry/entry_64.S:300)
[ 16.844311] ==================================================================
[ 16.844311] Disabling lock debugging due to kernel taint
[ 16.844425] BUG: kernel NULL pointer dereference, address: 0000000000000030
[ 16.845925] #PF: supervisor write access in kernel mode
[ 16.847149] #PF: error_code(0x0002) - not-present page
[ 16.848311] PGD 0 P4D 0
[ 16.848311] Oops: 0002 [#1] SMP KASAN PTI
[ 16.848311] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G B 5.12.0-rc1-00023-g9ddc8abf0317 #1
[ 16.848311] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 16.848311] RIP: 0010:lockdep_init_map_type (kbuild/src/consumer/kernel/locking/lockdep.c:4654)
[ 16.848311] Code: 89 ce 41 55 41 54 49 89 d4 55 48 89 fd 48 83 c7 08 53 48 89 f3 48 83 ec 08 8b 44 24 40 44 89 04 24 89 44 24 04 e8 0e 2b 4b 00 <48> c7 45 08 00 00 00 00 48 8d 7d 10 e8 fd 2a 4b 00 48 c7 45 10 00
All code
========
0: 89 ce mov %ecx,%esi
2: 41 55 push %r13
4: 41 54 push %r12
6: 49 89 d4 mov %rdx,%r12
9: 55 push %rbp
a: 48 89 fd mov %rdi,%rbp
d: 48 83 c7 08 add $0x8,%rdi
11: 53 push %rbx
12: 48 89 f3 mov %rsi,%rbx
15: 48 83 ec 08 sub $0x8,%rsp
19: 8b 44 24 40 mov 0x40(%rsp),%eax
1d: 44 89 04 24 mov %r8d,(%rsp)
21: 89 44 24 04 mov %eax,0x4(%rsp)
25: e8 0e 2b 4b 00 callq 0x4b2b38
2a:* 48 c7 45 08 00 00 00 movq $0x0,0x8(%rbp) <-- trapping instruction
31: 00
32: 48 8d 7d 10 lea 0x10(%rbp),%rdi
36: e8 fd 2a 4b 00 callq 0x4b2b38
3b: 48 rex.W
3c: c7 .byte 0xc7
3d: 45 10 00 adc %r8b,(%r8)

Code starting with the faulting instruction
===========================================
0: 48 c7 45 08 00 00 00 movq $0x0,0x8(%rbp)
7: 00
8: 48 8d 7d 10 lea 0x10(%rbp),%rdi
c: e8 fd 2a 4b 00 callq 0x4b2b0e
11: 48 rex.W
12: c7 .byte 0xc7
13: 45 10 00 adc %r8b,(%r8)
[ 16.848311] RSP: 0000:ffffc9000006fc98 EFLAGS: 00010282
[ 16.848311] RAX: 0000000000000001 RBX: ffffffff9f3a9fc0 RCX: ffffffff9e875dcf
[ 16.848311] RDX: dffffc0000000000 RSI: ffff888101489000 RDI: ffffffffa43ce860
[ 16.848311] RBP: 0000000000000028 R08: 0000000000000000 R09: 0000000000000000
[ 16.848311] R10: ffffffffa7c5de03 R11: fffffbfff4f8bbc0 R12: ffffffffafea6da0
[ 16.848311] R13: 0000000000000002 R14: 0000000000000000 R15: 0000000000000000
[ 16.848311] FS: 0000000000000000(0000) GS:ffff8881c5c00000(0000) knlGS:0000000000000000
[ 16.848311] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 16.848311] CR2: 0000000000000030 CR3: 000000022eeba000 CR4: 00000000000406f0
[ 16.848311] Call Trace:
[ 16.848311] __raw_spin_lock_init (kbuild/src/consumer/kernel/locking/spinlock_debug.c:26)
[ 16.848311] cma_sysfs_init (kbuild/src/consumer/mm/cma_sysfs.c:91)
[ 16.848311] ? cma_debugfs_init (kbuild/src/consumer/mm/cma_sysfs.c:74)
[ 16.848311] do_one_initcall (kbuild/src/consumer/init/main.c:1226)
[ 16.848311] ? perf_trace_initcall_level (kbuild/src/consumer/init/main.c:1217)
[ 16.848311] ? rcu_read_lock_sched_held (kbuild/src/consumer/kernel/rcu/update.c:125)
[ 16.848311] ? trace_event_raw_event_rcu_torture_read (kbuild/src/consumer/kernel/rcu/update.c:120)
[ 16.848311] ? write_comp_data (kbuild/src/consumer/kernel/kcov.c:218)
[ 16.848311] ? __sanitizer_cov_trace_pc (kbuild/src/consumer/kernel/kcov.c:197)
[ 16.848311] kernel_init_freeable (kbuild/src/consumer/init/main.c:1298 kbuild/src/consumer/init/main.c:1315 kbuild/src/consumer/init/main.c:1335 kbuild/src/consumer/init/main.c:1537)
[ 16.848311] ? console_on_rootfs (kbuild/src/consumer/init/main.c:1503)
[ 16.848311] ? tracer_hardirqs_on (kbuild/src/consumer/kernel/trace/trace_irqsoff.c:57 kbuild/src/consumer/kernel/trace/trace_irqsoff.c:610)
[ 16.848311] ? mark_held_locks (kbuild/src/consumer/kernel/locking/lockdep.c:4067)
[ 16.848311] ? rest_init (kbuild/src/consumer/init/main.c:1421)
[ 16.848311] kernel_init (kbuild/src/consumer/init/main.c:1426)
[ 16.848311] ret_from_fork (kbuild/src/consumer/arch/x86/entry/entry_64.S:300)
[ 16.848311] Modules linked in:
[ 16.848311] CR2: 0000000000000030
[ 16.848311] ---[ end trace 29b158f4fb30e312 ]---
[ 16.848311] RIP: 0010:lockdep_init_map_type (kbuild/src/consumer/kernel/locking/lockdep.c:4654)
[ 16.848311] Code: 89 ce 41 55 41 54 49 89 d4 55 48 89 fd 48 83 c7 08 53 48 89 f3 48 83 ec 08 8b 44 24 40 44 89 04 24 89 44 24 04 e8 0e 2b 4b 00 <48> c7 45 08 00 00 00 00 48 8d 7d 10 e8 fd 2a 4b 00 48 c7 45 10 00
All code
========
0: 89 ce mov %ecx,%esi
2: 41 55 push %r13
4: 41 54 push %r12
6: 49 89 d4 mov %rdx,%r12
9: 55 push %rbp
a: 48 89 fd mov %rdi,%rbp
d: 48 83 c7 08 add $0x8,%rdi
11: 53 push %rbx
12: 48 89 f3 mov %rsi,%rbx
15: 48 83 ec 08 sub $0x8,%rsp
19: 8b 44 24 40 mov 0x40(%rsp),%eax
1d: 44 89 04 24 mov %r8d,(%rsp)
21: 89 44 24 04 mov %eax,0x4(%rsp)
25: e8 0e 2b 4b 00 callq 0x4b2b38
2a:* 48 c7 45 08 00 00 00 movq $0x0,0x8(%rbp) <-- trapping instruction
31: 00
32: 48 8d 7d 10 lea 0x10(%rbp),%rdi
36: e8 fd 2a 4b 00 callq 0x4b2b38
3b: 48 rex.W
3c: c7 .byte 0xc7
3d: 45 10 00 adc %r8b,(%r8)

Code starting with the faulting instruction
===========================================
0: 48 c7 45 08 00 00 00 movq $0x0,0x8(%rbp)
7: 00
8: 48 8d 7d 10 lea 0x10(%rbp),%rdi
c: e8 fd 2a 4b 00 callq 0x4b2b0e
11: 48 rex.W
12: c7 .byte 0xc7
13: 45 10 00 adc %r8b,(%r8)


To reproduce:

# build kernel
cd linux
cp config-5.12.0-rc1-00023-g9ddc8abf0317 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/[email protected] Intel Corporation

Thanks,
Oliver Sang


Attachments:
(No filename) (10.64 kB)
config-5.12.0-rc1-00023-g9ddc8abf0317 (275.58 kB)
job-script (4.17 kB)
dmesg.xz (9.52 kB)

2021-03-08 19:41:19

by Minchan Kim

Subject: Re: [mm] 9ddc8abf03: BUG:KASAN:null-ptr-deref_in_lockdep_init_map_type

On Mon, Mar 08, 2021 at 11:26:20PM +0800, kernel test robot wrote:
>
> Greeting,
>
> FYI, we noticed the following commit (built with gcc-9):
>
> commit: 9ddc8abf031750362cda61a9fb8a28be8871eaae ("[PATCH v4] mm: cma: support sysfs")
> url: https://github.com/0day-ci/linux/commits/Minchan-Kim/mm-cma-support-sysfs/20210305-002050
> base: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git f69d02e37a85645aa90d18cacfff36dba370f797
>
> in testcase: trinity
> version: trinity-i386-4d2343bd-1_20200320
> with following parameters:
>
> group: group-01
>
> test-description: Trinity is a linux system call fuzz tester.
> test-url: http://codemonkey.org.uk/projects/trinity/
>
>
> on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G
>
> caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
>
>
> +-------------------------------------------------------------------------+------------+------------+
> | | f69d02e37a | 9ddc8abf03 |
> +-------------------------------------------------------------------------+------------+------------+
> | BUG:KASAN:null-ptr-deref_in_lockdep_init_map_type | 0 | 12 |
> | BUG:kernel_NULL_pointer_dereference,address | 0 | 12 |
> | Oops:#[##] | 0 | 12 |
> | RIP:lockdep_init_map_type | 0 | 12 |
> +-------------------------------------------------------------------------+------------+------------+
>
>
> If you fix the issue, kindly add following tag
> Reported-by: kernel test robot <[email protected]>
>
>
> [ 16.842917] BUG: KASAN: null-ptr-deref in lockdep_init_map_type (kbuild/src/consumer/kernel/locking/lockdep.c:4654)
> [ 16.844311] Write of size 8 at addr 0000000000000030 by task swapper/0/1
> [ 16.844311]
> [ 16.844311] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc1-00023-g9ddc8abf0317 #1
> [ 16.844311] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
> [ 16.844311] Call Trace:
> [ 16.844311] dump_stack (kbuild/src/consumer/lib/dump_stack.c:122)
> [ 16.844311] ? lockdep_init_map_type (kbuild/src/consumer/kernel/locking/lockdep.c:4654)
> [ 16.844311] kasan_report.cold (kbuild/src/consumer/mm/kasan/report.c:403 kbuild/src/consumer/mm/kasan/report.c:416)
> [ 16.844311] ? lockdep_init_map_type (kbuild/src/consumer/kernel/locking/lockdep.c:4654)
> [ 16.844311] lockdep_init_map_type (kbuild/src/consumer/kernel/locking/lockdep.c:4654)
> [ 16.844311] __raw_spin_lock_init (kbuild/src/consumer/kernel/locking/spinlock_debug.c:26)
> [ 16.844311] cma_sysfs_init (kbuild/src/consumer/mm/cma_sysfs.c:91)
> [ 16.844311] ? cma_debugfs_init (kbuild/src/consumer/mm/cma_sysfs.c:74)
> [ 16.844311] do_one_initcall (kbuild/src/consumer/init/main.c:1226)
> [ 16.844311] ? perf_trace_initcall_level (kbuild/src/consumer/init/main.c:1217)
> [ 16.844311] ? rcu_read_lock_sched_held (kbuild/src/consumer/kernel/rcu/update.c:125)
> [ 16.844311] ? trace_event_raw_event_rcu_torture_read (kbuild/src/consumer/kernel/rcu/update.c:120)
> [ 16.844311] ? write_comp_data (kbuild/src/consumer/kernel/kcov.c:218)
> [ 16.844311] ? __sanitizer_cov_trace_pc (kbuild/src/consumer/kernel/kcov.c:197)
> [ 16.844311] kernel_init_freeable (kbuild/src/consumer/init/main.c:1298 kbuild/src/consumer/init/main.c:1315 kbuild/src/consumer/init/main.c:1335 kbuild/src/consumer/init/main.c:1537)
> [ 16.844311] ? console_on_rootfs (kbuild/src/consumer/init/main.c:1503)
> [ 16.844311] ? tracer_hardirqs_on (kbuild/src/consumer/kernel/trace/trace_irqsoff.c:57 kbuild/src/consumer/kernel/trace/trace_irqsoff.c:610)
> [ 16.844311] ? mark_held_locks (kbuild/src/consumer/kernel/locking/lockdep.c:4067)
> [ 16.844311] ? rest_init (kbuild/src/consumer/init/main.c:1421)
> [ 16.844311] kernel_init (kbuild/src/consumer/init/main.c:1426)
> [ 16.844311] ret_from_fork (kbuild/src/consumer/arch/x86/entry/entry_64.S:300)
> [ 16.844311] ==================================================================
> [ 16.844311] Disabling lock debugging due to kernel taint
> [ 16.844425] BUG: kernel NULL pointer dereference, address: 0000000000000030
> [ 16.845925] #PF: supervisor write access in kernel mode
> [ 16.847149] #PF: error_code(0x0002) - not-present page
> [ 16.848311] PGD 0 P4D 0
> [ 16.848311] Oops: 0002 [#1] SMP KASAN PTI
> [ 16.848311] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G B 5.12.0-rc1-00023-g9ddc8abf0317 #1


From 758182a763fbc0fbd6b5e143ca64a4eb31d22a1a Mon Sep 17 00:00:00 2001
From: Minchan Kim <[email protected]>
Date: Mon, 8 Mar 2021 11:33:47 -0800
Subject: [PATCH] mm: cma: fix ZERO_SIZE_PTR check

If there is no cma instance, cma_area_count will be zero and
kmalloc_array will return ZERO_SIZE_PTR instead of NULL.

Use ZERO_OR_NULL_PTR to check both cases.

Link: https://lore.kernel.org/linux-mm/20210308152620.GE4324@xsang-OptiPlex-9020/
Reported-by: kernel test robot <[email protected]>
Signed-off-by: Minchan Kim <[email protected]>
---
mm/cma_sysfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/cma_sysfs.c b/mm/cma_sysfs.c
index 67b63167eaf5..fdcb952ff13f 100644
--- a/mm/cma_sysfs.c
+++ b/mm/cma_sysfs.c
@@ -81,7 +81,7 @@ static int __init cma_sysfs_init(void)

cma_stats = kmalloc_array(cma_area_count, sizeof(struct cma_stat),
GFP_KERNEL|__GFP_ZERO);
- if (!cma_stats)
+ if (ZERO_OR_NULL_PTR(cma_stats))
goto out;

do {
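Review bot: With `ZERO_OR_NULL_PTR()` the zero-area case now takes the `goto out` and the initcall returns `-ENOMEM`, which do_one_initcall() reports as a failed initcall on every system that simply has no CMA area; it also creates and immediately drops the `cma` kobject. Treating "nothing to expose" as success, `if (!cma_area_count) return 0;` placed before `kobject_create_and_add()`, keeps the ENOMEM path for genuine allocation failures only. cma_sysfs_init's start and end are outside the hunk.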
--
2.30.1.766.gb4fecdf3b7-goog