Date: Mon, 28 Mar 2016 13:17:57 -0400
From: Dave Jones
To: Linux Kernel
Cc: linux-mm@kvack.org
Subject: 4.5 shmem lockdep/out-of-bound/list corruption disaster
Message-ID: <20160328171757.GA21665@codemonkey.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

I hit this a few days ago. I'm not 100% sure what kernel it was running, but I'm pretty sure it was
a post 4.5 kernel from this merge window.

WARNING: CPU: 2 PID: 28919 at kernel/locking/lockdep.c:3198 __lock_acquire+0x74d/0x1c60
DEBUG_LOCKS_WARN_ON(class_idx > MAX_LOCKDEP_KEYS)
CPU: 2 PID: 28919 Comm: trinity-c30 Not tainted 4.5.0-think+ #6
 ffffffffba141ccd 000000001ded0b05 ffff8803e4b67480 ffffffffba575c0b
 ffff8803e4b674f8 0000000000000000 ffff8803e4b674c8 ffffffffba0b3eb1
 ffff88045fbe37c0 00000c7ee4b674e0 ffffed007c96ce9b 0000000000000000
Call Trace:
 [] ? __lock_acquire+0x74d/0x1c60
 [] dump_stack+0x68/0x9d
 [] __warn+0x111/0x130
 [] warn_slowpath_fmt+0xb4/0xf0
 [] ? __warn+0x130/0x130
 [] ? mark_lock+0x45b/0x800
 [] __lock_acquire+0x74d/0x1c60
 [] ? debug_lockdep_rcu_enabled.part.18+0x1a/0x30
 [] ? debug_lockdep_rcu_enabled+0x35/0x40
 [] ? debug_check_no_locks_freed+0x1b0/0x1b0
 [] ? debug_check_no_locks_freed+0x1b0/0x1b0
 [] ? _raw_spin_unlock_irq+0x32/0x50
 [] ? preempt_count_sub+0x1a/0x130
 [] lock_acquire+0xcf/0x2a0
 [] ? finish_wait+0x68/0xc0
 [] _raw_spin_lock_irqsave+0x4c/0x90
 [] ? finish_wait+0x68/0xc0
 [] finish_wait+0x68/0xc0
 [] shmem_fault+0x323/0x390
 [] ? shmem_file_splice_read+0x720/0x720
 [] ? prepare_to_wait_event+0x200/0x200
 [] ? debug_lockdep_rcu_enabled+0x35/0x40
 [] ? mark_lock+0xcf/0x800
 [] __do_fault+0x138/0x2e0
 [] ? wp_page_copy.isra.79+0x850/0x850
 [] handle_mm_fault+0x42b/0x2400
 [] ? __lock_acquire+0x8b8/0x1c60
 [] ? mark_lock+0xcf/0x800
 [] ? debug_lockdep_rcu_enabled.part.18+0x1a/0x30
 [] ? native_sched_clock+0x66/0x160
 [] ? copy_page_range+0xec0/0xec0
 [] ? ___might_sleep.part.86+0x1de/0x2c0
 [] ? vmacache_find+0xed/0x140
 [] __do_page_fault+0x1d2/0x5a0
 [] ? SyS_shmget+0x100/0x100
 [] do_page_fault+0x20/0x70
 [] ? native_iret+0x7/0x7
 [] page_fault+0x1f/0x30
 [] ? SyS_shmget+0x100/0x100
 [] ? copy_user_enhanced_fast_string+0x2/0x10
 [] ? shmctl_nolock.constprop.24+0x5ff/0x690
 [] ? shmctl_nolock.constprop.24+0x2c7/0x690
 [] ? debug_check_no_locks_freed+0x1b0/0x1b0
 [] ? newseg+0x5e0/0x5e0
 [] ? debug_smp_processor_id+0x17/0x20
 [] ? preempt_count_sub+0xb9/0x130
 [] ? SyS_shmget+0x100/0x100
 [] SyS_shmctl+0x342/0x490
 [] do_syscall_64+0xf4/0x240
 [] entry_SYSCALL64_slow_path+0x25/0x25
---[ end trace 638c142c3cb9ddb1 ]---
==================================================================
BUG: KASAN: stack-out-of-bounds in do_raw_spin_trylock+0x14/0x70 at addr ffff8803ee067ba0
Read of size 4 by task trinity-c30/28919
page:ffffea000fb819c0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x8000000000000000()
page dumped because: kasan: bad access detected
CPU: 2 PID: 28919 Comm: trinity-c30 Tainted: G W 4.5.0-think+ #6
 ffff8803e4b678b0 000000001ded0b05 ffff8803e4b676a0 ffffffffba575c0b
 ffff8803e4b67738 ffff8803ee067ba0 ffff8803e4b67728 ffffffffba308cb3
 0000000000000003 dffffc0000000000 0000000000000082 0000000000000001
Call Trace:
 [] dump_stack+0x68/0x9d
 [] kasan_report_error+0x503/0x530
 [] ? _raw_spin_unlock_irq+0x32/0x50
 [] ? preempt_count_sub+0x1a/0x130
 [] kasan_report+0x58/0x60
 [] ? do_raw_spin_trylock+0x14/0x70
 [] __asan_load4+0x6a/0x70
 [] do_raw_spin_trylock+0x14/0x70
 [] _raw_spin_lock_irqsave+0x54/0x90
 [] ? finish_wait+0x68/0xc0
 [] finish_wait+0x68/0xc0
 [] shmem_fault+0x323/0x390
 [] ? shmem_file_splice_read+0x720/0x720
 [] ? prepare_to_wait_event+0x200/0x200
 [] ? debug_lockdep_rcu_enabled+0x35/0x40
 [] ? mark_lock+0xcf/0x800
 [] __do_fault+0x138/0x2e0
 [] ? wp_page_copy.isra.79+0x850/0x850
 [] handle_mm_fault+0x42b/0x2400
 [] ? __lock_acquire+0x8b8/0x1c60
 [] ? mark_lock+0xcf/0x800
 [] ? debug_lockdep_rcu_enabled.part.18+0x1a/0x30
 [] ? native_sched_clock+0x66/0x160
 [] ? copy_page_range+0xec0/0xec0
 [] ? ___might_sleep.part.86+0x1de/0x2c0
 [] ? vmacache_find+0xed/0x140
 [] __do_page_fault+0x1d2/0x5a0
 [] ? SyS_shmget+0x100/0x100
 [] do_page_fault+0x20/0x70
 [] ? native_iret+0x7/0x7
 [] page_fault+0x1f/0x30
 [] ? SyS_shmget+0x100/0x100
 [] ? copy_user_enhanced_fast_string+0x2/0x10
 [] ? shmctl_nolock.constprop.24+0x5ff/0x690
 [] ? shmctl_nolock.constprop.24+0x2c7/0x690
 [] ? debug_check_no_locks_freed+0x1b0/0x1b0
 [] ? newseg+0x5e0/0x5e0
 [] ? debug_smp_processor_id+0x17/0x20
 [] ? preempt_count_sub+0xb9/0x130
 [] ? SyS_shmget+0x100/0x100
 [] SyS_shmctl+0x342/0x490
 [] do_syscall_64+0xf4/0x240
 [] entry_SYSCALL64_slow_path+0x25/0x25
Memory state around the buggy address:
 ffff8803ee067a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8803ee067b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8803ee067b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                               ^
 ffff8803ee067c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8803ee067c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
------------[ cut here ]------------
WARNING: CPU: 2 PID: 28919 at lib/list_debug.c:59 __list_del_entry+0xdc/0x100
list_del corruption. prev->next should be ffff8803e4b678a8, but was 0000000041b58ab3
CPU: 2 PID: 28919 Comm: trinity-c30 Tainted: G B W 4.5.0-think+ #6
 ffffffffba5a743c 000000001ded0b05 ffff8803e4b67690 ffffffffba575c0b
 ffff8803e4b67708 0000000000000000 ffff8803e4b676d8 ffffffffba0b3eb1
 ffff88045fbe37c0 0000003bba308c0c ffffed007c96cedd ffff8803ee067be8
Call Trace:
 [] ? __list_del_entry+0xdc/0x100
 [] dump_stack+0x68/0x9d
 [] __warn+0x111/0x130
 [] warn_slowpath_fmt+0xb4/0xf0
 [] ? __warn+0x130/0x130
 [] ? delay_tsc+0x94/0xc0
 [] ? finish_wait+0x68/0xc0
 [] __list_del_entry+0xdc/0x100
 [] finish_wait+0x73/0xc0
 [] shmem_fault+0x323/0x390
 [] ? shmem_file_splice_read+0x720/0x720
 [] ? prepare_to_wait_event+0x200/0x200
 [] ? debug_lockdep_rcu_enabled+0x35/0x40
 [] ? mark_lock+0xcf/0x800
 [] __do_fault+0x138/0x2e0
 [] ? wp_page_copy.isra.79+0x850/0x850
 [] handle_mm_fault+0x42b/0x2400
 [] ? __lock_acquire+0x8b8/0x1c60
 [] ? mark_lock+0xcf/0x800
 [] ? debug_lockdep_rcu_enabled.part.18+0x1a/0x30
 [] ? native_sched_clock+0x66/0x160
 [] ? copy_page_range+0xec0/0xec0
 [] ? ___might_sleep.part.86+0x1de/0x2c0
 [] ? vmacache_find+0xed/0x140
 [] __do_page_fault+0x1d2/0x5a0
 [] ? SyS_shmget+0x100/0x100
 [] do_page_fault+0x20/0x70
 [] ? native_iret+0x7/0x7
 [] page_fault+0x1f/0x30
 [] ? SyS_shmget+0x100/0x100
 [] ? copy_user_enhanced_fast_string+0x2/0x10
 [] ? shmctl_nolock.constprop.24+0x5ff/0x690
 [] ? shmctl_nolock.constprop.24+0x2c7/0x690
 [] ? debug_check_no_locks_freed+0x1b0/0x1b0
 [] ? newseg+0x5e0/0x5e0
 [] ? debug_smp_processor_id+0x17/0x20
 [] ? preempt_count_sub+0xb9/0x130
 [] ? SyS_shmget+0x100/0x100
 [] SyS_shmctl+0x342/0x490
 [] do_syscall_64+0xf4/0x240
 [] entry_SYSCALL64_slow_path+0x25/0x25
---[ end trace 638c142c3cb9ddb2 ]---