Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp3065483img; Mon, 25 Mar 2019 03:05:29 -0700 (PDT) X-Google-Smtp-Source: APXvYqzpsWohCHgqmZwy2j2Q/SROEtQxUlRtUqLc5PX39BXuVtFLMFcb53ngLtfrWYJuzlhE76hF X-Received: by 2002:a65:614f:: with SMTP id o15mr22309870pgv.383.1553508329083; Mon, 25 Mar 2019 03:05:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553508329; cv=none; d=google.com; s=arc-20160816; b=cdSPvVUZcCQY9zhWIvbmTRkD4tM/qg9cU7EW6sIubVq/Ip1LGtLolHwrrkN4ikjOt/ Wt3x7YEGpqGhJkqjIpyowAKju4wYe02hAOOf0Oi3K8GubQ6RR2Bb6wYAwwSpW9ThGnTT GX3+C251LU3Y1Q+9Xfa1bwEa/0xk2Y9lYd3HllbjDbFhBZJjSaQeBQEbqKkh9eZVeJvW vl+Z9YvDTcu3Q9GQlUXwecqo8o/R/IVZQLqWTZ+Xz+uXVnnnG0fYSpiJz2GhdyR/CLH9 hHq6KRjdiDcr9vAzR/nxaMk/RvRld1IC36GDNnA4KonNViHf2bO5ZvcL/cXiBXHaWQ4L qBEA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language:in-reply-to:mime-version :user-agent:date:message-id:from:references:cc:to:subject; bh=H/TXXkpMF4fv6EzUiHz0Hdoa9suBA7BKlJSHnpen/vI=; b=vOOnkn21xoXiLPcBcHt7XKQTvOXpC1w8lxgJnf+GD8UZ72Mg49XLCMUEPbEBCdXDWS uE5pQKRpd3g3nN+wtJN7afK8JnQ8zEnDiIGA1exsHAgcD6BFJp811FoKs26Zgx/1RTnx 5PiqLa9qTJ/o/TX/XBwTF6rMblrk25rAKFe9IgoOpeyjFaYSWbftzJ/oB3jegv8BiQsa HABnQu/PNeex3sYJgmERC0uX6jxc2Sd4Sz6OGh78V4pSNWFqmyPcuqSjwrI+2Jl6VHJG o6o2qkcJzwndj85Bw7qd6NxUeDEU7HQER+lBH/D4gRqGJ5H4w67MwQFZwPiZZBjUFu2Q mrlA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f59si14113867plf.158.2019.03.25.03.05.14; Mon, 25 Mar 2019 03:05:29 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730500AbfCYKDN (ORCPT + 99 others); Mon, 25 Mar 2019 06:03:13 -0400 Received: from mail-sz.amlogic.com ([211.162.65.117]:27672 "EHLO mail-sz.amlogic.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730250AbfCYKDN (ORCPT ); Mon, 25 Mar 2019 06:03:13 -0400 Received: from [10.28.18.125] (10.28.18.125) by mail-sz.amlogic.com (10.28.11.5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1591.10; Mon, 25 Mar 2019 18:04:17 +0800 Subject: Re: 32-bit Amlogic (ARM) SoC: kernel BUG in kfree() To: Martin Blumenstingl , Matthew Wilcox CC: , , , , , , , , References: <20190321214401.GC19508@bombadil.infradead.org> From: Liang Yang Message-ID: <5cad2529-8776-687e-58d0-4fb9e2ec59b1@amlogic.com> Date: Mon, 25 Mar 2019 18:04:17 +0800 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Thunderbird/60.5.3 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/mixed; boundary="------------65F66B8BEFB8B57F8555B6FE" Content-Language: en-US X-Originating-IP: [10.28.18.125] X-ClientProxiedBy: mail-sz.amlogic.com (10.28.11.5) To mail-sz.amlogic.com (10.28.11.5) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --------------65F66B8BEFB8B57F8555B6FE Content-Type: text/plain; charset="utf-8"; format=flowed Content-Transfer-Encoding: 7bit Hi Martin, On 2019/3/23 5:07, Martin Blumenstingl wrote: > Hi Matthew, > > On Thu, Mar 21, 2019 at 10:44 PM Matthew Wilcox wrote: >> >> On Thu, Mar 21, 2019 at 09:17:34PM +0100, Martin Blumenstingl wrote: >>> Hello, >>> >>> I am experiencing the following crash: >>> ------------[ cut here ]------------ >>> kernel BUG at mm/slub.c:3950! >> >> if (unlikely(!PageSlab(page))) { >> BUG_ON(!PageCompound(page)); >> >> You called kfree() on the address of a page which wasn't allocated by slab. >> >>> I have traced this crash to the kfree() in meson_nfc_read_buf(). >>> my observation is as follows: >>> - meson_nfc_read_buf() is called 7 times without any crash, the >>> kzalloc() call returns 0xe9e6c600 (virtual address) / 0x29e6c600 >>> (physical address) >>> - the eight time meson_nfc_read_buf() is called kzalloc() call returns >>> 0xee39a38b (virtual address) / 0x2e39a38b (physical address) and the >>> final kfree() crashes >>> - changing the size in the kzalloc() call from PER_INFO_BYTE (= 8) to >>> PAGE_SIZE works around that crash >> >> I suspect you're doing something which corrupts memory. Overrunning >> the end of your allocation or something similar. Have you tried KASAN >> or even the various slab debugging (eg redzones)? > KASAN is not available on 32-bit ARM. there was some progress last > year [0] but it didn't make it into mainline. I tried to make the > patches apply again and got it to compile (and my kernel is still > booting) but I have no idea if it's still working. for anyone > interested, my patches are here: [1] (I consider this a HACK because I > don't know anything about the code which is being touched in the > patches, I only made it compile) > > SLAB debugging (redzones) were a great hint, thank you very much for > that Matthew! I enabled: > CONFIG_SLUB_DEBUG=y > CONFIG_SLUB_DEBUG_ON=y > and with that I now get "BUG kmalloc-64 (Not tainted): Redzone > overwritten" (a larger kernel log extract is attached). > > I'm starting to wonder if the NAND controller (hardware) writes more > than 8 bytes. > some context: the "info" buffer allocated in meson_nfc_read_buf is > then passed to the NAND controller IP (after using dma_map_single). > > Liang, how does the NAND controller know that it only has to send > PER_INFO_BYTE (= 8) bytes when called from meson_nfc_read_buf? all > other callers of meson_nfc_dma_buffer_setup (which passes the info > buffer to the hardware) are using (nand->ecc.steps * PER_INFO_BYTE) > bytes? > NFC_CMD_N2M and CMDRWGEN are different commands. CMDRWGEN needs to set the ecc page size (1KB or 512B) and Pages(2, 4, 8, ...), so PER_INFO_BYTE(= 8) bytes for each ecc page. I have never used NFC_CMD_N2M to transfer data before, because it is very low efficient. And I do a experiment with the attachment and find on overwritten on my meson axg platform. Martin, I would appreciate it very much if you would try the attachment on your meson m8b platform. > > Regards > Martin > > > [0] https://lore.kernel.org/patchwork/cover/913212/ > [1] https://github.com/xdarklight/linux/tree/arm-kasan-hack-v5.1-rc1 > --------------65F66B8BEFB8B57F8555B6FE Content-Type: text/plain; charset="UTF-8"; name="nand_debug.diff" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="nand_debug.diff" ZGlmZiAtLWdpdCBhL2RyaXZlcnMvbXRkL25hbmQvcmF3L21lc29uX25hbmQuYyBiL2RyaXZl cnMvbXRkL25hbmQvcmF3L21lc29uX25hbmQuYwpvbGQgbW9kZSAxMDA2NDQKbmV3IG1vZGUg MTAwNzU1CmluZGV4IGU4NThkNTguLjkwNWVmMzkKLS0tIGEvZHJpdmVycy9tdGQvbmFuZC9y YXcvbWVzb25fbmFuZC5jCisrKyBiL2RyaXZlcnMvbXRkL25hbmQvcmF3L21lc29uX25hbmQu YwpAQCAtNTI3LDExICs1MjcsMTIgQEAgc3RhdGljIHZvaWQgbWVzb25fbmZjX2RtYV9idWZm ZXJfcmVsZWFzZShzdHJ1Y3QgbmFuZF9jaGlwICpuYW5kLAogc3RhdGljIGludCBtZXNvbl9u ZmNfcmVhZF9idWYoc3RydWN0IG5hbmRfY2hpcCAqbmFuZCwgdTggKmJ1ZiwgaW50IGxlbikK IHsKIAlzdHJ1Y3QgbWVzb25fbmZjICpuZmMgPSBuYW5kX2dldF9jb250cm9sbGVyX2RhdGEo bmFuZCk7Ci0JaW50IHJldCA9IDA7CisJaW50IHJldCA9IDAsIGk7CiAJdTMyIGNtZDsKIAl1 OCAqaW5mbzsKIAotCWluZm8gPSBremFsbG9jKFBFUl9JTkZPX0JZVEUsIEdGUF9LRVJORUwp OworCWluZm8gPSBremFsbG9jKDIgKiBQRVJfSU5GT19CWVRFLCBHRlBfS0VSTkVMKTsKKwlt ZW1zZXQoaW5mbywgMHhGRCwgMiAqIFBFUl9JTkZPX0JZVEUpOwogCXJldCA9IG1lc29uX25m Y19kbWFfYnVmZmVyX3NldHVwKG5hbmQsIGJ1ZiwgbGVuLCBpbmZvLAogCQkJCQkgUEVSX0lO Rk9fQllURSwgRE1BX0ZST01fREVWSUNFKTsKIAlpZiAocmV0KQpAQCAtNTQzLDYgKzU0NCwx MiBAQCBzdGF0aWMgaW50IG1lc29uX25mY19yZWFkX2J1ZihzdHJ1Y3QgbmFuZF9jaGlwICpu YW5kLCB1OCAqYnVmLCBpbnQgbGVuKQogCW1lc29uX25mY19kcmFpbl9jbWQobmZjKTsKIAlt ZXNvbl9uZmNfd2FpdF9jbWRfZmluaXNoKG5mYywgMTAwMCk7CiAJbWVzb25fbmZjX2RtYV9i dWZmZXJfcmVsZWFzZShuYW5kLCBsZW4sIFBFUl9JTkZPX0JZVEUsIERNQV9GUk9NX0RFVklD RSk7CisKKwlmb3IgKGkgPSAwOyBpIDwgMiAqIFBFUl9JTkZPX0JZVEU7IGkrKyl7CisJCXBy aW50aygiMHgleCAiLCBpbmZvW2ldKTsNCisJfQorCXByaW50aygiXG4iKTsKKwogCWtmcmVl KGluZm8pOwogCiAJcmV0dXJuIHJldDsK --------------65F66B8BEFB8B57F8555B6FE--