[request for stable inclusion] mm/hugetlb: check for pte NULL pointer in __page_check_address()

Hi Greg,

Please queue this commit for 3.0+

98398c32f6687ee1e1f3ae084effb4b75adb0747
mm/hugetlb: check for pte NULL pointer in __page_check_address()

I should have added the stable tag when I sent the patch. I didn't
manage to trigger the bug, but now I've found a reliable way to
reproduce it:

1. process 1 mmap()s a hugetlb file, then sleeps.
2. process 2 mmap()s the same hugetlb file, memsets the returned address, then sleeps.
3. soft offline the hugetlb page, and the kernel crashes:

[  179.167579] BUG: unable to handle kernel paging request at ffffeba400000030
[  179.174530] IP: [<ffffffff814e2829>] _raw_spin_lock+0x9/0x30
[  179.180180] PGD 0 
[  179.182189] Oops: 0002 [#1] SMP 
[  179.185418] Modules linked in: lp ppdev parport_pc parport joydev st sr_mod ide_gd_mod ide_cd_mod cdrom binfmt_misc cpufreq_conservative cpufreq_userspace cpufreq_powersave microcode fuse loop dm_mod igb dca i2c_algo_bit iTCO_wdt iTCO_vendor_support ptp lpc_ich pps_core hid_generic bnx2 serio_raw sg ehci_pci pcspkr mfd_core rtc_cmos i7core_edac mptctl edac_core button i2c_i801 acpi_cpufreq i2c_core usbhid hid uhci_hcd ehci_hcd usbcore sd_mod usb_common crc_t10dif crct10dif_common scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_dh_hp_sw scsi_dh edd ext3 mbcache jbd fan ide_pci_generic ide_core ata_generic ata_piix libata thermal processor thermal_sys hwmon mptsas mptscsih mptbase scsi_transport_sas scsi_mod
[  179.247994] CPU: 3 PID: 4893 Comm: bash Not tainted 3.13.0-rc4+ #58
[  179.254232] Hardware name: Huawei Technologies Co., Ltd. Tecal RH2285          /BC11BTSA              , BIOS CTSAV036 04/27/2011
[  179.265743] task: ffff880c21084450 ti: ffff880c26186000 task.ti: ffff880c26186000
[  179.273190] RIP: 0010:[<ffffffff814e2829>]  [<ffffffff814e2829>] _raw_spin_lock+0x9/0x30
[  179.281256] RSP: 0018:ffff880c26187ba8  EFLAGS: 00010206
[  179.286541] RAX: 0000000000010000 RBX: 0000000000000000 RCX: 0000000000000009
[  179.293642] RDX: ffffea0000000000 RSI: ffffffff81e7a1f8 RDI: ffffeba400000030
[  179.300743] RBP: ffff880c26187ba8 R08: 0000000000001000 R09: 0000000000000006
[  179.307845] R10: 0000000000000461 R11: 0000000000000006 R12: ffffeba400000030
[  179.314945] R13: ffffea00156c1000 R14: 0000000000000000 R15: ffff880c26187c28
[  179.322047] FS:  00007f96b110d700(0000) GS:ffff88063fc60000(0000) knlGS:0000000000000000
[  179.330101] CS:  0010 DS: 0000 ES: 0000 CR0: 00002677f000 CR4: 00000000000007e0
[  179.342920] Stack:
[  179.344919]  ffff880c26187be8 ffffffff81156bee ffffffff81d42682 00002aaaaae00000
[  179.352319]  ffff880627304150 ffff88062366c040 ffffea00156c1000 ffffea00156c1018
[  179.359718]  ffff880c26187c58 ffffffff81156cf1 ffffea0000c32000 0000000000000000
[  179.367122] Call Trace:
[  179.369559]  [<ffffffff81156bee>] __page_check_address+0xce/0x1a0
[  179.375625]  [<ffffffff81156cf1>] try_to_unmap_one+0x31/0x450
[  179.381345]  [<ffffffff814de1d1>] ? printk+0x54/0x78
[  179.386287]  [<ffffffff81157ebe>] try_to_unmap_file+0xce/0x2c0
[  179.392094]  [<ffffffff81158155>] try_to_unmap+0x55/0x70
[  179.397382]  [<ffffffff811780fd>] unmap_and_move_huge_page+0xcd/0x1c0
[  179.403794]  [<ffffffff8112a9f0>] ? page_alloc_cpu_notify+0x50/0x50
[  179.410034]  [<ffffffff8117869e>] migrate_pages+0x9e/0x210
[  179.415494]  [<ffffffff8117dab0>] ? soft_offline_huge_page+0x1f0/0x1f0
[  179.421992]  [<ffffffff8117d979>] soft_offline_huge_page+0xb9/0x1f0
[  179.428229]  [<ffffffff8117ec13>] soft_offline_page+0x133/0x250
[  179.434124]  [<ffffffff813935f8>] store_soft_offline_page+0xb8/0xd0
[  179.440363]  [<ffffffff8137b9ab>] dev_attr_store+0x1b/0x20
[  179.445825]  [<ffffffff811f6345>] flush_write_buffer+0x85/0x100
[  179.451717]  [<ffffffff811f6d27>] sysfs_write_file+0xf7/0x110
[  179.457438]  [<ffffffff811844b7>] vfs_write+0xc7/0x1e0
[  179.462553]  [<ffffffff811846ed>] SyS_write+0x5d/0xa0
[  179.467583]  [<ffffffff814ea962>] system_call_fastpath+0x16/0x1b
[  179.473561] Code: 00 00 8d 91 00 00 01 00 89 c8 f0 0f b1 17 39 c1 ba 01 00 00 00 75 db 89 d0 c9 c3 0f 1f 80 00 00 00 00 55 48 89 e5 b8 00 00 01 00 <f0> 0f c1 07 89 c2 c1 ea 10 66 39 d0 75 0b eb 11 0f 1f 80 00 00 
[  179.493000] RIP  [<ffffffff814e2829>] _raw_spin_lock+0x9/0x30
[  179.498729]  RSP <ffff880c26187ba8>
[  179.502198] CR2: ffffeba400000030
[  179.505497] ---[ end trace 09e8ee8dfcf9bacf ]---
[  179.510090] Kernel panic - not syncing: Fatal exception

Thanks,
Jianguo Wu
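As an added triage example (not part of Jianguo Wu's mail or of the kernel tree): a small Python parser that pulls the fields an incident responder needs out of an oops like the one above (faulting address, faulting symbol, task, kernel version, real call-trace frames) and checks whether the trace carries the hugetlb soft-offline signature, so crashes of this shape can be picked out of collected kernel logs on hosts that have not yet received the backport. The first sample is an excerpt of the oops quoted above; the second, non-matching oops and the symbol names in it are constructed for the example.

```python
import re

# Excerpt of the oops from the mail above (lines the parser uses).
SAMPLE_OOPS = """\
[  179.167579] BUG: unable to handle kernel paging request at ffffeba400000030
[  179.174530] IP: [<ffffffff814e2829>] _raw_spin_lock+0x9/0x30
[  179.182189] Oops: 0002 [#1] SMP
[  179.247994] CPU: 3 PID: 4893 Comm: bash Not tainted 3.13.0-rc4+ #58
[  179.367122] Call Trace:
[  179.369559]  [<ffffffff81156bee>] __page_check_address+0xce/0x1a0
[  179.375625]  [<ffffffff81156cf1>] try_to_unmap_one+0x31/0x450
[  179.381345]  [<ffffffff814de1d1>] ? printk+0x54/0x78
[  179.386287]  [<ffffffff81157ebe>] try_to_unmap_file+0xce/0x2c0
[  179.392094]  [<ffffffff81158155>] try_to_unmap+0x55/0x70
[  179.397382]  [<ffffffff811780fd>] unmap_and_move_huge_page+0xcd/0x1c0
[  179.410034]  [<ffffffff8117869e>] migrate_pages+0x9e/0x210
[  179.421992]  [<ffffffff8117d979>] soft_offline_huge_page+0xb9/0x1f0
[  179.428229]  [<ffffffff8117ec13>] soft_offline_page+0x133/0x250
[  179.434124]  [<ffffffff813935f8>] store_soft_offline_page+0xb8/0xd0
[  179.473561] Code: 00 00 8d 91 00 00 01 00 89 c8 f0 0f b1 17 39 c1
[  179.502198] CR2: ffffeba400000030
[  179.505497] ---[ end trace 09e8ee8dfcf9bacf ]---
"""

# Constructed, unrelated oops used as a negative case (symbols are made up).
OTHER_OOPS = """\
[   12.000000] BUG: unable to handle kernel paging request at 0000000000000008
[   12.000001] IP: [<ffffffff81000000>] some_driver_fn+0x10/0x40
[   12.000002] CPU: 0 PID: 42 Comm: cat Not tainted 3.13.0-rc4+ #1
[   12.000003] Call Trace:
[   12.000004]  [<ffffffff81000001>] some_driver_fn+0x10/0x40
[   12.000005]  [<ffffffff81000002>] vfs_write+0xc7/0x1e0
[   12.000006] CR2: 0000000000000008
"""

TS = r"^\[\s*[\d.]+\]\s*"                       # printk timestamp prefix
BUG_RE = re.compile(TS + r"BUG: unable to handle kernel paging request at ([0-9a-f]+)")
IP_RE = re.compile(TS + r"IP: \[<[0-9a-f]+>\] (\S+)")
VERSION_RE = re.compile(TS + r"CPU: \d+ PID: \d+ Comm: (\S+) .* (\d+\.\d+\.\d+\S*) #\d+")
CR2_RE = re.compile(TS + r"CR2: ([0-9a-f]+)")
TRACE_RE = re.compile(TS + r"Call Trace:")
FRAME_RE = re.compile(TS + r"\[<[0-9a-f]+>\] (\?\s+)?(\S+)")

# Frames, innermost first, that characterise the crash reported in the mail:
# a NULL pte handed to the lock code while soft-offlining a hugetlb page.
SIGNATURE = ("__page_check_address", "try_to_unmap_one",
             "unmap_and_move_huge_page", "soft_offline_huge_page")


def parse_oops(text):
    """Extract the triage fields from an x86 kernel oops; frames keep only the symbol."""
    info = {"fault_addr": None, "ip_symbol": None, "cr2": None,
            "comm": None, "kernel": None, "call_trace": []}
    in_trace = False
    for line in text.splitlines():
        if (m := BUG_RE.match(line)):
            info["fault_addr"] = int(m.group(1), 16)
        elif (m := IP_RE.match(line)):
            info["ip_symbol"] = m.group(1)
        elif (m := VERSION_RE.match(line)):
            info["comm"], info["kernel"] = m.group(1), m.group(2)
        elif (m := CR2_RE.match(line)):
            info["cr2"] = int(m.group(1), 16)
        elif TRACE_RE.match(line):
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            # A leading '?' marks a stale stack slot, not a real caller; drop it.
            if not m.group(1):
                info["call_trace"].append(m.group(2).split("+")[0])
        elif in_trace:
            in_trace = False  # first non-frame line ends the call trace
    return info


def matches_hugetlb_soft_offline_crash(info):
    """True when the call trace contains SIGNATURE in order and the fault was taken in the spinlock code."""
    pos = 0
    for frame in info["call_trace"]:
        if pos < len(SIGNATURE) and frame == SIGNATURE[pos]:
            pos += 1
    in_order = pos == len(SIGNATURE)
    in_lock = (info["ip_symbol"] or "").startswith("_raw_spin_lock")
    # CR2 and the BUG line report the same address when the oops is intact.
    consistent = info["cr2"] is not None and info["cr2"] == info["fault_addr"]
    return in_order and in_lock and consistent


if __name__ == "__main__":
    for name, text in (("mail oops", SAMPLE_OOPS), ("other oops", OTHER_OOPS)):
        i = parse_oops(text)
        print(name, i["kernel"], i["comm"], hex(i["fault_addr"]),
              "hugetlb soft-offline signature:", matches_hugetlb_soft_offline_crash(i))
```

The signature check deliberately ignores the `?` frames and the outer sysfs/syscall frames, which vary between kernels, and keys on the inner migration path plus the fault inside `_raw_spin_lock`, which is what the missing NULL check produces.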
