Reading /sys/kernel/debug/shrinker always triggers kernel panic
Reported by gs0...@gmail.com, Mar 7 2016
Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36

Platform: Lulu

Steps to reproduce the problem:
1. login into shell w/ root account
2. cat /sys/kernel/debug/shrinker or grep -rsI "hello" /sys/kernel/debug/shrinker

What is the expected behavior?
no kernel panic

What went wrong?
it always triggers a kernel panic as:

<1>[ 504.055389] BUG: unable to handle kernel paging request at ffff881f6815a684
<1>[ 504.055416] IP: [<ffffffffb9479ee6>] do_raw_spin_lock+0xe/0x10b
<5>[ 504.055443] PGD 3a0e9067 PUD 0
<5>[ 504.055458] Oops: 0000 [#1] PREEMPT SMP
<0>[ 504.058071] gsmi: Log Shutdown Reason 0x03
<5>[ 504.058085] Modules linked in: ctr ccm uinput i2c_dev x86_pkg_temp_thermal iwlmvm iwl7000_mac80211 rfcomm snd_hda_codec_hdmi aesni_intel memc_x86 aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd snd_hda_codec_realtek snd_hda_codec_generic iwlwifi cros_ec_accel kfifo_buf iio_trig_sysfs industrialio snd_hda_intel snd_hda_controller snd_hda_codec snd_hwdep snd_soc_sst_acpi zram fuse cfg80211 nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables btusb btbcm btintel bluetooth uvcvideo videobuf2_vmalloc joydev snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device ppp_async ppp_generic slhc tun
<5>[ 504.058306] CPU: 3 PID: 12321 Comm: cat Not tainted 3.14.0 #1
<5>[ 504.058321] Hardware name: GOOGLE Lulu, BIOS Google_Lulu.6301.134.2015_05_15_1617 05/15/2015
<5>[ 504.058341] task: ffff880062ebcec0 ti: ffff880162c10000 task.ti: ffff880162c10000
<5>[ 504.058357] RIP: 0010:[<ffffffffb9479ee6>] [<ffffffffb9479ee6>] do_raw_spin_lock+0xe/0x10b
<5>[ 504.058381] RSP: 0018:ffff880162c11dc8 EFLAGS: 00010282
<5>[ 504.058395] RAX: 0000000000000000 RBX: ffff881f6815a680 RCX: 000000000000b0af
<5>[ 504.058411] RDX: 0000000000000001 RSI: 0000000077b85540 RDI: ffff881f6815a680
<5>[ 504.058426] RBP: ffff880162c11de0 R08: 0000000000000001 R09: 0000000000000000
<5>[ 504.058442] R10: 0000000000000022 R11: ffffffffb9a00300 R12: ffff88017a088000
<5>[ 504.058458] R13: ffff88017a088410 R14: ffff880077f033c0 R15: ffff880162c11e58
<5>[ 504.058475] FS: 00007fe23320b700(0000) GS:ffff88017ed80000(0000) knlGS:0000000000000000
<5>[ 504.058493] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<5>[ 504.058506] CR2: ffff881f6815a684 CR3: 0000000162c39000 CR4: 00000000003407e0
<5>[ 504.058521] Stack:
<5>[ 504.058528] ffff881f6815a680 ffff88017a088000 ffff88017a088410 ffff880162c11df0
<5>[ 504.058551] ffffffffb999f33e ffff880162c11e10 ffffffffb94f2755 0000000000000000
<5>[ 504.058574] ffff88017a088000 ffff880162c11e48 ffffffffb9513d17 ffff88017a088410
<5>[ 504.058598] Call Trace:
<5>[ 504.058614] [<ffffffffb999f33e>] _raw_spin_lock+0x16/0x18
<5>[ 504.058632] [<ffffffffb94f2755>] list_lru_count_node+0x1e/0x5a
<5>[ 504.058649] [<ffffffffb9513d17>] super_cache_count+0x5e/0xb4
<5>[ 504.058667] [<ffffffffb94e2206>] debug_shrinker_show+0x5d/0xa9
<5>[ 504.058687] [<ffffffffb952da2a>] seq_read+0x16a/0x33c
<5>[ 504.058705] [<ffffffffb9510fc8>] vfs_read+0x97/0xbb
<5>[ 504.058722] [<ffffffffb95116d7>] SyS_read+0x5f/0xa3
<5>[ 504.058739] [<ffffffffb99a03dc>] system_call_fastpath+0x20/0x25
<5>[ 504.058752] Code: 00 00 48 81 c1 78 05 00 00 65 8b 14 25 1c a0 00 00 e8 92 09 52 00 e8 63 12 52 00 c9 c3 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 <81> 7f 04 ad 4e ad de 48 89 fb 74 0c 48 c7 c6 36 63 b6 b9 e8 4a
<1>[ 504.058918] RIP [<ffffffffb9479ee6>] do_raw_spin_lock+0xe/0x10b
<5>[ 504.058937] RSP <ffff880162c11dc8>
<5>[ 504.058946] CR2: ffff881f6815a684
<4>[ 504.058958] ---[ end trace 769eac1a8b2f7a7c ]---

Did this work before? N/A

Chrome version: 49.0.2623.75
Channel: dev
OS Version: R51-8025
Flash Version: Shockwave Flash 20.0 r0

I suspect it affects other platforms. I did experiments
Mar 14 2016
Mar 16 2016
looks like you got a +2 in your CL, feel free to commit the change.
Mar 17 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/776351b11bb07ff3891b82f433707c064eddf7fa

commit 776351b11bb07ff3891b82f433707c064eddf7fa
Author: Harry Pan <harry.pan@intel.com>
Date:   Mon Mar 14 02:54:11 2016

    CHROMIUM: kernel panic when reading /sys/kernel/debug/shrinker

    This patch fixes the 'shrinker' debugfs node, which came from commit
    f68c7efeccb1 ("mm: vmscan: Add a debug file for shrinkers"); no similar
    functionality is in the upstream kernel.

    The fault reason is that sc->nid is not properly initialized: it uses a
    random value from the stack, which then causes an invalid index in the
    list_lru_count_node() function.

    BUG=chromium:592567, chrome-os-partner:49409
    TEST=sudo cat /sys/kernel/debug/shrinker

    Change-Id: Ifd48ee966da62a6e9fef29763c81e10d151a10a3
    Signed-off-by: Harry Pan <harry.pan@intel.com>
    Reviewed-on: https://chromium-review.googlesource.com/332527
    Reviewed-by: Aaron Durbin <adurbin@chromium.org>
    Reviewed-by: Benson Leung <bleung@chromium.org>

[modify] https://crrev.com/776351b11bb07ff3891b82f433707c064eddf7fa/mm/vmscan.c
Jul 21 2016
Sep 13 2016
This fixes chromeos-3.14, kindly review.
https://chromium-review.googlesource.com/#/c/384340/
Sep 14 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/7e32418f0bcf41a2eacea3b0434fee274f3ac07c

commit 7e32418f0bcf41a2eacea3b0434fee274f3ac07c
Author: Harry Pan <harry.pan@intel.com>
Date:   Mon Mar 14 02:54:11 2016

    CHROMIUM: kernel panic when reading /sys/kernel/debug/shrinker

    This patch fixes the 'shrinker' debugfs node, which came from commit
    d50b2ff1fec2 ("mm: vmscan: Add a debug file for shrinkers"); no similar
    functionality is in the upstream kernel.

    The fault reason is that sc->nid is not properly initialized: it uses a
    random value from the stack, which then causes an invalid index in the
    list_lru_count_node() function.

    BUG=chromium:592567
    TEST=sudo cat /sys/kernel/debug/shrinker

    Change-Id: I1a8b9c98ecdd5676506e3d2973d62a4db7c2c75d
    Signed-off-by: Harry Pan <harry.pan@intel.com>
    Reviewed-on: https://chromium-review.googlesource.com/384340
    Reviewed-by: Aaron Durbin <adurbin@chromium.org>
    Reviewed-by: Benson Leung <bleung@chromium.org>

[modify] https://crrev.com/7e32418f0bcf41a2eacea3b0434fee274f3ac07c/mm/vmscan.c
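A small userspace model of the defect described in the commit messages above and in Comment 1, added here as an illustration; it is not the kernel's code and not the CL's code. It pairs the pre-fix pattern (member-by-member assignment that never writes sc.nid) with the designated-initializer fix, and uses a range check where the kernel's list_lru_count_node() indexes the node table unchecked, so the bad index becomes an observable return value instead of a fault. The struct layouts, the MAX_NUMNODES value, the sample counts and the "stale stack" value are all constructed assumptions.

```c
#include <stdio.h>

/* Constructed: small NUMA node table for the model, not the kernel's value. */
#define MAX_NUMNODES 4

/* Shape of the two structures involved (constructed model, not the kernel's definitions). */
struct shrink_control {
    unsigned int  gfp_mask;
    unsigned long nr_to_scan;
    int           nid;        /* the member debug_shrinker_show() never set */
};

struct list_lru_node { unsigned long nr_items; };
struct list_lru      { struct list_lru_node node[MAX_NUMNODES]; };

/* Constructed sample: 17 cached objects on node 0, 3 on node 1, none elsewhere. */
static const struct list_lru sample_lru = { { { 17 }, { 3 }, { 0 }, { 0 } } };

/*
 * Model of list_lru_count_node(). The kernel does lru->node[nid] with no range
 * check, which is why a stale nid turned into the unmapped address in the oops.
 * The model returns -1 for an out-of-range index so the failure is visible.
 */
static long list_lru_count_node_checked(const struct list_lru *lru, int nid)
{
    if (nid < 0 || nid >= MAX_NUMNODES)
        return -1;                      /* invalid index; the kernel would fault here */
    return (long)lru->node[nid].nr_items;
}

/*
 * Pre-fix pattern: assigning two members leaves sc.nid indeterminate. Reading
 * an uninitialized member is undefined behaviour in C, so the stale stack word
 * is passed in explicitly to stand in for "whatever was left on the stack".
 */
static long count_with_partial_init(const struct list_lru *lru, int stale_stack_word)
{
    struct shrink_control sc;
    sc.nid = stale_stack_word;          /* models the never-written member */
    sc.gfp_mask = -1;
    sc.nr_to_scan = 0;
    return list_lru_count_node_checked(lru, sc.nid);
}

/*
 * Post-fix pattern from the CL: a designated initializer. C guarantees that
 * members not named in the initializer are zero-initialized, so sc.nid == 0
 * and the count is taken for node 0.
 */
static long count_with_designated_init(const struct list_lru *lru)
{
    struct shrink_control sc = {
        .gfp_mask = -1,
        .nr_to_scan = 0,
        /* .nid is implicitly 0 */
    };
    return list_lru_count_node_checked(lru, sc.nid);
}

int main(void)
{
    /* 0x5a5a5a5a is a constructed leftover-stack value, not taken from the oops. */
    printf("partial init, stale nid: %ld\n", count_with_partial_init(&sample_lru, 0x5a5a5a5a));
    printf("designated init:         %ld\n", count_with_designated_init(&sample_lru));
    return 0;
}
```

Compiled with a normal C compiler, the first line prints -1 (the model's stand-in for the invalid index) and the second prints 17, the node-0 count; the same contrast is what the `cat /sys/kernel/debug/shrinker` test in the commit message exercises in-kernel.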
Feb 17 2017
Mar 18 2017
Activating. Please assign to the right owner and the appropriate priority.
Apr 16 2018
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by adurbin@google.com, Mar 10 2016

This looks like sc->nid is not initialized and is just causing an invalid index in list_lru_count_node():

    struct list_lru_node *nlru = &lru->node[nid];

I think this sysfs debug file came in from the android sources. The commit is f68c7efecc, and no similar functionality is in the upstream kernel. This should fix it:

diff --git a/mm/vmscan.c b/mm/vmscan.c index 7cafb28..b119bef 100644 --- a/mm/vmscan.c +++ b/mm/vmscan.c @@ -202,10 +202,10 @@ struct dentry *debug_file; static int debug_shrinker_show(struct seq_file *s, void *unused) { struct shrinker *shrinker; - struct shrink_control sc; - - sc.gfp_mask = -1; - sc.nr_to_scan = 0; + struct shrink_control sc = { + .gfp_mask = -1, + .nr_to_scan = 0, + }; down_read(&shrinker_rwsem); list_for_each_entry(shrinker, &shrinker_list, list) {
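Review bot: The hunk fixes the crash only through implicit zero-initialization of the members omitted from the designated initializer, so the reader has to know that rule to see that `nid` is now set; since this function was oopsing precisely because `nid` was never written, spell the intent out with `.nid = 0,` and a one-line comment in the initializer. It is also worth stating in the commit message that the counts shown are for node 0 only: super_cache_count() passes sc->nid down to list_lru_count_node(), so on a multi-node machine this debug file does not reflect the other nodes. Minor: `.gfp_mask = -1` stores a negative constant into an unsigned gfp_t; if "all flags set" is the intent, an explicit cast or a named mask makes that clear and avoids a sign-conversion warning.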