Kernel Crash on Caroline - BUG: unable to handle kernel NULL pointer dereference
Issue description
58.0.3029.19/9334.13.0 Caroline
Crashes to black screen and reboots.
https://crash.corp.google.com/browse?stbtiq=c30a631660000000

Mar 20 2017
This is a single observation.
It looks like there is maybe a patch for a similar crash that hasn't been merged: https://patchwork.kernel.org/patch/8051251/ I'm not sure if this is the same issue or not though.

Mar 20 2017
Upstream c102f07ca0b0 ("zsmalloc: fix migrate_zspage-zs_free race condition")

Mar 21 2017
Thanks Guenter, it looks like 4.4 has this but 3.18 doesn't -- CL here: https://chromium-review.googlesource.com/457150

Mar 22 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a8c81f7aca71d637e67c38b13f95ab7660a00ae7

commit a8c81f7aca71d637e67c38b13f95ab7660a00ae7
Author: Junil Lee <junil0814.lee@lge.com>
Date:   Wed Mar 22 03:59:54 2017

    UPSTREAM: zsmalloc: fix migrate_zspage-zs_free race condition

    record_obj() in migrate_zspage() does not preserve handle's HANDLE_PIN_BIT,
    set by find_alloced_obj()->trypin_tag(), and implicitly (accidentally)
    un-pins the handle, while migrate_zspage() still performs an explicit
    unpin_tag() on that handle. This additional explicit unpin_tag() introduces
    a race condition with zs_free(), which can pin that handle by this time, so
    the handle becomes un-pinned.

    Schematically, it goes like this:

    CPU0                                        CPU1
    migrate_zspage
      find_alloced_obj
        trypin_tag
          set HANDLE_PIN_BIT                    zs_free()
                                                  pin_tag()
      obj_malloc() -- new object, no tag
      record_obj() -- remove HANDLE_PIN_BIT           set HANDLE_PIN_BIT
      unpin_tag()  -- remove zs_free's HANDLE_PIN_BIT

    The race condition may result in a NULL pointer dereference:

    Unable to handle kernel NULL pointer dereference at virtual address 00000000
    CPU: 0 PID: 19001 Comm: CookieMonsterCl Tainted:
    PC is at get_zspage_mapping+0x0/0x24
    LR is at obj_free.isra.22+0x64/0x128
    Call trace:
      get_zspage_mapping+0x0/0x24
      zs_free+0x88/0x114
      zram_free_page+0x64/0xcc
      zram_slot_free_notify+0x90/0x108
      swap_entry_free+0x278/0x294
      free_swap_and_cache+0x38/0x11c
      unmap_single_vma+0x480/0x5c8
      unmap_vmas+0x44/0x60
      exit_mmap+0x50/0x110
      mmput+0x58/0xe0
      do_exit+0x320/0x8dc
      do_group_exit+0x44/0xa8
      get_signal+0x538/0x580
      do_signal+0x98/0x4b8
      do_notify_resume+0x14/0x5c

    This patch keeps the lock bit in the migration path and updates the value
    atomically.

    BUG=chromium:703196
    TEST=build/boot on caroline

    Signed-off-by: Junil Lee <junil0814.lee@lge.com>
    Signed-off-by: Minchan Kim <minchan@kernel.org>
    Acked-by: Vlastimil Babka <vbabka@suse.cz>
    Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
    Cc: <stable@vger.kernel.org> [4.1+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    (cherry picked from commit c102f07ca0b04f2cb49cfc161c83f6239d17f491)
    Signed-off-by: Sonny Rao <sonnyrao@chromium.org>
    Change-Id: Ibf8c8d03e1f994c42ff341912f3d69aac21d2345
    Reviewed-on: https://chromium-review.googlesource.com/457150
    Commit-Ready: Sonny Rao <sonnyrao@chromium.org>
    Tested-by: Sonny Rao <sonnyrao@chromium.org>
    Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/a8c81f7aca71d637e67c38b13f95ab7660a00ae7/mm/zsmalloc.c
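The pin-bit race the commit message describes, replayed step by step as an added C illustration. This is neither the kernel's code nor the patch: the one-word handle, trypin_tag/unpin_tag and the two record_obj variants are simplified stand-ins (hypothetical names borrowed from the commit message), the object values are constructed, and the kernel's tear-free word store is modelled with a C11 atomic store. The buggy variant reproduces the schematic above (the pin bit is lost at record_obj, zs_free pins the same handle, and the final unpin_tag removes zs_free's pin); the fixed variant keeps the lock bit through record_obj, so zs_free's pin attempt fails until migration is finished.

```c
/*
 * Added illustration, not code from the kernel or from this bug: a one-word
 * "handle" whose low bit is a pin/lock bit, modelled on the HANDLE_PIN_BIT
 * scheme in the commit message. Function names are simplified stand-ins,
 * and the kernel's tear-free store is modelled with a C11 atomic store.
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

#define HANDLE_PIN_BIT 0
#define PIN_MASK (1UL << HANDLE_PIN_BIT)

typedef _Atomic unsigned long zs_handle_t;

/* Set the pin bit if it is clear; false if someone else already holds it.
 * (The real pin_tag spins until it succeeds; here we try once.) */
static bool trypin_tag(zs_handle_t *h)
{
	unsigned long old = atomic_load(h);
	while (!(old & PIN_MASK)) {
		if (atomic_compare_exchange_weak(h, &old, old | PIN_MASK))
			return true;
		/* CAS failed: `old` now holds the current value, re-check it */
	}
	return false;
}

static void unpin_tag(zs_handle_t *h)
{
	atomic_fetch_and(h, ~PIN_MASK);
}

static bool is_pinned(zs_handle_t *h)
{
	return (atomic_load(h) & PIN_MASK) != 0;
}

/* Before the fix: the new object value overwrites the whole word, so the
 * pin bit held by the migration path is silently dropped. */
static void record_obj_buggy(zs_handle_t *h, unsigned long obj)
{
	atomic_store(h, obj);
}

/* After the fix: the migration path keeps the lock bit it holds, and the
 * update is a single atomic word store so nobody observes a torn value. */
static void record_obj_fixed(zs_handle_t *h, unsigned long obj)
{
	atomic_store(h, obj | PIN_MASK);
}

/*
 * Replay the CPU0/CPU1 interleaving from the commit message one step at a
 * time: CPU0 pins the handle, records the migrated object, CPU1 tries to
 * pin, CPU0 unpins. Returns how many mutual-exclusion violations occurred
 * (0 means the pin bit protected the handle throughout).
 */
static int replay_race(void (*record_obj)(zs_handle_t *, unsigned long))
{
	zs_handle_t handle = 0x1000;   /* constructed "old object" value */
	int violations = 0;

	bool cpu0_pinned = trypin_tag(&handle);  /* CPU0: find_alloced_obj -> trypin_tag */
	record_obj(&handle, 0x2000);             /* CPU0: obj_malloc + record_obj */
	bool cpu1_pinned = trypin_tag(&handle);  /* CPU1: zs_free -> pin_tag attempt */

	if (cpu0_pinned && cpu1_pinned)
		violations++;                    /* both sides believe they own the handle */

	unpin_tag(&handle);                      /* CPU0: the explicit unpin_tag */

	if (cpu1_pinned && !is_pinned(&handle))
		violations++;                    /* CPU0 just removed zs_free's pin */

	return violations;
}

int main(void)
{
	printf("buggy record_obj: %d violations\n", replay_race(record_obj_buggy));
	printf("fixed record_obj: %d violations\n", replay_race(record_obj_fixed));
	return 0;
}
```

Build with `cc -std=c11 race.c -o race`. The buggy replay reports two violations (a double owner, then a stolen pin), the fixed one reports none; in the fixed case zs_free's pin attempt simply fails and, in the real allocator, would spin until migration's unpin_tag releases the handle.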

Mar 22 2017
https://feedback.corp.google.com/product/208/neutron?lView=rd&lReport=55530801315 appears to be another of these, merge approved.

Mar 22 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/8c75b50bda0d7c5cd900836bc05a648e564b7f53

commit 8c75b50bda0d7c5cd900836bc05a648e564b7f53
Author: Junil Lee <junil0814.lee@lge.com>
Date:   Wed Mar 22 22:27:29 2017

    UPSTREAM: zsmalloc: fix migrate_zspage-zs_free race condition

    record_obj() in migrate_zspage() does not preserve handle's HANDLE_PIN_BIT,
    set by find_alloced_obj()->trypin_tag(), and implicitly (accidentally)
    un-pins the handle, while migrate_zspage() still performs an explicit
    unpin_tag() on that handle. This additional explicit unpin_tag() introduces
    a race condition with zs_free(), which can pin that handle by this time, so
    the handle becomes un-pinned.

    Schematically, it goes like this:

    CPU0                                        CPU1
    migrate_zspage
      find_alloced_obj
        trypin_tag
          set HANDLE_PIN_BIT                    zs_free()
                                                  pin_tag()
      obj_malloc() -- new object, no tag
      record_obj() -- remove HANDLE_PIN_BIT           set HANDLE_PIN_BIT
      unpin_tag()  -- remove zs_free's HANDLE_PIN_BIT

    The race condition may result in a NULL pointer dereference:

    Unable to handle kernel NULL pointer dereference at virtual address 00000000
    CPU: 0 PID: 19001 Comm: CookieMonsterCl Tainted:
    PC is at get_zspage_mapping+0x0/0x24
    LR is at obj_free.isra.22+0x64/0x128
    Call trace:
      get_zspage_mapping+0x0/0x24
      zs_free+0x88/0x114
      zram_free_page+0x64/0xcc
      zram_slot_free_notify+0x90/0x108
      swap_entry_free+0x278/0x294
      free_swap_and_cache+0x38/0x11c
      unmap_single_vma+0x480/0x5c8
      unmap_vmas+0x44/0x60
      exit_mmap+0x50/0x110
      mmput+0x58/0xe0
      do_exit+0x320/0x8dc
      do_group_exit+0x44/0xa8
      get_signal+0x538/0x580
      do_signal+0x98/0x4b8
      do_notify_resume+0x14/0x5c

    This patch keeps the lock bit in the migration path and updates the value
    atomically.

    BUG=chromium:703196
    TEST=build/boot on caroline

    Signed-off-by: Junil Lee <junil0814.lee@lge.com>
    Signed-off-by: Minchan Kim <minchan@kernel.org>
    Acked-by: Vlastimil Babka <vbabka@suse.cz>
    Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
    Cc: <stable@vger.kernel.org> [4.1+]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    (cherry picked from commit c102f07ca0b04f2cb49cfc161c83f6239d17f491)
    Signed-off-by: Sonny Rao <sonnyrao@chromium.org>
    Change-Id: Ibf8c8d03e1f994c42ff341912f3d69aac21d2345
    Reviewed-on: https://chromium-review.googlesource.com/457150
    Commit-Ready: Sonny Rao <sonnyrao@chromium.org>
    Tested-by: Sonny Rao <sonnyrao@chromium.org>
    Reviewed-by: Guenter Roeck <groeck@chromium.org>
    (cherry picked from commit a8c81f7aca71d637e67c38b13f95ab7660a00ae7)
    Reviewed-on: https://chromium-review.googlesource.com/457785
    Reviewed-by: Sonny Rao <sonnyrao@chromium.org>
    Commit-Queue: Sonny Rao <sonnyrao@chromium.org>

[modify] https://crrev.com/8c75b50bda0d7c5cd900836bc05a648e564b7f53/mm/zsmalloc.c

Mar 22 2017
I think this is probably fixed now -- reopen if seen again

Mar 24 2017
Not able to reproduce this issue on build 9334.20.0

Mar 27 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Mar 27 2017
Merge is complete.
Comment 1 by ka...@chromium.org, Mar 20 2017