dyndbg: try to release unneeded memory (panics)
try several different ways to call free_reserved_page() to return
unneeded pages to the buddy-allocator.  Commented out code doesn't
execute the loops, the active code crashes on free_reserved_page().
FWIW, dyndbg init runs at early_init.

Since I don't know squat about pfns or what kind of address
__start___dyndbg is (using virt_to_page didn't blow up at least), I
suspect that's where the trouble lies.

dyndbg:  60 44 2991 1770 mptcp.mptcp_established_options_rm_addr.895
dyndbg:  61 debug prints in module mptcp (in 44 functions)
dyndbg: page: ffffea0000101080 ffffffff84042468, ffffea00001014c0 ffffffff84053ce8, ffffea0000101500 ffffffff84054288 1770/2992
dyndbg: page: ffffea0000101080
dyndbg: page: ffffea00001014c0
dyndbg: page: ffffea0000101500
dyndbg: page: ffffea0000100f00
dyndbg: freeing page: 03ffe9fffe101500 4503599626862676
==================================================================
BUG: KASAN: wild-memory-access in free_reserved_page+0x11/0x60
Write of size 8 at addr 03ffe9fffe101500 by task swapper/0/1

CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.13.0-rc5-lm1-00036-g9127dc99a6b6-dirty torvalds#584
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-3.fc34 04/01/2014
Call Trace:
 dump_stack+0xbb/0x107
 ? free_reserved_page+0x11/0x60
 __kasan_report.cold+0x112/0x114
 ? free_reserved_page+0x11/0x60
 kasan_report+0x38/0x50
 kasan_check_range+0xf5/0x1d0
 free_reserved_page+0x11/0x60
 dynamic_debug_init+0x526/0x6de
 ? check_chain_key+0x1e8/0x2a0
 ? init_error_injection+0x78/0x78
 ? lock_is_held_type+0xf5/0x130
 ? lock_is_held_type+0xf5/0x130
 ? init_error_injection+0x78/0x78
 do_one_initcall+0xbb/0x3a0
 ? perf_trace_initcall_level+0x230/0x230
 ? _raw_spin_unlock_irqrestore+0x4b/0x5d
 ? lock_is_held_type+0xf5/0x130
 kernel_init_freeable+0x2b7/0x37a
 ? console_on_rootfs+0x52/0x52
 ? _raw_spin_unlock_irq+0x24/0x40
 ? mark_held_locks+0x24/0x90
 ? rest_init+0x260/0x260
 kernel_init+0xd/0x130
 ret_from_fork+0x22/0x30
==================================================================
Disabling lock debugging due to kernel taint
general protection fault, probably for non-canonical address 0x3ffe9fffe101501: 0000 [#1] SMP KASAN PTI
CPU: 0 PID: 1 Comm: swapper/0 Tainted: G    B             5.13.0-rc5-lm1-00036-g9127dc99a6b6-dirty torvalds#584
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-3.fc34 04/01/2014
RIP: 0010:free_reserved_page+0x11/0x60
Code: 8e 6b ff ff ff e9 f0 2e 94 00 0f 0b 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 41 55 be 08 00 00 00 41 54 49 89 fc e8 1f f2 a3 ff <3e> 41 80 64 24 01 ef 4d 8d 6c 24 34 be 04 00 00 00 4c 89 ef e8 06
RSP: 0000:ffff8880062b7c50 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 03fffffffe101500 RCX: dffffc0000000000
RDX: 0000000000000007 RSI: 0000000000000004 RDI: ffffffff8257a3fb
RBP: ffff8880062b7d48 R08: 0000000000000000 R09: 0000000000000000
R10: fffffbfff0749448 R11: 0000000000000000 R12: 03ffe9fffe101500
R13: 1ffff11000c56f99 R14: ffffea0000101500 R15: ffff8880062ac900
FS:  0000000000000000(0000) GS:ffff88805e600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888005e01000 CR3: 000000000362a001 CR4: 0000000000370ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 dynamic_debug_init+0x526/0x6de
 ? check_chain_key+0x1e8/0x2a0
 ? init_error_injection+0x78/0x78
 ? lock_is_held_type+0xf5/0x130
 ? lock_is_held_type+0xf5/0x130
 ? init_error_injection+0x78/0x78
 do_one_initcall+0xbb/0x3a0
 ? perf_trace_initcall_level+0x230/0x230
 ? _raw_spin_unlock_irqrestore+0x4b/0x5d
 ? lock_is_held_type+0xf5/0x130
 kernel_init_freeable+0x2b7/0x37a
 ? console_on_rootfs+0x52/0x52
 ? _raw_spin_unlock_irq+0x24/0x40
 ? mark_held_locks+0x24/0x90
 ? rest_init+0x260/0x260
 kernel_init+0xd/0x130
 ret_from_fork+0x22/0x30
Modules linked in:
---[ end trace 01c6cf7d6a3cba04 ]---
RIP: 0010:free_reserved_page+0x11/0x60
Code: 8e 6b ff ff ff e9 f0 2e 94 00 0f 0b 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 41 55 be 08 00 00 00 41 54 49 89 fc e8 1f f2 a3 ff <3e> 41 80 64 24 01 ef 4d 8d 6c 24 34 be 04 00 00 00 4c 89 ef e8 06
RSP: 0000:ffff8880062b7c50 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 03fffffffe101500 RCX: dffffc0000000000
RDX: 0000000000000007 RSI: 0000000000000004 RDI: ffffffff8257a3fb
RBP: ffff8880062b7d48 R08: 0000000000000000 R09: 0000000000000000
R10: fffffbfff0749448 R11: 0000000000000000 R12: 03ffe9fffe101500
R13: 1ffff11000c56f99 R14: ffffea0000101500 R15: ffff8880062ac900
FS:  0000000000000000(0000) GS:ffff88805e600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888005e01000 CR3: 000000000362a001 CR4: 0000000000370ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]---
jimc committed Jun 13, 2021
1 parent afdb554 commit 272e0af356f3c076132cffeb729b5435387d82bd
Showing 1 changed file with 45 additions and 3 deletions.
@@ -751,7 +751,7 @@ struct dd_ratelimit {
unlikely((desc->flags & _DPRINTK_FLAGS_ONCE) \
&& (desc->flags & _DPRINTK_FLAGS_PRINTED))

static struct dd_ratelimit *dd_rl_fetch(struct _ddebug *desc); //pre-decl
// static struct dd_ratelimit *dd_rl_fetch(struct _ddebug *desc);
static bool is_onced_or_limited(struct _ddebug *descriptor)
{
if (unlikely(descriptor->flags & _DPRINTK_FLAGS_ONCE &&
@@ -1316,7 +1316,8 @@ static int __init dynamic_debug_init_control(void)
return 0;
}

static int __init dynamic_debug_init(void)
static int __init __attribute__((optimize(0)))
dynamic_debug_init(void)
{
struct _ddebug *iter, *iter_mod_start;
struct _ddebug_site *site, *site_mod_start;
@@ -1326,7 +1327,10 @@ static int __init dynamic_debug_init(void)
int ret = 0;
int i, site_ct = 0, modct = 0, mod_index = 0;
unsigned int site_base;

// volatile
struct page *pg;
unsigned long pfn, addr;

if (&__start___dyndbg == &__stop___dyndbg) {
if (IS_ENABLED(CONFIG_DYNAMIC_DEBUG)) {
pr_warn("_ddebug table is empty in a CONFIG_DYNAMIC_DEBUG build\n");
@@ -1368,6 +1372,44 @@ static int __init dynamic_debug_init(void)
if (ret)
goto out_err;

vpr_info("page: %px %px, %px %px, %px %px %d/%d\n",
virt_to_page(__start___dyndbg_sites), __start___dyndbg_sites,
virt_to_page(site), site,
virt_to_page(__stop___dyndbg_sites), __stop___dyndbg_sites,
site_base, i);

pg = virt_to_page(__start___dyndbg_sites);
vpr_info("page: %px\n", pg);

pg = virt_to_page(site);
vpr_info("page: %px\n", pg);

pg = virt_to_page(__stop___dyndbg_sites);
vpr_info("page: %px\n", pg);

pg = virt_to_page(__stop___dyndbg_sites - PAGE_SIZE);
vpr_info("page: %px\n", pg);
/*
for (addr = site; addr < __stop___dyndbg_sites; addr += PAGE_SIZE) {
pg = pfn_to_page(addr >> PAGE_SHIFT);
vpr_info("freeing page: %px\n", pg);
free_reserved_page(pg);
}
*/
for (pfn = PFN_UP((long)site);
pfn < PFN_DOWN((long)__stop___dyndbg_sites); pfn++) {
struct page *page = pfn_to_page(pfn);
vpr_info("freeing page: %px %ld\n", page, pfn);
free_reserved_page(page);
}
/*
for (pg = virt_to_page(__stop___dyndbg_sites - PAGE_SIZE);
pg > virt_to_page(site);
pg = virt_to_page(site - PAGE_SIZE)) {
vpr_info("freeing page: %px\n", pg);
free_reserved_page(pg);
}
*/
ddebug_init_success = 1;
vpr_info("%d prdebugs in %d modules, %d KiB in ddebug tables, %d KiB in __dyndbg section, %d KiB in __dyndbg_sites section\n",
i, modct, (int)((modct * sizeof(struct ddebug_table)) >> 10),
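Review bot: The active loop `for (pfn = PFN_UP((long)site); pfn < PFN_DOWN((long)__stop___dyndbg_sites); pfn++)` feeds a kernel virtual address to PFN_UP/PFN_DOWN, which expect a physical address; that is why the pfn logged in the trace (4503599626862676, i.e. a 0xffffffff8405xxxx virtual address shifted by PAGE_SHIFT) maps to the non-canonical page pointer 03ffe9fffe101500, while the virt_to_page() result printed just above it (ffffea0000101500) looks sane. Convert first, `for (pfn = PFN_UP(__pa(site)); pfn < PFN_DOWN(__pa(__stop___dyndbg_sites)); pfn++)`, or better, call `free_reserved_area(site, __stop___dyndbg_sites, -1, "dyndbg sites")`, which exists for exactly this and does the page alignment, address conversion and accounting itself. Whether the interior pages are really PG_reserved and no longer referenced by any live descriptor is not visible in this hunk and should be confirmed before the free is kept at all. The `__attribute__((optimize(0)))` added in the second hunk, the two commented-out loops, and the `%px` vpr_info lines (which print unhashed kernel addresses into the log) are debugging aids that should not survive into the final version. dynamic_debug_init's body continues outside the hunk.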
