From: Peng Fan <peng.fan@nxp.com>
To: "linux-mm@kvack.org" <linux-mm@kvack.org>,
"bpf@vger.kernel.org" <bpf@vger.kernel.org>,
"daniel@iogearbox.net" <daniel@iogearbox.net>,
"ast@kernel.org" <ast@kernel.org>,
"zlim.lnx@gmail.com" <zlim.lnx@gmail.com>,
"cgroups@vger.kernel.org" <cgroups@vger.kernel.org>,
"hannes@cmpxchg.org" <hannes@cmpxchg.org>,
"mhocko@kernel.org" <mhocko@kernel.org>,
"roman.gushchin@linux.dev" <roman.gushchin@linux.dev>,
"shakeelb@google.com" <shakeelb@google.com>,
"muchun.song@linux.dev" <muchun.song@linux.dev>
Subject: [Oops] vfree abort in bpf_jit_free with memcg_data value 0xffff
Date: Mon, 3 Jun 2024 09:10:43 +0000
Message-ID: <DU0PR04MB941765BD4422D30FBDCFC1C388FF2@DU0PR04MB9417.eurprd04.prod.outlook.com>

Hi All,

We are running a 6.6 kernel on the NXP i.MX95 platform and have hit an issue
that is very hard to reproduce. The panic log is at the end. I checked the
registers and source code.

static inline struct obj_cgroup *__folio_objcg(struct folio *folio)
{
	unsigned long memcg_data = folio->memcg_data;

	VM_BUG_ON_FOLIO(folio_test_slab(folio), folio);
	VM_BUG_ON_FOLIO(memcg_data & MEMCG_DATA_OBJCGS, folio);
	VM_BUG_ON_FOLIO(!(memcg_data & MEMCG_DATA_KMEM), folio);

	return (struct obj_cgroup *)(memcg_data & ~MEMCG_DATA_FLAGS_MASK);
}

The memcg_data is 0xffff in register x1. This seems to be an invalid value.
Register x0 is x1 & ~3.
The panic happens at PC ffff800080305894, which is 'ldr x0, [x0, #16]'.

I do not have a good idea of how to fix the issue; please suggest if you have
time to take a look.

[ 12.843675] Unable to handle kernel paging request at virtual address 000000000001000c
[ 12.849981] audit: type=1334 audit(1709988536.322:30): prog-id=3 op=UNLOAD
[ 12.857888] Mem abort info:
[ 12.867630] ESR = 0x0000000096000004
[ 12.871368] EC = 0x25: DABT (current EL), IL = 32 bits
[ 12.876675] SET = 0, FnV = 0
[ 12.879732] EA = 0, S1PTW = 0
[ 12.882860] FSC = 0x04: level 0 translation fault
[ 12.887730] Data abort info:
[ 12.890599] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 12.896076] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 12.901120] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 12.906424] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001008de000
[ 12.912854] [000000000001000c] pgd=0000000000000000, p4d=0000000000000000
[ 12.919642] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 12.925900] Modules linked in:
[ 12.928942] CPU: 4 PID: 131 Comm: kworker/4:2 Not tainted 6.6.23-06226-g41e0f501b547-dirty #248
[ 12.937625] Hardware name: NXP i.MX95 19X19 board (DT)
[ 12.942748] Workqueue: events bpf_prog_free_deferred
[ 12.947713] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 12.954663] pc : vfree+0x114/0x2e0
[ 12.958060] lr : vfree+0x78/0x2e0
[ 12.961362] sp : ffff80008459bd10
[ 12.964664] x29: ffff80008459bd10 x28: 0000000000000000 x27: 0000000000000000
[ 12.969128] watchdog: watchdog0: watchdog did not stop!
[ 12.971788] x26: 0000000000000000 x25: ffff0000808b5a00 x24: ffff000080090805
[ 12.971795] x23: ffff000084bcdc08 x22: 0000000000000000 x21: ffff00008493c6c0
[ 12.971802] x20: fffffc000100005e x19: 0000000000000000 x18: 0000000000000000
[ 12.971808] x17: ffff800084ec1000 x16: ffff00008465f208
[ 12.991063] systemd-shutdown[1]: Using hardware watchdog 'i.MX7ULP watchdog timer', version 0, device /dev/watchdog0
[ 12.991246] x15: 0000000000000000
[ 13.017453] x14: 0000000000000000 x13: ffff80008f001000 x12: ffff000084647a00
[ 13.024577] x11: ffff000080b9d1f8 x10: ffff0000846479d8 x9 : ffff8000803057f8
[ 13.031701] x8 : ffff80008459bcf0 x7 : 0000000000000001 x6 : ffff800082b84d38
[ 13.038825] x5 : 0000000000000000 x4 : 0000000080000000 x3 : ffff80008377d000
[ 13.045949] x2 : 0000000000000001 x1 : 000000000000ffff x0 : 000000000000fffc
[ 13.047210] systemd-shutdown[1]: Watchdog running with a timeout of 1min.
[ 13.053073] Call trace:
[ 13.053076] vfree+0x114/0x2e0
[ 13.053083] bpf_jit_free+0x54/0xb8
[ 13.068804] bpf_prog_free_deferred+0x16c/0x1a0
[ 13.073328] process_one_work+0x148/0x3b8
[ 13.077332] worker_thread+0x32c/0x450
[ 13.081076] kthread+0x11c/0x128
[ 13.084300] ret_from_fork+0x10/0x20
[ 13.087874] Code: a9425bf5 a8c57bfd d50323bf d65f03c0 (f9400800)
Part of the objdump code:
ffff8000803057f4: 97f8c73d bl ffff8000801374e8 <__rcu_read_lock>
ffff8000803057f8: f9400681 ldr x1, [x20, #8]
ffff8000803057fc: d1000420 sub x0, x1, #0x1
ffff800080305800: f240003f tst x1, #0x1
ffff800080305804: 9a941000 csel x0, x0, x20, ne // ne = any
ffff800080305808: f9401c01 ldr x1, [x0, #56]
ffff80008030580c: 927ef420 and x0, x1, #0xfffffffffffffffc
ffff800080305810: 37080421 tbnz w1, #1, ffff800080305894 <vfree+0x114>
ffff800080305814: b40000e0 cbz x0, ffff800080305830 <vfree+0xb0>
ffff800080305818: d53b4236 mrs x22, daif
ffff80008030581c: d50343df msr daifset, #0x3
ffff800080305820: 12800002 mov w2, #0xffffffff // #-1
ffff800080305824: 528005c1 mov w1, #0x2e // #46
ffff800080305828: 94015eac bl ffff80008035d2d8 <__mod_memcg_state>
ffff80008030582c: d51b4236 msr daif, x22
ffff800080305830: 97f8eafa bl ffff800080140418 <__rcu_read_unlock>
ffff800080305834: aa1403e0 mov x0, x20
ffff800080305838: 52800001 mov w1, #0x0 // #0
ffff80008030583c: 94001847 bl ffff80008030b958 <__free_pages>
ffff800080305840: 11000673 add w19, w19, #0x1
ffff800080305844: b9402ea0 ldr w0, [x21, #44]
ffff800080305848: f94012a1 ldr x1, [x21, #32]
......
ffff80008030588c: d50323bf autiasp
ffff800080305890: d65f03c0 ret
ffff800080305894: f9400800 ldr x0, [x0, #16]
ffff800080305898: 17ffffdf b ffff800080305814 <vfree+0x94>
ffff80008030589c: a90363f7 stp x23, x24, [sp, #48]
Thanks
Peng.
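
Added example, not part of the original message: a small C triage helper that decodes the memcg_data value from register x1 with the 6.6 flag layout (MEMCG_DATA_OBJCGS is bit 0, MEMCG_DATA_KMEM is bit 1) and reproduces the faulting address reported in the oops. The struct and function names are hypothetical, the 16-byte offset is taken from the posted 'ldr x0, [x0, #16]', and the pointer sanity check assumes the 48-bit VA layout shown in the log.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bits of folio->memcg_data in the 6.6 kernel. */
#define MEMCG_DATA_OBJCGS     UINT64_C(1)   /* bit 0 */
#define MEMCG_DATA_KMEM       UINT64_C(2)   /* bit 1 */
#define MEMCG_DATA_FLAGS_MASK UINT64_C(3)

/* Offset of the faulting load "ldr x0, [x0, #16]" in the posted objdump. */
#define OBJCG_LOAD_OFFSET     UINT64_C(16)

/* Hypothetical helper type for this example. */
struct memcg_triage {
	uint64_t ptr;        /* memcg_data with the flag bits cleared (x0) */
	bool objcgs, kmem;   /* decoded flag bits */
	uint64_t fault_addr; /* address the kmem path dereferences, else 0 */
	bool plausible;      /* could this be a real pointer plus flags? */
};

static struct memcg_triage triage_memcg_data(uint64_t memcg_data)
{
	struct memcg_triage t;

	t.ptr = memcg_data & ~MEMCG_DATA_FLAGS_MASK;
	t.objcgs = (memcg_data & MEMCG_DATA_OBJCGS) != 0;
	t.kmem = (memcg_data & MEMCG_DATA_KMEM) != 0;
	/* "tbnz w1, #1" takes the kmem path, which loads from ptr + 16. */
	t.fault_addr = t.kmem ? t.ptr + OBJCG_LOAD_OFFSET : 0;
	/*
	 * __folio_objcg() asserts OBJCGS is clear and KMEM is set, so both
	 * bits together are invalid. Assumption: with 48-bit VAs a kernel
	 * pointer has its top 16 bits set.
	 */
	t.plausible = !(t.objcgs && t.kmem) &&
		      (t.ptr == 0 || (t.ptr >> 48) == 0xffff);
	return t;
}

int main(void)
{
	struct memcg_triage t = triage_memcg_data(0xffff); /* x1 from the oops */

	printf("ptr=0x%" PRIx64 " objcgs=%d kmem=%d fault=0x%" PRIx64
	       " plausible=%d\n", t.ptr, t.objcgs, t.kmem, t.fault_addr,
	       t.plausible);
	return 0;
}
```

For 0xffff both flag bits decode as set, the masked value is not a kernel pointer, and the computed load address equals the "virtual address 000000000001000c" in the first line of the panic log.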