From: Matthew Wilcox <willy@infradead.org>
To: Hannes Reinecke <hare@suse.com>
Cc: Sagi Grimberg <sagi@grimberg.me>,
"linux-nvme@lists.infradead.org" <linux-nvme@lists.infradead.org>,
"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>,
linux-mm@kvack.org
Subject: Re: Kernel oops with 6.14 when enabling TLS
Date: Mon, 3 Mar 2025 14:27:06 +0000 [thread overview]
Message-ID: <Z8W8OtJYFzr9OQac@casper.infradead.org> (raw)
In-Reply-To: <509dd4d3-85e9-40b2-a967-8c937909a1bf@suse.com>
On Mon, Mar 03, 2025 at 08:48:09AM +0100, Hannes Reinecke wrote:
> On 2/28/25 11:47, Hannes Reinecke wrote:
> > Hi Sagi,
> >
> > enabling TLS on latest linus tree reliably crashes my system:
> >
> > [ 487.018058] ------------[ cut here ]------------
> > [ 487.024046] WARNING: CPU: 9 PID: 6159 at mm/slub.c:4719
> > free_large_kmalloc+0x15/0xa0
That's:
if (WARN_ON_ONCE(order == 0))
pr_warn_once("object pointer: 0x%p\n", object);
And while the object pointer is obfuscated (hashed pointers), this
wouldn't be helpful in trying to track down the problem. Perhaps
we could make this a VM_WARN_ON_ONCE_FOLIO() so we get the dump_page()?
I'm tempted to believe this is a double-free, but then I'm not sure why
it'd be triggered by this patch.
> > [ 487.296801] kfree+0x234/0x320
> > [ 487.332084] nvmf_connect_admin_queue+0x105/0x1a0 [nvme_fabrics
> > 34d997d53c805aa2fae8e8baee6a736e8da38358]
> > [ 487.332093] nvme_tcp_start_queue+0x18f/0x310 [nvme_tcp
> > 68f6be106f52ac467179f8a0922f02aeb6fa1f1c]
> > [ 487.332102] nvme_tcp_setup_ctrl+0xf8/0x700 [nvme_tcp
> > 68f6be106f52ac467179f8a0922f02aeb6fa1f1c]
> > [ 487.394495] nvme_tcp_create_ctrl+0x2e3/0x4d0 [nvme_tcp
> > 68f6be106f52ac467179f8a0922f02aeb6fa1f1c]
> > [ 487.394503] nvmf_dev_write+0x323/0x3d0 [nvme_fabrics
> > 34d997d53c805aa2fae8e8baee6a736e8da38358]
> > [ 487.394514] vfs_write+0xd9/0x430
> > [ 487.551642] object pointer: 0x00000000346cb6fc
Oh, wait, that's not the crash!
We continue to free the folio. Even though we hit the "can't happen"
case. That's dangerous.
> > [ 489.405197] Oops: general protection fault, probably for non-
> > canonical address 0xdead000000000100: 0000 [#1] PREEMPT SMP NOPTI
I think we all recognise that as list poison. I bet this is a double-free.
Or it could be a wild-free. I mean, look at kfree():
folio = virt_to_folio(object);
if (unlikely(!folio_test_slab(folio))) {
free_large_kmalloc(folio, (void *)object);
return;
}
So if you call kfree() on a random pointer, chances are it's not part
of slab, and we jump into the free_large_kmalloc() path.
We have a _lot_ of page types available. We should mark large kmallocs
as such. I'll send a patch to do that.
next prev parent reply other threads:[~2025-03-03 14:27 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <08c29e4b-2f71-4b6d-8046-27e407214d8c@suse.com>
2025-03-03 7:48 ` Hannes Reinecke
2025-03-03 11:06 ` Hannes Reinecke
2025-03-03 12:57 ` Hannes Reinecke
2025-03-03 13:57 ` Matthew Wilcox
2025-03-03 14:05 ` Hannes Reinecke
2025-03-03 14:27 ` Matthew Wilcox [this message]
2025-03-03 14:42 ` Matthew Wilcox
2025-03-03 15:12 ` Vlastimil Babka
2025-03-03 15:39 ` Hannes Reinecke
2025-03-03 15:48 ` Matthew Wilcox
2025-03-03 16:15 ` Vlastimil Babka
2025-03-03 22:02 ` Vlastimil Babka
2025-03-04 7:58 ` Hannes Reinecke
2025-03-04 8:18 ` Vlastimil Babka
2025-03-04 10:20 ` Hannes Reinecke
2025-03-04 10:26 ` Vlastimil Babka
2025-03-04 15:11 ` Hannes Reinecke
2025-03-04 15:29 ` Vlastimil Babka
2025-03-04 16:20 ` Hannes Reinecke
2025-03-04 16:14 ` Matthew Wilcox
2025-03-04 16:32 ` Hannes Reinecke
2025-03-04 16:53 ` Matthew Wilcox
2025-03-04 18:05 ` Matthew Wilcox
2025-03-04 18:31 ` Vlastimil Babka
2025-03-04 19:39 ` Hannes Reinecke
2025-03-04 19:44 ` Vlastimil Babka
2025-03-05 7:14 ` Hannes Reinecke
2025-03-05 8:20 ` Hannes Reinecke
2025-03-05 8:58 ` Vlastimil Babka
2025-03-05 11:43 ` Hannes Reinecke
2025-03-05 18:11 ` Networking people smell funny and make poor life choices Matthew Wilcox
2025-03-06 0:46 ` Cong Wang
2025-03-12 15:09 ` Christoph Hellwig
2025-03-12 18:28 ` James R. Bergsten
2025-03-13 9:43 ` David Laight
2025-03-06 9:15 ` Kernel oops with 6.14 when enabling TLS Vlastimil Babka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z8W8OtJYFzr9OQac@casper.infradead.org \
--to=willy@infradead.org \
--cc=hare@suse.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox