Re: [rcutorture] 5155be9994: BUG:kernel_NULL_pointer_dereference,address
From: Paul E. McKenney
Date: Sun Jul 19 2020 - 18:08:16 EST
On Fri, Jul 17, 2020 at 02:04:55PM +0800, kernel test robot wrote:
> Greeting,
>
> FYI, we noticed the following commit (built with gcc-9):
>
> commit: 5155be9994e557618a8312389fb4e52dfbf28a3c ("rcutorture: Dynamically allocate rcu_fwds structure")
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
>
>
> in testcase: trinity
> with following parameters:
>
> runtime: 300s
>
> test-description: Trinity is a linux system call fuzz tester.
> test-url: http://codemonkey.org.uk/projects/trinity/
>
>
> on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
>
> caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
>
>
> +-----------------------------------------------------------+------------+------------+
> | | 6764100bd2 | 5155be9994 |
> +-----------------------------------------------------------+------------+------------+
> | boot_successes | 13 | 13 |
> | boot_failures | 9 | 9 |
> | WARNING:at_kernel/rcu/rcutorture.c:#rcutorture_oom_notify | 9 | 9 |
> | EIP:rcutorture_oom_notify | 9 | 9 |
> | invoked_oom-killer:gfp_mask=0x | 3 | |
> | Mem-Info | 3 | |
> | BUG:kernel_NULL_pointer_dereference,address | 0 | 9 |
> | Oops:#[##] | 0 | 9 |
> | EIP:rcu_torture_fwd_cb_hist | 0 | 9 |
> | Kernel_panic-not_syncing:Fatal_exception | 0 | 9 |
> +-----------------------------------------------------------+------------+------------+
>
>
> If you fix the issue, kindly add following tag
> Reported-by: kernel test robot <rong.a.chen@xxxxxxxxx>
Good catch! Fix shown below, and thank you for your testing efforts!
Thanx, Paul
------------------------------------------------------------------------
commit 36444974a456b95c18805dec8e0341cf02570fdc
Author: Paul E. McKenney <paulmck@xxxxxxxxxx>
Date: Sun Jul 19 14:40:31 2020 -0700
rcutorture: Properly set rcu_fwds for OOM handling
The conversion of rcu_fwds to dynamic allocation failed to actually
allocate the required structure. This commit therefore allocates it,
frees it, and updates rcu_fwds accordingly. While in the area, it
abstracts the cleanup actions into rcu_torture_fwd_prog_cleanup().
Fixes: 5155be9994e5 ("rcutorture: Dynamically allocate rcu_fwds structure")
Reported-by: kernel test robot <rong.a.chen@xxxxxxxxx>
Signed-off-by: Paul E. McKenney <paulmck@xxxxxxxxxx>
diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
index 748212c..e40a38f 100644
--- a/kernel/rcu/rcutorture.c
+++ b/kernel/rcu/rcutorture.c
@@ -2153,9 +2153,20 @@ static int __init rcu_torture_fwd_prog_init(void)
return -ENOMEM;
spin_lock_init(&rfp->rcu_fwd_lock);
rfp->rcu_fwd_cb_tail = &rfp->rcu_fwd_cb_head;
+ rcu_fwds = rfp;
return torture_create_kthread(rcu_torture_fwd_prog, rfp, fwd_prog_task);
}
+static void rcu_torture_fwd_prog_cleanup(void)
+{
+ struct rcu_fwd *rfp;
+
+ torture_stop_kthread(rcu_torture_fwd_prog, fwd_prog_task);
+ rfp = rcu_fwds;
+ rcu_fwds = NULL;
+ kfree(rfp);
+}
+
/* Callback function for RCU barrier testing. */
static void rcu_torture_barrier_cbf(struct rcu_head *rcu)
{
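Review bot: In rcu_torture_fwd_prog_cleanup(), rcu_fwds is set to NULL and the structure is passed to kfree() immediately after torture_stop_kthread(), with nothing visible in this hunk ordering that against the OOM handling path that the commit subject says depends on rcu_fwds. If the OOM notifier can still run at this point, a reader that loaded rcu_fwds just before the NULL store could still be using the structure when kfree() runs, and a later reader would get NULL. Please confirm the notifier is unregistered before this function is called, or have the notifier check for NULL, and add a short comment above the function stating that ordering requirement.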
@@ -2453,7 +2464,7 @@ rcu_torture_cleanup(void)
show_rcu_gp_kthreads();
rcu_torture_read_exit_cleanup();
rcu_torture_barrier_cleanup();
- torture_stop_kthread(rcu_torture_fwd_prog, fwd_prog_task);
+ rcu_torture_fwd_prog_cleanup();
torture_stop_kthread(rcu_torture_stall, stall_task);
torture_stop_kthread(rcu_torture_writer, writer_task);
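Review bot: rcu_torture_fwd_prog_cleanup(), called here in rcu_torture_cleanup(), is the only visible place that frees rfp, so a failing torture_create_kthread() in rcu_torture_fwd_prog_init() leaks the structure unless the init error path reaches this call. The first hunk sets rcu_fwds = rfp before torture_create_kthread() returns, so the pointer stays published on that failure as well. Either confirm that init failure always ends in rcu_torture_cleanup(), or free rfp and reset rcu_fwds to NULL in rcu_torture_fwd_prog_init() when kthread creation fails.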