Re: [PROBLEM] 2.6.22-rc2 panics on x86-64 with slub

[Hugh Dickins]

On Mon, 21 May 2007, Christoph Lameter wrote:
> On Sun, 20 May 2007, Srihari Vijayaraghavan wrote:
> 
> > With no CONFIG_SLUB_DEBUG, things have slightly improved. No more panic. Good.
> > Serial console is working. Good. But there is another problem:
> 
> > Freeing unused kernel memory: 308k freed
> > BUG: spinlock bad magic on CPU#1, init/1
> >  lock: ffff81011ec0a100, .magic: ffff8101, .owner: <none>/-1, .owner_cpu: -1
> > 
> > Call Trace:
> >  [<ffffffff802fc516>] _raw_spin_lock+0x22/0xf6
> >  [<ffffffff8026f684>] vma_adjust+0x219/0x454
> >  [<ffffffff8026f684>] vma_adjust+0x219/0x454
> >  [<ffffffff8026fe0d>] vma_merge+0x147/0x1f4
> >  [<ffffffff80270b55>] do_mmap_pgoff+0x414/0x7c7
> >  [<ffffffff8040aa34>] _spin_unlock_irq+0x24/0x27
> >  [<ffffffff8020f528>] sys_mmap+0xe5/0x110
> >  [<ffffffff80209dde>] system_call+0x7e/0x83
> 
> Hmmmm..... We have seen this before
> 
> http://marc.info/?l=linux-kernel&m=117891943401284&w=2

Yes, sounded the same to me too: I couldn't reproduce it or see anything
wrong in the code back then.  But Srihari's info about CONFIG_DEBUG_SLUB
off has helped a lot: I was then able to reproduce it on my x86_64, and
after a lot of staring at the code, the problem became obvious...

[PATCH] slub: fix size adjustment when SLUB_DEBUG off

SLUB was corrupting the anon_vma's spinlock when not configured for
SLUB_DEBUG: the size adjustment necessary for SLAB_DESTROY_BY_RCU or
constructor was inside the CONFIG_SLUB_DEBUG appropriate for poisoning.

Signed-off-by: Hugh Dickins <hugh@xxxxxxxxxxx>
---
 mm/slub.c |   18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

--- 2.6.22-rc2/mm/slub.c	2007-05-21 13:13:20.000000000 +0100
+++ linux/mm/slub.c	2007-05-21 18:05:57.000000000 +0100
@@ -1917,16 +1917,26 @@ static int calculate_sizes(struct kmem_c
 	 */
 	s->inuse = size;
 
+	if ((flags & SLAB_DESTROY_BY_RCU) || s->ctor) {
+		/*
+		 * Relocate free pointer after the object if it is not
+		 * permitted to overwrite the first word of the object on
+		 * kmem_cache_free.
+		 *
+		 * This is the case if we do RCU or have a constructor.
+		 */
+		s->offset = size;
+		size += sizeof(void *);
+	}
+
 #ifdef CONFIG_SLUB_DEBUG
-	if (((flags & (SLAB_DESTROY_BY_RCU | SLAB_POISON)) ||
-		s->ctor)) {
+	if (s->flags & __OBJECT_POISON) {
 		/*
 		 * Relocate free pointer after the object if it is not
 		 * permitted to overwrite the first word of the object on
 		 * kmem_cache_free.
 		 *
-		 * This is the case if we do RCU, have a constructor or
-		 * destructor or are poisoning the objects.
+		 * This is the case if we are poisoning the objects.
 		 */
 		s->offset = size;
 		size += sizeof(void *);
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/