Re: kernel BUG at kernel/futex.c:679 on v4.13-rc3-ish on arm64

From: Mark Rutland
Date: Tue Aug 08 2017 - 11:15:45 EST


On Tue, Aug 08, 2017 at 03:57:32PM +0100, Mark Rutland wrote:
> The below test case fires for me in a few seconds on an arm64 platform,
> triggering the kernel BUG at kernel/futex.c:679. If left running for longer, I
> then get a stream of other BUGs that I believe are a result of the first issue.

Likewise on v4.12 x86_64:

[2503756.486650] ------------[ cut here ]------------
[2503756.491450] WARNING: CPU: 0 PID: 21380 at kernel/futex.c:679 get_futex_key+0x2d8/0x330
[2503756.499527] Modules linked in:
[2503756.502754] CPU: 0 PID: 21380 Comm: futex-test Not tainted 4.12.0+ #14
[2503756.509441] Hardware name: LENOVO 7484A3G/LENOVO, BIOS 5CKT54AUS 09/07/2009
[2503756.516561] task: ffff9696e9abc800 task.stack: ffffa72c8637c000
[2503756.522648] RIP: 0010:get_futex_key+0x2d8/0x330
[2503756.527344] RSP: 0018:ffffa72c8637fcd8 EFLAGS: 00010246
[2503756.532734] RAX: 0000000000000000 RBX: ffffa72c8637fd88 RCX: ffff9696c618e690
[2503756.540025] RDX: ffffd98dc68b5f00 RSI: ffff9696c618e528 RDI: 0000000000000000
[2503756.547319] RBP: ffffa72c8637fd10 R08: ffff9696c618e670 R09: ffffa72c8637fc9c
[2503756.554609] R10: 0000008000000000 R11: ffff9696e5f65a58 R12: 00007f595cf4a000
[2503756.561900] R13: 0000000000000000 R14: 0000000000000001 R15: ffff9696e5fa4000
[2503756.569191] FS: 00007f595b759700(0000) GS:ffff9696fec00000(0000) knlGS:0000000000000000
[2503756.577439] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[2503756.583347] CR2: 00007f595cf4a000 CR3: 00000001a5e1d000 CR4: 00000000000406f0
[2503756.590646] Call Trace:
[2503756.593265] ? iput+0x85/0x1d0
[2503756.596491] futex_requeue+0x101/0x880
[2503756.600410] do_futex+0xbe/0xa00
[2503756.603810] ? pick_next_entity+0xa0/0x150
[2503756.608073] ? pick_next_task_fair+0x3fc/0x460
[2503756.612685] SyS_futex+0x6c/0x150
[2503756.616169] ? schedule+0x31/0x80
[2503756.619657] ? exit_to_usermode_loop+0x27/0x72
[2503756.624267] entry_SYSCALL_64_fastpath+0x13/0x94
[2503756.629051] RIP: 0033:0x7f595c84e4e9
[2503756.632795] RSP: 002b:00007f595b758e78 EFLAGS: 00000202 ORIG_RAX: 00000000000000ca
[2503756.640521] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f595c84e4e9
[2503756.647813] RDX: 0000000000000001 RSI: 000000000000000c RDI: 00007f595cf4a000
[2503756.655109] RBP: 00007f595b758ec0 R08: 00007f595cf4a004 R09: 0000000000000001
[2503756.662401] R10: 0000000000000000 R11: 0000000000000202 R12: 00007f595cb2e880
[2503756.669693] R13: 00007f595b7599c0 R14: 0000000000000000 R15: 0000000000000003
[2503756.676986] Code: 83 ef 01 e9 ea fd ff ff 48 8d 78 ff e9 20 fe ff ff e8 7d 6d 06 00 eb a7 b8 ea ff ff ff e9 35 fe ff ff 48 8d 78 ff e9 d9 fe ff ff <0f> ff 48 8b 7d d0 e8 4d f3 ff ff e9 7f fd ff ff 0f ff 48 89 f7
[2503756.695988] ---[ end trace adb5ba028949a89a ]---

Thanks,
Mark

> ---->8----
> #include <linux/futex.h>
> #include <pthread.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <sys/mman.h>
> #include <sys/syscall.h>
> #include <sys/time.h>
> #include <time.h>
> #include <unistd.h>
>
> #define NR_FUTEX_THREADS 16
>
> pthread_t threads[NR_FUTEX_THREADS];
>
> /* Shared mapping that the futex threads operate on and main() keeps replacing. */
> void *mem;
>
> #define MEM_PROT (PROT_READ | PROT_WRITE)
> #define MEM_SIZE 65536
>
> static int futex_wrapper(int *uaddr, int op, int val,
>                          const struct timespec *timeout,
>                          int *uaddr2, int val3)
> {
>         return syscall(SYS_futex, uaddr, op, val, timeout, uaddr2, val3);
> }
>
> /* Each thread hammers FUTEX_CMP_REQUEUE_PI on the shared mapping forever. */
> void *poll_futex(void *unused)
> {
>         for (;;) {
>                 futex_wrapper(mem, FUTEX_CMP_REQUEUE_PI, 1, NULL, mem + 4, 1);
>         }
> }
>
> int main(int argc, char *argv[])
> {
>         int i;
>
>         mem = mmap(NULL, MEM_SIZE, MEM_PROT,
>                    MAP_SHARED | MAP_ANONYMOUS, -1, 0);
>
>         printf("Mapping @ %p\n", mem);
>
>         printf("Creating futex threads...\n");
>
>         for (i = 0; i < NR_FUTEX_THREADS; i++)
>                 pthread_create(&threads[i], NULL, poll_futex, NULL);
>
>         /* Repeatedly replace the mapping in place (MAP_FIXED) while the
>          * futex threads race against it. */
>         printf("Flipping mapping...\n");
>         for (;;) {
>                 mmap(mem, MEM_SIZE, MEM_PROT,
>                      MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
>         }
>
>         return 0;
> }
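For triaging reports like the one above, it helps to turn the dmesg splat into structured fields (warning site, faulting function, task, taint state, and the reliable part of the call trace) rather than reading register dumps by eye. The following parser is an added example and is not code from Mark's report or from the kernel tree; it is fed a constructed sample assembled from the x86_64 lines quoted in the message, and the field names (`Splat`, `Frame`, `parse_splat`, `reliable_trace`) are this example's own.

```python
"""Parse a kernel WARNING / BUG splat (as printed by dmesg) into fields for triage."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the x86_64 trace lines quoted in the report.
SAMPLE = """\
[2503756.486650] ------------[ cut here ]------------
[2503756.491450] WARNING: CPU: 0 PID: 21380 at kernel/futex.c:679 get_futex_key+0x2d8/0x330
[2503756.499527] Modules linked in:
[2503756.502754] CPU: 0 PID: 21380 Comm: futex-test Not tainted 4.12.0+ #14
[2503756.522648] RIP: 0010:get_futex_key+0x2d8/0x330
[2503756.590646] Call Trace:
[2503756.593265] ? iput+0x85/0x1d0
[2503756.596491] futex_requeue+0x101/0x880
[2503756.600410] do_futex+0xbe/0xa00
[2503756.603810] ? pick_next_entity+0xa0/0x150
[2503756.612685] SyS_futex+0x6c/0x150
[2503756.624267] entry_SYSCALL_64_fastpath+0x13/0x94
[2503756.629051] RIP: 0033:0x7f595c84e4e9
[2503756.695988] ---[ end trace adb5ba028949a89a ]---
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")                     # "[2503756.486650] " prefix
WARN_RE = re.compile(r"^WARNING: CPU: (\d+) PID: (\d+) at (\S+):(\d+) "
                     r"(\S+)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
BUG_RE = re.compile(r"^kernel BUG at (\S+):(\d+)")              # arm64-style "kernel BUG at file:line"
CPU_RE = re.compile(r"^CPU: (\d+) PID: (\d+) Comm: (.+?) (Not tainted|Tainted: \S+) (\S+) (#\d+)")
FRAME_RE = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\+0x([0-9a-f]+)/0x([0-9a-f]+)$")
END_RE = re.compile(r"^---\[ end trace ([0-9a-f]+) \]---")
MARKERS = {"<TASK>", "</TASK>", "<IRQ>", "</IRQ>"}             # newer kernels print these inside traces


@dataclass
class Frame:
    symbol: str
    offset: int
    size: int
    unreliable: bool  # printed with a leading "? ": a stale stack slot, not a confirmed return address


@dataclass
class Splat:
    kind: str = ""                       # "WARNING" or "BUG"
    file: str = ""
    line: int = 0
    function: Optional[str] = None       # only present on the WARNING form
    offset: Optional[int] = None
    size: Optional[int] = None
    cpu: Optional[int] = None
    pid: Optional[int] = None
    comm: Optional[str] = None
    tainted: Optional[bool] = None
    version: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)
    trace_id: Optional[str] = None


def parse_splat(text: str) -> Splat:
    """Walk the splat line by line; the call trace ends at the first non-frame line."""
    s = Splat()
    in_trace = False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if in_trace:
            m = FRAME_RE.match(line)
            if m:
                s.frames.append(Frame(m.group(2), int(m.group(3), 16),
                                      int(m.group(4), 16), m.group(1) is not None))
                continue
            if line in MARKERS:
                continue
            in_trace = False             # e.g. the userspace "RIP: 0033:..." line
        m = WARN_RE.match(line)
        if m:
            s.kind, s.cpu, s.pid = "WARNING", int(m.group(1)), int(m.group(2))
            s.file, s.line, s.function = m.group(3), int(m.group(4)), m.group(5)
            s.offset, s.size = int(m.group(6), 16), int(m.group(7), 16)
            continue
        m = BUG_RE.match(line)
        if m:
            s.kind, s.file, s.line = "BUG", m.group(1), int(m.group(2))
            continue
        m = CPU_RE.match(line)
        if m:
            s.cpu, s.pid, s.comm = int(m.group(1)), int(m.group(2)), m.group(3)
            s.tainted = m.group(4) != "Not tainted"
            s.version = m.group(5)
            continue
        if line.startswith("Call Trace"):
            in_trace = True
            continue
        m = END_RE.match(line)
        if m:
            s.trace_id = m.group(1)
    return s


def reliable_trace(s: Splat) -> List[str]:
    """Symbols of the frames the unwinder trusted, innermost first."""
    return [f.symbol for f in s.frames if not f.unreliable]


if __name__ == "__main__":
    sp = parse_splat(SAMPLE)
    print(f"{sp.kind} at {sp.file}:{sp.line} in {sp.function} (pid {sp.pid}, comm {sp.comm})")
    print(" <- ".join(reliable_trace(sp)))
```

The `?`-prefixed frames are deliberately separated out: they are leftover addresses the unwinder found on the stack, so a triage script should report the reliable chain (`futex_requeue <- do_futex <- SyS_futex <- entry_SYSCALL_64_fastpath` here) and treat the rest as hints only.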