On 11/24/2016 03:23 PM, Dmitry Vyukov wrote:
> On Thu, Nov 24, 2016 at 2:49 PM, Vlastimil Babka <
vba...@suse.cz> wrote:
>> On 11/18/2016 11:19 AM, Dmitry Vyukov wrote:
>>>
>>> Hello,
>>>
>>> I've got the following BUG while running syzkaller on
>>> a25f0944ba9b1d8a6813fd6f1a86f1bd59ac25a6 (4.9-rc5). Unfortunately it's
>>> not reproducible.
>>>
>>> kernel BUG at ./include/linux/mm.h:1743!
>>> invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
>>
>>
>> Shouldn't there be also dump_page() output? Since you've hit this:
>> VM_BUG_ON_PAGE(page->pmd_huge_pte, page);
>
> Here it is:
>
> [ 250.326131] page:ffffea0000e196c0 count:1 mapcount:0 mapping:
> (null) index:0x0
> [ 250.343393] flags: 0x1fffc0000000000()
> [ 250.345328] page dumped because: VM_BUG_ON_PAGE(page->pmd_huge_pte)
> [ 250.346780] ------------[ cut here ]------------
> [ 250.347742] kernel BUG at ./include/linux/mm.h:1743!
Yeah, as expected, not very useful for this particular BUG_ON :/
>> Anyway the output wouldn't contain the value of pmd_huge_pte or stuff that's
>> in union with it. I'd suggest adding a local patch that prints this in the
>> error case, in case the fuzzer hits it again.
>>
>> Heck, it might even make sense to print raw contents of struct page in
>> dump_page() as a catch-all solution? Should I send a patch?
>
> Yes, please send.
> We are moving towards continuous build without local patches.
Something like this?
-------8<-------
From 2ac2c9b83d7c4c8be076c24246865a2ed01f9032 Mon Sep 17 00:00:00 2001
From: Vlastimil Babka <
vba...@suse.cz>
Date: Fri, 25 Nov 2016 09:08:05 +0100
Subject: [PATCH] mm, debug: print raw struct page data in __dump_page()
The __dump_page() function is used when a page metadata inconsistency is
detected, either by standard runtime checks, or extra checks in CONFIG_DEBUG_VM
builds. It prints some of the relevant metadata, but not the whole struct page,
which is based on unions and interpretation is dependent on the context.
This means that sometimes e.g. a VM_BUG_ON_PAGE() checks certain field, which
is however not printed by __dump_page() and the resulting bug report may then
lack clues that could help in determining the root cause. This patch solves
the problem by simply printing the whole struct page word by word, so no part
is missing, but the interpretation of the data is left to developers. This is
similar to e.g. x86_64 raw stack dumps.
Example output:
page:ffffea00000475c0 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x100000000000400(reserved)
raw struct page data:
0100000000000400 0000000000000000 0000000000000000 00000001ffffffff
ffffea00000475e0 ffffea00000475e0 0000000000000000 0000000000000000
page dumped because: VM_BUG_ON_PAGE(1)
Signed-off-by: Vlastimil Babka <
vba...@suse.cz>
---
mm/debug.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/mm/debug.c b/mm/debug.c
index 9feb699c5d25..9f67ad74d036 100644
--- a/mm/debug.c
+++ b/mm/debug.c
@@ -48,6 +48,8 @@ void __dump_page(struct page *page, const char *reason)
* encode own info.
*/
int mapcount = PageSlab(page) ? 0 : page_mapcount(page);
+ int i;
+ const int words_per_line = (sizeof(unsigned long) == 8) ? 4 : 8;
pr_emerg("page:%p count:%d mapcount:%d mapping:%p index:%#lx",
page, page_ref_count(page), mapcount,
@@ -59,6 +61,21 @@ void __dump_page(struct page *page, const char *reason)
pr_emerg("flags: %#lx(%pGp)\n", page->flags, &page->flags);
+ pr_alert("raw struct page data:");
+ for (i = 0; i < sizeof(struct page) / sizeof(unsigned long); i++) {
+ unsigned long *word_ptr;
+
+ word_ptr = ((unsigned long *) page) + i;
+
+ if ((i % words_per_line) == 0) {
+ pr_cont("\n");
+ pr_alert(" %016lx", *word_ptr);
+ } else {
+ pr_cont(" %016lx", *word_ptr);
+ }
+ }
+ pr_cont("\n");
+
if (reason)
pr_alert("page dumped because: %s\n", reason);
--
2.10.2