- Linux-kselftest-mirror - lists.linaro.org

Re: [Syzkaller & bisect] There is WARNING: refcount bug in sock_map_free in v6.3-rc1

by Pengfei Xu

++ GPIO and kself-test mailing list. Hi kernel experts, It's a soft remind. My colleague Lai Yi found that similar "refcount_t: underflow; use-after-free" issue still existed in v6.3-rc5 kernel on x86 platforms. We could reproduce issue from kself-test: gpio-mockup.sh easily: kernel/tools/testing/selftests/gpio/gpio-mockup.sh: " [ 5781.338917] -----------[ cut here ]----------- [ 5781.344192] refcount_t: underflow; use-after-free. [ 5781.349666] WARNING: CPU: 250 PID: 82496 at lib/refcount.c:25 refcount_warn_saturate+0xbe/0x110 [ 5781.359550] Modules linked in: gpio_mockup isst_if_mmio isst_if_mbox_pci intel_th_sth stm_core intel_th_pti intel_th_pci intel_th_gth pmt_telemetry pmt_class intel_vsec intel_rapl_msr intel_rapl_common nfsv3 rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace bridge stp llc sunrpc intel_uncore_frequency intel_uncore_frequency_common i10nm_edac nfit x86_pkg_temp_thermal intel_powerclamp coretemp iTCO_wdt ofpart kvm_intel intel_pmc_bxt iTCO_vendor_support spi_nor mtd intel_sdsi kvm spdm irqbypass dax_hmem joydev asn1_encoder snd_pcm mei_me i2c_i801 spi_intel_pci isst_if_common idxd snd_timer intel_th i2c_smbus spi_intel mei i2c_ismt ipmi_ssif cxl_acpi ipmi_si cxl_core acpi_power_meter crc32c_intel i40e igb dca igc pinctrl_emmitsburg pinctrl_intel pwm_lpss fuse [last unloaded: isst_if_mmio] [ 5781.438080] CPU: 250 PID: 82496 Comm: modprobe Not tainted 6.3.0-rc5 #1 [ 5781.449711] Hardware name: Intel Corporation, BIOS IFWI 03/12/2023 [ 5781.461615] RIP: 0010:refcount_warn_saturate+0xbe/0x110 [ 5781.467585] Code: 01 01 e8 75 56 8e ff 0f 0b c3 cc cc cc cc 80 3d 4c 67 ac 01 00 75 85 48 c7 c7 b0 31 cd a9 c6 05 3c 67 ac 01 01 e8 52 56 8e ff <0f> 0b c3 cc cc cc cc 80 3d 27 67 ac 01 00 0f 85 5e ff ff ff 48 c7 [ 5781.488761] RSP: 0018:ff45a7f44d39feb0 EFLAGS: 00010286 [ 5781.494745] RAX: 0000000000000000 RBX: ffffffffc0b36540 RCX: 0000000000000000 [ 5781.502871] RDX: 0000000000000002 RSI: ffffffffa9c065c8 RDI: 00000000ffffffff [ 5781.510984] RBP: ff31c1afa78cb800 R08: 0000000000000001 R09: 0000000000000003 [ 5781.519100] R10: ff31c1b6fc000000 R11: ff31c1b6fc000000 R12: ff31c1afa78c4f40 [ 5781.527215] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 5781.535337] FS: 00007f9bc705a740(0000) GS:ff31c1b700280000(0000) knlGS:0000000000000000 [ 5781.544529] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 5781.551063] CR2: 00007f9bc5e50dc0 CR3: 000000093b36c003 CR4: 0000000000f71ee0 [ 5781.559180] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 5781.567307] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 5781.575413] PKRU: 55555554 [ 5781.578551] Call Trace: [ 5781.581394] <TASK> [ 5781.583868] gpio_mockup_exit+0x33/0x420 [gpio_mockup] [ 5781.589756] __do_sys_delete_module.constprop.0+0x180/0x270 [ 5781.596112] ? syscall_trace_enter.constprop.0+0x17f/0x1b0 [ 5781.602354] do_syscall_64+0x43/0x90 [ 5781.606488] entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 5781.612274] RIP: 0033:0x7f9bc5f2ff7b [ 5781.616376] Code: 73 01 c3 48 8b 0d 15 8f 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e5 8e 0c 00 f7 d8 64 89 01 48 [ 5781.637543] RSP: 002b:00007ffcac9c5e48 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 [ 5781.646146] RAX: ffffffffffffffda RBX: 0000557113827e40 RCX: 00007f9bc5f2ff7b [ 5781.654267] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000557113827ea8 [ 5781.662382] RBP: 0000557113827ea8 R08: 00007ffcac9c4df1 R09: 0000000000000000 [ 5781.670491] R10: 00007f9bc5faeae0 R11: 0000000000000206 R12: 0000000000000000 [ 5781.678601] R13: 0000000000000000 R14: 0000557113827ea8 R15: 0000000000000000 [ 5781.686770] </TASK> [ 5781.689343] --[ end trace 0000000000000000 ]-- " And we could reproduce reproduce this issue as follow way also in vm: https://github.com/xupengfe/syzkaller_logs/blob/main/230306_123510_sock_map… I newly updated the syzkaller analysis repro.status repro.prog info in all detailed info: https://github.com/xupengfe/syzkaller_logs/tree/main/230306_123510_sock_map… Bisected and suspected bad commit is: " 0a182f8d6074 bpf. sockmap: fix race in sock_map_free() " I hope the info is helpful. Thanks! BR. -Pengfei On 2023-03-07 at 23:18:23 +0800, Pengfei Xu wrote: > Sorry to update the missed reproduced code from syzkaller: > https://github.com/xupengfe/syzkaller_logs/blob/main/230306_123510_sock_map… > > Thanks! > BR. > > On 2023-03-07 at 22:36:55 +0800, Pengfei Xu wrote: > > Hi Eric Dumazet, > > > > Greeting! > > > > Platform: x86 platform > > All detailed log link: https://github.com/xupengfe/syzkaller_logs/tree/main/230306_123510_sock_map… > > v6.3-rc1 problem dmesg: https://github.com/xupengfe/syzkaller_logs/blob/main/230306_123510_sock_map… > > Bisect info: https://github.com/xupengfe/syzkaller_logs/blob/main/230306_123510_sock_map… > > Kconfig: https://github.com/xupengfe/syzkaller_logs/blob/main/230306_123510_sock_map… > > > > There is WARNING: refcount bug in sock_map_free in v6.3-rc1 kernel. > > > > > > [ 58.955232] ------------[ cut here ]------------ > > [ 58.955976] refcount_t: addition on 0; use-after-free. > > [ 58.956752] WARNING: CPU: 0 PID: 9 at lib/refcount.c:25 refcount_warn_saturate+0xe6/0x1c0 > > [ 58.957846] Modules linked in: > > [ 58.958278] CPU: 0 PID: 9 Comm: kworker/u4:0 Not tainted 6.3.0-rc1-fe15c26ee26e+ #1 > > [ 58.959340] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 > > [ 58.960854] Workqueue: events_unbound bpf_map_free_deferred > > [ 58.961630] RIP: 0010:refcount_warn_saturate+0xe6/0x1c0 > > [ 58.962344] Code: 1d b8 c2 43 02 31 ff 89 de e8 c6 ab 52 ff 84 db 75 97 e8 5d aa 52 ff 48 c7 c7 d8 b6 be 83 c6 05 98 c2 43 02 01 e8 1a 55 36 ff <0f> 0b e9 78 9 > > [ 58.964836] RSP: 0018:ffffc90000053da0 EFLAGS: 00010286 > > [ 58.965582] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8111b6fb > > [ 58.966570] RDX: 0000000000000000 RSI: ffff888007372340 RDI: 0000000000000002 > > [ 58.967569] RBP: ffffc90000053db0 R08: 0000000000000000 R09: 0000000000000001 > > [ 58.968547] R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800ec16200 > > [ 58.969532] R13: 0000000000000000 R14: ffff888015808000 R15: ffff88800ed6fc00 > > [ 58.970500] FS: 0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 > > [ 58.971647] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > [ 58.972447] CR2: 0000000020000000 CR3: 0000000003e3a006 CR4: 0000000000770ef0 > > [ 58.973461] PKRU: 55555554 > > [ 58.973851] Call Trace: > > [ 58.974206] <TASK> > > [ 58.974520] sock_map_free+0x387/0x390 > > [ 58.975077] bpf_map_free_deferred+0x124/0x2d0 > > [ 58.975753] process_one_work+0x3b1/0x9e0 > > [ 58.976350] worker_thread+0x52/0x660 > > [ 58.976895] ? __pfx_worker_thread+0x10/0x10 > > [ 58.977514] kthread+0x161/0x1a0 > > [ 58.977994] ? __pfx_kthread+0x10/0x10 > > [ 58.978529] ret_from_fork+0x29/0x50 > > [ 58.979073] </TASK> > > [ 58.979448] irq event stamp: 25237 > > [ 58.979940] hardirqs last enabled at (25245): [<ffffffff811eac21>] __up_console_sem+0x91/0xb0 > > [ 58.981151] hardirqs last disabled at (25252): [<ffffffff811eac06>] __up_console_sem+0x76/0xb0 > > [ 58.982466] softirqs last enabled at (25234): [<ffffffff83023a3c>] __do_softirq+0x31c/0x49c > > [ 58.983769] softirqs last disabled at (25229): [<ffffffff8112b5a4>] irq_exit_rcu+0xc4/0x100 > > [ 58.985055] ---[ end trace 0000000000000000 ]--- > > [ 58.985813] ------------[ cut here ]------------ > > [ 58.986530] refcount_t: underflow; use-after-free. > > [ 58.987460] WARNING: CPU: 0 PID: 9 at lib/refcount.c:28 refcount_warn_saturate+0x15e/0x1c0 > > [ 58.988714] Modules linked in: > > [ 58.989207] CPU: 0 PID: 9 Comm: kworker/u4:0 Tainted: G W 6.3.0-rc1-fe15c26ee26e+ #1 > > [ 58.990565] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 > > [ 58.992351] Workqueue: events_unbound bpf_map_free_deferred > > [ 58.993213] RIP: 0010:refcount_warn_saturate+0x15e/0x1c0 > > [ 58.994119] Code: 02 31 ff 89 de e8 52 ab 52 ff 84 db 0f 85 1f ff ff ff e8 e5 a9 52 ff 48 c7 c7 08 b7 be 83 c6 05 1f c2 43 02 01 e8 a2 54 36 ff <0f> 0b e9 00 9 > > [ 58.997238] RSP: 0018:ffffc90000053da0 EFLAGS: 00010286 > > [ 58.998124] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8111b6fb > > [ 58.999358] RDX: 0000000000000000 RSI: ffff888007372340 RDI: 0000000000000002 > > [ 59.000558] RBP: ffffc90000053db0 R08: 0000000000000000 R09: 0000000000000001 > > [ 59.001737] R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800ec16200 > > [ 59.002928] R13: 0000000000000000 R14: ffff888015808000 R15: ffff88800ed6fc00 > > [ 59.004172] FS: 0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000 > > [ 59.005541] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > [ 59.006521] CR2: 0000000020000000 CR3: 0000000003e3a006 CR4: 0000000000770ef0 > > [ 59.007770] PKRU: 55555554 > > [ 59.008260] Call Trace: > > [ 59.008709] <TASK> > > [ 59.009094] sock_map_free+0x36c/0x390 > > [ 59.009745] bpf_map_free_deferred+0x124/0x2d0 > > [ 59.010543] process_one_work+0x3b1/0x9e0 > > [ 59.011288] worker_thread+0x52/0x660 > > [ 59.011947] ? __pfx_worker_thread+0x10/0x10 > > [ 59.012694] kthread+0x161/0x1a0 > > [ 59.013270] ? __pfx_kthread+0x10/0x10 > > [ 59.013925] ret_from_fork+0x29/0x50 > > [ 59.014570] </TASK> > > [ 59.014959] irq event stamp: 25629 > > [ 59.015589] hardirqs last enabled at (25639): [<ffffffff811eac21>] __up_console_sem+0x91/0xb0 > > [ 59.017047] hardirqs last disabled at (25646): [<ffffffff811eac06>] __up_console_sem+0x76/0xb0 > > [ 59.018450] softirqs last enabled at (25412): [<ffffffff83023a3c>] __do_softirq+0x31c/0x49c > > [ 59.019851] softirqs last disabled at (25367): [<ffffffff8112b5a4>] irq_exit_rcu+0xc4/0x100 > > [ 59.021282] ---[ end trace 0000000000000000 ]--- > > > > Found this issue existed in v6.2 kernel also. > > And bisected from v6.2 to v5.11 and found the bad commit: > > " > > 0a182f8d6074 > > bpf. sockmap: fix race in sock_map_free() > > " > > Reverted the bad commit on top of v6.2, above issue was gone. > > > > > > There was "use after free" in dmesg info. > > And I found that GPIO kselftest triggered the similar Call Trace also. > > " > > cd linux/tools/testing/selftests > > > > 1. ./kselftest_install.sh > > > > > > 2. cd linux/tools/testing/selftests/kselftest_install/gpio > > > > # ./gpio-mockup.sh > > 1. Module load tests > > 1.1. dynamic allocation of gpio > > 2. Module load error tests > > 2.1 gpio overflow > > test failed: unexpected chip - gpiochip1 > > GPIO gpio-mockup test FAIL > > " > > Related dmesg: > > " > > [ 9729.144086] ------------[ cut here ]------------ > > [ 9729.149680] refcount_t: underflow; use-after-free. > > [ 9729.155478] WARNING: CPU: 75 PID: 809778 at lib/refcount.c:28 refcount_warn_saturate+0xd3/0x120 > > [ 9729.165489] Modules linked in: gpio_mockup(-) xt_state rds quota_v2 quota_tree brd overlay ntfs btrfs blake2b_generic xor raid6_pq ip6t_REJECT nf_reject_ipv6 ip6t_rpfilter xt_tcpudp ipt_REJECT nf_reject_ipv4 xt_conntrack nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 bridge stp llc vsock_loopback vhost_vsock vmw_vsock_virtio_transport_common vhost vhost_iotlb ip6_tables vsock ip_tables nft_compat x_tables ip_set nf_tables nfnetlink intel_rapl_msr intel_rapl_common intel_uncore_frequency intel_uncore_frequency_common i10nm_edac nfit x86_pkg_temp_thermal snd_hda_codec_realtek intel_powerclamp snd_hda_codec_generic ledtrig_audio coretemp snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hda_core snd_hwdep snd_seq kmem ofpart snd_seq_device kvm_intel snd_pcm pmt_telemetry pmt_crashlog cmdlinepart snd_timer kvm ipmi_ssif spi_nor device_dax intel_sdsi pmt_class irqbypass mei_me mtd rapl snd i2c_i801 isst_if_mmio pcspkr dax_hmem isst_if_mbox_pci intel_cstate > > [ 9729.165539] spi_intel_pci soundcore isst_if_common mei intel_vsec idxd i2c_ismt spi_intel i2c_smbus ipmi_si acpi_power_meter acpi_pad mac_hid sch_fq_codel crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha512_ssse3 aesni_intel crypto_simd cryptd ast igc pinctrl_emmitsburg pinctrl_intel pwm_lpss [last unloaded: init_module(O)] > > [ 9729.297472] CPU: 75 PID: 809778 Comm: modprobe Tainted: G S IO 6.2.0-lkml #18 > > [ 9729.306942] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.SYS.0090.D03.2210040200 10/04/2022 > > [ 9729.318926] RIP: 0010:refcount_warn_saturate+0xd3/0x120 > > [ 9729.325020] Code: 9f 00 0f 0b 5d c3 cc cc cc cc 80 3d c5 72 b7 01 00 0f 85 74 ff ff ff 48 c7 c7 10 b9 2b bc c6 05 b1 72 b7 01 01 e8 7d 39 9f 00 <0f> 0b 5d c3 cc cc cc cc 80 3d 9b 72 b7 01 00 0f 85 4c ff ff ff 48 > > [ 9729.346438] RSP: 0018:ff38111b0f3b3e48 EFLAGS: 00010286 > > [ 9729.352524] RAX: 0000000000000000 RBX: ff1e4ed2436ee100 RCX: 0000000000000001 > > [ 9729.360745] RDX: 0000000000000001 RSI: ffffffffbc1ea3d1 RDI: 00000000ffffffff > > [ 9729.368960] RBP: ff38111b0f3b3e48 R08: 0000000000000000 R09: c0000000ff7fffff > > [ 9729.377188] R10: 0000000000000001 R11: ff38111b0f3b3cb8 R12: ff1e4ed24b90fc00 > > [ 9729.385415] R13: ff1e4ed2436ee140 R14: 0000000000000000 R15: 0000000000000000 > > [ 9729.393639] FS: 00007f76415d5740(0000) GS:ff1e4ef0972c0000(0000) knlGS:0000000000000000 > > [ 9729.402941] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > [ 9729.409618] CR2: 00007f764154fd96 CR3: 000000108c20c006 CR4: 0000000000f71ee0 > > [ 9729.417860] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > > [ 9729.426087] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 > > [ 9729.434328] PKRU: 55555554 > > [ 9729.437633] Call Trace: > > [ 9729.440650] <TASK> > > [ 9729.443266] kobject_put+0x10f/0x1b0 > > [ 9729.447520] fwnode_remove_software_node+0x35/0x50 > > [ 9729.453158] gpio_mockup_unregister_pdevs+0x3a/0x4e [gpio_mockup] > > [ 9729.460233] gpio_mockup_exit+0xd/0x3b3 [gpio_mockup] > > [ 9729.466169] __x64_sys_delete_module+0x140/0x240 > > [ 9729.471619] do_syscall_64+0x3b/0x90 > > [ 9729.475909] entry_SYSCALL_64_after_hwframe+0x72/0xdc > > [ 9729.481830] RIP: 0033:0x7f7641954f7b > > [ 9729.486100] Code: 73 01 c3 48 8b 0d 15 8f 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e5 8e 0c 00 f7 d8 64 89 01 48 > > [ 9729.507517] RSP: 002b:00007ffef02671e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 > > [ 9729.516270] RAX: ffffffffffffffda RBX: 0000562e93269ee0 RCX: 00007f7641954f7b > > [ 9729.524519] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000562e93269f48 > > [ 9729.532752] RBP: 0000562e93269f48 R08: 00007ffef0266191 R09: 0000000000000000 > > [ 9729.541004] R10: 00007f76419d3ae0 R11: 0000000000000206 R12: 0000000000000000 > > [ 9729.549266] R13: 0000000000000000 R14: 0000562e93269f48 R15: 0000000000000000 > > [ 9729.557518] </TASK> > > [ 9729.560246] ---[ end trace 0000000000000000 ]--- > > " > > > > I hope it's helpful. > > > > > > --- > > > > If you don't need the following environment to reproduce the problem or if you > > already have one, please ignore the following information. > > > > How to reproduce: > > git clone https://gitlab.com/xupengfe/repro_vm_env.git > > cd repro_vm_env > > tar -xvf repro_vm_env.tar.gz > > cd repro_vm_env; ./start3.sh // it needs qemu-system-x86_64 and I used v7.1.0 > > // start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel > > // You could change the bzImage_xxx as you want > > You could use below command to log in, there is no password for root. > > ssh -p 10023 root@localhost > > > > After login vm(virtual machine) successfully, you could transfer reproduced > > binary to the vm by below way, and reproduce the problem in vm: > > gcc -pthread -o repro repro.c > > scp -P 10023 repro root@localhost:/root/ > > > > Get the bzImage for target kernel: > > Please use target kconfig and copy it to kernel_src/.config > > make olddefconfig > > make -jx bzImage //x should equal or less than cpu num your pc has > > > > Fill the bzImage file into above start3.sh to load the target kernel vm. > > > > > > Tips: > > If you already have qemu-system-x86_64, please ignore below info. > > If you want to install qemu v7.1.0 version: > > git clone https://github.com/qemu/qemu.git > > cd qemu > > git checkout -f v7.1.0 > > mkdir build > > cd build > > yum install -y ninja-build.x86_64 > > ../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl > > make > > make install > > --- > > > > Thanks! > > BR.

2 years, 3 months

3
4
0 0

[PATCH bpf-next v2 2/2] selftests: xsk: Add test UNALIGNED_INV_DESC_4K1_FRAME_SIZE

by Kal Conley

Add unaligned descriptor test for frame size of 4001. Using an odd frame size ensures that the end of the UMEM is not near a page boundary. This allows testing descriptors that staddle the end of the UMEM but not a page. This test used to fail without the previous commit ("xsk: Add check for unaligned descriptors that overrun UMEM"). Signed-off-by: Kal Conley <kal.conley(a)dectris.com> --- tools/testing/selftests/bpf/xskxceiver.c | 24 ++++++++++++++++++++++++ tools/testing/selftests/bpf/xskxceiver.h | 1 + 2 files changed, 25 insertions(+) diff --git a/tools/testing/selftests/bpf/xskxceiver.c b/tools/testing/selftests/bpf/xskxceiver.c index 1a4bdd5aa78c..5a9691e942de 100644 --- a/tools/testing/selftests/bpf/xskxceiver.c +++ b/tools/testing/selftests/bpf/xskxceiver.c @@ -69,6 +69,7 @@ */ #define _GNU_SOURCE +#include <assert.h> #include <fcntl.h> #include <errno.h> #include <getopt.h> @@ -1876,6 +1877,29 @@ static void run_pkt_test(struct test_spec *test, enum test_mode mode, enum test_ test->ifobj_rx->umem->unaligned_mode = true; testapp_invalid_desc(test); break; + case TEST_TYPE_UNALIGNED_INV_DESC_4K1_FRAME: { + u64 page_size, umem_size; + + if (!hugepages_present(test->ifobj_tx)) { + ksft_test_result_skip("No 2M huge pages present.\n"); + return; + } + test_spec_set_name(test, "UNALIGNED_INV_DESC_4K1_FRAME_SIZE"); + /* Odd frame size so the UMEM doesn't end near a page boundary. */ + test->ifobj_tx->umem->frame_size = 4001; + test->ifobj_rx->umem->frame_size = 4001; + test->ifobj_tx->umem->unaligned_mode = true; + test->ifobj_rx->umem->unaligned_mode = true; + /* This test exists to test descriptors that staddle the end of + * the UMEM but not a page. + */ + page_size = sysconf(_SC_PAGESIZE); + umem_size = test->ifobj_tx->umem->num_frames * test->ifobj_tx->umem->frame_size; + assert(umem_size % page_size > PKT_SIZE); + assert(umem_size % page_size < page_size - PKT_SIZE); + testapp_invalid_desc(test); + break; + } case TEST_TYPE_UNALIGNED: if (!testapp_unaligned(test)) return; diff --git a/tools/testing/selftests/bpf/xskxceiver.h b/tools/testing/selftests/bpf/xskxceiver.h index cc24ab72f3ff..919327807a4e 100644 --- a/tools/testing/selftests/bpf/xskxceiver.h +++ b/tools/testing/selftests/bpf/xskxceiver.h @@ -78,6 +78,7 @@ enum test_type { TEST_TYPE_ALIGNED_INV_DESC, TEST_TYPE_ALIGNED_INV_DESC_2K_FRAME, TEST_TYPE_UNALIGNED_INV_DESC, + TEST_TYPE_UNALIGNED_INV_DESC_4K1_FRAME, TEST_TYPE_HEADROOM, TEST_TYPE_TEARDOWN, TEST_TYPE_BIDI, -- 2.39.2

2 years, 3 months

2
1
0 0

[PATCH v2] selftests: media_tests: Add new subtest to video_device_test

by Ivan Orlov

Add new subtest to video_device_test to cover the VIDIOC_G_PRIORITY and VIDIOC_S_PRIORITY ioctl calls. This test tries to set the priority associated with the file descriptior via ioctl VIDIOC_S_PRIORITY command from V4L2 API. After that, the test tries to get the new priority via VIDIOC_G_PRIORITY ioctl command and compares the result with the v4l2_priority it set before. At the end, the test restores the old priority. This test will increase the code coverage for video_device_test, so I think it might be useful. Additionally, this patch will refactor the video_device_test a little bit, according to the new functionality. Signed-off-by: Ivan Orlov <ivan.orlov0322(a)gmail.com> --- V1 -> V2: Revert the test description change .../selftests/media_tests/video_device_test.c | 111 +++++++++++++----- 1 file changed, 83 insertions(+), 28 deletions(-) diff --git a/tools/testing/selftests/media_tests/video_device_test.c b/tools/testing/selftests/media_tests/video_device_test.c index 0f6aef2e2593..2c44e115f2f0 100644 --- a/tools/testing/selftests/media_tests/video_device_test.c +++ b/tools/testing/selftests/media_tests/video_device_test.c @@ -37,45 +37,58 @@ #include <time.h> #include <linux/videodev2.h> -int main(int argc, char **argv) +#define PRIORITY_MAX 4 + +int priority_test(int fd) { - int opt; - char video_dev[256]; - int count; - struct v4l2_tuner vtuner; - struct v4l2_capability vcap; + /* This test will try to update the priority associated with a file descriptor */ + + enum v4l2_priority old_priority, new_priority, priority_to_compare; int ret; - int fd; + int result = 0; - if (argc < 2) { - printf("Usage: %s [-d </dev/videoX>]\n", argv[0]); - exit(-1); + ret = ioctl(fd, VIDIOC_G_PRIORITY, &old_priority); + if (ret < 0) { + printf("Failed to get priority: %s\n", strerror(errno)); + return -1; + } + new_priority = (old_priority + 1) % PRIORITY_MAX; + ret = ioctl(fd, VIDIOC_S_PRIORITY, &new_priority); + if (ret < 0) { + printf("Failed to set priority: %s\n", strerror(errno)); + return -1; + } + ret = ioctl(fd, VIDIOC_G_PRIORITY, &priority_to_compare); + if (ret < 0) { + printf("Failed to get new priority: %s\n", strerror(errno)); + result = -1; + goto cleanup; + } + if (priority_to_compare != new_priority) { + printf("Priority wasn't set - test failed\n"); + result = -1; } - /* Process arguments */ - while ((opt = getopt(argc, argv, "d:")) != -1) { - switch (opt) { - case 'd': - strncpy(video_dev, optarg, sizeof(video_dev) - 1); - video_dev[sizeof(video_dev)-1] = '\0'; - break; - default: - printf("Usage: %s [-d </dev/videoX>]\n", argv[0]); - exit(-1); - } +cleanup: + ret = ioctl(fd, VIDIOC_S_PRIORITY, &old_priority); + if (ret < 0) { + printf("Failed to restore priority: %s\n", strerror(errno)); + return -1; } + return result; +} + +int loop_test(int fd) +{ + int count; + struct v4l2_tuner vtuner; + struct v4l2_capability vcap; + int ret; /* Generate random number of interations */ srand((unsigned int) time(NULL)); count = rand(); - /* Open Video device and keep it open */ - fd = open(video_dev, O_RDWR); - if (fd == -1) { - printf("Video Device open errno %s\n", strerror(errno)); - exit(-1); - } - printf("\nNote:\n" "While test is running, remove the device or unbind\n" "driver and ensure there are no use after free errors\n" @@ -98,4 +111,46 @@ int main(int argc, char **argv) sleep(10); count--; } + return 0; +} + +int main(int argc, char **argv) +{ + int opt; + char video_dev[256]; + int fd; + int test_result; + + if (argc < 2) { + printf("Usage: %s [-d </dev/videoX>]\n", argv[0]); + exit(-1); + } + + /* Process arguments */ + while ((opt = getopt(argc, argv, "d:")) != -1) { + switch (opt) { + case 'd': + strncpy(video_dev, optarg, sizeof(video_dev) - 1); + video_dev[sizeof(video_dev)-1] = '\0'; + break; + default: + printf("Usage: %s [-d </dev/videoX>]\n", argv[0]); + exit(-1); + } + } + + /* Open Video device and keep it open */ + fd = open(video_dev, O_RDWR); + if (fd == -1) { + printf("Video Device open errno %s\n", strerror(errno)); + exit(-1); + } + + test_result = priority_test(fd); + if (!test_result) + printf("Priority test - PASSED\n"); + else + printf("Priority test - FAILED\n"); + + loop_test(fd); } -- 2.34.1

2 years, 3 months

1
0
0 0

[PATCH] selftests: media_tests: Add new subtest to video_device_test

by Ivan Orlov

Add new subtest to video_device_test to cover the VIDIOC_G_PRIORITY and VIDIOC_S_PRIORITY ioctl calls. This test tries to set the priority associated with the file descriptior via ioctl VIDIOC_S_PRIORITY command from V4L2 API. After that, the test tries to get the new priority via VIDIOC_G_PRIORITY ioctl command and compares the result with the v4l2_priority it set before. At the end, the test restores the old priority. This test will increase the code coverage for video_device_test, so I think it might be useful. Additionally, this patch will refactor the video_device_test a little bit, according to the new functionality. Signed-off-by: Ivan Orlov <ivan.orlov0322(a)gmail.com> --- .../selftests/media_tests/video_device_test.c | 131 +++++++++++++----- 1 file changed, 93 insertions(+), 38 deletions(-) diff --git a/tools/testing/selftests/media_tests/video_device_test.c b/tools/testing/selftests/media_tests/video_device_test.c index 0f6aef2e2593..5e6f65ad2ca3 100644 --- a/tools/testing/selftests/media_tests/video_device_test.c +++ b/tools/testing/selftests/media_tests/video_device_test.c @@ -13,18 +13,9 @@ * in the Kselftest run. This test should be run when hardware and driver * that makes use of V4L2 API is present. * - * This test opens user specified Video Device and calls video ioctls in a - * loop once every 10 seconds. - * * Usage: * sudo ./video_device_test -d /dev/videoX - * - * While test is running, remove the device or unbind the driver and - * ensure there are no use after free errors and other Oops in the - * dmesg. - * When possible, enable KaSan kernel config option for use-after-free - * error detection. -*/ + */ #include <stdio.h> #include <unistd.h> @@ -37,45 +28,67 @@ #include <time.h> #include <linux/videodev2.h> -int main(int argc, char **argv) +#define PRIORITY_MAX 4 + +int priority_test(int fd) { - int opt; - char video_dev[256]; - int count; - struct v4l2_tuner vtuner; - struct v4l2_capability vcap; + /* This test will try to update the priority associated with a file descriptor */ + + enum v4l2_priority old_priority, new_priority, priority_to_compare; int ret; - int fd; + int result = 0; - if (argc < 2) { - printf("Usage: %s [-d </dev/videoX>]\n", argv[0]); - exit(-1); + ret = ioctl(fd, VIDIOC_G_PRIORITY, &old_priority); + if (ret < 0) { + printf("Failed to get priority: %s\n", strerror(errno)); + return -1; + } + new_priority = (old_priority + 1) % PRIORITY_MAX; + ret = ioctl(fd, VIDIOC_S_PRIORITY, &new_priority); + if (ret < 0) { + printf("Failed to set priority: %s\n", strerror(errno)); + return -1; + } + ret = ioctl(fd, VIDIOC_G_PRIORITY, &priority_to_compare); + if (ret < 0) { + printf("Failed to get new priority: %s\n", strerror(errno)); + result = -1; + goto cleanup; + } + if (priority_to_compare != new_priority) { + printf("Priority wasn't set - test failed\n"); + result = -1; } - /* Process arguments */ - while ((opt = getopt(argc, argv, "d:")) != -1) { - switch (opt) { - case 'd': - strncpy(video_dev, optarg, sizeof(video_dev) - 1); - video_dev[sizeof(video_dev)-1] = '\0'; - break; - default: - printf("Usage: %s [-d </dev/videoX>]\n", argv[0]); - exit(-1); - } +cleanup: + ret = ioctl(fd, VIDIOC_S_PRIORITY, &old_priority); + if (ret < 0) { + printf("Failed to restore priority: %s\n", strerror(errno)); + return -1; } + return result; +} + +int loop_test(int fd) +{ + /* + * This test opens user specified Video Device and calls video ioctls in a + * loop once every 10 seconds. + * While test is running, remove the device or unbind the driver and + * ensure there are no use after free errors and other Oops in the + * dmesg. + * When possible, enable KaSan kernel config option for use-after-free + * error detection. + */ + int count; + struct v4l2_tuner vtuner; + struct v4l2_capability vcap; + int ret; /* Generate random number of interations */ srand((unsigned int) time(NULL)); count = rand(); - /* Open Video device and keep it open */ - fd = open(video_dev, O_RDWR); - if (fd == -1) { - printf("Video Device open errno %s\n", strerror(errno)); - exit(-1); - } - printf("\nNote:\n" "While test is running, remove the device or unbind\n" "driver and ensure there are no use after free errors\n" @@ -98,4 +111,46 @@ int main(int argc, char **argv) sleep(10); count--; } + return 0; +} + +int main(int argc, char **argv) +{ + int opt; + char video_dev[256]; + int fd; + int test_result; + + if (argc < 2) { + printf("Usage: %s [-d </dev/videoX>]\n", argv[0]); + exit(-1); + } + + /* Process arguments */ + while ((opt = getopt(argc, argv, "d:")) != -1) { + switch (opt) { + case 'd': + strncpy(video_dev, optarg, sizeof(video_dev) - 1); + video_dev[sizeof(video_dev)-1] = '\0'; + break; + default: + printf("Usage: %s [-d </dev/videoX>]\n", argv[0]); + exit(-1); + } + } + + /* Open Video device and keep it open */ + fd = open(video_dev, O_RDWR); + if (fd == -1) { + printf("Video Device open errno %s\n", strerror(errno)); + exit(-1); + } + + test_result = priority_test(fd); + if (!test_result) + printf("Priority test - PASSED\n"); + else + printf("Priority test - FAILED\n"); + + loop_test(fd); } -- 2.34.1

2 years, 3 months

2
2
0 0

[PATCH bpf] selftests: xsk: Deflakify STATS_RX_DROPPED test

by Kal Conley

Fix flaky STATS_RX_DROPPED test. The receiver calls getsockopt after receiving the last (valid) packet which is not the final packet sent in the test (valid and invalid packets are sent in alternating fashion with the final packet being invalid). Since the last packet may or may not have been dropped already, both outcomes must be allowed. This issue could also be fixed by making sure the last packet sent is valid. This alternative is left as an exercise to the reader (or the benevolent maintainers of this file). This problem was quite visible on certain setups. On one machine this failure was observed 50% of the time. Also, remove a redundant assignment of pkt_stream->nb_pkts. This field is already initialized by __pkt_stream_alloc. Fixes: 27e934bec35b ("selftests: xsk: make stat tests not spin on getsockopt") Signed-off-by: Kal Conley <kal.conley(a)dectris.com> Acked-by: Magnus Karlsson <magnus.karlsson(a)intel.com> --- tools/testing/selftests/bpf/xskxceiver.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/bpf/xskxceiver.c b/tools/testing/selftests/bpf/xskxceiver.c index a17655107a94..30a364283542 100644 --- a/tools/testing/selftests/bpf/xskxceiver.c +++ b/tools/testing/selftests/bpf/xskxceiver.c @@ -631,7 +631,6 @@ static struct pkt_stream *pkt_stream_generate(struct xsk_umem_info *umem, u32 nb if (!pkt_stream) exit_with_error(ENOMEM); - pkt_stream->nb_pkts = nb_pkts; for (i = 0; i < nb_pkts; i++) { pkt_set(umem, &pkt_stream->pkts[i], (i % umem->num_frames) * umem->frame_size, pkt_len); @@ -1124,7 +1123,14 @@ static int validate_rx_dropped(struct ifobject *ifobject) if (err) return TEST_FAILURE; - if (stats.rx_dropped == ifobject->pkt_stream->nb_pkts / 2) + /* The receiver calls getsockopt after receiving the last (valid) + * packet which is not the final packet sent in this test (valid and + * invalid packets are sent in alternating fashion with the final + * packet being invalid). Since the last packet may or may not have + * been dropped already, both outcomes must be allowed. + */ + if (stats.rx_dropped == ifobject->pkt_stream->nb_pkts / 2 || + stats.rx_dropped == ifobject->pkt_stream->nb_pkts / 2 - 1) return TEST_PASS; return TEST_FAILURE; -- 2.39.2

2 years, 3 months

2
1
0 0

[PATCH bpf-next] selftests: xsk: Disable IPv6 on VETH1

by Kal Conley

This change fixes flakiness in the BIDIRECTIONAL test: # [is_pkt_valid] expected length [60], got length [90] not ok 1 FAIL: SKB BUSY-POLL BIDIRECTIONAL When IPv6 is enabled, the interface will periodically send MLDv1 and MLDv2 packets. These packets can cause the BIDIRECTIONAL test to fail since it uses VETH0 for RX. For other tests, this was not a problem since they only receive on VETH1 and IPv6 was already disabled on VETH0. Fixes: a89052572ebb ("selftests/bpf: Xsk selftests framework") Signed-off-by: Kal Conley <kal.conley(a)dectris.com> --- tools/testing/selftests/bpf/test_xsk.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/testing/selftests/bpf/test_xsk.sh b/tools/testing/selftests/bpf/test_xsk.sh index b077cf58f825..377fb157a57c 100755 --- a/tools/testing/selftests/bpf/test_xsk.sh +++ b/tools/testing/selftests/bpf/test_xsk.sh @@ -116,6 +116,7 @@ setup_vethPairs() { ip link add ${VETH0} numtxqueues 4 numrxqueues 4 type veth peer name ${VETH1} numtxqueues 4 numrxqueues 4 if [ -f /proc/net/if_inet6 ]; then echo 1 > /proc/sys/net/ipv6/conf/${VETH0}/disable_ipv6 + echo 1 > /proc/sys/net/ipv6/conf/${VETH1}/disable_ipv6 fi if [[ $verbose -eq 1 ]]; then echo "setting up ${VETH1}" -- 2.39.2

2 years, 3 months

2
1
0 0

[PATCH bpf-next] selftests: xsk: Add xskxceiver.h dependency to Makefile

by Kal Conley

xskxceiver depends on xskxceiver.h so tell make about it. Signed-off-by: Kal Conley <kal.conley(a)dectris.com> --- tools/testing/selftests/bpf/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile index b677dcd0b77a..b55d828911d5 100644 --- a/tools/testing/selftests/bpf/Makefile +++ b/tools/testing/selftests/bpf/Makefile @@ -607,7 +607,7 @@ $(OUTPUT)/test_verifier: test_verifier.c verifier/tests.h $(BPFOBJ) | $(OUTPUT) $(call msg,BINARY,,$@) $(Q)$(CC) $(CFLAGS) $(filter %.a %.o %.c,$^) $(LDLIBS) -o $@ -$(OUTPUT)/xskxceiver: xskxceiver.c $(OUTPUT)/xsk.o $(OUTPUT)/xsk_xdp_progs.skel.h $(BPFOBJ) | $(OUTPUT) +$(OUTPUT)/xskxceiver: xskxceiver.c xskxceiver.h $(OUTPUT)/xsk.o $(OUTPUT)/xsk_xdp_progs.skel.h $(BPFOBJ) | $(OUTPUT) $(call msg,BINARY,,$@) $(Q)$(CC) $(CFLAGS) $(filter %.a %.o %.c,$^) $(LDLIBS) -o $@ -- 2.39.2

2 years, 3 months

2
1
0 0

Re: [PATCH v4 1/3] mm: add new api to enable ksm per process

by David Hildenbrand

On 10.03.23 19:28, Stefan Roesch wrote: > Patch series "mm: process/cgroup ksm support", v3. > > So far KSM can only be enabled by calling madvise for memory regions. To > be able to use KSM for more workloads, KSM needs to have the ability to be > enabled / disabled at the process / cgroup level. > > Use case 1: > > The madvise call is not available in the programming language. An > example for this are programs with forked workloads using a garbage > collected language without pointers. In such a language madvise cannot > be made available. > > In addition the addresses of objects get moved around as they are > garbage collected. KSM sharing needs to be enabled "from the outside" > for these type of workloads. I guess the interpreter could enable it (like a memory allocator could enable it for the whole heap). But I get that it's much easier to enable this per-process, and eventually only when a lot of the same processes are running in that particular environment. > > Use case 2: > > The same interpreter can also be used for workloads where KSM brings > no benefit or even has overhead. We'd like to be able to enable KSM on > a workload by workload basis. Agreed. A per-process control is also helpful to identidy workloads where KSM might be beneficial (and to which degree). > > Use case 3: > > With the madvise call sharing opportunities are only enabled for the > current process: it is a workload-local decision. A considerable number > of sharing opportuniites may exist across multiple workloads or jobs. > Only a higler level entity like a job scheduler or container can know > for certain if its running one or more instances of a job. That job > scheduler however doesn't have the necessary internal worklaod knowledge > to make targeted madvise calls. > > Security concerns: > > In previous discussions security concerns have been brought up. The > problem is that an individual workload does not have the knowledge about > what else is running on a machine. Therefore it has to be very > conservative in what memory areas can be shared or not. However, if the > system is dedicated to running multiple jobs within the same security > domain, its the job scheduler that has the knowledge that sharing can be > safely enabled and is even desirable. > > Performance: > > Experiments with using UKSM have shown a capacity increase of around > 20%. > As raised, it would be great to include more details about the workload where this particulalry helps (e.g., a lot of Django processes operating in the same domain). > > 1. New options for prctl system command > > This patch series adds two new options to the prctl system call. > The first one allows to enable KSM at the process level and the second > one to query the setting. > > The setting will be inherited by child processes. > > With the above setting, KSM can be enabled for the seed process of a > cgroup and all processes in the cgroup will inherit the setting. > > 2. Changes to KSM processing > > When KSM is enabled at the process level, the KSM code will iterate > over all the VMA's and enable KSM for the eligible VMA's. > > When forking a process that has KSM enabled, the setting will be > inherited by the new child process. > > In addition when KSM is disabled for a process, KSM will be disabled > for the VMA's where KSM has been enabled. Do we want to make MADV_MERGEABLE/MADV_UNMERGEABLE fail while the new prctl is enabled for a process? > > 3. Add general_profit metric > > The general_profit metric of KSM is specified in the documentation, > but not calculated. This adds the general profit metric to > /sys/kernel/debug/mm/ksm. > > 4. Add more metrics to ksm_stat > > This adds the process profit and ksm type metric to > /proc/<pid>/ksm_stat. > > 5. Add more tests to ksm_tests > > This adds an option to specify the merge type to the ksm_tests. > This allows to test madvise and prctl KSM. It also adds a new option > to query if prctl KSM has been enabled. It adds a fork test to verify > that the KSM process setting is inherited by client processes. > > An update to the prctl(2) manpage has been proposed at [1]. > > This patch (of 3): > > This adds a new prctl to API to enable and disable KSM on a per process > basis instead of only at the VMA basis (with madvise). > > 1) Introduce new MMF_VM_MERGE_ANY flag > > This introduces the new flag MMF_VM_MERGE_ANY flag. When this flag > is set, kernel samepage merging (ksm) gets enabled for all vma's of a > process. > > 2) add flag to __ksm_enter > > This change adds the flag parameter to __ksm_enter. This allows to > distinguish if ksm was called by prctl or madvise. > > 3) add flag to __ksm_exit call > > This adds the flag parameter to the __ksm_exit() call. This allows > to distinguish if this call is for an prctl or madvise invocation. > > 4) invoke madvise for all vmas in scan_get_next_rmap_item > > If the new flag MMF_VM_MERGE_ANY has been set for a process, iterate > over all the vmas and enable ksm if possible. For the vmas that can be > ksm enabled this is only done once. > > 5) support disabling of ksm for a process > > This adds the ability to disable ksm for a process if ksm has been > enabled for the process. > > 6) add new prctl option to get and set ksm for a process > > This adds two new options to the prctl system call > - enable ksm for all vmas of a process (if the vmas support it). > - query if ksm has been enabled for a process. Did you consider, instead of handling MMF_VM_MERGE_ANY in a special way, to instead make it reuse the existing MMF_VM_MERGEABLE/VM_MERGEABLE infrastructure. Especially: 1) During prctl(MMF_VM_MERGE_ANY), set VM_MERGABLE on all applicable compatible. Further, set MMF_VM_MERGEABLE and enter KSM if not already set. 2) When creating a new, compatible VMA and MMF_VM_MERGE_ANY is set, set VM_MERGABLE? The you can avoid all runtime checks for compatible VMAs and only look at the VM_MERGEABLE flag. In fact, the VM_MERGEABLE will be completely expressive then for all VMAs. You don't need vma_ksm_mergeable() then. Another thing to consider is interaction with arch/s390/mm/gmap.c: s390x/kvm does not support KSM and it has to disable it for all VMAs. We have to find a way to fence the prctl (for example, fail setting the prctl after gmap_mark_unmergeable() ran, and make gmap_mark_unmergeable() fail if the prctl ran -- or handle it gracefully in some other way). > > Link: https://lkml.kernel.org/r/20230227220206.436662-1-shr@devkernel.io [1] > Link: https://lkml.kernel.org/r/20230224044000.3084046-1-shr@devkernel.io > Link: https://lkml.kernel.org/r/20230224044000.3084046-2-shr@devkernel.io > Signed-off-by: Stefan Roesch <shr(a)devkernel.io> > Cc: David Hildenbrand <david(a)redhat.com> > Cc: Johannes Weiner <hannes(a)cmpxchg.org> > Cc: Michal Hocko <mhocko(a)suse.com> > Cc: Rik van Riel <riel(a)surriel.com> > Cc: Bagas Sanjaya <bagasdotme(a)gmail.com> > Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> > --- > include/linux/ksm.h | 14 ++++-- > include/linux/sched/coredump.h | 1 + > include/uapi/linux/prctl.h | 2 + > kernel/sys.c | 27 ++++++++++ > mm/ksm.c | 90 +++++++++++++++++++++++----------- > 5 files changed, 101 insertions(+), 33 deletions(-) > > diff --git a/include/linux/ksm.h b/include/linux/ksm.h > index 7e232ba59b86..d38a05a36298 100644 > --- a/include/linux/ksm.h > +++ b/include/linux/ksm.h > @@ -18,20 +18,24 @@ > #ifdef CONFIG_KSM > int ksm_madvise(struct vm_area_struct *vma, unsigned long start, > unsigned long end, int advice, unsigned long *vm_flags); > -int __ksm_enter(struct mm_struct *mm); > -void __ksm_exit(struct mm_struct *mm); > +int __ksm_enter(struct mm_struct *mm, int flag); > +void __ksm_exit(struct mm_struct *mm, int flag); > > static inline int ksm_fork(struct mm_struct *mm, struct mm_struct *oldmm) > { > + if (test_bit(MMF_VM_MERGE_ANY, &oldmm->flags)) > + return __ksm_enter(mm, MMF_VM_MERGE_ANY); > if (test_bit(MMF_VM_MERGEABLE, &oldmm->flags)) > - return __ksm_enter(mm); > + return __ksm_enter(mm, MMF_VM_MERGEABLE); > return 0; > } > > static inline void ksm_exit(struct mm_struct *mm) > { > - if (test_bit(MMF_VM_MERGEABLE, &mm->flags)) > - __ksm_exit(mm); > + if (test_bit(MMF_VM_MERGE_ANY, &mm->flags)) > + __ksm_exit(mm, MMF_VM_MERGE_ANY); > + else if (test_bit(MMF_VM_MERGEABLE, &mm->flags)) > + __ksm_exit(mm, MMF_VM_MERGEABLE); > } > > /* > diff --git a/include/linux/sched/coredump.h b/include/linux/sched/coredump.h > index 0e17ae7fbfd3..0ee96ea7a0e9 100644 > --- a/include/linux/sched/coredump.h > +++ b/include/linux/sched/coredump.h > @@ -90,4 +90,5 @@ static inline int get_dumpable(struct mm_struct *mm) > #define MMF_INIT_MASK (MMF_DUMPABLE_MASK | MMF_DUMP_FILTER_MASK |\ > MMF_DISABLE_THP_MASK | MMF_HAS_MDWE_MASK) > > +#define MMF_VM_MERGE_ANY 29 > #endif /* _LINUX_SCHED_COREDUMP_H */ > diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h > index 1312a137f7fb..759b3f53e53f 100644 > --- a/include/uapi/linux/prctl.h > +++ b/include/uapi/linux/prctl.h > @@ -290,4 +290,6 @@ struct prctl_mm_map { > #define PR_SET_VMA 0x53564d41 > # define PR_SET_VMA_ANON_NAME 0 > > +#define PR_SET_MEMORY_MERGE 67 > +#define PR_GET_MEMORY_MERGE 68 > #endif /* _LINUX_PRCTL_H */ > diff --git a/kernel/sys.c b/kernel/sys.c > index 495cd87d9bf4..edc439b1cae9 100644 > --- a/kernel/sys.c > +++ b/kernel/sys.c > @@ -15,6 +15,7 @@ > #include <linux/highuid.h> > #include <linux/fs.h> > #include <linux/kmod.h> > +#include <linux/ksm.h> > #include <linux/perf_event.h> > #include <linux/resource.h> > #include <linux/kernel.h> > @@ -2661,6 +2662,32 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, > case PR_SET_VMA: > error = prctl_set_vma(arg2, arg3, arg4, arg5); > break; > +#ifdef CONFIG_KSM > + case PR_SET_MEMORY_MERGE: > + if (!capable(CAP_SYS_RESOURCE)) > + return -EPERM; > + > + if (arg2) { > + if (mmap_write_lock_killable(me->mm)) > + return -EINTR; > + > + if (!test_bit(MMF_VM_MERGE_ANY, &me->mm->flags)) > + error = __ksm_enter(me->mm, MMF_VM_MERGE_ANY); Hm, I think this might be problematic if we alread called __ksm_enter() via madvise(). Maybe we should really consider making MMF_VM_MERGE_ANY set MMF_VM_MERGABLE instead. Like: error = 0; if(test_bit(MMF_VM_MERGEABLE, &me->mm->flags)) error = __ksm_enter(me->mm); if (!error) set_bit(MMF_VM_MERGE_ANY, &me->mm->flags); > + mmap_write_unlock(me->mm); > + } else { > + __ksm_exit(me->mm, MMF_VM_MERGE_ANY); Hm, I'd prefer if we really only call __ksm_exit() when we really exit the process. Is there a strong requirement to optimize disabling of KSM or would it be sufficient to clear the MMF_VM_MERGE_ANY flag here? Also, I wonder what happens if we have another VMA in that process that has it enabled .. Last but not least, wouldn't we want to do the same thing as MADV_UNMERGEABLE and actually unmerge the KSM pages? It smells like it could be simpler and more consistent to handle by letting PR_SET_MEMORY_MERGE piggy-back on MMF_VM_MERGABLE/VM_MERGABLE and mimic what ksm_madvise() does simply for all VMAs. > --- a/mm/ksm.c > +++ b/mm/ksm.c > @@ -534,16 +534,58 @@ static int break_ksm(struct vm_area_struct *vma, unsigned long addr, > return (ret & VM_FAULT_OOM) ? -ENOMEM : 0; > } > > +static bool vma_ksm_compatible(struct vm_area_struct *vma) > +{ > + /* > + * Be somewhat over-protective for now! > + */ > + if (vma->vm_flags & (VM_MERGEABLE | VM_SHARED | VM_MAYSHARE | > + VM_PFNMAP | VM_IO | VM_DONTEXPAND | > + VM_HUGETLB | VM_MIXEDMAP)) > + return false; /* just ignore the advice */ That comment is kind-of stale and ksm_madvise() specific. > + The VM_MERGEABLE check is really only used for ksm_madvise() to return immediately. I suggest keeping it in ksm_madvise() -- "Already enabled". Returning "false" in that case looks wrong (it's not broken because you do an early check in vma_ksm_mergeable(), it's just semantically weird). -- Thanks, David / dhildenb

2 years, 3 months

3
7
0 0

[PATCH 0/5] selftests/mm: Implement support for arm64 on va

by Chaitanya S Prakash

The va_128TBswitch selftest is designed and implemented for PowerPC and x86 architectures which support a 128TB switch, up to 256TB of virtual address space and hugepage sizes of 16MB and 2MB respectively. Arm64 platforms on the other hand support a 256Tb switch, up to 4PB of virtual address space and a default hugepage size of 512MB when 64k pagesize is enabled. These architectural differences require introducing support for arm64 platforms, after which a more generic naming convention is suggested. The in code comments are amended to provide a more platform independent explanation of the working of the code and nr_hugepages are configured as required. Finally, the file running the testcase is modified in order to prevent skipping of hugetlb testcases of va_high_addr_switch. This series has been tested on 6.3.0-rc3 kernel, both on arm64 and x86 platforms. Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Aneesh Kumar K.V <aneesh.kumar(a)linux.ibm.com> Cc: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: linux-mm(a)kvack.org Cc: linux-kselftest(a)vger.kernel.org Cc: linux-kernel(a)vger.kernel.org Chaitanya S Prakash (5): selftests/mm: Add support for arm64 platform on va switch selftests/mm: Rename va_128TBswitch to va_high_addr_switch selftests/mm: Add platform independent in code comments selftests/mm: Configure nr_hugepages for arm64 selftests/mm: Run hugetlb testcases of va switch tools/testing/selftests/mm/Makefile | 4 +- tools/testing/selftests/mm/run_vmtests.sh | 12 +++++- ...va_128TBswitch.c => va_high_addr_switch.c} | 41 +++++++++++++++---- ..._128TBswitch.sh => va_high_addr_switch.sh} | 6 ++- 4 files changed, 49 insertions(+), 14 deletions(-) rename tools/testing/selftests/mm/{va_128TBswitch.c => va_high_addr_switch.c} (86%) rename tools/testing/selftests/mm/{va_128TBswitch.sh => va_high_addr_switch.sh} (89%) -- 2.30.2

2 years, 3 months

5
10
0 0

Re: [BUG RESEND] [BISECTED]: selftest: ftracetest: memleak in vfs_write()

by Mirsad Goran Todorovac

Hi, No progress on this bug report, so it is still unpatched in 6.3-rc5 so I am submitting again. Please see the relevant data at the bottom: On 27. 01. 2023. 19:36, Mirsad Goran Todorovac wrote: > Hi all, > > I came across a memory leak with the vanilla mainline Torvalds tree kernel > with MGLRU and CONFIG_KMEMLEAK enabled: > > unreferenced object 0xffff8d7c92ad5180 (size 192): > comm "ftracetest", pid 2738512, jiffies 4335176273 (age 4842.976s) > hex dump (first 32 bytes): > c0 59 ad 92 7c 8d ff ff 60 dd d7 31 7c 8d ff ff .Y..|...`..1|... > 60 55 df 97 ff ff ff ff 09 00 02 00 00 00 00 00 `U.............. > backtrace: > [<ffffffff965d9bf0>] __kmem_cache_alloc_node+0x1e0/0x340 > [<ffffffff96556dda>] kmalloc_trace+0x2a/0xa0 > [<ffffffff964382fc>] tracing_log_err+0x16c/0x1b0 > [<ffffffff96451963>] append_filter_err+0x113/0x1d0 > [<ffffffff96453c0a>] create_event_filter+0xba/0xe0 > [<ffffffff96454b18>] set_trigger_filter+0x98/0x160 > [<ffffffff96456554>] event_trigger_parse+0x104/0x180 > [<ffffffff96455823>] trigger_process_regex+0xc3/0x110 > [<ffffffff964558f7>] event_trigger_write+0x77/0xe0 > [<ffffffff96623a41>] vfs_write+0xd1/0x420 > [<ffffffff9662413b>] ksys_write+0x7b/0x100 > [<ffffffff966241e9>] __x64_sys_write+0x19/0x20 > [<ffffffff971c9188>] do_syscall_64+0x58/0x80 > [<ffffffff972000aa>] entry_SYSCALL_64_after_hwframe+0x72/0xdc > unreferenced object 0xffff8d7b076be000 (size 32): > comm "ftracetest", pid 2738512, jiffies 4335176273 (age 4842.976s) > hex dump (first 32 bytes): > 0a 20 20 43 6f 6d 6d 61 6e 64 3a 20 61 0a 00 00 . Command: a... > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > backtrace: > [<ffffffff965d9bf0>] __kmem_cache_alloc_node+0x1e0/0x340 > [<ffffffff96557a8d>] __kmalloc+0x4d/0xd0 > [<ffffffff96438314>] tracing_log_err+0x184/0x1b0 > [<ffffffff96451963>] append_filter_err+0x113/0x1d0 > [<ffffffff96453c0a>] create_event_filter+0xba/0xe0 > [<ffffffff96454b18>] set_trigger_filter+0x98/0x160 > [<ffffffff96456554>] event_trigger_parse+0x104/0x180 > [<ffffffff96455823>] trigger_process_regex+0xc3/0x110 > [<ffffffff964558f7>] event_trigger_write+0x77/0xe0 > [<ffffffff96623a41>] vfs_write+0xd1/0x420 > [<ffffffff9662413b>] ksys_write+0x7b/0x100 > [<ffffffff966241e9>] __x64_sys_write+0x19/0x20 > [<ffffffff971c9188>] do_syscall_64+0x58/0x80 > [<ffffffff972000aa>] entry_SYSCALL_64_after_hwframe+0x72/0xdc > unreferenced object 0xffff8d7c92ad59c0 (size 192): > comm "ftracetest", pid 2738512, jiffies 4335176280 (age 4843.088s) > hex dump (first 32 bytes): > c0 5c ad 92 7c 8d ff ff 80 51 ad 92 7c 8d ff ff .\..|....Q..|... > 60 55 df 97 ff ff ff ff 01 00 0b 00 00 00 00 00 `U.............. > backtrace: > [<ffffffff965d9bf0>] __kmem_cache_alloc_node+0x1e0/0x340 > [<ffffffff96556dda>] kmalloc_trace+0x2a/0xa0 > [<ffffffff964382fc>] tracing_log_err+0x16c/0x1b0 > [<ffffffff96451963>] append_filter_err+0x113/0x1d0 > [<ffffffff96453c0a>] create_event_filter+0xba/0xe0 > [<ffffffff96454b18>] set_trigger_filter+0x98/0x160 > [<ffffffff96456554>] event_trigger_parse+0x104/0x180 > [<ffffffff96455823>] trigger_process_regex+0xc3/0x110 > [<ffffffff964558f7>] event_trigger_write+0x77/0xe0 > [<ffffffff96623a41>] vfs_write+0xd1/0x420 > [<ffffffff9662413b>] ksys_write+0x7b/0x100 > [<ffffffff966241e9>] __x64_sys_write+0x19/0x20 > [<ffffffff971c9188>] do_syscall_64+0x58/0x80 > [<ffffffff972000aa>] entry_SYSCALL_64_after_hwframe+0x72/0xdc > > The bug was noticed on Lenovo desktop 10TX000VCR (LENOVO_MT_10TX_BU_Lenovo_FM_V530S-07ICB) > running AlmaLinux 8.7 (Stone Smilodon), a CentOS clone, with the compiler: > > mtodorov@domac:~/linux/kernel/linux_torvalds$ gcc --version > gcc (Debian 8.3.0-6) 8.3.0 > Copyright (C) 2018 Free Software Foundation, Inc. > This is free software; see the source for copying conditions. There is NO > warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. > mtodorov@domac:~/linux/kernel/linux_torvalds$ > > Bisecting gave the following culprit commit: > > git bisect good a92ce570c81dc0feaeb12a429b4bc65686d17967 > # good: [c6f613e5f35b0e2154d5ca12f0e8e0be0c19be9a] ipmi/watchdog: use strscpy() to instead of strncpy() > git bisect good c6f613e5f35b0e2154d5ca12f0e8e0be0c19be9a > # good: [90b12f423d3c8a89424c7bdde18e1923dfd0941e] Merge tag 'for-linus-6.2-1' of https://github.com/cminyard/linux-ipmi > git bisect good 90b12f423d3c8a89424c7bdde18e1923dfd0941e > # first bad commit: [71946a25f357a51dcce849367501d7fb04c0465b] Merge tag 'mmc-v6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc > > The commit was merged on December 13th 2022. > > It is a huge commit. > > The selftests/ftrace/ftracetest triggers this leak, sometimes several times in a run. > ftracetest requires root permission to run, but I haven't yet realised whether a non-superuser > could devise an automated script to abuse this leak exhausting all kernel's memory. > > Non-root user gets a EPERM error when trying to access /proc/sys/kernel internals: > > [marvin@pc-mtodorov linux_torvalds]$ tools/testing/selftests/ftrace/ftracetest > Error: this must be run by root user > tools/testing/selftests/ftrace/ftracetest: line 46: /proc/sys/kernel/sched_rt_runtime_us: Permission denied > [marvin@pc-mtodorov linux_torvalds]$ > > Hope this helps. > > According to the Code of Conduct, I have Cc:-ed maintainers from get_maintainers.pl and > I will add Thorsten because this is sort of a regression :-) The debug output is like follows: unreferenced object 0xffff93a3dc2d1e18 (size 192): comm "ftracetest", pid 12451, jiffies 4295087353 (age 463.476s) hex dump (first 32 bytes): 20 08 2d dc a3 93 ff ff c0 bd 5d cd a3 93 ff ff .-.......]..... c0 bf 85 b6 ff ff ff ff 09 00 02 00 00 00 00 00 ................ backtrace: [<ffffffffb4afb23c>] slab_post_alloc_hook+0x8c/0x3e0 [<ffffffffb4b02b19>] __kmem_cache_alloc_node+0x1d9/0x2a0 [<ffffffffb4a7693e>] kmalloc_trace+0x2e/0xc0 [<ffffffffb493a8fb>] tracing_log_err+0x18b/0x1d0 [<ffffffffb4959049>] append_filter_err.isra.13+0x119/0x190 [<ffffffffb495a89f>] create_filter+0xbf/0xe0 [<ffffffffb495ab10>] create_event_filter+0x10/0x20 [<ffffffffb495c040>] set_trigger_filter+0xa0/0x180 [<ffffffffb495d745>] event_trigger_parse+0xf5/0x160 [<ffffffffb495c889>] trigger_process_regex+0xc9/0x120 [<ffffffffb495c976>] event_trigger_write+0x86/0xf0 [<ffffffffb4b52dc2>] vfs_write+0xf2/0x520 [<ffffffffb4b533d8>] ksys_write+0x68/0xe0 [<ffffffffb4b5347e>] __x64_sys_write+0x1e/0x30 [<ffffffffb586619c>] do_syscall_64+0x5c/0x90 [<ffffffffb5a000ae>] entry_SYSCALL_64_after_hwframe+0x72/0xdc unreferenced object 0xffff93a3873dda20 (size 32): comm "ftracetest", pid 12451, jiffies 4295087353 (age 463.476s) hex dump (first 32 bytes): 0a 20 20 43 6f 6d 6d 61 6e 64 3a 20 61 0a 00 00 . Command: a... 00 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................ backtrace: [<ffffffffb4afb23c>] slab_post_alloc_hook+0x8c/0x3e0 [<ffffffffb4b02b19>] __kmem_cache_alloc_node+0x1d9/0x2a0 [<ffffffffb4a77785>] __kmalloc+0x55/0x160 [<ffffffffb493a913>] tracing_log_err+0x1a3/0x1d0 [<ffffffffb4959049>] append_filter_err.isra.13+0x119/0x190 [<ffffffffb495a89f>] create_filter+0xbf/0xe0 [<ffffffffb495ab10>] create_event_filter+0x10/0x20 [<ffffffffb495c040>] set_trigger_filter+0xa0/0x180 [<ffffffffb495d745>] event_trigger_parse+0xf5/0x160 [<ffffffffb495c889>] trigger_process_regex+0xc9/0x120 [<ffffffffb495c976>] event_trigger_write+0x86/0xf0 [<ffffffffb4b52dc2>] vfs_write+0xf2/0x520 [<ffffffffb4b533d8>] ksys_write+0x68/0xe0 [<ffffffffb4b5347e>] __x64_sys_write+0x1e/0x30 [<ffffffffb586619c>] do_syscall_64+0x5c/0x90 [<ffffffffb5a000ae>] entry_SYSCALL_64_after_hwframe+0x72/0xdc Please find the complete debug info at the URL: https://domac.alu.unizg.hr/~mtodorov/linux/bugreports/ftracetest/ Bisect log is [edited]: > git bisect good a92ce570c81dc0feaeb12a429b4bc65686d17967 > # good: [c6f613e5f35b0e2154d5ca12f0e8e0be0c19be9a] ipmi/watchdog: use strscpy() to instead of strncpy() > git bisect good c6f613e5f35b0e2154d5ca12f0e8e0be0c19be9a > # good: [90b12f423d3c8a89424c7bdde18e1923dfd0941e] Merge tag 'for-linus-6.2-1' of https://github.com/cminyard/linux-ipmi > git bisect good 90b12f423d3c8a89424c7bdde18e1923dfd0941e > # first bad commit: [71946a25f357a51dcce849367501d7fb04c0465b] Merge tag 'mmc-v6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc > > The commit was merged on December 13th 2022. The amount of applied diffs in the culprit commit 71946a25f357a51dcce849367501d7fb04c0465b prevents me from bisecting further - I do not know which changes depend of which, and which can be tested independently. Hopefully I might come up with a reproducer, but I need some feedback first. Maybe there are ways to narrow down the lines of code that could have caused the leaks, yet I am completely new to the kernel/trace subtree. Apologies for not Cc:ing Ulf nine weeks ago, but it was an omission, not deliberate act. Best regards, Mirsad -- Mirsad Goran Todorovac Sistem inženjer Grafički fakultet | Akademija likovnih umjetnosti Sveučilište u Zagrebu System engineer Faculty of Graphic Arts | Academy of Fine Arts University of Zagreb, Republic of Croatia The European Union "I see something approaching fast ... Will it be friends with me?"

2 years, 3 months

3
4
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror