From: Robert R. <rob...@am...> - 2011-10-24 07:58:10
|
From: Xiao Guangrong <xia...@cn...> commit 45888a0c6edc305495b6bd72a30e66bc40b324c6 upstream. Backport for stable kernel v2.6.32.y to v2.6.36.y. Needed for next patch: oprofile, x86: Fix nmi-unsafe callgraph support This function is used by KVM to pin process's page in the atomic context. Define the 'weak' function to avoid other architecture not support it Acked-by: Nick Piggin <np...@su...> Signed-off-by: Xiao Guangrong <xia...@cn...> Signed-off-by: Marcelo Tosatti <mto...@re...> Signed-off-by: Robert Richter <rob...@am...> --- mm/util.c | 13 +++++++++++++ 1 files changed, 13 insertions(+), 0 deletions(-) diff --git a/mm/util.c b/mm/util.c index b377ce4..e48b493 100644 --- a/mm/util.c +++ b/mm/util.c @@ -233,6 +233,19 @@ void arch_pick_mmap_layout(struct mm_struct *mm) } #endif +/* + * Like get_user_pages_fast() except its IRQ-safe in that it won't fall + * back to the regular GUP. + * If the architecture not support this fucntion, simply return with no + * page pinned + */ +int __attribute__((weak)) __get_user_pages_fast(unsigned long start, + int nr_pages, int write, struct page **pages) +{ + return 0; +} +EXPORT_SYMBOL_GPL(__get_user_pages_fast); + /** * get_user_pages_fast() - pin user pages in memory * @start: starting user address -- 1.7.7 |
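Review bot: The comment block above the weak __get_user_pages_fast() stub does not spell out the caller contract: the stub returns 0 unconditionally, so "architecture has no implementation" and "page could not be pinned" look the same to the caller. Please state that the return value is the number of pages actually pinned, that 0 is a normal outcome, and that callers in atomic or NMI context must fail the access rather than retry or fall back to the regular GUP. While touching the comment, fix "its IRQ-safe" (it's), "the architecture not support" and "fucntion".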
From: Robert R. <rob...@am...> - 2011-10-24 07:58:13
|
Following patches with some fixes for linux-stable:

2.6.32.y, 2.6.35.y:

oprofile: Free potentially owned tasks in case of errors
oprofile: Fix locking dependency in sync_start()

v2.6.32.y to v2.6.36.y:

export __get_user_pages_fast() function
oprofile, x86: Fix nmi-unsafe callgraph support

v2.6.28.y to v2.6.34.y:

oprofile, x86: Fix crash when unloading module (timer mode)

This patch series bases on v2.6.32.y.

Robert Richter (4):
  oprofile: Free potentially owned tasks in case of errors
  oprofile: Fix locking dependency in sync_start()
  oprofile, x86: Fix nmi-unsafe callgraph support
  oprofile, x86: Fix crash when unloading module (timer mode)

Xiao Guangrong (1):
  export __get_user_pages_fast() function

 arch/x86/oprofile/backtrace.c  |   46 ++++++++++++++++++++++++++++++++++++---
 arch/x86/oprofile/nmi_int.c    |    8 +++---
 drivers/oprofile/buffer_sync.c |   21 +++++++++--------
 mm/util.c                      |   13 +++++++++++
 4 files changed, 70 insertions(+), 18 deletions(-)

-- 
1.7.7
|
From: Robert R. <rob...@am...> - 2011-10-24 07:58:11
|
Fix for stable kernels v2.6.28.y to v2.6.34.y. This patch is for .32.

Oprofile crashes while unloading modules and if in timer mode. Timer
mode is the fallback if the architectural initialization fails. The
pointer variable model is then used uninitialized during exit causing
a NULL pointer dereference. It can be triggered with kernel parameters
oprofile.timer=1 nolapic used. Happens esp. in virtual machine
environments.

oprofile: using timer interrupt.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
IP: [<ffffffffa000251f>] op_nmi_exit+0x3d/0x4a [oprofile]
PGD 42ac5e067 PUD 42ac5d067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
last sysfs file: /sys/module/oprofile/refcnt
CPU 0
Modules linked in: oprofile(-)
Pid: 2245, comm: modprobe Not tainted 2.6.32.21-oprofile-x86_64-debug-00038-gf4db115 #69 Anaheim
RIP: 0010:[<ffffffffa000251f>] [<ffffffffa000251f>] op_nmi_exit+0x3d/0x4a [oprofile]
RSP: 0018:ffff88042d4f9ec8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffffffa0005590 RCX: ffff88042d4f9ea8
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffff88042d4f9ec8 R08: ffff88042d4f9ee8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000080
R13: 00000000fffffff5 R14: 0000000000000001 R15: 00000000006101e0
FS: 00007fef6ac9c700(0000) GS:ffff880028200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000028 CR3: 000000042ac60000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process modprobe (pid: 2245, threadinfo ffff88042d4f8000, task ffff88042cd66040)
Stack:
 ffff88042d4f9ed8 ffffffffa0002096 ffff88042d4f9ee8 ffffffffa0003bbb
<0> ffff88042d4f9f78 ffffffff810748ad 656c69666f72706f 00007fff77a07800
<0> ffff88042d4f9f28 ffffffff81068414 000000000060f180 0000000000000000
Call Trace:
 [<ffffffffa0002096>] oprofile_arch_exit+0xe/0x10 [oprofile]
[<ffffffffa0003bbb>] oprofile_exit+0x13/0x15 [oprofile] [<ffffffff810748ad>] sys_delete_module+0x1cd/0x244 [<ffffffff81068414>] ? trace_hardirqs_on_caller+0x114/0x13f [<ffffffff8143ad47>] ? trace_hardirqs_on_thunk+0x3a/0x3f [<ffffffff8100b13b>] system_call_fastpath+0x16/0x1b Code: 48 c7 c7 90 4e 00 a0 e8 e7 15 22 e1 48 c7 c7 e0 4e 00 a0 e8 bd 18 22 e1 48 c7 c7 70 4e 00 a0 e8 94 4e 41 e1 48 8b 05 d1 39 00 00 <48> 8b 40 28 48 85 c0 74 02 ff d0 c9 c3 55 48 89 e5 e8 cb 88 00 RIP [<ffffffffa000251f>] op_nmi_exit+0x3d/0x4a [oprofile] RSP <ffff88042d4f9ec8> CR2: 0000000000000028 ---[ end trace 18b12420ceb19193 ]--- Signed-off-by: Robert Richter <rob...@am...> --- arch/x86/oprofile/nmi_int.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/x86/oprofile/nmi_int.c b/arch/x86/oprofile/nmi_int.c index ca6b336..8f0e49b 100644 --- a/arch/x86/oprofile/nmi_int.c +++ b/arch/x86/oprofile/nmi_int.c @@ -750,12 +750,12 @@ int __init op_nmi_init(struct oprofile_operations *ops) void op_nmi_exit(void) { - if (using_nmi) { - exit_sysfs(); + if (!using_nmi) + return; + exit_sysfs(); #ifdef CONFIG_SMP - unregister_cpu_notifier(&oprofile_cpu_nb); + unregister_cpu_notifier(&oprofile_cpu_nb); #endif - } if (model->exit) model->exit(); } -- 1.7.7 |
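Review bot: In op_nmi_exit(), the new early "if (!using_nmi) return;" is now the only thing guarding the "model->exit" dereference at the end of the function, and nothing in the hunk documents that. If the invariant is that using_nmi is set only after model has been assigned by a successful op_nmi_init(), please say so in a one-line comment above the check, so a later change does not bring back the NULL dereference shown in the oops. Consider also clearing using_nmi once the exit work is done, so a second call cannot reach model->exit() again.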
From: Robert R. <rob...@am...> - 2011-10-24 07:58:13
|
commit a0e3e70243f5b270bc3eca718f0a9fa5e6b8262e upstream. Backport for stable kernel v2.6.32.y to v2.6.36.y. Current oprofile's x86 callgraph support may trigger page faults throwing the BUG_ON(in_nmi()) message below. This patch fixes this by using the same nmi-safe copy-from-user code as in perf. ------------[ cut here ]------------ kernel BUG at .../arch/x86/kernel/traps.c:436! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/devices/pci0000:00/0000:00:0a.0/0000:07:00.0/0000:08:04.0/net/eth0/broadcast CPU 5 Modules linked in: Pid: 8611, comm: opcontrol Not tainted 2.6.39-00007-gfe47ae7 #1 Advanced Micro Device Anaheim/Anaheim RIP: 0010:[<ffffffff813e8e35>] [<ffffffff813e8e35>] do_nmi+0x22/0x1ee RSP: 0000:ffff88042fd47f28 EFLAGS: 00010002 RAX: ffff88042c0a7fd8 RBX: 0000000000000001 RCX: 00000000c0000101 RDX: 00000000ffff8804 RSI: ffffffffffffffff RDI: ffff88042fd47f58 RBP: ffff88042fd47f48 R08: 0000000000000004 R09: 0000000000001484 R10: 0000000000000001 R11: 0000000000000000 R12: ffff88042fd47f58 R13: 0000000000000000 R14: ffff88042fd47d98 R15: 0000000000000020 FS: 00007fca25e56700(0000) GS:ffff88042fd40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000074 CR3: 000000042d28b000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process opcontrol (pid: 8611, threadinfo ffff88042c0a6000, task ffff88042c532310) Stack: 0000000000000000 0000000000000001 ffff88042c0a7fd8 0000000000000000 ffff88042fd47de8 ffffffff813e897a 0000000000000020 ffff88042fd47d98 0000000000000000 ffff88042c0a7fd8 ffff88042fd47de8 0000000000000074 Call Trace: <NMI> [<ffffffff813e897a>] nmi+0x1a/0x20 [<ffffffff813f08ab>] ? 
bad_to_user+0x25/0x771 <<EOE>> Code: ff 59 5b 41 5c 41 5d c9 c3 55 65 48 8b 04 25 88 b5 00 00 48 89 e5 41 55 41 54 49 89 fc 53 48 83 ec 08 f6 80 47 e0 ff ff 04 74 04 <0f> 0b eb fe 81 80 44 e0 ff ff 00 00 01 04 65 ff 04 25 c4 0f 01 RIP [<ffffffff813e8e35>] do_nmi+0x22/0x1ee RSP <ffff88042fd47f28> ---[ end trace ed6752185092104b ]--- Kernel panic - not syncing: Fatal exception in interrupt Pid: 8611, comm: opcontrol Tainted: G D 2.6.39-00007-gfe47ae7 #1 Call Trace: <NMI> [<ffffffff813e5e0a>] panic+0x8c/0x188 [<ffffffff813e915c>] oops_end+0x81/0x8e [<ffffffff8100403d>] die+0x55/0x5e [<ffffffff813e8c45>] do_trap+0x11c/0x12b [<ffffffff810023c8>] do_invalid_op+0x91/0x9a [<ffffffff813e8e35>] ? do_nmi+0x22/0x1ee [<ffffffff8131e6fa>] ? oprofile_add_sample+0x83/0x95 [<ffffffff81321670>] ? op_amd_check_ctrs+0x4f/0x2cf [<ffffffff813ee4d5>] invalid_op+0x15/0x20 [<ffffffff813e8e35>] ? do_nmi+0x22/0x1ee [<ffffffff813e8e7a>] ? do_nmi+0x67/0x1ee [<ffffffff813e897a>] nmi+0x1a/0x20 [<ffffffff813f08ab>] ? bad_to_user+0x25/0x771 <<EOE>> Cc: John Lumby <joh...@ho...> Cc: Maynard Johnson <may...@us...> Signed-off-by: Robert Richter <rob...@am...> --- arch/x86/oprofile/backtrace.c | 46 +++++++++++++++++++++++++++++++++++++--- 1 files changed, 42 insertions(+), 4 deletions(-) diff --git a/arch/x86/oprofile/backtrace.c b/arch/x86/oprofile/backtrace.c index 044897b..c42896a 100644 --- a/arch/x86/oprofile/backtrace.c +++ b/arch/x86/oprofile/backtrace.c @@ -11,6 +11,8 @@ #include <linux/oprofile.h> #include <linux/sched.h> #include <linux/mm.h> +#include <linux/highmem.h> + #include <asm/ptrace.h> #include <asm/uaccess.h> #include <asm/stacktrace.h> 
@@ -47,6 +49,42 @@ static struct stacktrace_ops backtrace_ops = { .address = backtrace_address, }; +/* from arch/x86/kernel/cpu/perf_event.c: */ + +/* + * best effort, GUP based copy_from_user() that assumes IRQ or NMI context + */ +static unsigned long +copy_from_user_nmi(void *to, const void __user *from, unsigned long n) +{ + unsigned long offset, addr = (unsigned long)from; + unsigned long size, len = 0; + struct page *page; + void *map; + int ret; + + do { + ret = __get_user_pages_fast(addr, 1, 0, &page); + if (!ret) + break; + + offset = addr & (PAGE_SIZE - 1); + size = min(PAGE_SIZE - offset, n - len); + + map = kmap_atomic(page, KM_USER0); + memcpy(to, map+offset, size); + kunmap_atomic(map, KM_USER0); + put_page(page); + + len += size; + to += size; + addr += size; + + } while (len < n); + + return len; +} + struct frame_head { struct frame_head *bp; unsigned long ret; @@ -54,12 +92,12 @@ struct frame_head { static struct frame_head *dump_user_backtrace(struct frame_head *head) { + /* Also check accessibility of one struct frame_head beyond: */ struct frame_head bufhead[2]; + unsigned long bytes; - /* Also check accessibility of one struct frame_head beyond */ - if (!access_ok(VERIFY_READ, head, sizeof(bufhead))) - return NULL; - if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead))) + bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead)); + if (bytes != sizeof(bufhead)) return NULL; oprofile_add_trace(bufhead[0].ret); -- 1.7.7 |
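Review bot: In copy_from_user_nmi(), kmap_atomic(page, KM_USER0) borrows a slot that process-context code also uses, while the function's own comment says it runs in IRQ or NMI context. On a highmem configuration, an NMI arriving while the interrupted code holds a KM_USER0 mapping would replace that mapping underneath it. Please use a kmap slot that is reserved for NMI/IRQ use, or explain in the comment why KM_USER0 cannot be live when this runs.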
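Review bot: dump_user_backtrace() no longer calls access_ok() on head before reading two struct frame_head entries, so rejecting non-user addresses now depends entirely on __get_user_pages_fast() inside copy_from_user_nmi(). head is a user-supplied frame pointer, so please either keep an explicit range check covering sizeof(bufhead) bytes at head, or add a comment stating that the architecture's __get_user_pages_fast() performs that check. With the weak stub from the mm/util.c patch the copy returns 0 bytes and the function returns NULL, which is the safe outcome and worth mentioning in the same comment.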
From: Robert R. <rob...@am...> - 2011-10-24 07:58:12
|
commit 6ac6519b93065625119a347be1cbcc1b89edb773 upstream. Backport for stable kernels 2.6.32.y, 2.6.35.y. After registering the task free notifier we possibly have tasks in our dying_tasks list. Free them after unregistering the notifier in case of an error. Signed-off-by: Robert Richter <rob...@am...> --- drivers/oprofile/buffer_sync.c | 13 +++++++++---- 1 files changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/oprofile/buffer_sync.c b/drivers/oprofile/buffer_sync.c index 5c4df24..6495ae0 100644 --- a/drivers/oprofile/buffer_sync.c +++ b/drivers/oprofile/buffer_sync.c @@ -140,6 +140,13 @@ static struct notifier_block module_load_nb = { .notifier_call = module_load_notify, }; +static void free_all_tasks(void) +{ + /* make sure we don't leak task structs */ + process_task_mortuary(); + process_task_mortuary(); +} + int sync_start(void) { int err; @@ -173,6 +180,7 @@ out3: profile_event_unregister(PROFILE_TASK_EXIT, &task_exit_nb); out2: task_handoff_unregister(&task_free_nb); + free_all_tasks(); out1: free_cpumask_var(marked_cpus); goto out; @@ -191,10 +199,7 @@ void sync_stop(void) mutex_unlock(&buffer_mutex); flush_scheduled_work(); - /* make sure we don't leak task structs */ - process_task_mortuary(); - process_task_mortuary(); - + free_all_tasks(); free_cpumask_var(marked_cpus); } -- 1.7.7 |
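Review bot: The new free_all_tasks() helper calls process_task_mortuary() twice in a row, and its only comment ("make sure we don't leak task structs") does not say why one call is not enough. Since the helper is now also used on the sync_start() error path, please expand the comment to explain what the second pass frees, so the duplicate call is not later "simplified" away.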
From: Robert R. <rob...@am...> - 2011-10-24 07:58:14
|
commit 130c5ce716c9bfd1c2a2ec840a746eb7ff9ce1e6 upstream. Backport for stable kernel 2.6.32.y, 2.6.35.y. This fixes the A->B/B->A locking dependency, see the warning below. The function task_exit_notify() is called with (task_exit_notifier) .rwsem set and then calls sync_buffer() which locks buffer_mutex. In sync_start() the buffer_mutex was set to prevent notifier functions to be started before sync_start() is finished. But when registering the notifier, (task_exit_notifier).rwsem is locked too, but now in different order than in sync_buffer(). In theory this causes a locking dependency, what does not occur in practice since task_exit_notify() is always called after the notifier is registered which means the lock is already released. However, after checking the notifier functions it turned out the buffer_mutex in sync_start() is unnecessary. This is because sync_buffer() may be called from the notifiers even if sync_start() did not finish yet, the buffers are already allocated but empty. No need to protect this with the mutex. So we fix this theoretical locking dependency by removing buffer_mutex in sync_start(). This is similar to the implementation before commit: 750d857 oprofile: fix crash when accessing freed task structs which introduced the locking dependency. Lockdep warning: oprofiled/4447 is trying to acquire lock: (buffer_mutex){+.+...}, at: [<ffffffffa0000e55>] sync_buffer+0x31/0x3ec [oprofile] but task is already holding lock: ((task_exit_notifier).rwsem){++++..}, at: [<ffffffff81058026>] __blocking_notifier_call_chain+0x39/0x67 which lock already depends on the new lock. 
the existing dependency chain (in reverse order) is: -> #1 ((task_exit_notifier).rwsem){++++..}: [<ffffffff8106557f>] lock_acquire+0xf8/0x11e [<ffffffff81463a2b>] down_write+0x44/0x67 [<ffffffff810581c0>] blocking_notifier_chain_register+0x52/0x8b [<ffffffff8105a6ac>] profile_event_register+0x2d/0x2f [<ffffffffa00013c1>] sync_start+0x47/0xc6 [oprofile] [<ffffffffa00001bb>] oprofile_setup+0x60/0xa5 [oprofile] [<ffffffffa00014e3>] event_buffer_open+0x59/0x8c [oprofile] [<ffffffff810cd3b9>] __dentry_open+0x1eb/0x308 [<ffffffff810cd59d>] nameidata_to_filp+0x60/0x67 [<ffffffff810daad6>] do_last+0x5be/0x6b2 [<ffffffff810dbc33>] path_openat+0xc7/0x360 [<ffffffff810dbfc5>] do_filp_open+0x3d/0x8c [<ffffffff810ccfd2>] do_sys_open+0x110/0x1a9 [<ffffffff810cd09e>] sys_open+0x20/0x22 [<ffffffff8146ad4b>] system_call_fastpath+0x16/0x1b -> #0 (buffer_mutex){+.+...}: [<ffffffff81064dfb>] __lock_acquire+0x1085/0x1711 [<ffffffff8106557f>] lock_acquire+0xf8/0x11e [<ffffffff814634f0>] mutex_lock_nested+0x63/0x309 [<ffffffffa0000e55>] sync_buffer+0x31/0x3ec [oprofile] [<ffffffffa0001226>] task_exit_notify+0x16/0x1a [oprofile] [<ffffffff81467b96>] notifier_call_chain+0x37/0x63 [<ffffffff8105803d>] __blocking_notifier_call_chain+0x50/0x67 [<ffffffff81058068>] blocking_notifier_call_chain+0x14/0x16 [<ffffffff8105a718>] profile_task_exit+0x1a/0x1c [<ffffffff81039e8f>] do_exit+0x2a/0x6fc [<ffffffff8103a5e4>] do_group_exit+0x83/0xae [<ffffffff8103a626>] sys_exit_group+0x17/0x1b [<ffffffff8146ad4b>] system_call_fastpath+0x16/0x1b other info that might help us debug this: 1 lock held by oprofiled/4447: #0: ((task_exit_notifier).rwsem){++++..}, at: [<ffffffff81058026>] __blocking_notifier_call_chain+0x39/0x67 stack backtrace: Pid: 4447, comm: oprofiled Not tainted 2.6.39-00007-gcf4d8d4 #10 Call Trace: [<ffffffff81063193>] print_circular_bug+0xae/0xbc [<ffffffff81064dfb>] __lock_acquire+0x1085/0x1711 [<ffffffffa0000e55>] ? 
sync_buffer+0x31/0x3ec [oprofile] [<ffffffff8106557f>] lock_acquire+0xf8/0x11e [<ffffffffa0000e55>] ? sync_buffer+0x31/0x3ec [oprofile] [<ffffffff81062627>] ? mark_lock+0x42f/0x552 [<ffffffffa0000e55>] ? sync_buffer+0x31/0x3ec [oprofile] [<ffffffff814634f0>] mutex_lock_nested+0x63/0x309 [<ffffffffa0000e55>] ? sync_buffer+0x31/0x3ec [oprofile] [<ffffffffa0000e55>] sync_buffer+0x31/0x3ec [oprofile] [<ffffffff81058026>] ? __blocking_notifier_call_chain+0x39/0x67 [<ffffffff81058026>] ? __blocking_notifier_call_chain+0x39/0x67 [<ffffffffa0001226>] task_exit_notify+0x16/0x1a [oprofile] [<ffffffff81467b96>] notifier_call_chain+0x37/0x63 [<ffffffff8105803d>] __blocking_notifier_call_chain+0x50/0x67 [<ffffffff81058068>] blocking_notifier_call_chain+0x14/0x16 [<ffffffff8105a718>] profile_task_exit+0x1a/0x1c [<ffffffff81039e8f>] do_exit+0x2a/0x6fc [<ffffffff81465031>] ? retint_swapgs+0xe/0x13 [<ffffffff8103a5e4>] do_group_exit+0x83/0xae [<ffffffff8103a626>] sys_exit_group+0x17/0x1b [<ffffffff8146ad4b>] system_call_fastpath+0x16/0x1b Reported-by: Marcin Slusarz <mar...@gm...> Cc: Carl Love <ca...@us...> Cc: <st...@ke...> # .36+ Signed-off-by: Robert Richter <rob...@am...> --- drivers/oprofile/buffer_sync.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/oprofile/buffer_sync.c b/drivers/oprofile/buffer_sync.c index 6495ae0..334ccd6 100644 --- a/drivers/oprofile/buffer_sync.c +++ b/drivers/oprofile/buffer_sync.c @@ -154,8 +154,6 @@ int sync_start(void) if (!zalloc_cpumask_var(&marked_cpus, GFP_KERNEL)) return -ENOMEM; - mutex_lock(&buffer_mutex); - err = task_handoff_register(&task_free_nb); if (err) goto out1; @@ -172,7 +170,6 @@ int sync_start(void) start_cpu_work(); out: - mutex_unlock(&buffer_mutex); return err; out4: profile_event_unregister(PROFILE_MUNMAP, &munmap_nb); 
@@ -189,14 +186,13 @@ out1: void sync_stop(void) { - /* flush buffers */ - mutex_lock(&buffer_mutex); end_cpu_work(); unregister_module_notifier(&module_load_nb); profile_event_unregister(PROFILE_MUNMAP, &munmap_nb); profile_event_unregister(PROFILE_TASK_EXIT, &task_exit_nb); task_handoff_unregister(&task_free_nb); - mutex_unlock(&buffer_mutex); + barrier(); /* do all of the above first */ + flush_scheduled_work(); free_all_tasks(); -- 1.7.7 |
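Review bot: In sync_stop(), the added "barrier(); /* do all of the above first */" is only a compiler barrier and orders nothing against other CPUs; the unregister calls before it are function calls already. If the intent is that no notifier can still be running when flush_scheduled_work() and free_all_tasks() execute, please name in the comment which call provides that guarantee and drop barrier(), or replace it with a primitive that actually gives the ordering the comment asks for.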
From: Robert R. <rob...@am...> - 2011-12-07 09:11:42
|
On 24.10.11 03:57:48, Robert Richter wrote:
> Following patches with some fixes for linux-stable:
>
> 2.6.32.y, 2.6.35.y:
>
> oprofile: Free potentially owned tasks in case of errors
> oprofile: Fix locking dependency in sync_start()
>
> v2.6.32.y to v2.6.36.y:
>
> export __get_user_pages_fast() function
> oprofile, x86: Fix nmi-unsafe callgraph support
>
> v2.6.28.y to v2.6.34.y:
>
> oprofile, x86: Fix crash when unloading module (timer mode)
>
> This patch series bases on v2.6.32.y.

Greg, have you also looked at these ones for inclusion? Should I
repost the patches?

Thanks,

-Robert

>
>
> Robert Richter (4):
>   oprofile: Free potentially owned tasks in case of errors
>   oprofile: Fix locking dependency in sync_start()
>   oprofile, x86: Fix nmi-unsafe callgraph support
>   oprofile, x86: Fix crash when unloading module (timer mode)
>
> Xiao Guangrong (1):
>   export __get_user_pages_fast() function
>
>  arch/x86/oprofile/backtrace.c  |   46 ++++++++++++++++++++++++++++++++++++---
>  arch/x86/oprofile/nmi_int.c    |    8 +++---
>  drivers/oprofile/buffer_sync.c |   21 +++++++++--------
>  mm/util.c                      |   13 +++++++++++
>  4 files changed, 70 insertions(+), 18 deletions(-)
>
> --
> 1.7.7
>

-- 
Advanced Micro Devices, Inc.
Operating System Research Center
|
From: Greg KH <gr...@su...> - 2011-12-07 15:05:52
|
On Wed, Dec 07, 2011 at 10:10:53AM +0100, Robert Richter wrote:
> On 24.10.11 03:57:48, Robert Richter wrote:
> > Following patches with some fixes for linux-stable:
> >
> > 2.6.32.y, 2.6.35.y:
> >
> > oprofile: Free potentially owned tasks in case of errors
> > oprofile: Fix locking dependency in sync_start()
> >
> > v2.6.32.y to v2.6.36.y:
> >
> > export __get_user_pages_fast() function
> > oprofile, x86: Fix nmi-unsafe callgraph support
> >
> > v2.6.28.y to v2.6.34.y:
> >
> > oprofile, x86: Fix crash when unloading module (timer mode)
> >
> > This patch series bases on v2.6.32.y.
>
> Greg, have you also looked at these ones for inclusion?

No, why would I have?

> Should I repost the patches?

I never saw them, so I guess so. But note:

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree. Please read Documentation/stable_kernel_rules.txt
for how to do this properly.

</formletter>
|
From: Robert R. <rob...@am...> - 2011-12-07 16:50:56
|
On 07.12.11 07:05:36, Greg KH wrote:
> On Wed, Dec 07, 2011 at 10:10:53AM +0100, Robert Richter wrote:
> > On 24.10.11 03:57:48, Robert Richter wrote:
> > > Following patches with some fixes for linux-stable:
> > >
> > > 2.6.32.y, 2.6.35.y:
> > >
> > > oprofile: Free potentially owned tasks in case of errors
> > > oprofile: Fix locking dependency in sync_start()
> > >
> > > v2.6.32.y to v2.6.36.y:
> > >
> > > export __get_user_pages_fast() function
> > > oprofile, x86: Fix nmi-unsafe callgraph support
> > >
> > > v2.6.28.y to v2.6.34.y:
> > >
> > > oprofile, x86: Fix crash when unloading module (timer mode)
> > >
> > > This patch series bases on v2.6.32.y.
> >
> > Greg, have you also looked at these ones for inclusion?
>
> No, why would I have?
>
> > Should I repost the patches?
>
> I never saw them, so I guess so. But note:
>
> <formletter>
>
> This is not the correct way to submit patches for inclusion in the
> stable kernel tree. Please read Documentation/stable_kernel_rules.txt
> for how to do this properly.
>
> </formletter>

Hmm, I sent it to st...@ke.... All of them should apply to the
stable kernel rules.

The fixes are for code that changed in between in the upstream kernel
and upstream patches do not apply without conflicts anymore. So these
fixes are intended only for stable kernels. Some of it also
accidentally missed the stable tag in the commit message of the
upstream commit, so I resubmitted it to st...@ke....

Anything not correct in the way doing it?

-Robert

-- 
Advanced Micro Devices, Inc.
Operating System Research Center
|
From: Greg KH <gr...@su...> - 2011-12-07 17:02:16
|
On Wed, Dec 07, 2011 at 05:50:40PM +0100, Robert Richter wrote:
> On 07.12.11 07:05:36, Greg KH wrote:
> > On Wed, Dec 07, 2011 at 10:10:53AM +0100, Robert Richter wrote:
> > > On 24.10.11 03:57:48, Robert Richter wrote:
> > > > Following patches with some fixes for linux-stable:
> > > >
> > > > 2.6.32.y, 2.6.35.y:
> > > >
> > > > oprofile: Free potentially owned tasks in case of errors
> > > > oprofile: Fix locking dependency in sync_start()
> > > >
> > > > v2.6.32.y to v2.6.36.y:
> > > >
> > > > export __get_user_pages_fast() function
> > > > oprofile, x86: Fix nmi-unsafe callgraph support
> > > >
> > > > v2.6.28.y to v2.6.34.y:
> > > >
> > > > oprofile, x86: Fix crash when unloading module (timer mode)
> > > >
> > > > This patch series bases on v2.6.32.y.
> > >
> > > Greg, have you also looked at these ones for inclusion?
> >
> > No, why would I have?
> >
> > > Should I repost the patches?
> >
> > I never saw them, so I guess so. But note:
> >
> > <formletter>
> >
> > This is not the correct way to submit patches for inclusion in the
> > stable kernel tree. Please read Documentation/stable_kernel_rules.txt
> > for how to do this properly.
> >
> > </formletter>
>
> Hmm, I sent it to st...@ke.... All of them should apply to the
> stable kernel rules.
>
> The fixes are for code that changed in between in the upstream kernel
> and upstream patches do not apply without conflicts anymore. So these
> fixes are intended only for stable kernels. Some of it also
> accidentally missed the stable tag in the commit message of the
> upstream commit, so I resubmitted it to st...@ke....
>
> Anything not correct in the way doing it?

st...@ke... is dead since October, try st...@vg...
instead.

thanks,

greg k-h
|
From: Robert R. <rob...@am...> - 2011-12-07 17:20:39
|
On 07.12.11 09:01:03, Greg KH wrote:
> st...@ke... is dead since October, try st...@vg...
> instead.

Ah, ok. Will repost.

Thanks,

-Robert

-- 
Advanced Micro Devices, Inc.
Operating System Research Center
|
From: Robert R. <rob...@am...> - 2011-12-07 17:30:29
|
Following patches with some fixes for linux-stable:

2.6.32.y, 2.6.35.y:

oprofile: Free potentially owned tasks in case of errors
oprofile: Fix locking dependency in sync_start()

v2.6.32.y to v2.6.36.y:

export __get_user_pages_fast() function
oprofile, x86: Fix nmi-unsafe callgraph support

v2.6.28.y to v2.6.34.y:

oprofile, x86: Fix crash when unloading module (timer mode)

This patch series bases on v2.6.32.y.

Robert Richter (4):
  oprofile: Free potentially owned tasks in case of errors
  oprofile: Fix locking dependency in sync_start()
  oprofile, x86: Fix nmi-unsafe callgraph support
  oprofile, x86: Fix crash when unloading module (timer mode)

Xiao Guangrong (1):
  export __get_user_pages_fast() function

 arch/x86/oprofile/backtrace.c  |   46 ++++++++++++++++++++++++++++++++++++---
 arch/x86/oprofile/nmi_int.c    |    8 +++---
 drivers/oprofile/buffer_sync.c |   21 +++++++++--------
 mm/util.c                      |   13 +++++++++++
 4 files changed, 70 insertions(+), 18 deletions(-)

-- 
1.7.7
|
From: Robert R. <rob...@am...> - 2011-12-07 17:30:31
|
commit 6ac6519b93065625119a347be1cbcc1b89edb773 upstream. Backport for stable kernels 2.6.32.y, 2.6.35.y. After registering the task free notifier we possibly have tasks in our dying_tasks list. Free them after unregistering the notifier in case of an error. Signed-off-by: Robert Richter <rob...@am...> --- drivers/oprofile/buffer_sync.c | 13 +++++++++---- 1 files changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/oprofile/buffer_sync.c b/drivers/oprofile/buffer_sync.c index 5c4df24..6495ae0 100644 --- a/drivers/oprofile/buffer_sync.c +++ b/drivers/oprofile/buffer_sync.c @@ -140,6 +140,13 @@ static struct notifier_block module_load_nb = { .notifier_call = module_load_notify, }; +static void free_all_tasks(void) +{ + /* make sure we don't leak task structs */ + process_task_mortuary(); + process_task_mortuary(); +} + int sync_start(void) { int err; @@ -173,6 +180,7 @@ out3: profile_event_unregister(PROFILE_TASK_EXIT, &task_exit_nb); out2: task_handoff_unregister(&task_free_nb); + free_all_tasks(); out1: free_cpumask_var(marked_cpus); goto out; @@ -191,10 +199,7 @@ void sync_stop(void) mutex_unlock(&buffer_mutex); flush_scheduled_work(); - /* make sure we don't leak task structs */ - process_task_mortuary(); - process_task_mortuary(); - + free_all_tasks(); free_cpumask_var(marked_cpus); } -- 1.7.7 |
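Review bot: On the sync_start() error path, free_all_tasks() sits at out2 directly after task_handoff_unregister(), whereas sync_stop() only calls it after flush_scheduled_work(). Please note in the commit message or in a comment at out2 why no flush is needed there (presumably because no buffer work has been started yet when an error unwinds), so the two call sites do not look inconsistent to the next reader.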
From: <gr...@su...> - 2011-12-09 22:17:49
|
This is a note to let you know that I've just added the patch titled oprofile: Free potentially owned tasks in case of errors to the 2.6.32-longterm tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/longterm/longterm-queue-2.6.32.git;a=summary The filename of the patch is: oprofile-free-potentially-owned-tasks-in-case-of-errors.patch and it can be found in the queue-2.6.32 subdirectory. If you, or anyone else, feels it should not be added to the 2.6.32 longterm tree, please let <st...@vg...> know about it. >From rob...@am... Fri Dec 9 13:56:26 2011 From: Robert Richter <rob...@am...> Date: Wed, 7 Dec 2011 18:30:10 +0100 Subject: oprofile: Free potentially owned tasks in case of errors To: Greg KH <gr...@su...> Cc: <st...@vg...>, oprofile-list <opr...@li...> Message-ID: <132...@am...> From: Robert Richter <rob...@am...> commit 6ac6519b93065625119a347be1cbcc1b89edb773 upstream. After registering the task free notifier we possibly have tasks in our dying_tasks list. Free them after unregistering the notifier in case of an error. Signed-off-by: Robert Richter <rob...@am...> Signed-off-by: Greg Kroah-Hartman <gr...@su...> --- drivers/oprofile/buffer_sync.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) --- a/drivers/oprofile/buffer_sync.c +++ b/drivers/oprofile/buffer_sync.c @@ -140,6 +140,13 @@ static struct notifier_block module_load .notifier_call = module_load_notify, }; +static void free_all_tasks(void) +{ + /* make sure we don't leak task structs */ + process_task_mortuary(); + process_task_mortuary(); +} + int sync_start(void) { int err; @@ -173,6 +180,7 @@ out3: profile_event_unregister(PROFILE_TASK_EXIT, &task_exit_nb); out2: task_handoff_unregister(&task_free_nb); + free_all_tasks(); out1: free_cpumask_var(marked_cpus); goto out; 
@@ -191,10 +199,7 @@ void sync_stop(void) mutex_unlock(&buffer_mutex); flush_scheduled_work(); - /* make sure we don't leak task structs */ - process_task_mortuary(); - process_task_mortuary(); - + free_all_tasks(); free_cpumask_var(marked_cpus); } Patches currently in longterm-queue-2.6.32 which might be from rob...@am... are /home/gregkh/linux/longterm/longterm-queue-2.6.32/queue-2.6.32/oprofile-free-potentially-owned-tasks-in-case-of-errors.patch /home/gregkh/linux/longterm/longterm-queue-2.6.32/queue-2.6.32/oprofile-fix-locking-dependency-in-sync_start.patch |
From: Robert R. <rob...@am...> - 2011-12-07 17:30:34
|
commit 130c5ce716c9bfd1c2a2ec840a746eb7ff9ce1e6 upstream. Backport for stable kernel 2.6.32.y, 2.6.35.y. This fixes the A->B/B->A locking dependency, see the warning below. The function task_exit_notify() is called with (task_exit_notifier) .rwsem set and then calls sync_buffer() which locks buffer_mutex. In sync_start() the buffer_mutex was set to prevent notifier functions to be started before sync_start() is finished. But when registering the notifier, (task_exit_notifier).rwsem is locked too, but now in different order than in sync_buffer(). In theory this causes a locking dependency, what does not occur in practice since task_exit_notify() is always called after the notifier is registered which means the lock is already released. However, after checking the notifier functions it turned out the buffer_mutex in sync_start() is unnecessary. This is because sync_buffer() may be called from the notifiers even if sync_start() did not finish yet, the buffers are already allocated but empty. No need to protect this with the mutex. So we fix this theoretical locking dependency by removing buffer_mutex in sync_start(). This is similar to the implementation before commit: 750d857 oprofile: fix crash when accessing freed task structs which introduced the locking dependency. Lockdep warning: oprofiled/4447 is trying to acquire lock: (buffer_mutex){+.+...}, at: [<ffffffffa0000e55>] sync_buffer+0x31/0x3ec [oprofile] but task is already holding lock: ((task_exit_notifier).rwsem){++++..}, at: [<ffffffff81058026>] __blocking_notifier_call_chain+0x39/0x67 which lock already depends on the new lock. 
the existing dependency chain (in reverse order) is: -> #1 ((task_exit_notifier).rwsem){++++..}: [<ffffffff8106557f>] lock_acquire+0xf8/0x11e [<ffffffff81463a2b>] down_write+0x44/0x67 [<ffffffff810581c0>] blocking_notifier_chain_register+0x52/0x8b [<ffffffff8105a6ac>] profile_event_register+0x2d/0x2f [<ffffffffa00013c1>] sync_start+0x47/0xc6 [oprofile] [<ffffffffa00001bb>] oprofile_setup+0x60/0xa5 [oprofile] [<ffffffffa00014e3>] event_buffer_open+0x59/0x8c [oprofile] [<ffffffff810cd3b9>] __dentry_open+0x1eb/0x308 [<ffffffff810cd59d>] nameidata_to_filp+0x60/0x67 [<ffffffff810daad6>] do_last+0x5be/0x6b2 [<ffffffff810dbc33>] path_openat+0xc7/0x360 [<ffffffff810dbfc5>] do_filp_open+0x3d/0x8c [<ffffffff810ccfd2>] do_sys_open+0x110/0x1a9 [<ffffffff810cd09e>] sys_open+0x20/0x22 [<ffffffff8146ad4b>] system_call_fastpath+0x16/0x1b -> #0 (buffer_mutex){+.+...}: [<ffffffff81064dfb>] __lock_acquire+0x1085/0x1711 [<ffffffff8106557f>] lock_acquire+0xf8/0x11e [<ffffffff814634f0>] mutex_lock_nested+0x63/0x309 [<ffffffffa0000e55>] sync_buffer+0x31/0x3ec [oprofile] [<ffffffffa0001226>] task_exit_notify+0x16/0x1a [oprofile] [<ffffffff81467b96>] notifier_call_chain+0x37/0x63 [<ffffffff8105803d>] __blocking_notifier_call_chain+0x50/0x67 [<ffffffff81058068>] blocking_notifier_call_chain+0x14/0x16 [<ffffffff8105a718>] profile_task_exit+0x1a/0x1c [<ffffffff81039e8f>] do_exit+0x2a/0x6fc [<ffffffff8103a5e4>] do_group_exit+0x83/0xae [<ffffffff8103a626>] sys_exit_group+0x17/0x1b [<ffffffff8146ad4b>] system_call_fastpath+0x16/0x1b other info that might help us debug this: 1 lock held by oprofiled/4447: #0: ((task_exit_notifier).rwsem){++++..}, at: [<ffffffff81058026>] __blocking_notifier_call_chain+0x39/0x67 stack backtrace: Pid: 4447, comm: oprofiled Not tainted 2.6.39-00007-gcf4d8d4 #10 Call Trace: [<ffffffff81063193>] print_circular_bug+0xae/0xbc [<ffffffff81064dfb>] __lock_acquire+0x1085/0x1711 [<ffffffffa0000e55>] ? 
sync_buffer+0x31/0x3ec [oprofile] [<ffffffff8106557f>] lock_acquire+0xf8/0x11e [<ffffffffa0000e55>] ? sync_buffer+0x31/0x3ec [oprofile] [<ffffffff81062627>] ? mark_lock+0x42f/0x552 [<ffffffffa0000e55>] ? sync_buffer+0x31/0x3ec [oprofile] [<ffffffff814634f0>] mutex_lock_nested+0x63/0x309 [<ffffffffa0000e55>] ? sync_buffer+0x31/0x3ec [oprofile] [<ffffffffa0000e55>] sync_buffer+0x31/0x3ec [oprofile] [<ffffffff81058026>] ? __blocking_notifier_call_chain+0x39/0x67 [<ffffffff81058026>] ? __blocking_notifier_call_chain+0x39/0x67 [<ffffffffa0001226>] task_exit_notify+0x16/0x1a [oprofile] [<ffffffff81467b96>] notifier_call_chain+0x37/0x63 [<ffffffff8105803d>] __blocking_notifier_call_chain+0x50/0x67 [<ffffffff81058068>] blocking_notifier_call_chain+0x14/0x16 [<ffffffff8105a718>] profile_task_exit+0x1a/0x1c [<ffffffff81039e8f>] do_exit+0x2a/0x6fc [<ffffffff81465031>] ? retint_swapgs+0xe/0x13 [<ffffffff8103a5e4>] do_group_exit+0x83/0xae [<ffffffff8103a626>] sys_exit_group+0x17/0x1b [<ffffffff8146ad4b>] system_call_fastpath+0x16/0x1b Reported-by: Marcin Slusarz <mar...@gm...> Cc: Carl Love <ca...@us...> Cc: <st...@ke...> # .36+ Signed-off-by: Robert Richter <rob...@am...> --- drivers/oprofile/buffer_sync.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/oprofile/buffer_sync.c b/drivers/oprofile/buffer_sync.c index 6495ae0..334ccd6 100644 --- a/drivers/oprofile/buffer_sync.c +++ b/drivers/oprofile/buffer_sync.c @@ -154,8 +154,6 @@ int sync_start(void) if (!zalloc_cpumask_var(&marked_cpus, GFP_KERNEL)) return -ENOMEM; - mutex_lock(&buffer_mutex); - err = task_handoff_register(&task_free_nb); if (err) goto out1; @@ -172,7 +170,6 @@ int sync_start(void) start_cpu_work(); out: - mutex_unlock(&buffer_mutex); return err; out4: profile_event_unregister(PROFILE_MUNMAP, &munmap_nb); 
@@ -189,14 +186,13 @@ out1: void sync_stop(void) { - /* flush buffers */ - mutex_lock(&buffer_mutex); end_cpu_work(); unregister_module_notifier(&module_load_nb); profile_event_unregister(PROFILE_MUNMAP, &munmap_nb); profile_event_unregister(PROFILE_TASK_EXIT, &task_exit_nb); task_handoff_unregister(&task_free_nb); - mutex_unlock(&buffer_mutex); + barrier(); /* do all of the above first */ + flush_scheduled_work(); free_all_tasks(); -- 1.7.7 |
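Review bot: With mutex_lock(&buffer_mutex) gone from sync_start(), the notifiers registered by task_handoff_register() and the following registrations can fire while the later registrations, start_cpu_work(), or the out1..out4 unwind are still running, and nothing in the function says why that is safe. The changelog gives the reason (the buffers are already allocated but empty); a short comment to that effect above task_handoff_register() would keep a later change from putting the lock back and reintroducing the inversion.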
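Review bot: In the sync_stop() hunk, barrier() is a compiler-only barrier and does not wait for anything at run time, so the comment "do all of the above first" promises more than the call delivers. What drains pending work before free_all_tasks() is flush_scheduled_work(); consider dropping barrier() and putting the comment on the flush instead. The changelog argues only the sync_start() case, so it should also say why sync_stop() can unregister the notifiers without holding buffer_mutex.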
From: <gr...@su...> - 2011-12-09 22:17:52
|
This is a note to let you know that I've just added the patch titled oprofile: Fix locking dependency in sync_start() to the 2.6.32-longterm tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/longterm/longterm-queue-2.6.32.git;a=summary The filename of the patch is: oprofile-fix-locking-dependency-in-sync_start.patch and it can be found in the queue-2.6.32 subdirectory. If you, or anyone else, feels it should not be added to the 2.6.32 longterm tree, please let <st...@vg...> know about it. >From rob...@am... Fri Dec 9 13:56:55 2011 From: Robert Richter <rob...@am...> Date: Wed, 7 Dec 2011 18:30:11 +0100 Subject: oprofile: Fix locking dependency in sync_start() To: Greg KH <gr...@su...> Cc: <st...@vg...>, oprofile-list <opr...@li...> Message-ID: <132...@am...> 
From: Robert Richter <rob...@am...> commit 130c5ce716c9bfd1c2a2ec840a746eb7ff9ce1e6 upstream. This fixes the A->B/B->A locking dependency, see the warning below. The function task_exit_notify() is called with (task_exit_notifier) .rwsem set and then calls sync_buffer() which locks buffer_mutex. In sync_start() the buffer_mutex was set to prevent notifier functions to be started before sync_start() is finished. But when registering the notifier, (task_exit_notifier).rwsem is locked too, but now in different order than in sync_buffer(). In theory this causes a locking dependency, what does not occur in practice since task_exit_notify() is always called after the notifier is registered which means the lock is already released. However, after checking the notifier functions it turned out the buffer_mutex in sync_start() is unnecessary. This is because sync_buffer() may be called from the notifiers even if sync_start() did not finish yet, the buffers are already allocated but empty. No need to protect this with the mutex. So we fix this theoretical locking dependency by removing buffer_mutex in sync_start(). This is similar to the implementation before commit: 750d857 oprofile: fix crash when accessing freed task structs which introduced the locking dependency. Lockdep warning: oprofiled/4447 is trying to acquire lock: (buffer_mutex){+.+...}, at: [<ffffffffa0000e55>] sync_buffer+0x31/0x3ec [oprofile] but task is already holding lock: ((task_exit_notifier).rwsem){++++..}, at: [<ffffffff81058026>] __blocking_notifier_call_chain+0x39/0x67 which lock already depends on the new lock. 
the existing dependency chain (in reverse order) is: -> #1 ((task_exit_notifier).rwsem){++++..}: [<ffffffff8106557f>] lock_acquire+0xf8/0x11e [<ffffffff81463a2b>] down_write+0x44/0x67 [<ffffffff810581c0>] blocking_notifier_chain_register+0x52/0x8b [<ffffffff8105a6ac>] profile_event_register+0x2d/0x2f [<ffffffffa00013c1>] sync_start+0x47/0xc6 [oprofile] [<ffffffffa00001bb>] oprofile_setup+0x60/0xa5 [oprofile] [<ffffffffa00014e3>] event_buffer_open+0x59/0x8c [oprofile] [<ffffffff810cd3b9>] __dentry_open+0x1eb/0x308 [<ffffffff810cd59d>] nameidata_to_filp+0x60/0x67 [<ffffffff810daad6>] do_last+0x5be/0x6b2 [<ffffffff810dbc33>] path_openat+0xc7/0x360 [<ffffffff810dbfc5>] do_filp_open+0x3d/0x8c [<ffffffff810ccfd2>] do_sys_open+0x110/0x1a9 [<ffffffff810cd09e>] sys_open+0x20/0x22 [<ffffffff8146ad4b>] system_call_fastpath+0x16/0x1b -> #0 (buffer_mutex){+.+...}: [<ffffffff81064dfb>] __lock_acquire+0x1085/0x1711 [<ffffffff8106557f>] lock_acquire+0xf8/0x11e [<ffffffff814634f0>] mutex_lock_nested+0x63/0x309 [<ffffffffa0000e55>] sync_buffer+0x31/0x3ec [oprofile] [<ffffffffa0001226>] task_exit_notify+0x16/0x1a [oprofile] [<ffffffff81467b96>] notifier_call_chain+0x37/0x63 [<ffffffff8105803d>] __blocking_notifier_call_chain+0x50/0x67 [<ffffffff81058068>] blocking_notifier_call_chain+0x14/0x16 [<ffffffff8105a718>] profile_task_exit+0x1a/0x1c [<ffffffff81039e8f>] do_exit+0x2a/0x6fc [<ffffffff8103a5e4>] do_group_exit+0x83/0xae [<ffffffff8103a626>] sys_exit_group+0x17/0x1b [<ffffffff8146ad4b>] system_call_fastpath+0x16/0x1b other info that might help us debug this: 1 lock held by oprofiled/4447: #0: ((task_exit_notifier).rwsem){++++..}, at: [<ffffffff81058026>] __blocking_notifier_call_chain+0x39/0x67 stack backtrace: Pid: 4447, comm: oprofiled Not tainted 2.6.39-00007-gcf4d8d4 #10 Call Trace: [<ffffffff81063193>] print_circular_bug+0xae/0xbc [<ffffffff81064dfb>] __lock_acquire+0x1085/0x1711 [<ffffffffa0000e55>] ? 
sync_buffer+0x31/0x3ec [oprofile] [<ffffffff8106557f>] lock_acquire+0xf8/0x11e [<ffffffffa0000e55>] ? sync_buffer+0x31/0x3ec [oprofile] [<ffffffff81062627>] ? mark_lock+0x42f/0x552 [<ffffffffa0000e55>] ? sync_buffer+0x31/0x3ec [oprofile] [<ffffffff814634f0>] mutex_lock_nested+0x63/0x309 [<ffffffffa0000e55>] ? sync_buffer+0x31/0x3ec [oprofile] [<ffffffffa0000e55>] sync_buffer+0x31/0x3ec [oprofile] [<ffffffff81058026>] ? __blocking_notifier_call_chain+0x39/0x67 [<ffffffff81058026>] ? __blocking_notifier_call_chain+0x39/0x67 [<ffffffffa0001226>] task_exit_notify+0x16/0x1a [oprofile] [<ffffffff81467b96>] notifier_call_chain+0x37/0x63 [<ffffffff8105803d>] __blocking_notifier_call_chain+0x50/0x67 [<ffffffff81058068>] blocking_notifier_call_chain+0x14/0x16 [<ffffffff8105a718>] profile_task_exit+0x1a/0x1c [<ffffffff81039e8f>] do_exit+0x2a/0x6fc [<ffffffff81465031>] ? retint_swapgs+0xe/0x13 [<ffffffff8103a5e4>] do_group_exit+0x83/0xae [<ffffffff8103a626>] sys_exit_group+0x17/0x1b [<ffffffff8146ad4b>] system_call_fastpath+0x16/0x1b Reported-by: Marcin Slusarz <mar...@gm...> Cc: Carl Love <ca...@us...> Signed-off-by: Robert Richter <rob...@am...> Signed-off-by: Greg Kroah-Hartman <gr...@su...> --- drivers/oprofile/buffer_sync.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) --- a/drivers/oprofile/buffer_sync.c +++ b/drivers/oprofile/buffer_sync.c @@ -154,8 +154,6 @@ int sync_start(void) if (!zalloc_cpumask_var(&marked_cpus, GFP_KERNEL)) return -ENOMEM; - mutex_lock(&buffer_mutex); - err = task_handoff_register(&task_free_nb); if (err) goto out1; @@ -172,7 +170,6 @@ int sync_start(void) start_cpu_work(); out: - mutex_unlock(&buffer_mutex); return err; out4: profile_event_unregister(PROFILE_MUNMAP, &munmap_nb); 
@@ -189,14 +186,13 @@ out1: void sync_stop(void) { - /* flush buffers */ - mutex_lock(&buffer_mutex); end_cpu_work(); unregister_module_notifier(&module_load_nb); profile_event_unregister(PROFILE_MUNMAP, &munmap_nb); profile_event_unregister(PROFILE_TASK_EXIT, &task_exit_nb); task_handoff_unregister(&task_free_nb); - mutex_unlock(&buffer_mutex); + barrier(); /* do all of the above first */ + flush_scheduled_work(); free_all_tasks(); Patches currently in longterm-queue-2.6.32 which might be from rob...@am... are /home/gregkh/linux/longterm/longterm-queue-2.6.32/queue-2.6.32/oprofile-free-potentially-owned-tasks-in-case-of-errors.patch /home/gregkh/linux/longterm/longterm-queue-2.6.32/queue-2.6.32/oprofile-fix-locking-dependency-in-sync_start.patch |
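The A->B/B->A dependency described in the commit message above, replayed as an added userspace example (not part of the patch and not oprofile or lockdep code): a minimal lock-order tracker, much simpler than lockdep, records which lock is taken while another is held and flags the edge that closes a cycle. The names `tracker`, `acquire()`, `release()` and `run_scenario()` are made up for this illustration; the two call paths are taken from the warning.

```c
#include <stdio.h>
#include <string.h>

/* Lock classes named after the two locks in the lockdep report. */
enum { TASK_EXIT_RWSEM, BUFFER_MUTEX, NR_LOCKS };

static const char *const lock_name[NR_LOCKS] = {
	"(task_exit_notifier).rwsem", "buffer_mutex",
};

struct tracker {
	/* after[a][b] != 0: b was acquired at least once while a was held */
	unsigned char after[NR_LOCKS][NR_LOCKS];
	int held[NR_LOCKS];	/* stack of locks held by the current path */
	int depth;
};

/* Depth-first search: is 'to' reachable from 'from' via recorded edges? */
static int reachable(const struct tracker *t, int from, int to, unsigned seen)
{
	if (from == to)
		return 1;
	seen |= 1u << from;
	for (int next = 0; next < NR_LOCKS; next++)
		if (t->after[from][next] && !(seen & (1u << next)) &&
		    reachable(t, next, to, seen))
			return 1;
	return 0;
}

/*
 * Record that 'lock' is taken with everything in held[] already held.
 * Returns 1 if some held lock is already ordered after 'lock', i.e. the
 * new edge held -> lock closes a cycle (A->B recorded, now B->A); else 0.
 */
static int acquire(struct tracker *t, int lock)
{
	int inversion = 0;

	for (int i = 0; i < t->depth; i++) {
		int held = t->held[i];

		if (reachable(t, lock, held, 0)) {
			printf("inversion: taking %s while holding %s\n",
			       lock_name[lock], lock_name[held]);
			inversion = 1;
		}
		t->after[held][lock] = 1;
	}
	t->held[t->depth++] = lock;
	return inversion;
}

static void release(struct tracker *t)
{
	t->depth--;	/* locks are released in reverse order here */
}

/*
 * Replays both call paths from the warning and returns the number of
 * inversions seen. 'start_holds_mutex' selects the code before the patch
 * (1: sync_start() holds buffer_mutex while registering) or after it (0).
 */
static int run_scenario(int start_holds_mutex)
{
	struct tracker t;
	int inversions = 0;

	memset(&t, 0, sizeof(t));

	/* Path 1: sync_start() -> profile_event_register() -> down_write() */
	if (start_holds_mutex)
		inversions += acquire(&t, BUFFER_MUTEX);
	inversions += acquire(&t, TASK_EXIT_RWSEM);
	release(&t);
	if (start_holds_mutex)
		release(&t);

	/* Path 2: do_exit() -> notifier chain -> task_exit_notify() -> sync_buffer() */
	inversions += acquire(&t, TASK_EXIT_RWSEM);
	inversions += acquire(&t, BUFFER_MUTEX);
	release(&t);
	release(&t);

	return inversions;
}

int main(void)
{
	printf("before patch: %d inversion(s)\n", run_scenario(1));
	printf("after patch:  %d inversion(s)\n", run_scenario(0));
	return 0;
}
```

As in the report, the inversion is flagged on the task-exit path, even though the two paths never ran at the same time; the tracker, like lockdep, reasons about recorded order rather than an observed deadlock.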
From: Robert R. <rob...@am...> - 2011-12-07 17:30:37
|
commit a0e3e70243f5b270bc3eca718f0a9fa5e6b8262e upstream. Backport for stable kernel v2.6.32.y to v2.6.36.y. Current oprofile's x86 callgraph support may trigger page faults throwing the BUG_ON(in_nmi()) message below. This patch fixes this by using the same nmi-safe copy-from-user code as in perf. ------------[ cut here ]------------ kernel BUG at .../arch/x86/kernel/traps.c:436! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/devices/pci0000:00/0000:00:0a.0/0000:07:00.0/0000:08:04.0/net/eth0/broadcast CPU 5 Modules linked in: Pid: 8611, comm: opcontrol Not tainted 2.6.39-00007-gfe47ae7 #1 Advanced Micro Device Anaheim/Anaheim RIP: 0010:[<ffffffff813e8e35>] [<ffffffff813e8e35>] do_nmi+0x22/0x1ee RSP: 0000:ffff88042fd47f28 EFLAGS: 00010002 RAX: ffff88042c0a7fd8 RBX: 0000000000000001 RCX: 00000000c0000101 RDX: 00000000ffff8804 RSI: ffffffffffffffff RDI: ffff88042fd47f58 RBP: ffff88042fd47f48 R08: 0000000000000004 R09: 0000000000001484 R10: 0000000000000001 R11: 0000000000000000 R12: ffff88042fd47f58 R13: 0000000000000000 R14: ffff88042fd47d98 R15: 0000000000000020 FS: 00007fca25e56700(0000) GS:ffff88042fd40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000074 CR3: 000000042d28b000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process opcontrol (pid: 8611, threadinfo ffff88042c0a6000, task ffff88042c532310) Stack: 0000000000000000 0000000000000001 ffff88042c0a7fd8 0000000000000000 ffff88042fd47de8 ffffffff813e897a 0000000000000020 ffff88042fd47d98 0000000000000000 ffff88042c0a7fd8 ffff88042fd47de8 0000000000000074 Call Trace: <NMI> [<ffffffff813e897a>] nmi+0x1a/0x20 [<ffffffff813f08ab>] ? 
bad_to_user+0x25/0x771 <<EOE>> Code: ff 59 5b 41 5c 41 5d c9 c3 55 65 48 8b 04 25 88 b5 00 00 48 89 e5 41 55 41 54 49 89 fc 53 48 83 ec 08 f6 80 47 e0 ff ff 04 74 04 <0f> 0b eb fe 81 80 44 e0 ff ff 00 00 01 04 65 ff 04 25 c4 0f 01 RIP [<ffffffff813e8e35>] do_nmi+0x22/0x1ee RSP <ffff88042fd47f28> ---[ end trace ed6752185092104b ]--- Kernel panic - not syncing: Fatal exception in interrupt Pid: 8611, comm: opcontrol Tainted: G D 2.6.39-00007-gfe47ae7 #1 Call Trace: <NMI> [<ffffffff813e5e0a>] panic+0x8c/0x188 [<ffffffff813e915c>] oops_end+0x81/0x8e [<ffffffff8100403d>] die+0x55/0x5e [<ffffffff813e8c45>] do_trap+0x11c/0x12b [<ffffffff810023c8>] do_invalid_op+0x91/0x9a [<ffffffff813e8e35>] ? do_nmi+0x22/0x1ee [<ffffffff8131e6fa>] ? oprofile_add_sample+0x83/0x95 [<ffffffff81321670>] ? op_amd_check_ctrs+0x4f/0x2cf [<ffffffff813ee4d5>] invalid_op+0x15/0x20 [<ffffffff813e8e35>] ? do_nmi+0x22/0x1ee [<ffffffff813e8e7a>] ? do_nmi+0x67/0x1ee [<ffffffff813e897a>] nmi+0x1a/0x20 [<ffffffff813f08ab>] ? bad_to_user+0x25/0x771 <<EOE>> Cc: John Lumby <joh...@ho...> Cc: Maynard Johnson <may...@us...> Signed-off-by: Robert Richter <rob...@am...> --- arch/x86/oprofile/backtrace.c | 46 +++++++++++++++++++++++++++++++++++++--- 1 files changed, 42 insertions(+), 4 deletions(-) diff --git a/arch/x86/oprofile/backtrace.c b/arch/x86/oprofile/backtrace.c index 044897b..c42896a 100644 --- a/arch/x86/oprofile/backtrace.c +++ b/arch/x86/oprofile/backtrace.c @@ -11,6 +11,8 @@ #include <linux/oprofile.h> #include <linux/sched.h> #include <linux/mm.h> +#include <linux/highmem.h> + #include <asm/ptrace.h> #include <asm/uaccess.h> #include <asm/stacktrace.h> 
@@ -47,6 +49,42 @@ static struct stacktrace_ops backtrace_ops = { .address = backtrace_address, }; +/* from arch/x86/kernel/cpu/perf_event.c: */ + +/* + * best effort, GUP based copy_from_user() that assumes IRQ or NMI context + */ +static unsigned long +copy_from_user_nmi(void *to, const void __user *from, unsigned long n) +{ + unsigned long offset, addr = (unsigned long)from; + unsigned long size, len = 0; + struct page *page; + void *map; + int ret; + + do { + ret = __get_user_pages_fast(addr, 1, 0, &page); + if (!ret) + break; + + offset = addr & (PAGE_SIZE - 1); + size = min(PAGE_SIZE - offset, n - len); + + map = kmap_atomic(page, KM_USER0); + memcpy(to, map+offset, size); + kunmap_atomic(map, KM_USER0); + put_page(page); + + len += size; + to += size; + addr += size; + + } while (len < n); + + return len; +} + struct frame_head { struct frame_head *bp; unsigned long ret; @@ -54,12 +92,12 @@ struct frame_head { static struct frame_head *dump_user_backtrace(struct frame_head *head) { + /* Also check accessibility of one struct frame_head beyond: */ struct frame_head bufhead[2]; + unsigned long bytes; - /* Also check accessibility of one struct frame_head beyond */ - if (!access_ok(VERIFY_READ, head, sizeof(bufhead))) - return NULL; - if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead))) + bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead)); + if (bytes != sizeof(bufhead)) return NULL; oprofile_add_trace(bufhead[0].ret); -- 1.7.7 |
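Review bot: In copy_from_user_nmi(), kmap_atomic(page, KM_USER0) uses a slot that process-context code also uses, while the comment says the function assumes IRQ or NMI context; on a highmem configuration an NMI that lands while the interrupted code holds a KM_USER0 mapping would replace that mapping underneath it. The hunk says the code comes from arch/x86/kernel/cpu/perf_event.c, so please check which km_type the perf copy in each target stable tree passes and use the same one here.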
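Review bot: The dump_user_backtrace() hunk removes the explicit access_ok(VERIFY_READ, head, sizeof(bufhead)) check, and head is a frame pointer read from user-controlled stack memory, so the only thing now keeping a kernel address out of the copy is whatever range check __get_user_pages_fast() performs. Please state that dependency in the comment above copy_from_user_nmi(), or keep the access_ok() test in front of the call, since it is cheap and does not touch user memory.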
From: Robert R. <rob...@am...> - 2011-12-07 17:30:39
|
Fix for stable kernels v2.6.28.y to v2.6.34.y. This patch is for .32. Oprofile crashes while unloading modules and if in timer mode. Timer mode is the fallback if the architectural initialization fails. The pointer variable model is then used uninitialized during exit causing a NULL pointer dereference. It can be triggered with kernel parameters oprofile.timer=1 nolapic used. Happens esp. in virtual machine environments. oprofile: using timer interrupt. BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 IP: [<ffffffffa000251f>] op_nmi_exit+0x3d/0x4a [oprofile] PGD 42ac5e067 PUD 42ac5d067 PMD 0 Oops: 0000 [#1] PREEMPT SMP last sysfs file: /sys/module/oprofile/refcnt CPU 0 Modules linked in: oprofile(-) Pid: 2245, comm: modprobe Not tainted 2.6.32.21-oprofile-x86_64-debug-00038-gf4db115 #69 Anaheim RIP: 0010:[<ffffffffa000251f>] [<ffffffffa000251f>] op_nmi_exit+0x3d/0x4a [oprofile] RSP: 0018:ffff88042d4f9ec8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffffffa0005590 RCX: ffff88042d4f9ea8 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 RBP: ffff88042d4f9ec8 R08: ffff88042d4f9ee8 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000080 R13: 00000000fffffff5 R14: 0000000000000001 R15: 00000000006101e0 FS: 00007fef6ac9c700(0000) GS:ffff880028200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000028 CR3: 000000042ac60000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process modprobe (pid: 2245, threadinfo ffff88042d4f8000, task ffff88042cd66040) Stack: ffff88042d4f9ed8 ffffffffa0002096 ffff88042d4f9ee8 ffffffffa0003bbb <0> ffff88042d4f9f78 ffffffff810748ad 656c69666f72706f 00007fff77a07800 <0> ffff88042d4f9f28 ffffffff81068414 000000000060f180 0000000000000000 Call Trace: [<ffffffffa0002096>] oprofile_arch_exit+0xe/0x10 [oprofile] 
[<ffffffffa0003bbb>] oprofile_exit+0x13/0x15 [oprofile] [<ffffffff810748ad>] sys_delete_module+0x1cd/0x244 [<ffffffff81068414>] ? trace_hardirqs_on_caller+0x114/0x13f [<ffffffff8143ad47>] ? trace_hardirqs_on_thunk+0x3a/0x3f [<ffffffff8100b13b>] system_call_fastpath+0x16/0x1b Code: 48 c7 c7 90 4e 00 a0 e8 e7 15 22 e1 48 c7 c7 e0 4e 00 a0 e8 bd 18 22 e1 48 c7 c7 70 4e 00 a0 e8 94 4e 41 e1 48 8b 05 d1 39 00 00 <48> 8b 40 28 48 85 c0 74 02 ff d0 c9 c3 55 48 89 e5 e8 cb 88 00 RIP [<ffffffffa000251f>] op_nmi_exit+0x3d/0x4a [oprofile] RSP <ffff88042d4f9ec8> CR2: 0000000000000028 ---[ end trace 18b12420ceb19193 ]--- Signed-off-by: Robert Richter <rob...@am...> --- arch/x86/oprofile/nmi_int.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/x86/oprofile/nmi_int.c b/arch/x86/oprofile/nmi_int.c index ca6b336..8f0e49b 100644 --- a/arch/x86/oprofile/nmi_int.c +++ b/arch/x86/oprofile/nmi_int.c @@ -750,12 +750,12 @@ int __init op_nmi_init(struct oprofile_operations *ops) void op_nmi_exit(void) { - if (using_nmi) { - exit_sysfs(); + if (!using_nmi) + return; + exit_sysfs(); #ifdef CONFIG_SMP - unregister_cpu_notifier(&oprofile_cpu_nb); + unregister_cpu_notifier(&oprofile_cpu_nb); #endif - } if (model->exit) model->exit(); } -- 1.7.7 |
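Review bot: The new early return in op_nmi_exit() makes the model->exit call depend on using_nmi, which is correct only if op_nmi_init() sets using_nmi strictly after model has been assigned; that ordering is not visible in this hunk, so a one-line comment at "if (!using_nmi) return;" stating the invariant would help. The changelog also lacks the "commit ... upstream." line that the other patches in this series carry, which makes it hard to match the backport to its mainline fix.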
From: Robert R. <rob...@am...> - 2011-12-07 17:31:08
|
From: Xiao Guangrong <xia...@cn...> commit 45888a0c6edc305495b6bd72a30e66bc40b324c6 upstream. Backport for stable kernel v2.6.32.y to v2.6.36.y. Needed for next patch: oprofile, x86: Fix nmi-unsafe callgraph support This function is used by KVM to pin process's page in the atomic context. Define the 'weak' function to avoid other architecture not support it Acked-by: Nick Piggin <np...@su...> Signed-off-by: Xiao Guangrong <xia...@cn...> Signed-off-by: Marcelo Tosatti <mto...@re...> Signed-off-by: Robert Richter <rob...@am...> --- mm/util.c | 13 +++++++++++++ 1 files changed, 13 insertions(+), 0 deletions(-) diff --git a/mm/util.c b/mm/util.c index b377ce4..e48b493 100644 --- a/mm/util.c +++ b/mm/util.c @@ -233,6 +233,19 @@ void arch_pick_mmap_layout(struct mm_struct *mm) } #endif +/* + * Like get_user_pages_fast() except its IRQ-safe in that it won't fall + * back to the regular GUP. + * If the architecture not support this fucntion, simply return with no + * page pinned + */ +int __attribute__((weak)) __get_user_pages_fast(unsigned long start, + int nr_pages, int write, struct page **pages) +{ + return 0; +} +EXPORT_SYMBOL_GPL(__get_user_pages_fast); + /** * get_user_pages_fast() - pin user pages in memory * @start: starting user address -- 1.7.7 |
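Review bot: The weak __get_user_pages_fast() stub returns 0 both when the architecture has no implementation and, for a real implementation, when nothing could be pinned, so a caller cannot tell "unsupported" from "page not present". The comment should say that callers must treat 0 as a failure for this address and must not loop expecting progress. The comment text also has typos ("its IRQ-safe", "not support this fucntion"); if they are kept to stay identical to the upstream commit, say so in the changelog.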
From: Greg KH <gr...@kr...> - 2011-12-09 22:03:20
|
On Wed, Dec 07, 2011 at 06:30:13PM +0100, Robert Richter wrote: > commit a0e3e70243f5b270bc3eca718f0a9fa5e6b8262e upstream. <snip> Something went wrong with your whitespace in this patch: > +static unsigned long > +copy_from_user_nmi(void *to, const void __user *from, unsigned long n) > +{ > + unsigned long offset, addr = (unsigned long)from; > + unsigned long size, len = 0; > + struct page *page; > + void *map; > + int ret; > + > + do { > + ret = __get_user_pages_fast(addr, 1, 0, &page); > + if (!ret) > + break; Please fix this up and resend it. I've taken the first 2 patches in this series, but not the last 3 because of this. greg k-h |
From: Robert R. <rob...@am...> - 2011-12-12 13:48:19
|
On 09.12.11 14:01:13, Greg KH wrote: > Something went wrong with your whitespace in this patch: Didn't notice that. Updated version enclosed (updates only patch 4/5, other patches remain unchanged). Thanks, -Robert >From 6eb18975b419f5bc1d50639465ce8e803b20e552 Mon Sep 17 00:00:00 2001 
From: Robert Richter <rob...@am...> Date: Fri, 3 Jun 2011 16:37:47 +0200 Subject: [PATCH 4/5 v2] oprofile, x86: Fix nmi-unsafe callgraph support commit a0e3e70243f5b270bc3eca718f0a9fa5e6b8262e upstream. Backport for stable kernel v2.6.32.y to v2.6.36.y. Current oprofile's x86 callgraph support may trigger page faults throwing the BUG_ON(in_nmi()) message below. This patch fixes this by using the same nmi-safe copy-from-user code as in perf. ------------[ cut here ]------------ kernel BUG at .../arch/x86/kernel/traps.c:436! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/devices/pci0000:00/0000:00:0a.0/0000:07:00.0/0000:08:04.0/net/eth0/broadcast CPU 5 Modules linked in: Pid: 8611, comm: opcontrol Not tainted 2.6.39-00007-gfe47ae7 #1 Advanced Micro Device Anaheim/Anaheim RIP: 0010:[<ffffffff813e8e35>] [<ffffffff813e8e35>] do_nmi+0x22/0x1ee RSP: 0000:ffff88042fd47f28 EFLAGS: 00010002 RAX: ffff88042c0a7fd8 RBX: 0000000000000001 RCX: 00000000c0000101 RDX: 00000000ffff8804 RSI: ffffffffffffffff RDI: ffff88042fd47f58 RBP: ffff88042fd47f48 R08: 0000000000000004 R09: 0000000000001484 R10: 0000000000000001 R11: 0000000000000000 R12: ffff88042fd47f58 R13: 0000000000000000 R14: ffff88042fd47d98 R15: 0000000000000020 FS: 00007fca25e56700(0000) GS:ffff88042fd40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000074 CR3: 000000042d28b000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process opcontrol (pid: 8611, threadinfo ffff88042c0a6000, task ffff88042c532310) Stack: 0000000000000000 0000000000000001 ffff88042c0a7fd8 0000000000000000 ffff88042fd47de8 ffffffff813e897a 0000000000000020 ffff88042fd47d98 0000000000000000 ffff88042c0a7fd8 ffff88042fd47de8 0000000000000074 Call Trace: <NMI> [<ffffffff813e897a>] nmi+0x1a/0x20 [<ffffffff813f08ab>] ? 
bad_to_user+0x25/0x771 <<EOE>> Code: ff 59 5b 41 5c 41 5d c9 c3 55 65 48 8b 04 25 88 b5 00 00 48 89 e5 41 55 41 54 49 89 fc 53 48 83 ec 08 f6 80 47 e0 ff ff 04 74 04 <0f> 0b eb fe 81 80 44 e0 ff ff 00 00 01 04 65 ff 04 25 c4 0f 01 RIP [<ffffffff813e8e35>] do_nmi+0x22/0x1ee RSP <ffff88042fd47f28> ---[ end trace ed6752185092104b ]--- Kernel panic - not syncing: Fatal exception in interrupt Pid: 8611, comm: opcontrol Tainted: G D 2.6.39-00007-gfe47ae7 #1 Call Trace: <NMI> [<ffffffff813e5e0a>] panic+0x8c/0x188 [<ffffffff813e915c>] oops_end+0x81/0x8e [<ffffffff8100403d>] die+0x55/0x5e [<ffffffff813e8c45>] do_trap+0x11c/0x12b [<ffffffff810023c8>] do_invalid_op+0x91/0x9a [<ffffffff813e8e35>] ? do_nmi+0x22/0x1ee [<ffffffff8131e6fa>] ? oprofile_add_sample+0x83/0x95 [<ffffffff81321670>] ? op_amd_check_ctrs+0x4f/0x2cf [<ffffffff813ee4d5>] invalid_op+0x15/0x20 [<ffffffff813e8e35>] ? do_nmi+0x22/0x1ee [<ffffffff813e8e7a>] ? do_nmi+0x67/0x1ee [<ffffffff813e897a>] nmi+0x1a/0x20 [<ffffffff813f08ab>] ? bad_to_user+0x25/0x771 <<EOE>> Cc: John Lumby <joh...@ho...> Cc: Maynard Johnson <may...@us...> Signed-off-by: Robert Richter <rob...@am...> --- arch/x86/oprofile/backtrace.c | 46 +++++++++++++++++++++++++++++++++++++--- 1 files changed, 42 insertions(+), 4 deletions(-) diff --git a/arch/x86/oprofile/backtrace.c b/arch/x86/oprofile/backtrace.c index 044897b..829edf0 100644 --- a/arch/x86/oprofile/backtrace.c +++ b/arch/x86/oprofile/backtrace.c @@ -11,6 +11,8 @@ #include <linux/oprofile.h> #include <linux/sched.h> #include <linux/mm.h> +#include <linux/highmem.h> + #include <asm/ptrace.h> #include <asm/uaccess.h> #include <asm/stacktrace.h> 
@@ -47,6 +49,42 @@ static struct stacktrace_ops backtrace_ops = { .address = backtrace_address, }; +/* from arch/x86/kernel/cpu/perf_event.c: */ + +/* + * best effort, GUP based copy_from_user() that assumes IRQ or NMI context + */ +static unsigned long +copy_from_user_nmi(void *to, const void __user *from, unsigned long n) +{ + unsigned long offset, addr = (unsigned long)from; + unsigned long size, len = 0; + struct page *page; + void *map; + int ret; + + do { + ret = __get_user_pages_fast(addr, 1, 0, &page); + if (!ret) + break; + + offset = addr & (PAGE_SIZE - 1); + size = min(PAGE_SIZE - offset, n - len); + + map = kmap_atomic(page, KM_USER0); + memcpy(to, map+offset, size); + kunmap_atomic(map, KM_USER0); + put_page(page); + + len += size; + to += size; + addr += size; + + } while (len < n); + + return len; +} + struct frame_head { struct frame_head *bp; unsigned long ret; @@ -54,12 +92,12 @@ struct frame_head { static struct frame_head *dump_user_backtrace(struct frame_head *head) { + /* Also check accessibility of one struct frame_head beyond: */ struct frame_head bufhead[2]; + unsigned long bytes; - /* Also check accessibility of one struct frame_head beyond */ - if (!access_ok(VERIFY_READ, head, sizeof(bufhead))) - return NULL; - if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead))) + bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead)); + if (bytes != sizeof(bufhead)) return NULL; oprofile_add_trace(bufhead[0].ret); -- 1.7.7 -- Advanced Micro Devices, Inc. Operating System Research Center |
From: Robert R. <rob...@am...> - 2011-12-12 23:41:27
|
Resending patch 3 to 5 of my former submission. Fixing whitespace damage in patch 2 of this patch set.

Following patches with some fixes for linux-stable:

v2.6.32.y to v2.6.36.y:
 export __get_user_pages_fast() function
 oprofile, x86: Fix nmi-unsafe callgraph support

v2.6.28.y to v2.6.34.y:
 oprofile, x86: Fix crash when unloading module (timer mode)

This patch series bases on v2.6.32.y.

Robert Richter (2):
 oprofile, x86: Fix nmi-unsafe callgraph support
 oprofile, x86: Fix crash when unloading module (timer mode)

Xiao Guangrong (1):
 export __get_user_pages_fast() function

 arch/x86/oprofile/backtrace.c | 46 +++++++++++++++++++++++++++++++++++++---
 arch/x86/oprofile/nmi_int.c | 8 +++---
 mm/util.c | 13 +++++++++++
 3 files changed, 59 insertions(+), 8 deletions(-)
-- 1.7.7 |
From: Robert R. <rob...@am...> - 2011-12-12 23:40:50
|
commit a0e3e70243f5b270bc3eca718f0a9fa5e6b8262e upstream. Backport for stable kernel v2.6.32.y to v2.6.36.y. Current oprofile's x86 callgraph support may trigger page faults throwing the BUG_ON(in_nmi()) message below. This patch fixes this by using the same nmi-safe copy-from-user code as in perf. ------------[ cut here ]------------ kernel BUG at .../arch/x86/kernel/traps.c:436! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/devices/pci0000:00/0000:00:0a.0/0000:07:00.0/0000:08:04.0/net/eth0/broadcast CPU 5 Modules linked in: Pid: 8611, comm: opcontrol Not tainted 2.6.39-00007-gfe47ae7 #1 Advanced Micro Device Anaheim/Anaheim RIP: 0010:[<ffffffff813e8e35>] [<ffffffff813e8e35>] do_nmi+0x22/0x1ee RSP: 0000:ffff88042fd47f28 EFLAGS: 00010002 RAX: ffff88042c0a7fd8 RBX: 0000000000000001 RCX: 00000000c0000101 RDX: 00000000ffff8804 RSI: ffffffffffffffff RDI: ffff88042fd47f58 RBP: ffff88042fd47f48 R08: 0000000000000004 R09: 0000000000001484 R10: 0000000000000001 R11: 0000000000000000 R12: ffff88042fd47f58 R13: 0000000000000000 R14: ffff88042fd47d98 R15: 0000000000000020 FS: 00007fca25e56700(0000) GS:ffff88042fd40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000074 CR3: 000000042d28b000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process opcontrol (pid: 8611, threadinfo ffff88042c0a6000, task ffff88042c532310) Stack: 0000000000000000 0000000000000001 ffff88042c0a7fd8 0000000000000000 ffff88042fd47de8 ffffffff813e897a 0000000000000020 ffff88042fd47d98 0000000000000000 ffff88042c0a7fd8 ffff88042fd47de8 0000000000000074 Call Trace: <NMI> [<ffffffff813e897a>] nmi+0x1a/0x20 [<ffffffff813f08ab>] ? 
bad_to_user+0x25/0x771 <<EOE>> Code: ff 59 5b 41 5c 41 5d c9 c3 55 65 48 8b 04 25 88 b5 00 00 48 89 e5 41 55 41 54 49 89 fc 53 48 83 ec 08 f6 80 47 e0 ff ff 04 74 04 <0f> 0b eb fe 81 80 44 e0 ff ff 00 00 01 04 65 ff 04 25 c4 0f 01 RIP [<ffffffff813e8e35>] do_nmi+0x22/0x1ee RSP <ffff88042fd47f28> ---[ end trace ed6752185092104b ]--- Kernel panic - not syncing: Fatal exception in interrupt Pid: 8611, comm: opcontrol Tainted: G D 2.6.39-00007-gfe47ae7 #1 Call Trace: <NMI> [<ffffffff813e5e0a>] panic+0x8c/0x188 [<ffffffff813e915c>] oops_end+0x81/0x8e [<ffffffff8100403d>] die+0x55/0x5e [<ffffffff813e8c45>] do_trap+0x11c/0x12b [<ffffffff810023c8>] do_invalid_op+0x91/0x9a [<ffffffff813e8e35>] ? do_nmi+0x22/0x1ee [<ffffffff8131e6fa>] ? oprofile_add_sample+0x83/0x95 [<ffffffff81321670>] ? op_amd_check_ctrs+0x4f/0x2cf [<ffffffff813ee4d5>] invalid_op+0x15/0x20 [<ffffffff813e8e35>] ? do_nmi+0x22/0x1ee [<ffffffff813e8e7a>] ? do_nmi+0x67/0x1ee [<ffffffff813e897a>] nmi+0x1a/0x20 [<ffffffff813f08ab>] ? bad_to_user+0x25/0x771 <<EOE>> Cc: John Lumby <joh...@ho...> Cc: Maynard Johnson <may...@us...> Signed-off-by: Robert Richter <rob...@am...> --- arch/x86/oprofile/backtrace.c | 46 +++++++++++++++++++++++++++++++++++++--- 1 files changed, 42 insertions(+), 4 deletions(-) diff --git a/arch/x86/oprofile/backtrace.c b/arch/x86/oprofile/backtrace.c index 044897b..829edf0 100644 --- a/arch/x86/oprofile/backtrace.c +++ b/arch/x86/oprofile/backtrace.c @@ -11,6 +11,8 @@ #include <linux/oprofile.h> #include <linux/sched.h> #include <linux/mm.h> +#include <linux/highmem.h> + #include <asm/ptrace.h> #include <asm/uaccess.h> #include <asm/stacktrace.h> 
@@ -47,6 +49,42 @@ static struct stacktrace_ops backtrace_ops = { .address = backtrace_address, }; +/* from arch/x86/kernel/cpu/perf_event.c: */ + +/* + * best effort, GUP based copy_from_user() that assumes IRQ or NMI context + */ +static unsigned long +copy_from_user_nmi(void *to, const void __user *from, unsigned long n) +{ + unsigned long offset, addr = (unsigned long)from; + unsigned long size, len = 0; + struct page *page; + void *map; + int ret; + + do { + ret = __get_user_pages_fast(addr, 1, 0, &page); + if (!ret) + break; + + offset = addr & (PAGE_SIZE - 1); + size = min(PAGE_SIZE - offset, n - len); + + map = kmap_atomic(page, KM_USER0); + memcpy(to, map+offset, size); + kunmap_atomic(map, KM_USER0); + put_page(page); + + len += size; + to += size; + addr += size; + + } while (len < n); + + return len; +} + struct frame_head { struct frame_head *bp; unsigned long ret; @@ -54,12 +92,12 @@ struct frame_head { static struct frame_head *dump_user_backtrace(struct frame_head *head) { + /* Also check accessibility of one struct frame_head beyond: */ struct frame_head bufhead[2]; + unsigned long bytes; - /* Also check accessibility of one struct frame_head beyond */ - if (!access_ok(VERIFY_READ, head, sizeof(bufhead))) - return NULL; - if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead))) + bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead)); + if (bytes != sizeof(bufhead)) return NULL; oprofile_add_trace(bufhead[0].ret); -- 1.7.7 |
From: <gr...@su...> - 2011-12-13 22:42:34
|
This is a note to let you know that I've just added the patch titled [PATCH 2/3] oprofile, x86: Fix nmi-unsafe callgraph support to the 2.6.32-longterm tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/longterm/longterm-queue-2.6.32.git;a=summary The filename of the patch is: oprofile-x86-fix-nmi-unsafe-callgraph-support.patch and it can be found in the queue-2.6.32 subdirectory. If you, or anyone else, feels it should not be added to the 2.6.32 longterm tree, please let <st...@vg...> know about it. >From rob...@am... Tue Dec 13 14:38:24 2011 From: Robert Richter <rob...@am...> Date: Tue, 13 Dec 2011 00:40:35 +0100 Subject: [PATCH 2/3] oprofile, x86: Fix nmi-unsafe callgraph support To: Greg KH <gr...@kr...> Cc: <st...@vg...>, oprofile-list <opr...@li...> Message-ID: <132...@am...> 
From: Robert Richter <rob...@am...> commit a0e3e70243f5b270bc3eca718f0a9fa5e6b8262e upstream. Backport for stable kernel v2.6.32.y to v2.6.36.y. Current oprofile's x86 callgraph support may trigger page faults throwing the BUG_ON(in_nmi()) message below. This patch fixes this by using the same nmi-safe copy-from-user code as in perf. ------------[ cut here ]------------ kernel BUG at .../arch/x86/kernel/traps.c:436! invalid opcode: 0000 [#1] SMP last sysfs file: /sys/devices/pci0000:00/0000:00:0a.0/0000:07:00.0/0000:08:04.0/net/eth0/broadcast CPU 5 Modules linked in: Pid: 8611, comm: opcontrol Not tainted 2.6.39-00007-gfe47ae7 #1 Advanced Micro Device Anaheim/Anaheim RIP: 0010:[<ffffffff813e8e35>] [<ffffffff813e8e35>] do_nmi+0x22/0x1ee RSP: 0000:ffff88042fd47f28 EFLAGS: 00010002 RAX: ffff88042c0a7fd8 RBX: 0000000000000001 RCX: 00000000c0000101 RDX: 00000000ffff8804 RSI: ffffffffffffffff RDI: ffff88042fd47f58 RBP: ffff88042fd47f48 R08: 0000000000000004 R09: 0000000000001484 R10: 0000000000000001 R11: 0000000000000000 R12: ffff88042fd47f58 R13: 0000000000000000 R14: ffff88042fd47d98 R15: 0000000000000020 FS: 00007fca25e56700(0000) GS:ffff88042fd40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000074 CR3: 000000042d28b000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process opcontrol (pid: 8611, threadinfo ffff88042c0a6000, task ffff88042c532310) Stack: 0000000000000000 0000000000000001 ffff88042c0a7fd8 0000000000000000 ffff88042fd47de8 ffffffff813e897a 0000000000000020 ffff88042fd47d98 0000000000000000 ffff88042c0a7fd8 ffff88042fd47de8 0000000000000074 Call Trace: <NMI> [<ffffffff813e897a>] nmi+0x1a/0x20 [<ffffffff813f08ab>] ? 
bad_to_user+0x25/0x771 <<EOE>> Code: ff 59 5b 41 5c 41 5d c9 c3 55 65 48 8b 04 25 88 b5 00 00 48 89 e5 41 55 41 54 49 89 fc 53 48 83 ec 08 f6 80 47 e0 ff ff 04 74 04 <0f> 0b eb fe 81 80 44 e0 ff ff 00 00 01 04 65 ff 04 25 c4 0f 01 RIP [<ffffffff813e8e35>] do_nmi+0x22/0x1ee RSP <ffff88042fd47f28> ---[ end trace ed6752185092104b ]--- Kernel panic - not syncing: Fatal exception in interrupt Pid: 8611, comm: opcontrol Tainted: G D 2.6.39-00007-gfe47ae7 #1 Call Trace: <NMI> [<ffffffff813e5e0a>] panic+0x8c/0x188 [<ffffffff813e915c>] oops_end+0x81/0x8e [<ffffffff8100403d>] die+0x55/0x5e [<ffffffff813e8c45>] do_trap+0x11c/0x12b [<ffffffff810023c8>] do_invalid_op+0x91/0x9a [<ffffffff813e8e35>] ? do_nmi+0x22/0x1ee [<ffffffff8131e6fa>] ? oprofile_add_sample+0x83/0x95 [<ffffffff81321670>] ? op_amd_check_ctrs+0x4f/0x2cf [<ffffffff813ee4d5>] invalid_op+0x15/0x20 [<ffffffff813e8e35>] ? do_nmi+0x22/0x1ee [<ffffffff813e8e7a>] ? do_nmi+0x67/0x1ee [<ffffffff813e897a>] nmi+0x1a/0x20 [<ffffffff813f08ab>] ? bad_to_user+0x25/0x771 <<EOE>> Cc: John Lumby <joh...@ho...> Cc: Maynard Johnson <may...@us...> Signed-off-by: Robert Richter <rob...@am...> Signed-off-by: Greg Kroah-Hartman <gr...@su...> --- arch/x86/oprofile/backtrace.c | 46 ++++++++++++++++++++++++++++++++++++++---- 1 file changed, 42 insertions(+), 4 deletions(-) --- a/arch/x86/oprofile/backtrace.c +++ b/arch/x86/oprofile/backtrace.c @@ -11,6 +11,8 @@ #include <linux/oprofile.h> #include <linux/sched.h> #include <linux/mm.h> +#include <linux/highmem.h> + #include <asm/ptrace.h> #include <asm/uaccess.h> #include <asm/stacktrace.h> 
@@ -47,6 +49,42 @@ static struct stacktrace_ops backtrace_o .address = backtrace_address, }; +/* from arch/x86/kernel/cpu/perf_event.c: */ + +/* + * best effort, GUP based copy_from_user() that assumes IRQ or NMI context + */ +static unsigned long +copy_from_user_nmi(void *to, const void __user *from, unsigned long n) +{ + unsigned long offset, addr = (unsigned long)from; + unsigned long size, len = 0; + struct page *page; + void *map; + int ret; + + do { + ret = __get_user_pages_fast(addr, 1, 0, &page); + if (!ret) + break; + + offset = addr & (PAGE_SIZE - 1); + size = min(PAGE_SIZE - offset, n - len); + + map = kmap_atomic(page, KM_USER0); + memcpy(to, map+offset, size); + kunmap_atomic(map, KM_USER0); + put_page(page); + + len += size; + to += size; + addr += size; + + } while (len < n); + + return len; +} + struct frame_head { struct frame_head *bp; unsigned long ret; 
@@ -54,12 +92,12 @@ struct frame_head { static struct frame_head *dump_user_backtrace(struct frame_head *head) { + /* Also check accessibility of one struct frame_head beyond: */ struct frame_head bufhead[2]; + unsigned long bytes; - /* Also check accessibility of one struct frame_head beyond */ - if (!access_ok(VERIFY_READ, head, sizeof(bufhead))) - return NULL; - if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead))) + bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead)); + if (bytes != sizeof(bufhead)) return NULL; oprofile_add_trace(bufhead[0].ret); Patches currently in longterm-queue-2.6.32 which might be from rob...@am... are /home/gregkh/linux/longterm/longterm-queue-2.6.32/queue-2.6.32/oprofile-x86-fix-nmi-unsafe-callgraph-support.patch /home/gregkh/linux/longterm/longterm-queue-2.6.32/queue-2.6.32/oprofile-free-potentially-owned-tasks-in-case-of-errors.patch /home/gregkh/linux/longterm/longterm-queue-2.6.32/queue-2.6.32/oprofile-fix-locking-dependency-in-sync_start.patch /home/gregkh/linux/longterm/longterm-queue-2.6.32/queue-2.6.32/oprofile-x86-fix-crash-when-unloading-module-timer-mode.patch /home/gregkh/linux/longterm/longterm-queue-2.6.32/queue-2.6.32/export-__get_user_pages_fast-function.patch |
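Review bot: In the @@ -47,6 +49,42 @@ hunk, copy_from_user_nmi() is documented as assuming IRQ or NMI context, yet it maps the page with kmap_atomic(page, KM_USER0). With typed kmap slots, KM_USER0 is the slot process-context code normally takes, so on a highmem (32-bit) configuration an NMI that arrives while the interrupted code holds a KM_USER0 mapping would reuse the same per-CPU slot and remap it underneath that code. Please use a slot reserved for NMI context if this tree provides one, or add a comment explaining why KM_USER0 cannot be live when the sample fires.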
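Review bot: The @@ -54,12 +92,12 @@ hunk drops the access_ok(VERIFY_READ, head, sizeof(bufhead)) check in dump_user_backtrace() and nothing visible in copy_from_user_nmi() replaces it, so rejecting a frame pointer that points outside user space now rests entirely on __get_user_pages_fast(), which is not shown here. head is taken from the profiled task's frame chain and is therefore user-controlled; either keep an explicit range check in front of the copy, or state in the new comment that __get_user_pages_fast() performs the address validation so the dependency is not lost in a later change.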
From: Robert R. <rob...@am...> - 2011-12-12 23:40:50
|
Fix for stable kernels v2.6.28.y to v2.6.34.y. This patch is for .32.

Oprofile crashes while unloading modules and if in timer mode. Timer mode is the fallback if the architectural initialization fails. The pointer variable model is then used uninitialized during exit causing a NULL pointer dereference. It can be triggered with kernel parameters oprofile.timer=1 nolapic used. Happens esp. in virtual machine environments.

oprofile: using timer interrupt. BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 IP: [<ffffffffa000251f>] op_nmi_exit+0x3d/0x4a [oprofile] PGD 42ac5e067 PUD 42ac5d067 PMD 0 Oops: 0000 [#1] PREEMPT SMP last sysfs file: /sys/module/oprofile/refcnt CPU 0 Modules linked in: oprofile(-) Pid: 2245, comm: modprobe Not tainted 2.6.32.21-oprofile-x86_64-debug-00038-gf4db115 #69 Anaheim RIP: 0010:[<ffffffffa000251f>] [<ffffffffa000251f>] op_nmi_exit+0x3d/0x4a [oprofile] RSP: 0018:ffff88042d4f9ec8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffffffa0005590 RCX: ffff88042d4f9ea8 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 RBP: ffff88042d4f9ec8 R08: ffff88042d4f9ee8 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000080 R13: 00000000fffffff5 R14: 0000000000000001 R15: 00000000006101e0 FS: 00007fef6ac9c700(0000) GS:ffff880028200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000028 CR3: 000000042ac60000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process modprobe (pid: 2245, threadinfo ffff88042d4f8000, task ffff88042cd66040) Stack: ffff88042d4f9ed8 ffffffffa0002096 ffff88042d4f9ee8 ffffffffa0003bbb <0> ffff88042d4f9f78 ffffffff810748ad 656c69666f72706f 00007fff77a07800 <0> ffff88042d4f9f28 ffffffff81068414 000000000060f180 0000000000000000 Call Trace: [<ffffffffa0002096>] oprofile_arch_exit+0xe/0x10 [oprofile]
[<ffffffffa0003bbb>] oprofile_exit+0x13/0x15 [oprofile] [<ffffffff810748ad>] sys_delete_module+0x1cd/0x244 [<ffffffff81068414>] ? trace_hardirqs_on_caller+0x114/0x13f [<ffffffff8143ad47>] ? trace_hardirqs_on_thunk+0x3a/0x3f [<ffffffff8100b13b>] system_call_fastpath+0x16/0x1b Code: 48 c7 c7 90 4e 00 a0 e8 e7 15 22 e1 48 c7 c7 e0 4e 00 a0 e8 bd 18 22 e1 48 c7 c7 70 4e 00 a0 e8 94 4e 41 e1 48 8b 05 d1 39 00 00 <48> 8b 40 28 48 85 c0 74 02 ff d0 c9 c3 55 48 89 e5 e8 cb 88 00 RIP [<ffffffffa000251f>] op_nmi_exit+0x3d/0x4a [oprofile] RSP <ffff88042d4f9ec8> CR2: 0000000000000028 ---[ end trace 18b12420ceb19193 ]--- Signed-off-by: Robert Richter <rob...@am...> --- arch/x86/oprofile/nmi_int.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/x86/oprofile/nmi_int.c b/arch/x86/oprofile/nmi_int.c index ca6b336..8f0e49b 100644 --- a/arch/x86/oprofile/nmi_int.c +++ b/arch/x86/oprofile/nmi_int.c @@ -750,12 +750,12 @@ int __init op_nmi_init(struct oprofile_operations *ops) void op_nmi_exit(void) { - if (using_nmi) { - exit_sysfs(); + if (!using_nmi) + return; + exit_sysfs(); #ifdef CONFIG_SMP - unregister_cpu_notifier(&oprofile_cpu_nb); + unregister_cpu_notifier(&oprofile_cpu_nb); #endif - } if (model->exit) model->exit(); } -- 1.7.7 |
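Review bot: In op_nmi_exit(), model->exit is still dereferenced with no check on model itself after the new early return, so the fix is only correct if using_nmi can never be set while model is unset; op_nmi_init() is outside this hunk, so that invariant cannot be confirmed from the patch. Please add a one-line comment stating it, or test model before model->exit, so the exit path is safe on its own. The changelog also carries no "commit ... upstream." line, unlike the other backports on this page; say explicitly if this fix is specific to the stable trees.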