On Mon, Oct 14, 2013 at 02:28:30PM -0700, Paul E. McKenney wrote:
> On Mon, Oct 14, 2013 at 10:53:03AM -0700, Linus Torvalds wrote:
> > Hmm. No obvious ideas come to mind, but I'm adding more people to the cc.
> > 
> > Clearly the wait_event_interruptible_timeout() in the RCU grace-period
> > thread causes this, but I'm not seeing why shutdown would trigger it.
> > 
> > The code disassembles to
> > 
> >    0: 85 db                 test   %ebx,%ebx
> >    2: 79 0c                 jns    0x10
> >    4: 81 e6 ff 00 00 00     and    $0xff,%esi
> >    a: 8d 44 f0 30           lea    0x30(%eax,%esi,8),%eax
> >    e: eb 0a                 jmp    0x1a
> >   10: c1 e9 1a             shr    $0x1a,%ecx
> >   13: 8d 84 c8 30 0e 00 00 lea    0xe30(%eax,%ecx,8),%eax
> >   1a: 8b 48 04             mov    0x4(%eax),%ecx
> >   1d: 89 50 04             mov    %edx,0x4(%eax)
> >   20: 89 02                 mov    %eax,(%edx)
> >   22: 89 4a 04             mov    %ecx,0x4(%edx)
> >   25:* 89 11                 mov    %edx,(%ecx) <-- trapping instruction
> >   27: 5b                   pop    %ebx
> >   28: 5e                   pop    %esi
> >   29: 5d                   pop    %ebp
> >   2a: c3                   ret
> > 
> > so the oops is in the final
> > 
> >         list_add_tail(&timer->entry, vec);
> > 
> > where "%ecx" is "vec->prev" (f8c551f4). That looks like it might be a
> > perfectly valid pointer, but clearly it isn't (it's about 115M off the
> > top of virtual memory, I think that might be in the vmalloc area).
> > 
> > So I'm *guessing* that something did a vfree() on some data structure
> > that contained active timers - and then later on the RCU thread ended
> > up being the next thing that tried to add a timer after the
> > now-non-existing one.
> > 
> > And your other oopses do seem to have a similar pattern, even if their
> > actual oops is elsewhere. They oops in run_timer_softirq, also taking
> > a page fault in the 0xf9...... range, so it might well be a vmalloc
> > address there too.
> > 
> > But I sure as hell can't start to guess what that would be.
> > 
> > I'm wondering it CONFIG_DEBUG_OBJECTS (and then
> > CONFIG_DEBUG_OBJECTS_FREE=y and CONFIG_DEBUG_OBJECTS_TIMERS=y) might
> > help catch this...
> 
> I would also like to nominate CONFIG_DEBUG_OBJECTS_RCU_HEAD=y, which
> checks for invoking call_rcu() twice in a row on the same rcu_head.
> 
> Any chance of a look at the .config file?

Yeah it would be nice to get the .config.

Looks like the problem happens on timer softirq during timers callback 
execution.
The two previous reports from Knut seem to be about the same.

I've been thinking that CONFIG_DEBUG_LIST could help. Unfortunately it's good
to spot list APIs misuse but, if Linus is right, the problem may be that the 
list
belongs to an object that has been freed, and I believe that won't detect such 
a thing.

Still it would be nice to try it, in case we are missing some list misuse.

Also knut, do you have a serial line?

If so may be looking at the timer events may help. Could you try to enable the 
following
timer events?

      echo 1 > /sys/kernel/debug/tracing/events/timer/timer_cancel
      echo 1 > /sys/kernel/debug/tracing/events/timer/timer_expire_entry
      echo 1 > /sys/kernel/debug/tracing/events/timer/timer_expire_exit
      echo 1 > /sys/kernel/debug/tracing/events/timer/timer_init
      echo 1 > /sys/kernel/debug/tracing/events/timer/timer_start

And also enable ftrace_dump_on_oops:

      sysctl kernel.ftrace_dump_on_oops=1

We may have some interesting clues about who manipulated the timer list last 
before
the oops happened.

Thanks!
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Reply via email to