Re: Bug: fio traps into kernel without exiting because futex has a deadloop
- From: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
- Date: Thu, 11 Jun 2009 08:18:48 +0200
On Thu, 2009-06-11 at 07:55 +0200, Peter Zijlstra wrote:
On Thu, 2009-06-11 at 11:08 +0800, Zhang, Yanmin wrote:
I investigate a fio hang issue. When I run fio multi-process
testing on many disks, fio traps into kernel and doesn't exit
(mostly hit once after runing sub test cases for hundreds of times).
Oprofile data shows kernel consumes time with some futex functions.
Command kill couldn't kill the process and machine reboot also hangs.
Eventually, I locate the root cause as a bug of futex. Kernel enters
a deadloop between 'retry' and 'goto retry' in function futex_wake_op.
By unknown reason (might be an issue of fio or glibc), parameter uaddr2
points to an area which is READONLY. So futex_atomic_op_inuser returns
-EFAULT when trying to changing the data at uaddr2, but later get_user
still succeeds becasue the area is READONLY. Then go back to retry.
I create a simple test case to trigger it, which just shmat an READONLY
area for address uaddr2.
It could be used as a DOS attack.
/me has morning juice and notices he sent the wrong commit...
commit 64d1304a64477629cb16b75491a77bafe6f86963
Author: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Date: Mon May 18 21:20:10 2009 +0200
futex: setup writeable mapping for futex ops which modify user space data
The futex code installs a read only mapping via get_user_pages_fast()
even if the futex op function has to modify user space data. The
eventual fault was fixed up by futex_handle_fault() which walked the
VMA with mmap_sem held.
After the cleanup patches which removed the mmap_sem dependency of the
futex code commit 4dc5b7a36a49eff97050894cf1b3a9a02523717 (futex:
clean up fault logic) removed the private VMA walk logic from the
futex code. This change results in a stale RO mapping which is not
fixed up.
Instead of reintroducing the previous fault logic we set up the
mapping in get_user_pages_fast() read/write for all operations which
modify user space data. Also handle private futexes in the same way
and make the current unconditional access_ok(VERIFY_WRITE) depend on
the futex op.
Reported-by: Andreas Schwab <schwab@xxxxxxxxxxxxxx>
Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
CC: stable@xxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
- Follow-Ups:
- Re: Bug: fio traps into kernel without exiting because futex has a deadloop
- From: Zhang, Yanmin
- Re: Bug: fio traps into kernel without exiting because futex has a deadloop
- From: Darren Hart
- Re: Bug: fio traps into kernel without exiting because futex has a deadloop
- References:
- Bug: fio traps into kernel without exiting because futex has a deadloop
- From: Zhang, Yanmin
- Re: Bug: fio traps into kernel without exiting because futex has a deadloop
- From: Peter Zijlstra
- Bug: fio traps into kernel without exiting because futex has a deadloop
- Prev by Date: Re: [PATCH 04/19] io-controller: Modify cfq to make use of flat elevator fair queuing
- Next by Date: Re: Bug: fio traps into kernel without exiting because futex has a deadloop
- Previous by thread: Re: Bug: fio traps into kernel without exiting because futex has a deadloop
- Next by thread: Re: Bug: fio traps into kernel without exiting because futex has a deadloop
- Index(es):
Relevant Pages
|
