mount using 100% CPU #121

Dmole · 2012-09-23T04:34:28Z

https://bugs.launchpad.net/raspbian/+bug/1054768

popcornmix · 2012-09-23T09:53:28Z

I think you will need to provide more evidence that this is a linux kernel bug.
Is the encrypted filesystem on sdcard or USB disk or something else?

Dmole · 2012-09-24T19:16:33Z

If you can't kill something it's likely not a user space problem.
but just to be sure I installed the old image and reproduced the problem after updating the kernel but no packages;

dd bs=1m if=2012-08-16-wheezy-raspbian.img of=/dev/rdisk3
#booted, resized root, rebooted
apt-get install git lvm2 cryptsetup
wget http://goo.gl/1BOfJ -O /usr/bin/rpi-update;
chmod +x /usr/bin/rpi-update; rpi-update 240;
shutdown now -r;
vgimport vg_right
vgchange -ay vg_right
cryptsetup luksOpen /dev/vg_right/lv_right crypt_right
mount /dev/mapper/crypt_right /media/right

nasty hang where before there was non.

I don't have a backup of the intermediate kernel that had XTS support but no mount problems, but I'll try checking out a few different commits from git to see if I can find out which one was the regression.

Dmole · 2012-09-24T23:58:57Z

using git clone http://github.com/Hexxeh/rpi-firmware.git
I have narrowed down where the regression is/was:

Current HEAD fails (mount hangs) (kernel.img md5sum 81282fe2ad1d3fb1ac967f37a08ede74)
commit fa03a4070e42ba7d0c632debbe87bdd809ff9e2a
Date: Sat Sep 1 01:04:11 2012 +0100

...9 commits...

fails (kernel.img md5sum 832534b281dd72cf5ed89d0feef78865)
commit 424079987166d37652236988f691bbe00f58ba6f
Date: Sun Aug 19 12:48:04 2012 +0100

won't boot (kernel.img md5sum aa4de6903ce9c5a9489ffe2fff2c5706) (Rebase to kernel 3.2.27)
commit 0ef3d91e613a3d8db5debbd7eb8105071bfcb9be
Date: Sat Aug 18 15:30:25 2012 +0100

won't boot (kernel.img md5sum 2c3ace3249aabc90d5dae39332bd269b)
commit 800d33e6f1284d8ef4f255c35017b32e5a118bda
Date: Fri Aug 17 23:55:17 2012 +0100

WORKS (kernel.img md5sum 2c3ace3249aabc90d5dae39332bd269b)
commit 8c628900aabe4a15743d8a11cb6169ad0bf1918e
Date: Fri Aug 17 18:29:51 2012 +0100

WORKS First kernel i can test with (XTS support)
commit 8ddf43766192b3c7549262b376bb4d840a610ff7
Date: Wed Aug 15 21:25:43 2012 +0100

so kernel 3.2.27 is likely the culprit

popcornmix · 2012-09-25T00:17:23Z

Thanks for investigating.
Unfortunately if it is the change to 3.2.27, it is not a Raspberry Pi specific change, and is may be an upstream bug.
Might be worth searching for any reports of this problem on other platforms.

Dmole · 2012-09-25T00:59:12Z

Yes it's likely upstream, As pointed out in the link of the first post there are similar but not identical mount problems in other distributions. maybe we should use a more stable branch for the official build?

Also this repo is not listed as down stream of anything on github, so should I assume it's re-basing off https://github.com/torvalds/linux ?

Any pointers on where to look for the problem code?

…/ entries map_files/ entries are never supposed to be executed, still curious minds might try to run them, which leads to the following deadlock ====================================================== [ INFO: possible circular locking dependency detected ] 3.4.0-rc4-24406-g841e6a6 #121 Not tainted ------------------------------------------------------- bash/1556 is trying to acquire lock: (&sb->s_type->i_mutex_key#8){+.+.+.}, at: do_lookup+0x267/0x2b1 but task is already holding lock: (&sig->cred_guard_mutex){+.+.+.}, at: prepare_bprm_creds+0x2d/0x69 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&sig->cred_guard_mutex){+.+.+.}: validate_chain+0x444/0x4f4 __lock_acquire+0x387/0x3f8 lock_acquire+0x12b/0x158 __mutex_lock_common+0x56/0x3a9 mutex_lock_killable_nested+0x40/0x45 lock_trace+0x24/0x59 proc_map_files_lookup+0x5a/0x165 __lookup_hash+0x52/0x73 do_lookup+0x276/0x2b1 walk_component+0x3d/0x114 do_last+0xfc/0x540 path_openat+0xd3/0x306 do_filp_open+0x3d/0x89 do_sys_open+0x74/0x106 sys_open+0x21/0x23 tracesys+0xdd/0xe2 -> #0 (&sb->s_type->i_mutex_key#8){+.+.+.}: check_prev_add+0x6a/0x1ef validate_chain+0x444/0x4f4 __lock_acquire+0x387/0x3f8 lock_acquire+0x12b/0x158 __mutex_lock_common+0x56/0x3a9 mutex_lock_nested+0x40/0x45 do_lookup+0x267/0x2b1 walk_component+0x3d/0x114 link_path_walk+0x1f9/0x48f path_openat+0xb6/0x306 do_filp_open+0x3d/0x89 open_exec+0x25/0xa0 do_execve_common+0xea/0x2f9 do_execve+0x43/0x45 sys_execve+0x43/0x5a stub_execve+0x6c/0xc0 This is because prepare_bprm_creds grabs task->signal->cred_guard_mutex and when do_lookup happens we try to grab task->signal->cred_guard_mutex again in lock_trace. Fix it using plain ptrace_may_access() helper in proc_map_files_lookup() and in proc_map_files_readdir() instead of lock_trace(), the caller must be CAP_SYS_ADMIN granted anyway. Signed-off-by: Cyrill Gorcunov <[email protected]> Reported-by: Sasha Levin <[email protected]> Cc: Konstantin Khlebnikov <[email protected]> Cc: Pavel Emelyanov <[email protected]> Cc: Dave Jones <[email protected]> Cc: Vasiliy Kulikov <[email protected]> Cc: Oleg Nesterov <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Linus Torvalds <[email protected]>

Dmole · 2013-06-07T02:58:23Z

This is now fixed ( tested in kernel 3.6.11 )

[ Upstream commit 80bf6ce ] When we get into activate_mm(), lockdep complains that we're doing something strange: WARNING: possible circular locking dependency detected 5.1.0-10252-gb00152307319-dirty #121 Not tainted ------------------------------------------------------ inside.sh/366 is trying to acquire lock: (____ptrval____) (&(&p->alloc_lock)->rlock){+.+.}, at: flush_old_exec+0x703/0x8d7 but task is already holding lock: (____ptrval____) (&mm->mmap_sem){++++}, at: flush_old_exec+0x6c5/0x8d7 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&mm->mmap_sem){++++}: [...] __lock_acquire+0x12ab/0x139f lock_acquire+0x155/0x18e down_write+0x3f/0x98 flush_old_exec+0x748/0x8d7 load_elf_binary+0x2ca/0xddb [...] -> #0 (&(&p->alloc_lock)->rlock){+.+.}: [...] __lock_acquire+0x12ab/0x139f lock_acquire+0x155/0x18e _raw_spin_lock+0x30/0x83 flush_old_exec+0x703/0x8d7 load_elf_binary+0x2ca/0xddb [...] other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&mm->mmap_sem); lock(&(&p->alloc_lock)->rlock); lock(&mm->mmap_sem); lock(&(&p->alloc_lock)->rlock); *** DEADLOCK *** 2 locks held by inside.sh/366: #0: (____ptrval____) (&sig->cred_guard_mutex){+.+.}, at: __do_execve_file+0x12d/0x869 #1: (____ptrval____) (&mm->mmap_sem){++++}, at: flush_old_exec+0x6c5/0x8d7 stack backtrace: CPU: 0 PID: 366 Comm: inside.sh Not tainted 5.1.0-10252-gb00152307319-dirty #121 Stack: [...] Call Trace: [<600420de>] show_stack+0x13b/0x155 [<6048906b>] dump_stack+0x2a/0x2c [<6009ae64>] print_circular_bug+0x332/0x343 [<6009c5c6>] check_prev_add+0x669/0xdad [<600a06b4>] __lock_acquire+0x12ab/0x139f [<6009f3d0>] lock_acquire+0x155/0x18e [<604a07e0>] _raw_spin_lock+0x30/0x83 [<60151e6a>] flush_old_exec+0x703/0x8d7 [<601a8eb8>] load_elf_binary+0x2ca/0xddb [...] I think it's because in exec_mmap() we have down_read(&old_mm->mmap_sem); ... task_lock(tsk); ... activate_mm(active_mm, mm); (which does down_write(&mm->mmap_sem)) I'm not really sure why lockdep throws in the whole knowledge about the task lock, but it seems that old_mm and mm shouldn't ever be the same (and it doesn't deadlock) so tell lockdep that they're different. Signed-off-by: Johannes Berg <[email protected]> Signed-off-by: Richard Weinberger <[email protected]> Signed-off-by: Sasha Levin <[email protected]>

Make the pionter passing to .dispatch MAYBE_NULL

Passing a sufficient amount of imix entries leads to invalid access to the pkt_dev->imix_entries array because of the incorrect boundary check. UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24 index 20 is out of range for type 'imix_pkt [20]' CPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <TASK> dump_stack_lvl lib/dump_stack.c:117 __ubsan_handle_out_of_bounds lib/ubsan.c:429 get_imix_entries net/core/pktgen.c:874 pktgen_if_write net/core/pktgen.c:1063 pde_write fs/proc/inode.c:334 proc_reg_write fs/proc/inode.c:346 vfs_write fs/read_write.c:593 ksys_write fs/read_write.c:644 do_syscall_64 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130 Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 52a62f8 ("pktgen: Parse internet mix (imix) input") Signed-off-by: Artem Chernyshev <[email protected]> [ fp: allow to fill the array completely; minor changelog cleanup ] Signed-off-by: Fedor Pchelkin <[email protected]> Signed-off-by: David S. Miller <[email protected]>

[ Upstream commit 76201b5 ] Passing a sufficient amount of imix entries leads to invalid access to the pkt_dev->imix_entries array because of the incorrect boundary check. UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24 index 20 is out of range for type 'imix_pkt [20]' CPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <TASK> dump_stack_lvl lib/dump_stack.c:117 __ubsan_handle_out_of_bounds lib/ubsan.c:429 get_imix_entries net/core/pktgen.c:874 pktgen_if_write net/core/pktgen.c:1063 pde_write fs/proc/inode.c:334 proc_reg_write fs/proc/inode.c:346 vfs_write fs/read_write.c:593 ksys_write fs/read_write.c:644 do_syscall_64 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130 Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 52a62f8 ("pktgen: Parse internet mix (imix) input") Signed-off-by: Artem Chernyshev <[email protected]> [ fp: allow to fill the array completely; minor changelog cleanup ] Signed-off-by: Fedor Pchelkin <[email protected]> Signed-off-by: David S. Miller <[email protected]> Signed-off-by: Sasha Levin <[email protected]>

Dmole closed this as completed Jun 7, 2013

jeanlemotan mentioned this issue Feb 1, 2015

Small optimizations #781

Closed

0lxb pushed a commit to 0lxb/rpi_linux that referenced this issue Jan 30, 2024

Merge pull request raspberrypi#121 from ThinkerYzu/maybe_null

b1a0f3e

Make the pionter passing to .dispatch MAYBE_NULL

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

mount using 100% CPU #121

mount using 100% CPU #121

Dmole commented Sep 23, 2012

popcornmix commented Sep 23, 2012

Uh oh!

Dmole commented Sep 24, 2012

Uh oh!

Dmole commented Sep 24, 2012

Uh oh!

popcornmix commented Sep 25, 2012

Uh oh!

Dmole commented Sep 25, 2012

Uh oh!

Dmole commented Jun 7, 2013

Uh oh!

mount using 100% CPU #121

mount using 100% CPU #121

Comments

Dmole commented Sep 23, 2012

popcornmix commented Sep 23, 2012

Uh oh!

Dmole commented Sep 24, 2012

Uh oh!

Dmole commented Sep 24, 2012

Uh oh!

popcornmix commented Sep 25, 2012

Uh oh!

Dmole commented Sep 25, 2012

Uh oh!

Dmole commented Jun 7, 2013

Uh oh!