Opened 7 days ago

Closed 6 days ago

Last modified 6 days ago

#19417 closed bug (fixed)

Panic in map_backing_store() on low memory

Reported by: korli Owned by: nobody
Priority: normal Milestone: R1/beta6
Component: System/Kernel Version: R1/Development
Keywords: Cc:
Blocked By: Blocking:
Platform: x86-64

Description

self-built hrev58638 on Qemu with 6G memory, running the executable: 

export DISABLE_ASLR=1
Sanitizer-x86_64-Test --gtest_filter=SanitizerCommon.*

kernel panic, always reproducible. 

slab memory manager: created area 0xffffffffa1801000 (9321)
slab memory manager: created area 0xffffffffa2001000 (32254)
slab memory manager: created area 0xffffffffa2801000 (49300)
0xffffffffa22d63e0->VMAnonymousCache::_Commit(262144): Failed to reserve 262144 bytes of RAM
Last message repeated 8812 times.
vm_page_fault: vm_soft_fault returned error 'Bad address' on fault at 0x48, ip 0xffffffff8013e819, write 1, kernel, exec 0, thread 0x169
PANIC: vm_page_fault: unhandled page fault in kernel space at 0x48, ip 0xffffffff8013e819

Welcome to Kernel Debugging Land...
Thread 361 "Sanitizer-x86_64-Test" running on CPU 0
stack trace for thread 361 "Sanitizer-x86_64-Test"
    kernel stack: 0xffffffff81c7d000 to 0xffffffff81c82000
      user stack: 0x00007f0000084000 to 0x00007f0001084000
frame                       caller             <image>:function + offset
 0 ffffffff81c813c0 (+  32) ffffffff8015d2f0   <kernel_x86_64> arch_debug_call_with_fault_handler + 0x1a
 1 ffffffff81c81410 (+  80) ffffffff800bb618   <kernel_x86_64> debug_call_with_fault_handler + 0x78
 2 ffffffff81c81470 (+  96) ffffffff800bce71   <kernel_x86_64> kernel_debugger_loop(char const*, char const*, __va_list_tag*, int) + 0x101
 3 ffffffff81c814c0 (+  80) ffffffff800bd22e   <kernel_x86_64> kernel_debugger_internal(char const*, char const*, __va_list_tag*, int) + 0x6e
 4 ffffffff81c815b0 (+ 240) ffffffff800bd5f7   <kernel_x86_64> panic + 0xc7
 5 ffffffff81c816b0 (+ 256) ffffffff80143168   <kernel_x86_64> vm_page_fault + 0x2b8
 6 ffffffff81c816f0 (+  64) ffffffff801698ae   <kernel_x86_64> x86_page_fault_exception + 0x18e
 7 ffffffff81c81a78 (+ 904) ffffffff8015ebec   <kernel_x86_64> int_bottom + 0x80
kernel iframe at 0xffffffff81c81a78 (end = 0xffffffff81c81b40)
 rax 0x0                   rbx 0xffffffff9fe48bf8    rcx 0x169
 rdx 0xffffffff9fbb9840    rsi 0x0                   rdi 0xffffffff820083a8
 rbp 0xffffffff81c81bc0     r8 0x9                    r9 0x3
 r10 0xffffffffa2003628    r11 0xffffffffa2001000    r12 0x0
 r13 0xffffffffa22d63e0    r14 0x3                   r15 0x0
 rip 0xffffffff8013e819    rsp 0xffffffff81c81b40 rflags 0x10246
 vector: 0xe, error code: 0x2
 8 ffffffff81c81bc0 (+ 328) ffffffff8013e819   <kernel_x86_64> map_backing_store(VMAddressSpace*, VMCache*, long, char const*, unsigned long, int, int, int, int, unsigned int, virtual_address_restrictions const*, bool, VMArea**, void**) + 0xd9
 9 ffffffff81c81d10 (+ 336) ffffffff8013f4e4   <kernel_x86_64> vm_create_anonymous_area + 0x3d4
10 ffffffff81c81e40 (+ 304) ffffffff801411ad   <kernel_x86_64> _vm_map_file(int, char const*, void**, unsigned int, unsigned long, unsigned int, unsigned int, bool, int, long, bool) + 0x3fd
11 ffffffff81c81f00 (+ 192) ffffffff8014193e   <kernel_x86_64> _user_map_file + 0x11e
12 ffffffff81c81f30 (+  48) ffffffff8015eeef   <kernel_x86_64> x86_64_syscall_entry + 0xfb
user iframe at 0xffffffff81c81f30 (end = 0xffffffff81c81ff8)
 rax 0xd4                  rbx 0x50d158d80000        rcx 0x15282bc
 rdx 0x1                   rsi 0x7f0001075c38        rdi 0x6c0e06
 rbp 0x40000                r8 0x3                    r9 0x1
 r10 0x40000               r11 0x216                 r12 0x50d158d80000
 r13 0x100100083f00        r14 0x50d158d80000        r15 0x20000
 rip 0x15282bc             rsp 0x7f0001075c08     rflags 0x216
 vector: 0x63, error code: 0x0
13 0000000000040000 (+   0) 00000000015282bc   </boot/system/lib/libroot.so> _kern_map_file + 0x0c
0000000000040000 -- read fault

Attachments (1)

Sanitizer-x86_64-Test.xz (2.1 MB ) - added by korli 7 days ago.
xz compressed Test executable

Change History (6)

by korli, 7 days ago

Attachment: Sanitizer-x86_64-Test.xz added

xz compressed Test executable

comment:1 by X512, 7 days ago

0xffffffffa22d63e0->VMAnonymousCache::_Commit(262144): Failed to reserve 262144 bytes of RAM

Last message repeated 8812 times.

Should be related to kernel bug with underestimating used physical memory. For example page translation table memory is not accounted yet.

comment:2 by waddlesplash, 7 days ago

I don't think those problems are relevant here. Those commit errors mean we failed to reserve memory, while the pages used accounting problems would manifest as failures to reserve or allocate pages later. This looks like we have a missing OOM case in map_backing_store, should be a straightforward fix.

comment:3 by waddlesplash, 6 days ago

I need to use DISABLE_ASLR=1 in order to not get the test to fail here: 

[   283] map_file("sanitizer mmap", [0x0], B_RANDOMIZED_ANY_ADDRESS, 0x20000000000, B_READ_AREA|B_WRITE_AREA|
B_OVERCOMMITTING_AREA, 0x1, true, 0xffffffff, 0x0) = 0x80000000 ([0x0]) (359 us)

That appears to be 2 TB of address space. I guess ASLR means we fill in the address space too much to fit such a large area?

comment:4 by waddlesplash, 6 days ago

Milestone: UnscheduledR1/beta6
Resolution: fixed
Status: newclosed

I didn't manage to get this to reproduce under a DEBUG=1 build, but the disassembly showed that the next instruction was "test %hrev12, %hrev12", and 0x48==72==offsetof(area, protection_max), so the cause seemed obvious. Fixed in hrev58642.

comment:5 by korli, 6 days ago

yeah DISABLE_ASLR=1 was needed, see the bug description. I confirm it's fixed. Thanks!

Note: See TracTickets for help on using tickets.