On Tue, Aug 08, 2017 at 03:57:32PM +0100, Mark Rutland wrote: > The below test case fires for me in a few seconds on an arm64 platform, > triggering the kernel BUG at kernel/futex.c:679. If left running for longer, I > then get a stream of other BUGs that I believe are a result of the first > issue.
Likewise on v4.12 x86_64: [2503756.486650] ------------[ cut here ]------------ [2503756.491450] WARNING: CPU: 0 PID: 21380 at kernel/futex.c:679 get_futex_key+0x2d8/0x330 [2503756.499527] Modules linked in: [2503756.502754] CPU: 0 PID: 21380 Comm: futex-test Not tainted 4.12.0+ #14 [2503756.509441] Hardware name: LENOVO 7484A3G/LENOVO, BIOS 5CKT54AUS 09/07/2009 [2503756.516561] task: ffff9696e9abc800 task.stack: ffffa72c8637c000 [2503756.522648] RIP: 0010:get_futex_key+0x2d8/0x330 [2503756.527344] RSP: 0018:ffffa72c8637fcd8 EFLAGS: 00010246 [2503756.532734] RAX: 0000000000000000 RBX: ffffa72c8637fd88 RCX: ffff9696c618e690 [2503756.540025] RDX: ffffd98dc68b5f00 RSI: ffff9696c618e528 RDI: 0000000000000000 [2503756.547319] RBP: ffffa72c8637fd10 R08: ffff9696c618e670 R09: ffffa72c8637fc9c [2503756.554609] R10: 0000008000000000 R11: ffff9696e5f65a58 R12: 00007f595cf4a000 [2503756.561900] R13: 0000000000000000 R14: 0000000000000001 R15: ffff9696e5fa4000 [2503756.569191] FS: 00007f595b759700(0000) GS:ffff9696fec00000(0000) knlGS:0000000000000000 [2503756.577439] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [2503756.583347] CR2: 00007f595cf4a000 CR3: 00000001a5e1d000 CR4: 00000000000406f0 [2503756.590646] Call Trace: [2503756.593265] ? iput+0x85/0x1d0 [2503756.596491] futex_requeue+0x101/0x880 [2503756.600410] do_futex+0xbe/0xa00 [2503756.603810] ? pick_next_entity+0xa0/0x150 [2503756.608073] ? pick_next_task_fair+0x3fc/0x460 [2503756.612685] SyS_futex+0x6c/0x150 [2503756.616169] ? schedule+0x31/0x80 [2503756.619657] ? exit_to_usermode_loop+0x27/0x72 [2503756.624267] entry_SYSCALL_64_fastpath+0x13/0x94 [2503756.629051] RIP: 0033:0x7f595c84e4e9 [2503756.632795] RSP: 002b:00007f595b758e78 EFLAGS: 00000202 ORIG_RAX: 00000000000000ca [2503756.640521] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f595c84e4e9 [2503756.647813] RDX: 0000000000000001 RSI: 000000000000000c RDI: 00007f595cf4a000 [2503756.655109] RBP: 00007f595b758ec0 R08: 00007f595cf4a004 R09: 0000000000000001 [2503756.662401] R10: 0000000000000000 R11: 0000000000000202 R12: 00007f595cb2e880 [2503756.669693] R13: 00007f595b7599c0 R14: 0000000000000000 R15: 0000000000000003 [2503756.676986] Code: 83 ef 01 e9 ea fd ff ff 48 8d 78 ff e9 20 fe ff ff e8 7d 6d 06 00 eb a7 b8 ea ff ff ff e9 35 fe ff ff 48 8d 78 ff e9 d9 fe ff ff <0f> ff 48 8b 7d d0 e8 4d f3 ff ff e9 7f fd ff ff 0f ff 48 89 f7 [2503756.695988] ---[ end trace adb5ba028949a89a ]--- Thanks, Mark > ---->8---- > #include <linux/futex.h> > #include <pthread.h> > #include <stdio.h> > #include <stdlib.h> > #include <sys/mman.h> > #include <sys/syscall.h> > #include <sys/time.h> > #include <unistd.h> > > #define NR_FUTEX_THREADS 16 > > pthread_t threads[NR_FUTEX_THREADS]; > > void *mem; > > #define MEM_PROT (PROT_READ | PROT_WRITE) > #define MEM_SIZE 65536 > > static int futex_wrapper(int *uaddr, int op, int val, > const struct timespec *timeout, > int *uaddr2, int val3) > { > syscall(SYS_futex, uaddr, op, val, timeout, uaddr2, val3); > } > > void *poll_futex(void *unused) > { > for (;;) { > futex_wrapper(mem, FUTEX_CMP_REQUEUE_PI, 1, NULL, mem + 4, 1); > } > } > > int main(int argc, char *argv[]) > { > int i; > > mem = mmap(NULL, MEM_SIZE, MEM_PROT, > MAP_SHARED | MAP_ANONYMOUS, -1, 0); > > printf("Mapping @ %p\n", mem); > > printf("Creating futex threads...\n"); > > for (i = 0; i < NR_FUTEX_THREADS; i++) > pthread_create(&threads[i], NULL, poll_futex, NULL); > > printf("Flipping mapping...\n"); > for (;;) { > mmap(mem, MEM_SIZE, MEM_PROT, > MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0); > } > > return 0; > }