Bug 8476

Summary: kernel BUG at include/linux/slub_def.h:88 kmalloc_index()
Product: Memory Management
Component: Slab Allocator
Status: CLOSED CODE_FIX
Severity: low
Priority: P2
Hardware: i386
OS: Linux
Kernel Version: 2.6.22-rc1
Subsystem:
Regression: ---
Bisected commit-id:
Reporter: Cherwin R. Nooitmeer (cherwin)
Assignee: Andrew Morton (akpm)
CC: airlied, akpm, chtitux, clameter, delist, facorread, ismail, j-engel, randy.dunlap
Attachments: kernel configuration file
Boot log
dmesg, .config...
dmesg, .config...
system info

Description Cherwin R. Nooitmeer 2007-05-14 10:15:48 UTC
Most recent kernel where this bug did *NOT* occur:
None, first occurrence of SLUB

Distribution:
Debian unstable

Hardware Environment:

/proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 15
model           : 2
model name      : Intel(R) Celeron(R) CPU 2.40GHz
stepping        : 9
cpu MHz         : 2398.007
cache size      : 128 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 2
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov pat
pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe cid xtpr
bogomips        : 4797.98
clflush size    : 64

/proc/meminfo
MemTotal:       774060 kB
MemFree:         12680 kB
Buffers:         26520 kB
Cached:         348516 kB
SwapCached:        760 kB
Active:         408696 kB
Inactive:       236228 kB
SwapTotal:      498004 kB
SwapFree:       495652 kB
Dirty:             712 kB
Writeback:           0 kB
AnonPages:      269148 kB
Mapped:          81596 kB
Slab:            22912 kB
SReclaimable:    15616 kB
SUnreclaim:       7296 kB
PageTables:       2044 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:    885032 kB
Committed_AS:   533908 kB
VmallocTotal:   253912 kB
VmallocUsed:      4048 kB
VmallocChunk:   249356 kB

lspci
00:00.0 Host bridge: Intel Corporation 82852/82855 GM/GME/PM/GMV Processor to
I/O Controller (rev 02)
00:00.1 System peripheral: Intel Corporation 82852/82855 GM/GME/PM/GMV Processor
to I/O Controller (rev 02)
00:00.3 System peripheral: Intel Corporation 82852/82855 GM/GME/PM/GMV Processor
to I/O Controller (rev 02)
00:02.0 VGA compatible controller: Intel Corporation 82852/855GM Integrated
Graphics Device (rev 02)
00:02.1 Display controller: Intel Corporation 82852/855GM Integrated Graphics
Device (rev 02)
00:1d.0 USB Controller: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M)
USB UHCI Controller #1 (rev 01)
00:1d.1 USB Controller: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M)
USB UHCI Controller #2 (rev 01)
00:1d.2 USB Controller: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M)
USB UHCI Controller #3 (rev 01)
00:1d.7 USB Controller: Intel Corporation 82801DB/DBM (ICH4/ICH4-M) USB2 EHCI
Controller (rev 01)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev 81)
00:1f.0 ISA bridge: Intel Corporation 82801DBM (ICH4-M) LPC Interface Bridge
(rev 01)
00:1f.1 IDE interface: Intel Corporation 82801DBM (ICH4-M) IDE Controller (rev 01)
00:1f.5 Multimedia audio controller: Intel Corporation 82801DB/DBL/DBM
(ICH4/ICH4-L/ICH4-M) AC'97 Audio Controller (rev 01)
00:1f.6 Modem: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) AC'97
Modem Controller (rev 01)
02:01.0 Ethernet controller: Broadcom Corporation BCM4401 100Base-T (rev 01)
02:02.0 Network controller: Broadcom Corporation BCM4306 802.11b/g Wireless LAN
Controller (rev 03)
02:04.0 CardBus bridge: Texas Instruments PCI1510 PC card Cardbus Controller

Software Environment:
Linux version 2.6.22-rc1-v1.1 (root@dellstation) (gcc version 4.1.3 20070429
(prerelease) (Debian 4.1.2-6)) #3 PREEMPT Mon May 14 05:14:05 CEST 2007

lsmod:
Module                  Size  Used by
sn9c102               114948  0
gspca                 639184  0
compat_ioctl32          1280  1 sn9c102
videodev               24192  2 sn9c102,gspca
v4l1_compat            11780  1 videodev
v4l2_common            14464  2 sn9c102,videodev
i915                   18816  2
drm                    65812  3 i915
rfcomm                 28700  0
l2cap                  17668  5 rfcomm
bluetooth              39908  4 rfcomm,l2cap
ipv6                  189540  10
bcm43xx               105448  0
b44                    20876  0
yenta_socket           21260  0
rsrc_nonstatic          8320  1 yenta_socket
rng_core                3972  1 bcm43xx

gcc 4.1.3
GNU Make 3.81
ldconfig (GNU libc) 2.5

Problem Description:
The kernel prints this message during boot:

BUG: at include/linux/slub_def.h:88 kmalloc_index()
 [<c014f67f>] get_slab+0x43/0x1c6
 [<c014f875>] __kmalloc+0xc/0x57
 [<f0a7b564>] drm_rmdraw+0x0/0x27d [drm]
 [<f0a7b698>] drm_rmdraw+0x134/0x27d [drm]
 [<f0a7b564>] drm_rmdraw+0x0/0x27d [drm]
 [<f0a7c1d0>] drm_ioctl+0x144/0x18c [drm]
 [<c01265ad>] enqueue_hrtimer+0xe3/0xef
 [<c015c184>] do_ioctl+0x4c/0x64
 [<c015c3c7>] vfs_ioctl+0x22b/0x23e
 [<c015c40d>] sys_ioctl+0x33/0x4e
 [<c0103ca0>] syscall_call+0x7/0xb
 =======================

Steps to reproduce:
Enable these settings in .config
CONFIG_SLUB_DEBUG=y
CONFIG_SLUB=y
CONFIG_DRM=m
CONFIG_DRM_I915=m
Comment 1 Cherwin R. Nooitmeer 2007-05-14 10:17:28 UTC
Created attachment 11498
kernel configuration file
Comment 2 Cherwin R. Nooitmeer 2007-05-14 10:25:54 UTC
Created attachment 11499
Boot log
Comment 3 Johannes Engel 2007-05-14 11:50:18 UTC
I can confirm that, also using an Intel 945 chipset.

=====
BUG: at include/linux/slub_def.h:88 kmalloc_index()
 [<c0171eaa>] get_slab+0x43/0x1c6
 [<c01720a8>] __kmalloc+0xd/0x62
 [<c01bffa1>] copy_from_user+0x23/0x4f
 [<f9080619>] drm_rmdraw+0x126/0x24e [drm]
 [<f90804f3>] drm_rmdraw+0x0/0x24e [drm]
 [<f9081140>] drm_ioctl+0x14c/0x194 [drm]
 [<c01301e5>] autoremove_wake_function+0x0/0x35
 [<c017ee58>] do_ioctl+0x4c/0x64
 [<c017f0a1>] vfs_ioctl+0x231/0x244
 [<c01753d2>] vfs_read+0x118/0x153
 [<c017f100>] sys_ioctl+0x4c/0x68
 [<c0123f3d>] sys_gettimeofday+0x2b/0x58
 [<c0103cf2>] sysenter_past_esp+0x5f/0x85
 =======================
Comment 4 Andrew Morton 2007-05-14 13:19:21 UTC
Dave, this warning is due to DRM performing a zero-length kmalloc().

slub wants to handle that differently from slab and generally it's a sign
that something has gone wrong in the caller.  Could you please take a look,
see if we can avoid doing that?

Thanks.
Comment 5 Dave Airlie 2007-05-15 12:08:54 UTC
I know where the code is going wrong, I'm just not connected to the Internet
well enough to fix it.. I'll get to it before the end of the month hopefully..
Comment 6 Fabio Correa 2007-05-15 12:23:07 UTC
I got a BUG at the same point, but the trace has to do with the USB subsystem.
Not sure if it is worth a separate bug report, I file it here as a commentary.

Distribution: Gentoo Linux
Kernel: Vanilla-sources-2.6.22_rc1

Attachment on its way.

Hope it helps!!!
Comment 7 Fabio Correa 2007-05-15 12:32:44 UTC
Created attachment 11511
dmesg, .config...

Attachment includes: cpuinfo  dmesg  gentoo_emerge_info  kernel_config	lsmod 
lspci  lspci-vv  meminfo

BUG: at include/linux/slub_def.h:88 kmalloc_index()

Call Trace:
 [<ffffffff8027efb9>] get_slab+0x229/0x240
 [<ffffffff802805c5>] __kmalloc_track_caller+0x95/0xc0
 [<ffffffff88179f99>] :usbcore:usb_get_configuration+0x8b9/0xf70
 [<ffffffff80280553>] __kmalloc_track_caller+0x23/0xc0
 [<ffffffff8026647b>] __kzalloc+0x1b/0x50
 [<ffffffff88179f99>] :usbcore:usb_get_configuration+0x8b9/0xf70
 [<ffffffff881782ec>] :usbcore:usb_get_device_descriptor+0x7c/0xa0
 [<ffffffff8024b1ff>] mark_held_locks+0x3f/0x80
 [<ffffffff88172104>] :usbcore:usb_new_device+0x14/0x100
 [<ffffffff88172a4a>] :usbcore:hub_thread+0x32a/0xd60
 [<ffffffff804255f7>] thread_return+0x88/0x701
 [<ffffffff80243040>] autoremove_wake_function+0x0/0x30
 [<ffffffff88172720>] :usbcore:hub_thread+0x0/0xd60
 [<ffffffff88172720>] :usbcore:hub_thread+0x0/0xd60
 [<ffffffff88172720>] :usbcore:hub_thread+0x0/0xd60
 [<ffffffff80242c9b>] kthread+0x4b/0x80
 [<ffffffff8020a968>] child_rip+0xa/0x12
 [<ffffffff8020a07c>] restore_args+0x0/0x30
 [<ffffffff80242c50>] kthread+0x0/0x80
 [<ffffffff8020a95e>] child_rip+0x0/0x12
Comment 8 Fabio Correa 2007-05-15 12:33:23 UTC
Created attachment 11512
dmesg, .config...

Attachment includes: cpuinfo  dmesg  gentoo_emerge_info  kernel_config	lsmod 
lspci  lspci-vv  meminfo

BUG: at include/linux/slub_def.h:88 kmalloc_index()

Call Trace:
 [<ffffffff8027efb9>] get_slab+0x229/0x240
 [<ffffffff802805c5>] __kmalloc_track_caller+0x95/0xc0
 [<ffffffff88179f99>] :usbcore:usb_get_configuration+0x8b9/0xf70
 [<ffffffff80280553>] __kmalloc_track_caller+0x23/0xc0
 [<ffffffff8026647b>] __kzalloc+0x1b/0x50
 [<ffffffff88179f99>] :usbcore:usb_get_configuration+0x8b9/0xf70
 [<ffffffff881782ec>] :usbcore:usb_get_device_descriptor+0x7c/0xa0
 [<ffffffff8024b1ff>] mark_held_locks+0x3f/0x80
 [<ffffffff88172104>] :usbcore:usb_new_device+0x14/0x100
 [<ffffffff88172a4a>] :usbcore:hub_thread+0x32a/0xd60
 [<ffffffff804255f7>] thread_return+0x88/0x701
 [<ffffffff80243040>] autoremove_wake_function+0x0/0x30
 [<ffffffff88172720>] :usbcore:hub_thread+0x0/0xd60
 [<ffffffff88172720>] :usbcore:hub_thread+0x0/0xd60
 [<ffffffff88172720>] :usbcore:hub_thread+0x0/0xd60
 [<ffffffff80242c9b>] kthread+0x4b/0x80
 [<ffffffff8020a968>] child_rip+0xa/0x12
 [<ffffffff8020a07c>] restore_args+0x0/0x30
 [<ffffffff80242c50>] kthread+0x0/0x80
 [<ffffffff8020a95e>] child_rip+0x0/0x12
Comment 9 Christoph Lameter 2007-05-15 13:07:29 UTC
This is due to a zero sized allocation. Could you modify your code to not 
perform zero sized allocs? In the future we may have the slab allocators 
return NULL for any zero sized alloc.
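
The caller-side change requested in Comments 4 and 9, as an added userspace sketch (not code from the kernel, the DRM tree or any commenter): `size_class_index()`, `resize_ids()`, `MAX_SHIFT` and the power-of-two class layout are hypothetical names and model values. It goes slightly beyond the thread by also rejecting a `count * size` product that wraps, since that is another way a caller ends up requesting zero bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SHIFT 22 /* assumed largest class: 4 MiB (model value) */

/* Model of a size-class lookup, power-of-two classes from 8 bytes up.
 * -1 for size 0 (what WARN_ON_ONCE(size == 0) reports), -2 if too large. */
int size_class_index(size_t size)
{
    int idx = 3; /* 2^3 = 8 bytes, smallest class in this model */
    if (size == 0)
        return -1;
    if (size > ((size_t)1 << MAX_SHIFT))
        return -2;
    while (((size_t)1 << idx) < size)
        idx++;
    return idx;
}

/* Hypothetical caller: resize an ID array to `count` entries. An empty list
 * is NULL, so count == 0 frees the array and never requests zero bytes. */
int resize_ids(uint32_t **ids, size_t old_count, size_t count)
{
    uint32_t *fresh = NULL;
    size_t keep = old_count < count ? old_count : count;
    if (count > SIZE_MAX / sizeof(**ids))
        return -1; /* count * element size would wrap, possibly to 0 */
    if (count != 0) {
        if (size_class_index(count * sizeof(**ids)) < 0)
            return -1;
        fresh = calloc(count, sizeof(**ids));
        if (!fresh)
            return -1;
        if (*ids && keep)
            memcpy(fresh, *ids, keep * sizeof(**ids));
    }
    free(*ids);
    *ids = fresh;
    return 0;
}

int main(void)
{
    uint32_t *ids = NULL;
    return resize_ids(&ids, 0, 4) || resize_ids(&ids, 4, 0) || ids != NULL;
}
```

A caller written this way cannot later write through a pointer that came from a zero-byte request, because an empty list is never backed by an allocation at all.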


Comment 10 Richard Mittendorfer 2007-05-20 15:00:48 UTC
May 20 23:15:04 tp kernel: BUG: at include/linux/slub_def.h:77 kmalloc_index()
May 20 23:15:04 tp kernel: [<c01611a0>] get_slab+0x1d0/0x260
May 20 23:15:04 tp kernel: [<c01612cc>] __kmalloc+0xc/0x60
May 20 23:15:04 tp kernel: [<d0ac41bf>] drm_rmdraw+0x29f/0x2f0 [drm]
May 20 23:15:04 tp kernel: [<c01458b4>] filemap_nopage+0x164/0x380
May 20 23:15:04 tp kernel: [<c0158748>] can_share_swap_page+0x38/0x80
May 20 23:15:04 tp kernel: [<d0ac3f20>] drm_rmdraw+0x0/0x2f0 [drm]
May 20 23:15:04 tp kernel: [<d0ac4d6e>] drm_ioctl+0xae/0x200 [drm]
May 20 23:15:04 tp kernel: [<c01705a8>] do_ioctl+0x78/0x90
May 20 23:15:04 tp kernel: [<c017061c>] vfs_ioctl+0x5c/0x2a0
May 20 23:15:04 tp kernel: [<c017089d>] sys_ioctl+0x3d/0x70
May 20 23:15:04 tp kernel: [<c0103fbe>] sysenter_past_esp+0x5f/0x85
May 20 23:15:04 tp kernel: [<c02d0000>] __inet6_lookup_established+0x40/0x280
May 20 23:15:04 tp kernel: ==================

Happened on 2.6.22-rc2 (-ck1, madwifi tainted) sometimes when using 3d (savage
drm) - seen only when back from STD for now.

00:00.0 Host bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX Host bridge
(rev 03)
00:01.0 PCI bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX AGP bridge
(rev 03)
00:02.0 CardBus bridge: Texas Instruments PCI1450 (rev 03)
00:02.1 CardBus bridge: Texas Instruments PCI1450 (rev 03)
00:03.0 Ethernet controller: Intel Corporation 82557/8/9 [Ethernet Pro 100] (rev 09)
00:03.1 Serial controller: Xircom Mini-PCI V.90 56k Modem
00:05.0 Multimedia audio controller: Cirrus Logic CS 4614/22/24 [CrystalClear
SoundFusion Audio Accelerator] (rev 01)
00:07.0 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ISA (rev 02)
00:07.1 IDE interface: Intel Corporation 82371AB/EB/MB PIIX4 IDE (rev 01)
00:07.2 USB Controller: Intel Corporation 82371AB/EB/MB PIIX4 USB (rev 01)
00:07.3 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 03)
01:00.0 VGA compatible controller: S3 Inc. 86C270-294 Savage/IX-MV (rev 11)
06:00.0 Ethernet controller: Atheros Communications, Inc. AR5212 802.11abg NIC
(rev 01)

...
WARN_ON_ONCE(size == 0);
...

..like already identified.
Is there a fix around, more info needed?

thx, ritch
Comment 11 Dave Airlie 2007-05-25 12:48:29 UTC
Fix should be in my drm tree for the next mm..
Comment 12 Fabio Correa 2007-06-14 08:04:55 UTC
Created attachment 11751
system info

A very similar warning arises with the official nVidia drivers.
Kernel version: 2.6.22-rc4

WARNING: at include/linux/slub_def.h:77 kmalloc_index()

Call Trace:
 [<ffffffff80267123>] get_slab+0x42/0x23d
 [<ffffffff802673a8>] __kmalloc+0xd/0x68
 [<ffffffff883fb056>] :nvidia:os_alloc_mem+0x72/0xce
 [<ffffffff880ec185>] :nvidia:_nv003401rm+0x9/0x1e
 [<ffffffff880d259b>] :nvidia:_nv002573rm+0x20d/0x37c
 [<ffffffff880cad97>] :nvidia:_nv004360rm+0x91/0xca
 [<ffffffff880f7818>] :nvidia:_nv002557rm+0x2c0/0x63a
 [<ffffffff880f4ded>] :nvidia:rm_ioctl+0x9/0xe
 [<ffffffff883f85c9>] :nvidia:nv_kern_ioctl+0x345/0x3d6
 [<ffffffff80207e5e>] __switch_to+0x10d/0x27d
 [<ffffffff883f8699>] :nvidia:nv_kern_unlocked_ioctl+0x1c/0x23
 [<ffffffff80274aa3>] do_ioctl+0x2b/0xb6
 [<ffffffff80274d7b>] vfs_ioctl+0x24d/0x266
 [<ffffffff80274dd0>] sys_ioctl+0x3c/0x60
 [<ffffffff802094ce>] system_call+0x7e/0x83
Comment 13 Théophile Helleboid 2007-06-17 02:41:12 UTC
with linux-2.6.22-rc4, nvidia drivers,  Host bridge: Intel Corporation 82845 845 [Brookdale] Chipset Host Bridge (rev 03)
WARNING: at include/linux/slub_def.h:77 kmalloc_index()
 [<c0160a7a>] get_slab+0x1b1/0x233
 [<c0160b71>] __kmalloc+0xc/0x59
 [<d11b7c77>] os_alloc_mem+0x5e/0xa3 [nvidia]
 [<d0f31c62>] _nv002768rm+0x16/0x2c [nvidia]
 [<d10b3589>] _nv005646rm+0xf1/0xfc [nvidia]
 [<d0f179c6>] _nv002011rm+0x202/0x384 [nvidia]
 [<d0f3a0d6>] rm_set_interrupts+0x142/0x15c [nvidia]
 [<d0f10ee9>] _nv003626rm+0x81/0xb8 [nvidia]
 [<d0f3c1fd>] _nv001996rm+0x3d/0x770 [nvidia]
 [<d0f3c503>] _nv001996rm+0x343/0x770 [nvidia]
 [<d11b794b>] os_pci_read_dword+0x2b/0x34 [nvidia]
 [<d11b4cdd>] nv_verify_pci_config+0x14c/0x296 [nvidia]
 [<d0f3a3bc>] rm_ioctl+0x1c/0x24 [nvidia]
 [<d11b52fd>] nv_kern_ioctl+0x2df/0x354 [nvidia]
 [<c015215f>] free_pgtables+0x85/0xaf
 [<c0384641>] sock_set_timeout+0x14/0xf5
 [<d11b53a7>] nv_kern_unlocked_ioctl+0x18/0x1d [nvidia]
 [<d11b538f>] nv_kern_unlocked_ioctl+0x0/0x1d [nvidia]
 [<c016e76f>] do_ioctl+0x1f/0xa9
 [<c0153238>] remove_vma+0x31/0x36
 [<c016e849>] vfs_ioctl+0x50/0x27a
 [<c016eaa7>] sys_ioctl+0x34/0x51
 [<c0103d4e>] sysenter_past_esp+0x5f/0x85
 [<c0384641>] sock_set_timeout+0x14/0xf5
 =======================