Re: generic/320 triggers "list_add attempted on force-poisoned entry" warning on XFS

[Eryu Guan <eguan@xxxxxxxxxx>]

On Sat, Feb 27, 2016 at 12:10:51PM -0800, Dan Williams wrote:
> On Sat, Feb 27, 2016 at 5:02 AM, Eryu Guan <eguan@xxxxxxxxxx> wrote:
> > Hi,
> >
> > Starting from 4.5-rc1 kernel, I sometimes see generic/320 triggers
> > "list_add attempted on force-poisoned entry" warnings on XFS, test hosts
> > are arm64/ppc64/ppc64le, haven't seen it on x86_64 hosts.
> 
> Hmm, this triggers when a list_head has ->next or ->prev pointing at
> the address of force_poison which is only defined in lib/list_debug.c.
> The only call site that uses list_force_poison() is in
> devm_memremap_pages().  That currently depends on CONFIG_ZONE_DEVICE
> which in turn depends on X86_64.
> 
> So, this appears to be a false positive and the address of
> force_poison is somehow ending up on the stack by accident as that is
> the random value being passed in from __down_common:
> 
>     struct semaphore_waiter waiter;
> 
>     list_add_tail(&waiter.list, &sem->wait_list);
> 
> So, I think we need a more unique poison value that should never
> appear on the stack:

Unfortunately I can still see the warning after applying this test patch.

Then I added debug code to print the pointer value and re-ran the test.
All five failures printed the same pointer value, failed in the same
pattern:

list_add attempted on force-poisoned entry(0000000000000500), new->next = 
c00000000136bc00, new->prev = 0000000000000500

Thanks,
Eryu

> 
> diff --git a/include/linux/poison.h b/include/linux/poison.h
> index 4a27153574e2..0604806c2f52 100644
> --- a/include/linux/poison.h
> +++ b/include/linux/poison.h
> @@ -21,6 +21,7 @@
>  */
> #define LIST_POISON1  ((void *) 0x100 + POISON_POINTER_DELTA)
> #define LIST_POISON2  ((void *) 0x200 + POISON_POINTER_DELTA)
> +#define LIST_POISON3  ((void *) 0x500 + POISON_POINTER_DELTA)
> 
> /********** include/linux/timer.h **********/
> /*
> diff --git a/lib/list_debug.c b/lib/list_debug.c
> index 3345a089ef7b..318bf1c181b2 100644
> --- a/lib/list_debug.c
> +++ b/lib/list_debug.c
> @@ -12,11 +12,10 @@
> #include <linux/kernel.h>
> #include <linux/rculist.h>
> 
> -static struct list_head force_poison;
> void list_force_poison(struct list_head *entry)
> {
> -       entry->next = &force_poison;
> -       entry->prev = &force_poison;
> +       entry->next = LIST_POISON3;
> +       entry->prev = LIST_POISON3;
> }
> 
> /*
> @@ -30,7 +29,7 @@ void __list_add(struct list_head *new,
>                              struct list_head *prev,
>                              struct list_head *next)
> {
> -       WARN(new->next == &force_poison || new->prev == &force_poison,
> +       WARN(new->next == LIST_POISON3 || new->prev == LIST_POISON3,
>                "list_add attempted on force-poisoned entry\n");
>        WARN(next->prev != prev,
>                "list_add corruption. next->prev should be "