From patchwork Mon May 29 12:37:05 2023
X-Patchwork-Submitter: mawupeng
X-Patchwork-Id: 13258525
From: Wupeng Ma
Subject: [RFC PATCH stable 5.10/5.15] mm: Pass head page to clear_page_mlock for page_remove_rmap
Date: Mon, 29 May 2023 20:37:05 +0800
Message-ID: <20230529123705.955378-1-mawupeng1@huawei.com>
Sender: owner-linux-mm@kvack.org

From: Ma Wupeng

Our syzbot reported an mlock related problem. During exit_mm, a tail page is
passed to clear_page_mlock, which finally leads to a kernel panic.

During unmap_page_range, if compound is false, it means this page is
seen as a small page. This page is passed to isolate_lru_page if this
page is PageMlocked and finally leads to the "trying to isolate tail page"
warning.

Here is the simplified calltrace:

unmap_page_range
  zap_pte_range
    page_remove_rmap(page, false); // compound is false means to handle to small page not compound page
      nr_pages = thp_nr_pages(page);
      clear_page_mlock(page) // maybe tail page here
        isolate_lru_page
          WARN_RATELIMIT(PageTail(page), "trying to isolate tail page");

Since mlock is not supposed to handle tail, we pass head page to
clear_page_mlock() to solve this problem.

This bug can lead to multiple reports. Here are the simplified reports:

------------[ cut here ]------------
trying to isolate tail page
WARNING: CPU: 1 PID: 24489 at mm/vmscan.c:2031 isolate_lru_page+0x574/0x660

page:fffffc000eb7a300 refcount:512 mapcount:0 mapping:0000000000000000 index:0x2008c pfn:0x3ede8c
head:fffffc000eb78000 order:9 compound_mapcount:0 compound_pincount:0
memcg:ffff0000d24bc000
anon flags: 0x37ffff80009080c(uptodate|dirty|arch_1|head|swapbacked|node=1|zone=2|lastcpupid=0xfffff)
raw: 037ffff800000800 fffffc000eb78001 fffffc000eb7a308 dead000000000400
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
head: 037ffff80009080c fffffc000eb70008 fffffc000e350708 ffff0003829eb839
head: 0000000000020000 0000000000000000 00000200ffffffff ffff0000d24bc000
page dumped because: VM_WARN_ON_ONCE_PAGE(!memcg && !mem_cgroup_disabled())
------------[ cut here ]------------
WARNING: CPU: 1 PID: 24489 at include/linux/memcontrol.h:767 lock_page_lruvec_irq+0x148/0x190

page:fffffc000eb7a300 refcount:0 mapcount:0 mapping:dead000000000400 index:0x0 pfn:0x3ede8c
failed to read mapping contents, not a valid kernel address?
flags: 0x37ffff800000800(arch_1|node=1|zone=2|lastcpupid=0xfffff)
raw: 037ffff800000800 dead000000000100 dead000000000122 dead000000000400
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: VM_BUG_ON_PAGE(((unsigned int) page_ref_count(page) + 127u <= 127u))
------------[ cut here ]------------
kernel BUG at include/linux/mm.h:1213!
Call trace:
 lru_cache_add+0x2d4/0x2e8
 putback_lru_page+0x2c/0x168
 clear_page_mlock+0x254/0x318
 page_remove_rmap+0x900/0x9c0
 unmap_page_range+0xa78/0x16a0
 unmap_single_vma+0x114/0x1a0
 unmap_vmas+0x100/0x220
 exit_mmap+0x120/0x410
 mmput+0x174/0x498
 exit_mm+0x33c/0x460
 do_exit+0x3c0/0x1310
 do_group_exit+0x98/0x170
 get_signal+0x370/0x13d0
 do_notify_resume+0x5a0/0x968
 el0_da+0x154/0x188
 el0t_64_sync_handler+0x88/0xb8
 el0t_64_sync+0x1a0/0x1a4
Code: 912b0021 aa1503e0 910c0021 9401a49c (d4210000)

This bug can be reproduced in both linux-5.10.y & linux-5.15.y and may be
fixed after commit 889a3747b3b7 ("mm/lru: Add folio LRU functions").
This patch turns page into folio for LRU related operations; all
operations on page are turned to folio, which means head page after this
patch.

Fixes: d281ee614518 ("rmap: add argument to charge compound page")
Signed-off-by: Ma Wupeng
---
 mm/rmap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/rmap.c b/mm/rmap.c index 330b361a460e..8838f6a9d65d 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -1372,7 +1372,7 @@ void page_remove_rmap(struct page *page, bool compound) __dec_lruvec_page_state(page, NR_ANON_MAPPED); if (unlikely(PageMlocked(page))) - clear_page_mlock(page); + clear_page_mlock(compound_head(page)); if (PageTransCompound(page)) deferred_split_huge_page(compound_head(page));
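
Review bot: in the changed line of page_remove_rmap(), the flag test is still PageMlocked(page) on the possibly-tail page while the clear now goes to compound_head(page), and compound_head(page) is computed again two lines later for deferred_split_huge_page(). Suggest taking the head once into a local and using it for the test, the clear and the deferred split, or adding a comment that says why testing the flag through the tail page is intended. The commit message should also explain why clearing Mlocked on the head is correct when compound is false, since it describes that case as handling a small page rather than the compound page, and it should settle the "may be fixed after commit 889a3747b3b7" statement one way or the other before this is taken for linux-5.10.y and linux-5.15.y.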