From patchwork Thu May 23 07:12:17 2024
X-Patchwork-Submitter: Miaohe Lin
X-Patchwork-Id: 13671329
From: Miaohe Lin
Subject: [PATCH] mm/memory-failure: fix handling of dissolved but not taken off from buddy pages
Date: Thu, 23 May 2024 15:12:17 +0800
Message-ID: <20240523071217.1696196-1-linmiaohe@huawei.com>

When I did memory failure tests recently, the panic below occurred:

 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00
 flags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)
 raw: 06fffe0000000000 dead000000000100 dead000000000122 0000000000000000
 raw: 0000000000000000 0000000000000009 00000000ffffffff 0000000000000000
 page dumped because: VM_BUG_ON_PAGE(!PageBuddy(page))
 ------------[ cut here ]------------
 kernel BUG at include/linux/page-flags.h:1009!
 invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
 RIP: 0010:__del_page_from_free_list+0x151/0x180
 RSP: 0018:ffffa49c90437998 EFLAGS: 00000046
 RAX: 0000000000000035 RBX: 0000000000000009 RCX: ffff8dd8dfd1c9c8
 RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff8dd8dfd1c9c0
 RBP: ffffd901233b8000 R08: ffffffffab5511f8 R09: 0000000000008c69
 R10: 0000000000003c15 R11: ffffffffab5511f8 R12: ffff8dd8fffc0c80
 R13: 0000000000000001 R14: ffff8dd8fffc0c80 R15: 0000000000000009
 FS: 00007ff916304740(0000) GS:ffff8dd8dfd00000(0000) knlGS:0000000000000000
 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 000055eae50124c8 CR3: 00000008479e0000 CR4: 00000000000006f0
 Call Trace:
  __rmqueue_pcplist+0x23b/0x520
  get_page_from_freelist+0x26b/0xe40
  __alloc_pages_noprof+0x113/0x1120
  __folio_alloc_noprof+0x11/0xb0
  alloc_buddy_hugetlb_folio.isra.0+0x5a/0x130
  __alloc_fresh_hugetlb_folio+0xe7/0x140
  alloc_pool_huge_folio+0x68/0x100
  set_max_huge_pages+0x13d/0x340
  hugetlb_sysctl_handler_common+0xe8/0x110
  proc_sys_call_handler+0x194/0x280
  vfs_write+0x387/0x550
  ksys_write+0x64/0xe0
  do_syscall_64+0xc2/0x1d0
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
 RIP: 0033:0x7ff916114887
 RSP: 002b:00007ffec8a2fd78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
 RAX: ffffffffffffffda RBX: 000055eae500e350 RCX: 00007ff916114887
 RDX: 0000000000000004 RSI: 000055eae500e390 RDI: 0000000000000003
 RBP: 000055eae50104c0 R08: 0000000000000000 R09: 000055eae50104c0
 R10: 0000000000000077 R11: 0000000000000246 R12: 0000000000000004
 R13: 0000000000000004 R14: 00007ff916216b80 R15: 00007ff916216a00
 Modules linked in: mce_inject hwpoison_inject
 ---[ end trace 0000000000000000 ]---

And before the panic, there was a warning about bad page state:

 BUG: Bad page state in process page-types pfn:8cee00
 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00
 flags: 0x6fffe0000000000(node=1|zone=2|lastcpupid=0x7fff)
 page_type: 0xffffff7f(buddy)
 raw: 06fffe0000000000 ffffd901241c0008 ffffd901240f8008 0000000000000000
 raw: 0000000000000000 0000000000000009 00000000ffffff7f 0000000000000000
 page dumped because: nonzero mapcount
 Modules linked in: mce_inject hwpoison_inject
 CPU: 8 PID: 154211 Comm: page-types Not tainted 6.9.0-rc4-00499-g5544ec3178e2-dirty #22
 Call Trace:
  dump_stack_lvl+0x83/0xa0
  bad_page+0x63/0xf0
  free_unref_page+0x36e/0x5c0
  unpoison_memory+0x50b/0x630
  simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110
  debugfs_attr_write+0x42/0x60
  full_proxy_write+0x5b/0x80
  vfs_write+0xcd/0x550
  ksys_write+0x64/0xe0
  do_syscall_64+0xc2/0x1d0
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
 RIP: 0033:0x7f189a514887
 RSP: 002b:00007ffdcd899718 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f189a514887
 RDX: 0000000000000009 RSI: 00007ffdcd899730 RDI: 0000000000000003
 RBP: 00007ffdcd8997a0 R08: 0000000000000000 R09: 00007ffdcd8994b2
 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdcda199a8
 R13: 0000000000404af1 R14: 000000000040ad78 R15: 00007f189a7a5040

The root cause should be the below race:

 memory_failure
  try_memory_failure_hugetlb
   me_huge_page
    __page_handle_poison
     dissolve_free_hugetlb_folio
     drain_all_pages -- Buddy page can be isolated e.g. for compaction.
     take_page_off_buddy -- Failed as page is not in the buddy list.
       -- Page can be putback into buddy after compaction.
    page_ref_inc -- Leads to buddy page with refcnt = 1.

Then unpoison_memory() can unpoison the page and send the buddy page back into buddy list again leading to the above bad page state warning. And bad_page() will call page_mapcount_reset() to remove PageBuddy from buddy page leading to later VM_BUG_ON_PAGE(!PageBuddy(page)) when trying to allocate this page. Fix this issue by only treating __page_handle_poison() as successful when it returns 1. Signed-off-by: Miaohe Lin Fixes: ceaf8fbea79a ("mm, hwpoison: skip raw hwpoison page in freeing 1GB hugepage") Cc: --- mm/memory-failure.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index a3958150cbf2..8962c0d314b0 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -1239,7 +1239,7 @@ static int me_huge_page(struct page_state *ps, struct page *p) * subpages. */ folio_put(folio); - if (__page_handle_poison(p) >= 0) { + if (__page_handle_poison(p) > 0) { page_ref_inc(p); res = MF_RECOVERED; } else { @@ -2116,7 +2116,7 @@ static int try_memory_failure_hugetlb(unsigned long pfn, int flags, int *hugetlb */ if (res == 0) { folio_unlock(folio); - if (__page_handle_poison(p) >= 0) { + if (__page_handle_poison(p) > 0) { page_ref_inc(p); res = MF_RECOVERED; } else {
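
Review bot: the new `> 0` test in the me_huge_page() hunk depends on a difference between a 0 return and a positive return from __page_handle_poison() that is not documented anywhere near the call site. Going by the changelog, 0 is the "dissolved but not taken off from buddy" case, so a short comment above the `if`, or an extension of the existing comment block that ends with "subpages.", would keep a later cleanup from turning the comparison back into `>= 0`. The changelog also says "when it returns 1" while the code tests `> 0`; it would be better if the two agreed.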
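
Review bot: the `if (__page_handle_poison(p) > 0)` block in the try_memory_failure_hugetlb() hunk is a second copy of the same three lines changed in me_huge_page(), and both copies carried the same wrong comparison. Consider folding the check, page_ref_inc(p) and the `res = MF_RECOVERED` assignment into one small helper so the success condition is defined in one place. The changelog should also say what result the 0 return produces here after the change, since the body of the else branch is not visible in the hunk context.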