From: Vlastimil Babka
Date: Fri, 7 Feb 2025 11:25:46 +0100
Subject: Re: [REGRESSION][BISECTED] Crash with Bad page state for FUSE/Flatpak related applications since v6.13
To: Matthew Wilcox, Miklos Szeredi
Cc: Christian Heusel, Josef Bacik, Miklos Szeredi, regressions@lists.linux.dev, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Joanne Koong, linux-mm
Message-ID: <03eb13ad-03a2-4982-9545-0a5506e043d0@suse.cz>
References: <2f681f48-00f5-4e09-8431-2b3dbfaa881e@heusel.eu>

On 2/7/25 10:45, Matthew Wilcox wrote:
> On Fri, Feb 07, 2025 at 10:34:52AM +0100, Miklos Szeredi wrote:
>> Seems like page allocation gets an inconsistent page (mapcount != -1)
>> in the report below.
>
> I think you're misreading the report. _mapcount is -1. Which means
> mapcount is 0.
>
>> > Feb 06 08:54:47 archvm kernel: BUG: Bad page state in process rnote pfn:67587
>> > Feb 06 08:54:47 archvm kernel: page: refcount:-1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x67587

refcount of -1 doesn't look healthy too, should be 0 at this point?

>> > Feb 06 08:54:47 archvm kernel: flags: 0xfffffc8000020(lru|node=0|zone=1|lastcpupid=0x1fffff)
>> > Feb 06 08:54:47 archvm kernel: raw: 000fffffc8000020 dead000000000100 dead000000000122 0000000000000000
>
>            flags            lru.next         lru.prev         mapping
>
>> > Feb 06 08:54:47 archvm kernel: raw: 0000000000000000 0000000000000000 ffffffffffffffff 0000000000000000
>
>            index            private          mapcount:refcount memcg_data
>
>> > Feb 06 08:54:47 archvm kernel: page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag(s) set
>
> So the problem is the lru flag is set.
>
>> > Feb 06 08:54:47 archvm kernel: dump_stack_lvl+0x5d/0x80
>> > Feb 06 08:54:47 archvm kernel: bad_page.cold+0x7a/0x91
>> > Feb 06 08:54:47 archvm kernel: __rmqueue_pcplist+0x200/0xc50
>> > Feb 06 08:54:47 archvm kernel: get_page_from_freelist+0x2ae/0x1740
>> > Feb 06 08:54:47 archvm kernel: __alloc_frozen_pages_noprof+0x184/0x330
>> > Feb 06 08:54:47 archvm kernel: alloc_pages_mpol+0x7d/0x160
>> > Feb 06 08:54:47 archvm kernel: folio_alloc_mpol_noprof+0x14/0x40
>> > Feb 06 08:54:47 archvm kernel: vma_alloc_folio_noprof+0x69/0xb0
>> > Feb 06 08:54:47 archvm kernel: do_anonymous_page+0x32a/0x8b0
>
> It's very weird, because PG_lru is also in PAGE_FLAGS_CHECK_AT_FREE.
> So it should already have been checked and not be set. I'm on holiday

Could be a use-after free of the page, which sets PG_lru again. The list
corruptions in __rmqueue_pcplist also suggest some page manipulation after
free. The -1 refcount suggests somebody was using the page while it was
freed due to refcount dropping to 0 and then did a put_page()?

> until Monday, so I'm not going to dive into this any further.
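
Added example (not part of the original message and not kernel code): a Python decoder for the two `raw:` lines of the "Bad page state" dump quoted above, using the field order from the quoted annotation and reporting the anomalies the thread discusses. Assumptions: the PG_lru bit is 0x20 (as the dump's own `flags:` line decodes it), the `mapcount:refcount` word is split little-endian with `_mapcount` in the low half, and the list-poison constants are the x86_64 values.

```python
import re

# Constructed sample: the page dump lines quoted in the thread above.
SAMPLE = """\
kernel: page: refcount:-1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x67587
kernel: raw: 000fffffc8000020 dead000000000100 dead000000000122 0000000000000000
kernel: raw: 0000000000000000 0000000000000000 ffffffffffffffff 0000000000000000
"""

# Field order follows the annotation in the quoted reply.
FIELDS = ("flags", "lru_next", "lru_prev", "mapping",
          "index", "private", "counts", "memcg_data")
PG_LRU = 0x20  # assumption: bit value as the dump itself decodes it ("lru")
# Assumption: x86_64 LIST_POISON1/LIST_POISON2 (0x100/0x122 + 0xdead000000000000).
LIST_POISON = {0xdead000000000100, 0xdead000000000122}

def s32(v):
    """Interpret the low 32 bits of v as a signed integer."""
    v &= 0xffffffff
    return v - (1 << 32) if v & 0x80000000 else v

def decode_page_dump(text):
    """Collect the eight 64-bit words from the 'raw:' lines into named fields."""
    words = [int(w, 16) for line in text.splitlines()
             if (m := re.search(r"raw: ((?:[0-9a-f]{16} ?)+)", line))
             for w in m.group(1).split()]
    if len(words) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} raw words, got {len(words)}")
    page = dict(zip(FIELDS, words))
    # Assumption: little-endian, _mapcount in the low half, _refcount in the high half.
    page["_mapcount"] = s32(page["counts"])
    page["_refcount"] = s32(page["counts"] >> 32)
    return page

def triage(page):
    """Return the state anomalies for a page that is being handed out by the allocator."""
    findings = []
    if page["flags"] & PG_LRU:
        findings.append("PG_lru set on a page taken from the free list")
    if page["_refcount"] != 0:
        findings.append(f"_refcount is {page['_refcount']}, expected 0")
    if page["_mapcount"] != -1:
        findings.append(f"_mapcount is {page['_mapcount']}, expected -1 (mapcount 0)")
    if {page["lru_next"], page["lru_prev"]} <= LIST_POISON:
        findings.append("lru.next/lru.prev hold list_del() poison values")
    return findings

if __name__ == "__main__":
    for finding in triage(decode_page_dump(SAMPLE)):
        print(finding)
```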