From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 99AD1E77188 for ; Mon, 23 Dec 2024 02:55:49 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id E5D346B007B; Sun, 22 Dec 2024 21:55:48 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id E0EAA6B0082; Sun, 22 Dec 2024 21:55:48 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id CD4AE6B0083; Sun, 22 Dec 2024 21:55:48 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id AFB5F6B007B for ; Sun, 22 Dec 2024 21:55:48 -0500 (EST) Received: from smtpin13.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id 43397C1616 for ; Mon, 23 Dec 2024 02:55:48 +0000 (UTC) X-FDA: 82924707306.13.541EE33 Received: from szxga04-in.huawei.com (szxga04-in.huawei.com [45.249.212.190]) by imf02.hostedemail.com (Postfix) with ESMTP id 5CBAB8000B for ; Mon, 23 Dec 2024 02:54:32 +0000 (UTC) Authentication-Results: imf02.hostedemail.com; dkim=none; dmarc=pass (policy=quarantine) header.from=huawei.com; spf=pass (imf02.hostedemail.com: domain of linmiaohe@huawei.com designates 45.249.212.190 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1734922511; a=rsa-sha256; cv=none; b=tKsd8eaaJ4kZfvQfe6KlVIh+g/MzKm/nvbvzL/Jzf4SRzIuZXeZ+OvXSQEmGQ0BOmpS0mC 1RanIHM/eij4fai2IaB9rNtzZ2L/O30Iq6XWqb/dKYxVv+u1w5+2PPaxeRm1CRfM/hMGWf DUq7WuTZeZNQf3SS/eXq+nIjyOUpYoA= ARC-Authentication-Results: i=1; imf02.hostedemail.com; dkim=none; dmarc=pass (policy=quarantine) header.from=huawei.com; spf=pass (imf02.hostedemail.com: domain of linmiaohe@huawei.com designates 45.249.212.190 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1734922511; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PRcsQax/SC8oqX5bM5LEtbq9UHMOWzM4mU0xyU2hvBo=; b=pXna0BCaxKiP86yUZGMHa+ki0cr7glUyERJOp1GVQ20iE+Yis5cF6LXAQBnPt8fkJEfPyj 8znb8tMs8/UapFTl++z6nudag4UxKKp3ha4lUGRvEL5Vb3XTV5ZTwKoUBXHwQRYhCxiRf+ TZGycD7lRFcfLUpbEv8qAElYPxHwi10= Received: from mail.maildlp.com (unknown [172.19.163.17]) by szxga04-in.huawei.com (SkyGuard) with ESMTP id 4YGjJl0d85z21p1l; Mon, 23 Dec 2024 10:53:43 +0800 (CST) Received: from kwepemd200019.china.huawei.com (unknown [7.221.188.193]) by mail.maildlp.com (Postfix) with ESMTPS id 866591A0188; Mon, 23 Dec 2024 10:55:40 +0800 (CST) Received: from [10.173.127.72] (10.173.127.72) by kwepemd200019.china.huawei.com (7.221.188.193) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Mon, 23 Dec 2024 10:55:39 +0800 Subject: Re: [PATCH v2] mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory To: David Hildenbrand , , Dan Williams CC: , , References: <20241219115209.574065-1-linmiaohe@huawei.com> <06a45f8a-0981-40a2-a12a-5964fcdace13@redhat.com> From: Miaohe Lin Message-ID: <1af81f0e-6500-9719-20be-505851673b58@huawei.com> Date: Mon, 23 Dec 2024 10:55:39 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 8bit X-Originating-IP: [10.173.127.72] X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To kwepemd200019.china.huawei.com (7.221.188.193) X-Rspamd-Server: rspam04 X-Rspamd-Queue-Id: 5CBAB8000B X-Stat-Signature: ob6x7zh4x91itifce1igk4ehnwpmk838 X-Rspam-User: X-HE-Tag: 1734922472-190259 X-HE-Meta: U2FsdGVkX18Mb5iMYWO3yKRKsWqmOyHOswHG9BuXLouawiAQR5BSrHloPKZuMcomZTvj1jwJVMLzNXnndQ6dpvv9NvRJZAWhPGPZ7SdP6V0lysvUCTxg529Rhm8u6TwWxkdWcUWkUO6IgRHEgfitAccmZUxufl378XNaOIsIjsp5op/4IaXUm38LgglzJMh+seq3nM+CVGO1vypnKtZ4tY5l/riN3FwpI+Tpd+NVVHCvqHB2nvd+vsiJJ9LHVpdeZBEaC7onO/EWzkmEhBKJmidCDamWsBHXQyPkg6r8LFbsNQ/zc7a0co6fbVkmjfujcXBDboVHP/7IiLFrkYl/3FyeDZ0OjjN1iq3c/dpeSFVe3+LS3l2+Kmc7qSJ2zgtDSJQhNtpX09P4JoWG4X5AHVDS2msp1txyKd4s1mn4QHn3OXnKWXxgTqr6XUDwY4nDV4KiBnf67DZpJSdoc1QaKt7VfIXwz6j/7wcvaELQFYadayJZyEwj+NkhEuX/O57fMIymxrUWK0fqhwXFFZivkBRKKp1pxsA2cqXMRn0shEOnRCMe6NmI2zyHOfJ8/ZgUrJEYY7XPdQPXlnjXS3fMlLVNNeOxQI/D+QMY7P4OcjlSPXUfQ+7w5RSLHB4qrGQAyW0BuVr2axCFHNCSoWgr8FINgUAuEZIACXnoWtwfMQ0x13TN4yl+G5Y5ojk7cISu2RVAzVL9kXpP6xLzGq4iMDlir/rr8ImhNY/X8nIn0vYpHXUlViqvRviMHUKzzMGm9ZdcFiT0xg6IbSL+mFuLbWBNLYHFVJ5y0K31dvy7cHjvRcfJ//ZCcBedDcb7c+li+u3+n7+UCLfKgLXYvlED6v2sdMwoBfNxT6LuSBFur1HOKPt+lTRr6W/Dw4lnAPOQ0IpKbkutsy+evVkO7cL11CCrklDqd4c+ZWW4PAO/tXg36Jxh2/VFKkh/xeNIrxDZyGlQd/siuZyB96jx1vT xu/oFVcb CkZFURLLQf4AV2+96zyW/4PiKwxr3Wo2ETy4pGjxe/cOes8Fq3w47UbQNC3KE0iabJE0iBhtLXM6IhEFU+QKmQuj12r9fcG5WMOSyUtMmYee2mdUBzs5bPE+WITpxpLPNuovySMhseZV6l4YZWlGSj9NY/nI/IEPN5PwVnj7nsYJSUvodWkSG8tmvFuGZulgMSiopH+6qdeJD/nvEocdVUKJlVH5i9q3L8GHeBEhMrW7a6hvz9jkdUc9kqnM34VqEi+3XlqadXetjcxgWqL2qne3xwyM9LS8dsEIUSnJ+ElxJJnM= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On 2024/12/20 16:50, David Hildenbrand wrote: > On 20.12.24 03:35, Miaohe Lin wrote: >> On 2024/12/19 20:18, David Hildenbrand wrote: >>> On 19.12.24 12:52, Miaohe Lin wrote: >>>> When I did memory failure tests recently, below panic occurs: >>>> >>>> page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page)) >>>> kernel BUG at include/linux/page-flags.h:616! >>>> Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI >>>> CPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40 >>>> RIP: 0010:unpoison_memory+0x2f3/0x590 >>>> RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246 >>>> RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8 >>>> RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0 >>>> RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb >>>> R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000 >>>> R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe >>>> FS:  00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000 >>>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 >>>> CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0 >>>> Call Trace: >>>>    >>>>    unpoison_memory+0x2f3/0x590 >>>>    simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110 >>>>    debugfs_attr_write+0x42/0x60 >>>>    full_proxy_write+0x5b/0x80 >>>>    vfs_write+0xd5/0x540 >>>>    ksys_write+0x64/0xe0 >>>>    do_syscall_64+0xb9/0x1d0 >>>>    entry_SYSCALL_64_after_hwframe+0x77/0x7f >>>> RIP: 0033:0x7f08f0314887 >>>> RSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 >>>> RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887 >>>> RDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001 >>>> RBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff >>>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009 >>>> R13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00 >>>>    >>>> Modules linked in: hwpoison_inject >>>> ---[ end trace 0000000000000000 ]--- >>>> RIP: 0010:unpoison_memory+0x2f3/0x590 >>>> RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246 >>>> RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8 >>>> RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0 >>>> RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb >>>> R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000 >>>> R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe >>>> FS:  00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000 >>>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 >>>> CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0 >>>> Kernel panic - not syncing: Fatal exception >>>> Kernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) >>>> ---[ end Kernel panic - not syncing: Fatal exception ]--- >>>> >>>> The root cause is that unpoison_memory() tries to check the PG_HWPoison >>>> flags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is >>>> triggered. This can be reproduced by below steps: >>>> 1.Offline memory block: >>>>    echo offline > /sys/devices/system/memory/memory12/state >>>> 2.Get offlined memory pfn: >>>>    page-types -b n -rlN >>>> 3.Write pfn to unpoison-pfn >>>>    echo > /sys/kernel/debug/hwpoison/unpoison-pfn >>>> >>>> Signed-off-by: Miaohe Lin >>>> --- >>>> v2: Use pfn_to_online_page per David. Thanks. >>>> --- >>>>    mm/memory-failure.c | 14 +++++++++++--- >>>>    1 file changed, 11 insertions(+), 3 deletions(-) >>>> >>>> diff --git a/mm/memory-failure.c b/mm/memory-failure.c >>>> index a7b8ccd29b6f..02be0596ce67 100644 >>>> --- a/mm/memory-failure.c >>>> +++ b/mm/memory-failure.c >>>> @@ -2556,10 +2556,18 @@ int unpoison_memory(unsigned long pfn) >>>>        static DEFINE_RATELIMIT_STATE(unpoison_rs, DEFAULT_RATELIMIT_INTERVAL, >>>>                        DEFAULT_RATELIMIT_BURST); >>>>    -    if (!pfn_valid(pfn)) >>>> -        return -ENXIO; >>>> +    p = pfn_to_online_page(pfn); >>>> +    if (!p) { >>>> +        struct dev_pagemap *pgmap; >>>>    -    p = pfn_to_page(pfn); >>>> +        if (!pfn_valid(pfn)) >>>> +            return -ENXIO; >>>> +        pgmap = get_dev_pagemap(pfn, NULL); >>>> +        if (!pgmap) >>>> +            return -ENXIO; >>>> +        put_dev_pagemap(pgmap); >>>> +        p = pfn_to_page(pfn); >>>> +    } >>> >>> Hm, I wonder if we can do anything reasonable with ZONE_DEVICE pages here? >> >> All I can see in unpoison_memory() is folio_test_clear_hwpoison() for ZONE_DEVICE pages. > > IIRC, it can only be triggered via debugfs in special kernel configs. So chances are this was never ever actually run against a ZONE_DEVICE page. If ZONE_DEVICE pages are never expected, we can simply filter them out. > >> >>> >>> CCing Dan, maybe he knows if this interface used to do something reasonable with ZONE_DEVICE pages. >>> >>> Also, I'm not sure about using the page after doing the put_dev_pagemap(). Likely we would have to do that at the before exiting from this function. >> >> IMHO, the page can be used after doing put_dev_pagemap(). The page should still be >> available while it has HWPoison set. > > 1) Why do you think it can be used afterwards? :) > > 2) At that point in time you don't even know yet if the page is >    HWPoisoned! That check is performed later > > 3) From GUP code, I recall that we must keep the pagemap referenced >    until we grabbed a page/folio reference. I think you're right, David. I missed this case. :) Thanks. . > > Or are you worrying about memory offline? That >> might not be the scope of this problem. But I might be miss something. > > I suspect unpoison_memory() doesn't do with ZONE_DEVICE pages what it should be doing. Maybe I'm wrong, it would be great to get feedback from Dan. > >