Date: Thu, 1 Oct 2020 10:31:57 -0400
From: Rafael Aquini
To: "Huang, Ying"
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, akpm@linux-foundation.org
Subject: Re: [PATCH] mm: swapfile: avoid split_swap_cluster() NULL pointer dereference
Message-ID: <20201001143157.GA1530324@optiplex-lnx>

On Fri, Sep 25, 2020 at 11:21:58AM +0800, Huang, Ying wrote:
> Rafael Aquini writes:
> >> Or, can you help to run the test with a debug kernel based on upstream
> >> kernel. I can provide some debug patch.
> >>
> >
> > Sure, I can set your patches to run with the test cases we have that tend to
> > reproduce the issue with some degree of success.
>
> Thanks!
>
> I found a race condition. During THP splitting, "head" may be unlocked
> before calling split_swap_cluster(), because head != page during
> deferred splitting. So we should call split_swap_cluster() before
> unlocking. The debug patch to do that is as below. Can you help to
> test it?
>
> Best Regards,
> Huang, Ying
>
> ------------------------8<----------------------------
> From 24ce0736a9f587d2dba12f12491c88d3e296a491 Mon Sep 17 00:00:00 2001
> From: Huang Ying > Date: Fri, 25 Sep 2020 11:10:56 +0800 > Subject: [PATCH] dbg: Call split_swap_clsuter() before unlock page during > split THP > > --- > mm/huge_memory.c | 13 +++++++------ > 1 file changed, 7 insertions(+), 6 deletions(-) > > diff --git a/mm/huge_memory.c b/mm/huge_memory.c > index faadc449cca5..8d79e5e6b46e 100644 > --- a/mm/huge_memory.c > +++ b/mm/huge_memory.c > @@ -2444,6 +2444,12 @@ static void __split_huge_page(struct page *page, struct list_head *list, > > remap_page(head); > > + if (PageSwapCache(head)) { > + swp_entry_t entry = { .val = page_private(head) }; > + > + split_swap_cluster(entry); > + } > + > for (i = 0; i < HPAGE_PMD_NR; i++) { > struct page *subpage = head + i; > if (subpage == page) > @@ -2678,12 +2684,7 @@ int split_huge_page_to_list(struct page *page, struct list_head *list) > } > > __split_huge_page(page, list, end, flags); > - if (PageSwapCache(head)) { > - swp_entry_t entry = { .val = page_private(head) }; > - > - ret = split_swap_cluster(entry); > - } else > - ret = 0; > + ret = 0; > } else { > if (IS_ENABLED(CONFIG_DEBUG_VM) && mapcount) { > pr_alert("total_mapcount: %u, page_count(): %u\n", > -- > 2.28.0 > I left it running for several days, on several systems that had seen the crash hitting before, and no crashes were observed for either the upstream kernel nor the distro build 4.18-based kernel. I guess we can comfortably go with your patch. Thanks!
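
Review bot: The block added after remap_page(head) in __split_huge_page() has no comment saying why it must sit at that position, and the ordering is the entire fix: per the report above, "head" may be unlocked before split_swap_cluster() runs because head != page during deferred splitting. Please add a short comment above `if (PageSwapCache(head)) {` stating that the swap cluster has to be split before the pages are unlocked, so a later cleanup does not move the call back to the caller. For a non-debug posting the patch also needs a commit log and a Signed-off-by (the message goes from the Subject straight to the `---` line), and the subject spells the function split_swap_clsuter().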
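
Review bot: In the split_huge_page_to_list() hunk, ret is now set to 0 unconditionally on the success path, so the result that the removed `ret = split_swap_cluster(entry);` used to propagate is discarded at the new call site in __split_huge_page(), which is declared static void. Either have __split_huge_page() hand that value back to the caller, or state in the commit log why ignoring it is safe and consider wrapping the call in WARN_ON_ONCE() so a failure is not silent.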