From: Guillaume Morin
To: Mike Kravetz
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, cgroups@vger.kernel.org, Mina Almasry, David Rientjes, Greg Thelen, Sandipan Das, Shakeel Butt, Shuah Khan, Andrew Morton, Guillaume Morin, stable@vger.kernel.org
Subject: Re: [PATCH] hugetlb: fix hugetlb cgroup refcounting during vma split
Date: Tue, 31 Aug 2021 16:01:48 +0200
Message-ID: <20210831140147.GA18648@bender.morinfr.org>
In-Reply-To: <20210830215015.155224-1-mike.kravetz@oracle.com>

On 30 Aug 14:50, Mike Kravetz wrote:
> Guillaume Morin reported hitting the following WARNING followed
> by GPF or NULL pointer dereference either in cgroups_destroy or in
> the kill_css path:
>
> percpu ref (css_release) <= 0 (-1) after switching to atomic
> WARNING: CPU: 23 PID: 130 at lib/percpu-refcount.c:196 percpu_ref_switch_to_atomic_rcu+0x127/0x130
> CPU: 23 PID: 130 Comm: ksoftirqd/23 Kdump: loaded Tainted: G O 5.10.60 #1
> RIP: 0010:percpu_ref_switch_to_atomic_rcu+0x127/0x130
> Call Trace:
> rcu_core+0x30f/0x530
> rcu_core_si+0xe/0x10
> __do_softirq+0x103/0x2a2
> ? sort_range+0x30/0x30
> run_ksoftirqd+0x2b/0x40
> smpboot_thread_fn+0x11a/0x170
> kthread+0x10a/0x140
> ? kthread_create_worker_on_cpu+0x70/0x70
> ret_from_fork+0x22/0x30
>
> Upon further examination, it was discovered that the css structure
> was associated with hugetlb reservations.
>
> For private hugetlb mappings the vma points to a reserve map that
> contains a pointer to the css. At mmap time, reservations are set up
> and a reference to the css is taken. This reference is dropped in the
> vma close operation; hugetlb_vm_op_close. However, if a vma is split
> no additional reference to the css is taken yet hugetlb_vm_op_close will
> be called twice for the split vma resulting in an underflow.
>
> Fix by taking another reference in hugetlb_vm_op_open. Note that the
> reference is only taken for the owner of the reserve map. In the more
> common fork case, the pointer to the reserve map is cleared for
> non-owning vmas.
>
> Fixes: e9fe92ae0cd2 ("hugetlb_cgroup: add reservation accounting for
> private mappings")
> Reported-by: Guillaume Morin
> Suggested-by: Guillaume Morin
> Signed-off-by: Mike Kravetz
> Cc:

I verified that the patch does fix the underflow. I appreciate the help!

Feel free to add:
Tested-by: Guillaume Morin

-- 
Guillaume Morin
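
Added example (not part of the original message and not the kernel patch): a simplified userspace C model of the css reference counting described in the quoted commit message, showing the underflow on vma split and the balanced count once the open operation takes a reference for the reserve-map owner. The struct layouts, the `owner` flag, the `fixed` switch and all helper names are assumptions made for illustration; only the roles of hugetlb_vm_op_open and hugetlb_vm_op_close come from the message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model: refcnt counts only the references held by this mapping. */
struct css { long refcnt; };
struct resv_map { struct css *css; };
struct vma { struct resv_map *resv; bool owner; };

/* mmap time: reservations are set up and one css reference is taken. */
static void vma_mmap(struct vma *v, struct resv_map *r) {
    v->resv = r;
    v->owner = true;
    r->css->refcnt++;
}

/* Models hugetlb_vm_op_open; fixed=true takes a reference for the owner only. */
static void vm_op_open(struct vma *v, bool fixed) {
    if (fixed && v->resv && v->owner)
        v->resv->css->refcnt++;
}

/* Models hugetlb_vm_op_close: an owning vma drops one css reference. */
static void vm_op_close(struct vma *v) {
    if (v->resv && v->owner)
        v->resv->css->refcnt--;
    v->resv = NULL;
}

/* Runs mmap, one open (split or fork), then closes both vmas.
 * Returns the remaining count: 0 is balanced, negative is an underflow. */
long run_case(bool fixed, bool is_fork) {
    struct css css = { 0 };
    struct resv_map map = { &css };
    struct vma a, b;
    vma_mmap(&a, &map);
    b = a;                      /* new vma starts as a copy of the old one */
    if (is_fork) {              /* fork: reserve map pointer is cleared for non-owners */
        b.resv = NULL;
        b.owner = false;
    }
    vm_op_open(&b, fixed);
    vm_op_close(&a);
    vm_op_close(&b);
    return css.refcnt;
}

int main(void) {
    printf("split, before fix: %ld\n", run_case(false, false));
    printf("split, after fix:  %ld\n", run_case(true, false));
    printf("fork,  after fix:  %ld\n", run_case(true, true));
    return 0;
}
```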