On 21.11.19 23:09, Roman Gushchin wrote:
> On Thu, Nov 21, 2019 at 12:55:28PM -0800, Roman Gushchin wrote:
>> On Thu, Nov 21, 2019 at 12:43:01PM -0800, Rik van Riel wrote:
>>> On Thu, 2019-11-21 at 13:45 -0500, Roman Gushchin wrote:
>>>> On Thu, Nov 21, 2019 at 05:59:54PM +0100, Christian Borntraeger
>>>> wrote:
>>>>>
>>>>>
>>>>> Yes, rmmod has to be called directly after the guest shutdown to
>>>>> see the issue.
>>>>> See my 2nd mail.
>>>>
>>>> I see. Do you know, which kmem_cache it is? If not, can you, please,
>>>> figure it out?

I can try to figure out.

>>>>
>>>> I tried to reproduce the issue, but wasn't successful so far. So I
>>>> wonder
>>>> what can make your case special.
>>>
>>> I do not know either, but have a guess.
>>>
>>> My guess would be that either the slab object or the
>>> slab page is RCU freed, and the kmem_cache destruction
>>> is called before that RCU callback has completed.
>>>
>>
>> I've a reproducer, but it requires SLAB_TYPESAFE_BY_RCU to panic.
>> The only question is if it's the same or different issues.
>> As soon as I'll have a fix, I'll post it here to test.
> 
> Ah, no, the issue I've reproduced is already fixed by commit b749ecfaf6c5
> ("mm: memcg/slab: fix panic in __free_slab() caused by premature memcg pointer release").
> 
> Christian, can you, please, confirm that you have this one in your tree?

The problem still reproduces on the latest next kernel.
> 
> Also, can you, please, provide you config?

I can but this is an s390 config. 

> And you mentioned some panics, but didn't send any dmesg messages.
> Can you, please, provide them?

Those were all the WARN_ONs from percpu_ref_exit, I just had panic_on_warn enabled.

I attached my config and dmesg just in case for the next kernel of today.