From: Jinjiang Tu <tujinjiang@huawei.com>
To: Miaohe Lin <linmiaohe@huawei.com>
Cc: <linux-mm@kvack.org>, <wangkefeng.wang@huawei.com>,
<sunnanyong@huawei.com>, <akpm@linux-foundation.org>,
<nao.horiguchi@gmail.com>, <david@redhat.com>
Subject: Re: [PATCH 2/2] mm/vmscan: don't try to reclaim hwpoison folio
Date: Thu, 20 Mar 2025 11:37:50 +0800 [thread overview]
Message-ID: <84c9a11c-9ae6-dd27-9fa9-6ab580c649a5@huawei.com> (raw)
In-Reply-To: <8a5ecc18-55f2-4c58-e52e-7fda91e27088@huawei.com>
在 2025/3/20 10:50, Miaohe Lin 写道:
> On 2025/3/18 16:39, Jinjiang Tu wrote:
>> Syzkaller reports a bug as follows:
> Thanks for your fix.
>
>> Injecting memory failure for pfn 0x18b00e at process virtual address 0x20ffd000
>> Memory failure: 0x18b00e: dirty swapcache page still referenced by 2 users
>> Memory failure: 0x18b00e: recovery action for dirty swapcache page: Failed
>> page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x20ffd pfn:0x18b00e
>> memcg:ffff0000dd6d9000
>> anon flags: 0x5ffffe00482011(locked|dirty|arch_1|swapbacked|hwpoison|node=0|zone=2|lastcpupid=0xfffff)
>> raw: 005ffffe00482011 dead000000000100 dead000000000122 ffff0000e232a7c9
>> raw: 0000000000020ffd 0000000000000000 00000002ffffffff ffff0000dd6d9000
>> page dumped because: VM_BUG_ON_FOLIO(!folio_test_uptodate(folio))
>> ------------[ cut here ]------------
>> kernel BUG at mm/swap_state.c:184!
>> Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
>> Modules linked in:
>> CPU: 0 PID: 60 Comm: kswapd0 Not tainted 6.6.0-gcb097e7de84e #3
>> Hardware name: linux,dummy-virt (DT)
>> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
>> pc : add_to_swap+0xbc/0x158
>> lr : add_to_swap+0xbc/0x158
>> sp : ffff800087f37340
>> x29: ffff800087f37340 x28: fffffc00052c0380 x27: ffff800087f37780
>> x26: ffff800087f37490 x25: ffff800087f37c78 x24: ffff800087f377a0
>> x23: ffff800087f37c50 x22: 0000000000000000 x21: fffffc00052c03b4
>> x20: 0000000000000000 x19: fffffc00052c0380 x18: 0000000000000000
>> x17: 296f696c6f662865 x16: 7461646f7470755f x15: 747365745f6f696c
>> x14: 6f6621284f494c4f x13: 0000000000000001 x12: ffff600036d8b97b
>> x11: 1fffe00036d8b97a x10: ffff600036d8b97a x9 : dfff800000000000
>> x8 : 00009fffc9274686 x7 : ffff0001b6c5cbd3 x6 : 0000000000000001
>> x5 : ffff0000c25896c0 x4 : 0000000000000000 x3 : 0000000000000000
>> x2 : 0000000000000000 x1 : ffff0000c25896c0 x0 : 0000000000000000
>> Call trace:
>> add_to_swap+0xbc/0x158
>> shrink_folio_list+0x12ac/0x2648
>> shrink_inactive_list+0x318/0x948
>> shrink_lruvec+0x450/0x720
>> shrink_node_memcgs+0x280/0x4a8
>> shrink_node+0x128/0x978
>> balance_pgdat+0x4f0/0xb20
>> kswapd+0x228/0x438
>> kthread+0x214/0x230
>> ret_from_fork+0x10/0x20
>>
> There are too many races in memory_failure to handle...
>
>> I can reproduce this issue with the following steps:
>> 1) When a dirty swapcache page is isolated by reclaim process and the page
>> isn't locked, inject memory failure for the page. me_swapcache_dirty()
>> clears uptodate flag and tries to delete from lru, but fails. Reclaim
>> process will put the hwpoisoned page back to lru.
> The hwpoisoned page is put back to lru list due to memory_failure holding the extra page refcnt?
Yes
>
>> 2) The process that maps the hwpoisoned page exits, the page is deleted
>> the page will never be freed and will be in the lru forever.
> Again, memory_failure holds the extra page refcnt so...
>
>> 3) If we trigger a reclaim again and tries to reclaim the page,
>> add_to_swap() will trigger VM_BUG_ON_FOLIO due to the uptodate flag is
>> cleared.
>>
>> To fix it, skip the hwpoisoned page in shrink_folio_list(). Besides, the
>> hwpoison folio may not be unmapped by hwpoison_user_mappings() yet, unmap
>> it in shrink_folio_list(), otherwise the folio will fail to be unmaped
>> by hwpoison_user_mappings() since the folio isn't in lru list.
>>
>> Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>
> Acked-by: Miaohe Lin <linmiaohe@huawei.com>
Thanks for your review.
>
> Thanks.
> .
next prev parent reply other threads:[~2025-03-20 3:38 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-18 8:39 [PATCH 0/2] " Jinjiang Tu
2025-03-18 8:39 ` [PATCH 1/2] mm/hwpoison: introduce folio_contain_hwpoisoned_page() helper Jinjiang Tu
2025-03-20 2:36 ` Miaohe Lin
2025-04-01 16:28 ` David Hildenbrand
2025-03-18 8:39 ` [PATCH 2/2] mm/vmscan: don't try to reclaim hwpoison folio Jinjiang Tu
2025-03-20 2:50 ` Miaohe Lin
2025-03-20 3:37 ` Jinjiang Tu [this message]
2025-04-01 16:36 ` David Hildenbrand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=84c9a11c-9ae6-dd27-9fa9-6ab580c649a5@huawei.com \
--to=tujinjiang@huawei.com \
--cc=akpm@linux-foundation.org \
--cc=david@redhat.com \
--cc=linmiaohe@huawei.com \
--cc=linux-mm@kvack.org \
--cc=nao.horiguchi@gmail.com \
--cc=sunnanyong@huawei.com \
--cc=wangkefeng.wang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox