From: Yang Shi
Date: Tue, 5 Apr 2022 13:48:21 -0700
Subject: Re: [Bug 215804] New: [xfstests generic/670] Unable to handle kernel paging request at virtual address fffffbffff000008
To: Matthew Wilcox
Cc: bugzilla-daemon@kernel.org, linux-xfs@vger.kernel.org, Linux MM

On Tue, Apr 5, 2022 at 12:25 PM Matthew Wilcox wrote:
>
> On Tue, Apr 05, 2022 at 04:44:35AM +0000, bugzilla-daemon@kernel.org wrote:
> > https://bugzilla.kernel.org/show_bug.cgi?id=215804
> [...]
> > [37285.232165] Unable to handle kernel paging request at virtual address fffffbffff000008
> > [37285.232776] KASAN: maybe wild-memory-access in range [0x0003dffff8000040-0x0003dffff8000047]
> > [37285.233332] Mem abort info:
> > [37285.233520] ESR = 0x96000006
> > [37285.233725] EC = 0x25: DABT (current EL), IL = 32 bits
> > [37285.234077] SET = 0, FnV = 0
> > [37285.234281] EA = 0, S1PTW = 0
> > [37285.234544] FSC = 0x06: level 2 translation fault
> > [37285.234871] Data abort info:
> > [37285.235065] ISV = 0, ISS = 0x00000006
> > [37285.235319] CM = 0, WnR = 0
> > [37285.235517] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000004574eb000
> > [37285.235953] [fffffbffff000008] pgd=0000000458c71003, p4d=0000000458c71003, pud=0000000458c72003, pmd=0000000000000000
> > [37285.236651] Internal error: Oops: 96000006 [#1] SMP
> > [37285.239187] CPU: 3 PID: 3302514 Comm: xfs_io Kdump: loaded Tainted: G W 5.17.0+ #1
> > [37285.239810] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
> > [37285.240292] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> > [37285.240783] pc : __split_huge_pmd+0x1d8/0x34c
> > [37285.241097] lr : __split_huge_pmd+0x174/0x34c
> > [37285.241407] sp : ffff800023a56fe0
> > [37285.241642] x29: ffff800023a56fe0 x28: 0000000000000000 x27: ffff0001c54d4060
> > [37285.242145] x26: 0000000000000000 x25: 0000000000000000 x24: fffffc00056cf000
> > [37285.242661] x23: 1ffff0000474ae0a x22: ffff0007104fe630 x21: ffff00014fab66b0
> > [37285.243175] x20: ffff800023a57080 x19: fffffbffff000000 x18: 0000000000000000
> > [37285.243689] x17: 0000000000000000 x16: ffffb109a2ec7e30 x15: 0000ffffd9035c10
> > [37285.244202] x14: 00000000f2040000 x13: 0000000000000000 x12: ffff70000474aded
> > [37285.244715] x11: 1ffff0000474adec x10: ffff70000474adec x9 : dfff800000000000
> > [37285.245230] x8 : ffff800023a56f63 x7 : 0000000000000001 x6 : 0000000000000003
> > [37285.245745] x5 : ffff800023a56f60 x4 : ffff70000474adec x3 : 1fffe000cd086e01
> > [37285.246257] x2 : 1fffff7fffe00001 x1 : 0000000000000000 x0 : fffffbffff000008
> > [37285.246770] Call trace:
> > [37285.246952] __split_huge_pmd+0x1d8/0x34c
> > [37285.247246] split_huge_pmd_address+0x10c/0x1a0
> > [37285.247577] try_to_unmap_one+0xb64/0x125c
> > [37285.247878] rmap_walk_file+0x1dc/0x4b0
> > [37285.248159] try_to_unmap+0x134/0x16c
> > [37285.248427] split_huge_page_to_list+0x5ec/0xcbc
> > [37285.248763] truncate_inode_partial_folio+0x194/0x2ec
>
> Clearly this is due to my changes, but I'm wondering why it doesn't
> happen with misaligned mappings and shmem today. Here's the path I
> see as being problematic:
>
> split_huge_page()
>   split_huge_page_to_list()
>     unmap_page()
>       ttu_flags = ... TTU_SPLIT_HUGE_PMD ...
>       try_to_unmap()
>         try_to_unmap_one()
>           split_huge_pmd_address()
>             pmd = pmd_offset(pud, address);
>             __split_huge_pmd(vma, pmd, address, freeze, folio);
>               if (folio) {
>                 if (folio != page_folio(pmd_page(*pmd)))
>
> I'm assuming it's crashing at that line. Calling pmd_page() on a
> pmd that we haven't checked is pmd_trans_huge() seems like a really
> bad idea. I probably compounded that problem by calling page_folio()
> on something that's not necessarily a PMD that points to a page, but
> I think the real sin here is that nobody checks before this that it's
> trans_huge.
>
> Here's Option A for fixing it: Only check pmd_page() after checking
> pmd_trans_huge():
>
> +++ b/mm/huge_memory.c
> @@ -2145,15 +2145,14 @@ void __split_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd,
>  	 * pmd against. Otherwise we can end up replacing wrong folio.
>  	 */
>  	VM_BUG_ON(freeze && !folio);
> -	if (folio) {
> -		VM_WARN_ON_ONCE(!folio_test_locked(folio));
> -		if (folio != page_folio(pmd_page(*pmd)))
> -			goto out;
> -	}
> +	VM_WARN_ON_ONCE(folio && !folio_test_locked(folio));
>
>  	if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd) ||
> -			is_pmd_migration_entry(*pmd))
> +			is_pmd_migration_entry(*pmd)) {
> +		if (folio && folio != page_folio(pmd_page(*pmd)))
> +			goto out;
>  		__split_huge_pmd_locked(vma, pmd, range.start, freeze);
> +	}
>
>  out:
>  	spin_unlock(ptl);
>
> I can think of a few more ways of fixing it, but that one seems best.
> Not tested in any meaningful way, more looking for feedback.

I agree with your analysis. That pmd may be a normal PMD so its so-called pfn is invalid in fact. The fix looks fine to me.
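Review bot: the relocated check `if (folio && folio != page_folio(pmd_page(*pmd)))` is still reached when the guarding condition holds only because of `is_pmd_migration_entry(*pmd)`, i.e. for a non-present PMD carrying a migration swap entry, and `pmd_page()` on such an entry does not name the folio being split; the comparison is therefore sound only if every caller that passes a non-NULL folio guarantees under the ptl that the PMD is still present, so either state that invariant in a comment above the check or resolve the page from the migration entry in that arm. The `VM_WARN_ON_ONCE(folio && !folio_test_locked(folio))` rewrite keeps the original warning for the folio case, and the hunk counts (15 old, 14 new) match the visible lines.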
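A toy C model of the ordering problem described in the quoted message, added here as an illustration; it is not code from the thread or from the kernel. pmd_t, vmemmap, pmd_page(), page_folio(), split_old() and split_new() are constructed stand-ins for their kernel namesakes, and wild_accesses counts reads outside the modelled vmemmap where KASAN would report a wild-memory-access.

```c
/* Toy model of the ordering bug above: pmd_page() is only meaningful on a
 * huge leaf PMD, so calling it first on an empty or table entry reads wild. */
#include <stdbool.h>
#include <stdint.h>

#define PMD_PRESENT 0x1UL
#define PMD_TABLE   0x2UL   /* set: entry points to a PTE table, not a leaf */
#define PFN_SHIFT   12
#define PFN_BASE    0x100UL /* toy RAM: struct pages exist only for pfns */
#define NR_PAGES    64      /* PFN_BASE .. PFN_BASE + NR_PAGES - 1        */

typedef struct { uint64_t val; } pmd_t;
struct page { uint64_t flags; struct page *compound_head; };
static struct page vmemmap[NR_PAGES], unmapped;
int wild_accesses;  /* stand-in for KASAN's wild-memory-access report */

static bool pmd_trans_huge(pmd_t pmd) { return (pmd.val & PMD_PRESENT) && !(pmd.val & PMD_TABLE); }

/* Like the real helper: blindly indexes vmemmap by the pfn bits. */
static struct page *pmd_page(pmd_t pmd)
{
	uint64_t pfn = pmd.val >> PFN_SHIFT;
	if (pfn < PFN_BASE || pfn >= PFN_BASE + NR_PAGES) {
		wild_accesses++;
		return &unmapped;
	}
	return &vmemmap[pfn - PFN_BASE];
}

static struct page *page_folio(struct page *p) { return p->compound_head ? p->compound_head : p; }

/* Original ordering: folio compared before the pmd kind is known.
 * Both variants return true when __split_huge_pmd_locked() would run. */
bool split_old(pmd_t pmd, struct page *folio)
{
	if (folio && folio != page_folio(pmd_page(pmd)))
		return false;
	return pmd_trans_huge(pmd);
}

/* Option A ordering: pmd_page() is reached only for a huge leaf. */
bool split_new(pmd_t pmd, struct page *folio)
{
	return pmd_trans_huge(pmd) &&
	       (!folio || folio == page_folio(pmd_page(pmd)));
}

pmd_t huge_pmd(uint64_t pfn) { return (pmd_t){ (pfn << PFN_SHIFT) | PMD_PRESENT }; }
struct page *toy_page(uint64_t pfn) { return &vmemmap[pfn - PFN_BASE]; }
```

With the empty PMD from the oops (pmd=0000000000000000), split_old() performs the wild read while split_new() never reaches pmd_page().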