From: Hugh Dickins <hughd@google.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Dave Jones <davej@redhat.com>,
Johannes Weiner <hannes@cmpxchg.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: [PATCH] tmpfs: fix shmem_getpage_gfp VM_BUG_ON
Date: Mon, 5 Nov 2012 17:32:41 -0800 (PST)
Message-ID: <alpine.LNX.2.00.1211051729590.963@eggly.anvils>
In-Reply-To: <alpine.LNX.2.00.1211021606580.11106@eggly.anvils>

Fuzzing with trinity hit the "impossible" VM_BUG_ON(error)
(which Fedora has converted to WARNING) in shmem_getpage_gfp():

WARNING: at mm/shmem.c:1151 shmem_getpage_gfp+0xa5c/0xa70()
Pid: 29795, comm: trinity-child4 Not tainted 3.7.0-rc2+ #49
Call Trace:
[<ffffffff8107100f>] warn_slowpath_common+0x7f/0xc0
[<ffffffff8107106a>] warn_slowpath_null+0x1a/0x20
[<ffffffff811903fc>] shmem_getpage_gfp+0xa5c/0xa70
[<ffffffff81190e4f>] shmem_fault+0x4f/0xa0
[<ffffffff8119f391>] __do_fault+0x71/0x5c0
[<ffffffff811a2767>] handle_pte_fault+0x97/0xae0
[<ffffffff811a4a39>] handle_mm_fault+0x289/0x350
[<ffffffff816d091e>] __do_page_fault+0x18e/0x530
[<ffffffff816d0ceb>] do_page_fault+0x2b/0x50
[<ffffffff816cd3b8>] page_fault+0x28/0x30
[<ffffffff816d5688>] tracesys+0xe1/0xe6

Thanks to Johannes for pointing to truncation: free_swap_and_cache()
only does a trylock on the page, so the page lock we've held since
before confirming swap is not enough to protect against truncation.

What cleanup is needed in this case? Just delete_from_swap_cache(),
which takes care of the memcg uncharge.

Reported-by: Dave Jones <davej@redhat.com>
Hypothesis-by: Johannes Weiner <hannes@cmpxchg.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: stable@vger.kernel.org
---
mm/shmem.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
--- 3.7-rc4/mm/shmem.c 2012-10-14 16:16:58.361309122 -0700
+++ linux/mm/shmem.c 2012-11-01 14:31:04.288185742 -0700
@@ -1145,8 +1145,22 @@ repeat:
if (!error) {
error = shmem_add_to_page_cache(page, mapping, index,
gfp, swp_to_radix_entry(swap));
- /* We already confirmed swap, and make no allocation */
- VM_BUG_ON(error);
+ /*
+ * We already confirmed swap under page lock, and make
+ * no memory allocation here, so usually no possibility
+ * of error; but free_swap_and_cache() only trylocks a
+ * page, so it is just possible that the entry has been
+ * truncated or holepunched since swap was confirmed.
+ * shmem_undo_range() will have done some of the
+ * unaccounting, now delete_from_swap_cache() will do
+ * the rest (including mem_cgroup_uncharge_swapcache).
+ * Reset swap.val? No, leave it so "failed" goes back to
+ * "repeat": reading a hole and writing should succeed.
+ */
+ if (error) {
+ VM_BUG_ON(error != -ENOENT);
+ delete_from_swap_cache(page);
+ }
}
if (error)
goto failed;
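
Review bot: The new VM_BUG_ON(error != -ENOENT) inside the "if (error)" block repeats the assumption that was just disproven: it asserts that truncation or holepunch is the only way shmem_add_to_page_cache() can fail here, while the comment above it only argues that there is "usually no possibility of error". The call trace in the changelog shows this path is reached from an ordinary page fault in a trinity child, so on CONFIG_DEBUG_VM kernels any other errno from a similar race would again take the machine down, and the patch is tagged for stable. The cleanup is the same whatever the errno (delete_from_swap_cache(page) followed by "goto failed"), so consider dropping the assertion, or downgrading it to a WARN_ON_ONCE() so an unexpected error is reported without halting. If the assertion stays, the comment should say why no other error (for example a slot that has been repopulated since swap was confirmed) can be returned at this point.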