Re: kernel BUG at include/linux/swapops.h:204!

[Hillf Danton <hdanton@sina.com>]

On Sat, 10 Jul 2021 09:33:26 +0200 Igor Raits wrote:
>Hello,
>
>I've seen one weird bug on 5.12.14 that happened a couple of times when I
>started a bunch of VMs on a server.

Thanks for your report.

>
>I've briefly googled this problem but could not find any relevant commit
>that would fix this issue.

Not sure this is the first report - a similar one [0] from syzbot.

[0] https://lore.kernel.org/linux-mm/00000000000045ff9505c1cfc9ae@google.com/

>
>Do you have any hint how to debug this further or know the fix by any
>chance?

This report has more info about the BUG - in pmd_migration_entry_wait() huge
migration entry is checked under page table lock. And on the updater side,
hme should be set and removed also with ptl held, see below diff.

>
>Thanks in advance. Stack trace following:
>
>[  376.876610] ------------[ cut here ]------------
>[  376.881274] kernel BUG at include/linux/swapops.h:204!
>[  376.886455] invalid opcode: 0000 [#1] SMP NOPTI
>[  376.891014] CPU: 40 PID: 11775 Comm: rpc-worker Tainted: G            E
>    5.12.14-1.gdc.el8.x86_64 #1
>[  376.900464] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380
>Gen10, BIOS U30 05/24/2021
>[  376.909038] RIP: 0010:pmd_migration_entry_wait+0x132/0x140
>[  376.914562] Code: 02 00 00 00 5b 4c 89 c7 5d e9 8a e4 f6 ff 48 81 e2 00
>f0 ff ff 48 f7 d2 48 21 c2 89 d1 f7 c2 81 01 00 00 75 80 e9 44 ff ff ff
><0f> 0b 48 8b 2d 75 bd 30 01 e9 ef fe ff ff 0f 1f 44 00 00 41 55 48
>[  376.933443] RSP: 0000:ffffb65a5e1cfdc8 EFLAGS: 00010246
>[  376.938701] RAX: 0017ffffc0000000 RBX: ffff908b8ecabaf8 RCX:
>ffffffffffffffff
>[  376.945878] RDX: 0000000000000000 RSI: ffff908b8ecabaf8 RDI:
>fffff497473b2ae8
>[  376.953055] RBP: fffff497473b2ae8 R08: fffff49747fa8080 R09:
>0000000000000000
>[  376.960230] R10: 0000000000000000 R11: 0000000000000000 R12:
>0000000000000af8
>[  376.967407] R13: 0400000000000000 R14: 0400000000000080 R15:
>ffff908bbef7b6a8
>[  376.974582] FS:  00007f5bb1f81700(0000) GS:ffff90e87fd80000(0000)
>knlGS:0000000000000000
>[  376.982718] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>[  376.988497] CR2: 00007f5b2bfffd98 CR3: 00000001f793e006 CR4:
>00000000007726e0
>[  376.995673] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
>0000000000000000
>[  377.002849] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
>0000000000000400
>[  377.010026] PKRU: 55555554
>[  377.012745] Call Trace:
>[  377.015207]  __handle_mm_fault+0x5ad/0x6e0
>[  377.019335]  handle_mm_fault+0xc5/0x290
>[  377.023194]  do_user_addr_fault+0x1cd/0x740
>[  377.027406]  exc_page_fault+0x54/0x110
>[  377.031182]  ? asm_exc_page_fault+0x8/0x30
>[  377.035307]  asm_exc_page_fault+0x1e/0x30


+++ x/mm/huge_memory.c
@@ -2983,6 +2983,7 @@ void set_pmd_migration_entry(struct page
 	struct vm_area_struct *vma = pvmw->vma;
 	struct mm_struct *mm = vma->vm_mm;
 	unsigned long address = pvmw->address;
+	spinlock_t *ptl;
 	pmd_t pmdval;
 	swp_entry_t entry;
 	pmd_t pmdswp;
@@ -2998,7 +2999,9 @@ void set_pmd_migration_entry(struct page
 	pmdswp = swp_entry_to_pmd(entry);
 	if (pmd_soft_dirty(pmdval))
 		pmdswp = pmd_swp_mksoft_dirty(pmdswp);
+	ptl = pmd_lock(mm, pvmw->pmd);
 	set_pmd_at(mm, address, pvmw->pmd, pmdswp);
+	spin_unlock(ptl);
 	page_remove_rmap(page, true);
 	put_page(page);
 }
@@ -3009,6 +3012,7 @@ void remove_migration_pmd(struct page_vm
 	struct mm_struct *mm = vma->vm_mm;
 	unsigned long address = pvmw->address;
 	unsigned long mmun_start = address & HPAGE_PMD_MASK;
+	spinlock_t *ptl;
 	pmd_t pmde;
 	swp_entry_t entry;
 
@@ -3028,7 +3032,9 @@ void remove_migration_pmd(struct page_vm
 		page_add_anon_rmap(new, vma, mmun_start, true);
 	else
 		page_add_file_rmap(new, true);
+	ptl = pmd_lock(mm, pvmw->pmd);
 	set_pmd_at(mm, mmun_start, pvmw->pmd, pmde);
+	spin_unlock(ptl);
 	if ((vma->vm_flags & VM_LOCKED) && !PageDoubleMap(new))
 		mlock_vma_page(new);
 	update_mmu_cache_pmd(vma, address, pvmw->pmd);