All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dan Williams <dan.j.williams@intel.com>
To: "Shutemov, Kirill" <kirill.shutemov@intel.com>,
	Matthew Wilcox <willy@infradead.org>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Linux MM <linux-mm@kvack.org>,
	linux-nvdimm <linux-nvdimm@lists.01.org>
Subject: mapcount corruption regression
Date: Mon, 30 Nov 2020 17:20:25 -0800	[thread overview]
Message-ID: <CAPcyv4isen63tJ7q02rvVuu_Rm6QPdT0Bu-P_HJ2zePMySFNNg@mail.gmail.com> (raw)

Kirill, Willy, compound page experts,

I am seeking some debug ideas about the following splat:

BUG: Bad page state in process lt-pmem-ns  pfn:121a12
page:0000000051ef73f7 refcount:0 mapcount:-1024
mapping:0000000000000000 index:0x0 pfn:0x121a12
flags: 0x2ffff800000000()
raw: 002ffff800000000 dead000000000100 0000000000000000 0000000000000000
raw: 0000000000000000 ffff8a6914886b48 00000000fffffbff 0000000000000000
page dumped because: nonzero mapcount
[..]
CPU: 26 PID: 6127 Comm: lt-pmem-ns Tainted: G           OE     5.10.0-rc4+ #450
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
 dump_stack+0x8b/0xb0
 bad_page.cold+0x63/0x94
 free_pcp_prepare+0x224/0x270
 free_unref_page+0x18/0xd0
 pud_free_pmd_page+0x146/0x160
 ioremap_pud_range+0xe3/0x350
 ioremap_page_range+0x108/0x160
 __ioremap_caller.constprop.0+0x174/0x2b0
 ? memremap+0x7a/0x110
 memremap+0x7a/0x110
 devm_memremap+0x53/0xa0
 pmem_attach_disk+0x4ed/0x530 [nd_pmem]

It triggers on v5.10-rc4 not on v5.9, but the bisect comes up with an
ambiguous result. I've run the bisect 3 times and landed on:

032c7ed95817 Merge tag 'arm64-upstream' of
git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

...which does not touch anything near _mapcount. I suspect there is
something unique about the build that lines up the corruption to
happen or not happen.

The test is a simple namespace creation test that results in an
memremap() / ioremap() over several gigabytes of memory capacity. The
-1024 was interesting because that's the GUP_PIN_COUNTING_BIAS, but
that's the _refcount, I did not see any questionable changes to how
_mapcount is manipulated post v5.9. Problem should be reproducible by
running:

make -j TESTS="pmem-ns" check

...in qemu-kvm with some virtual pmem defined:

-object memory-backend-file,id=mem1,share,mem-path=${mem}1,size=$((mem_size+label_size))
-device nvdimm,memdev=mem1,id=nv1,label-size=${label_size}

...where ${mem}1 is a 128GB sparse file $mem_size is 127GB and
$label_size is 128KB.
_______________________________________________
Linux-nvdimm mailing list -- linux-nvdimm@lists.01.org
To unsubscribe send an email to linux-nvdimm-leave@lists.01.org

WARNING: multiple messages have this Message-ID (diff)
From: Dan Williams <dan.j.williams@intel.com>
To: "Shutemov, Kirill" <kirill.shutemov@intel.com>,
	Matthew Wilcox <willy@infradead.org>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Linux MM <linux-mm@kvack.org>,
	linux-nvdimm <linux-nvdimm@lists.01.org>
Subject: mapcount corruption regression
Date: Mon, 30 Nov 2020 17:20:25 -0800	[thread overview]
Message-ID: <CAPcyv4isen63tJ7q02rvVuu_Rm6QPdT0Bu-P_HJ2zePMySFNNg@mail.gmail.com> (raw)

Kirill, Willy, compound page experts,

I am seeking some debug ideas about the following splat:

BUG: Bad page state in process lt-pmem-ns  pfn:121a12
page:0000000051ef73f7 refcount:0 mapcount:-1024
mapping:0000000000000000 index:0x0 pfn:0x121a12
flags: 0x2ffff800000000()
raw: 002ffff800000000 dead000000000100 0000000000000000 0000000000000000
raw: 0000000000000000 ffff8a6914886b48 00000000fffffbff 0000000000000000
page dumped because: nonzero mapcount
[..]
CPU: 26 PID: 6127 Comm: lt-pmem-ns Tainted: G           OE     5.10.0-rc4+ #450
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
 dump_stack+0x8b/0xb0
 bad_page.cold+0x63/0x94
 free_pcp_prepare+0x224/0x270
 free_unref_page+0x18/0xd0
 pud_free_pmd_page+0x146/0x160
 ioremap_pud_range+0xe3/0x350
 ioremap_page_range+0x108/0x160
 __ioremap_caller.constprop.0+0x174/0x2b0
 ? memremap+0x7a/0x110
 memremap+0x7a/0x110
 devm_memremap+0x53/0xa0
 pmem_attach_disk+0x4ed/0x530 [nd_pmem]

It triggers on v5.10-rc4 not on v5.9, but the bisect comes up with an
ambiguous result. I've run the bisect 3 times and landed on:

032c7ed95817 Merge tag 'arm64-upstream' of
git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

...which does not touch anything near _mapcount. I suspect there is
something unique about the build that lines up the corruption to
happen or not happen.

The test is a simple namespace creation test that results in an
memremap() / ioremap() over several gigabytes of memory capacity. The
-1024 was interesting because that's the GUP_PIN_COUNTING_BIAS, but
that's the _refcount, I did not see any questionable changes to how
_mapcount is manipulated post v5.9. Problem should be reproducible by
running:

make -j TESTS="pmem-ns" check

...in qemu-kvm with some virtual pmem defined:

-object memory-backend-file,id=mem1,share,mem-path=${mem}1,size=$((mem_size+label_size))
-device nvdimm,memdev=mem1,id=nv1,label-size=${label_size}

...where ${mem}1 is a 128GB sparse file $mem_size is 127GB and
$label_size is 128KB.

WARNING: multiple messages have this Message-ID (diff)
From: Dan Williams <dan.j.williams@intel.com>
To: "Shutemov, Kirill" <kirill.shutemov@intel.com>,
	Matthew Wilcox <willy@infradead.org>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Linux MM <linux-mm@kvack.org>,
	 linux-nvdimm <linux-nvdimm@lists.01.org>
Subject: mapcount corruption regression
Date: Mon, 30 Nov 2020 17:20:25 -0800	[thread overview]
Message-ID: <CAPcyv4isen63tJ7q02rvVuu_Rm6QPdT0Bu-P_HJ2zePMySFNNg@mail.gmail.com> (raw)

Kirill, Willy, compound page experts,

I am seeking some debug ideas about the following splat:

BUG: Bad page state in process lt-pmem-ns  pfn:121a12
page:0000000051ef73f7 refcount:0 mapcount:-1024
mapping:0000000000000000 index:0x0 pfn:0x121a12
flags: 0x2ffff800000000()
raw: 002ffff800000000 dead000000000100 0000000000000000 0000000000000000
raw: 0000000000000000 ffff8a6914886b48 00000000fffffbff 0000000000000000
page dumped because: nonzero mapcount
[..]
CPU: 26 PID: 6127 Comm: lt-pmem-ns Tainted: G           OE     5.10.0-rc4+ #450
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
 dump_stack+0x8b/0xb0
 bad_page.cold+0x63/0x94
 free_pcp_prepare+0x224/0x270
 free_unref_page+0x18/0xd0
 pud_free_pmd_page+0x146/0x160
 ioremap_pud_range+0xe3/0x350
 ioremap_page_range+0x108/0x160
 __ioremap_caller.constprop.0+0x174/0x2b0
 ? memremap+0x7a/0x110
 memremap+0x7a/0x110
 devm_memremap+0x53/0xa0
 pmem_attach_disk+0x4ed/0x530 [nd_pmem]

It triggers on v5.10-rc4 not on v5.9, but the bisect comes up with an
ambiguous result. I've run the bisect 3 times and landed on:

032c7ed95817 Merge tag 'arm64-upstream' of
git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

...which does not touch anything near _mapcount. I suspect there is
something unique about the build that lines up the corruption to
happen or not happen.

The test is a simple namespace creation test that results in an
memremap() / ioremap() over several gigabytes of memory capacity. The
-1024 was interesting because that's the GUP_PIN_COUNTING_BIAS, but
that's the _refcount, I did not see any questionable changes to how
_mapcount is manipulated post v5.9. Problem should be reproducible by
running:

make -j TESTS="pmem-ns" check

...in qemu-kvm with some virtual pmem defined:

-object memory-backend-file,id=mem1,share,mem-path=${mem}1,size=$((mem_size+label_size))
-device nvdimm,memdev=mem1,id=nv1,label-size=${label_size}

...where ${mem}1 is a 128GB sparse file $mem_size is 127GB and
$label_size is 128KB.


             reply	other threads:[~2020-12-01  1:20 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-12-01  1:20 Dan Williams [this message]
2020-12-01  1:20 ` mapcount corruption regression Dan Williams
2020-12-01  1:20 ` Dan Williams
2020-12-01  1:46 ` Dan Williams
2020-12-01  1:46   ` Dan Williams
2020-12-01  1:46   ` Dan Williams
2020-12-01  2:24 ` Matthew Wilcox
2020-12-01  2:24   ` Matthew Wilcox
2020-12-01 20:42   ` Dan Williams
2020-12-01 20:42     ` Dan Williams
2020-12-01 20:42     ` Dan Williams
2020-12-01 20:49     ` Matthew Wilcox
2020-12-01 20:49       ` Matthew Wilcox
2020-12-02  2:28       ` Dan Williams
2020-12-02  2:28         ` Dan Williams
2020-12-02  2:28         ` Dan Williams
2020-12-02  3:43         ` Matthew Wilcox
2020-12-02  3:43           ` Matthew Wilcox
2020-12-02  5:07           ` Dan Williams
2020-12-02  5:07             ` Dan Williams
2020-12-02  5:07             ` Dan Williams
2020-12-02  8:49             ` Dan Williams
2020-12-02  8:49               ` Dan Williams
2020-12-02  8:49               ` Dan Williams
2020-12-02 22:37               ` Yi Zhang
2020-12-02 22:37                 ` Yi Zhang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAPcyv4isen63tJ7q02rvVuu_Rm6QPdT0Bu-P_HJ2zePMySFNNg@mail.gmail.com \
    --to=dan.j.williams@intel.com \
    --cc=kirill.shutemov@intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=linux-nvdimm@lists.01.org \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.