From: Matthew Wilcox
Date: Wed, 31 Jan 2018 02:54:56 -0800
Subject: Re: [Bug 198497] New: handle_mm_fault / xen_pmd_val / radix_tree_lookup_slot Null pointer
Message-ID: <20180131105456.GC28275@bombadil.infradead.org>
In-Reply-To: <9ff38687-edde-6b4e-4532-9c150f8ea647@rimuhosting.com>
To: xen@randonwebstuff.com
Cc: Laura Abbott, Andrew Morton, linux-mm@kvack.org, bugzilla-daemon@bugzilla.kernel.org

On Tue, Jan 30, 2018 at 11:26:42AM +1300, xen@randonwebstuff.com wrote:
> After, received this stack.
>
> Have not tried memtest86. These are production hosts. This has occurred on
> multiple hosts. I can only recall this occurring on 32 bit kernels. I
> cannot recall issues with other VMs not running that kernel on the same
> hosts.
>
> [ 125.329163] Bad swp_entry: e000000

Mixed news here then ... 'e' is 8 | 4 | 2, so it's not a single bitflip. So no point in running memtest86. I should have made the printk produce leading zeroes, because that's 0x0e00'0000. ptes use the top 5 bits to encode the swapfile, so this swap entry is decoded as swapfile 1, page number 0x0600'0000. That's clearly ludicrous because you don't have a swapfile 1, and if you did, it wouldn't be so large as a terabyte.

I think the next step in debugging this is printing the PTE which gave us this swp_entry. If you can drop the patch I asked you to try, and apply this patch instead, we'll have more idea about what's going on.

Thanks!

diff --git a/mm/memory.c b/mm/memory.c index 403934297a3d..8caaddb07747 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -2892,6 +2892,10 @@ int do_swap_page(struct vm_fault *vmf) if (!page) page = lookup_swap_cache(entry, vma_readahead ? vma : NULL, vmf->address); + if (IS_ERR(page)) { + pte_ERROR(vmf->orig_pte); + page = NULL; + } if (!page) { struct swap_info_struct *si = swp_swap_info(entry); diff --git a/mm/shmem.c b/mm/shmem.c index 7fbe67be86fa..905fa34e022a 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -1651,6 +1651,10 @@ static int shmem_getpage_gfp(struct inode *inode, pgoff_t index, if (swap.val) { /* Look it up and read it in.. */ page = lookup_swap_cache(swap, NULL, 0); + if (IS_ERR(page)) { + pte_ERROR(vmf->orig_pte); + page = NULL; + } if (!page) { /* Or update major stats only when swapin succeeds?? */ if (fault_type) { diff --git a/mm/swap_state.c b/mm/swap_state.c index 39ae7cfad90f..7ee594c8eadd 100644 --- a/mm/swap_state.c +++ b/mm/swap_state.c @@ -334,8 +334,14 @@ struct page *lookup_swap_cache(swp_entry_t entry, struct vm_area_struct *vma, struct page *page; unsigned long ra_info; int win, hits, readahead; + struct address_space *swapper_space = swap_address_space(entry); + + if (!swapper_space) { + pr_err("Bad swp_entry: %lx\n", entry.val); + return ERR_PTR(-EFAULT); + } - page = find_get_page(swap_address_space(entry), swp_offset(entry)); + page = find_get_page(swapper_space, swp_offset(entry)); INC_CACHE_INFO(find_total); if (page) { @@ -676,6 +682,10 @@ struct page *swap_readahead_detect(struct vm_fault *vmf, if ((unlikely(non_swap_entry(entry)))) return NULL; page = lookup_swap_cache(entry, vma, faddr); + if (IS_ERR(page)) { + pte_ERROR(vmf->orig_pte); + page = NULL; + } if (page) return page;
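
Review bot: In the do_swap_page() hunk of mm/memory.c, resetting `page = NULL` after `pte_ERROR(vmf->orig_pte)` sends the bad entry straight into the `if (!page)` branch, where `swp_swap_info(entry)` is called on an entry that lookup_swap_cache() has just reported as having no swap address space. The printout is the purpose of the patch, but it would be safer to end the fault with an error after printing than to continue the swap-in with an entry already known to be invalid.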
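
Review bot: In the shmem_getpage_gfp() hunk of mm/shmem.c, `pte_ERROR(vmf->orig_pte)` does not report the value that was looked up and may not be safe to evaluate. The entry here is `swap`, passed as `lookup_swap_cache(swap, NULL, 0)` with no vma and no address, and nothing in the visible context shows that `vmf` is in scope and non-NULL at this point. Printing `swap.val` together with `index` would identify the bad entry without depending on a fault context; if `vmf` is kept, it needs a NULL check first.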
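
Review bot: In the lookup_swap_cache() hunk of mm/swap_state.c, `pr_err("Bad swp_entry: %lx\n", entry.val)` still prints without leading zeroes, which the message above says made the earlier `e000000` report harder to read; a zero-padded, fixed-width format would avoid that. The function also now returns `ERR_PTR(-EFAULT)` where the visible callers previously tested only for NULL, so any caller not updated by this patch would treat the error pointer as a valid page. It is worth confirming that the three call sites changed here are all of them and documenting the new return convention in a comment on the function.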
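
Review bot: In the swap_readahead_detect() hunk of mm/swap_state.c, once the new block sets `page = NULL` the following `if (page) return page;` does not fire and the rest of the function runs on the bad entry. Returning NULL directly after `pte_ERROR(vmf->orig_pte)`, the way the `non_swap_entry(entry)` check just above does, would keep the remainder of the function away from an entry already known to be invalid.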