From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755113AbbLDUsy (ORCPT ); Fri, 4 Dec 2015 15:48:54 -0500 Received: from userp1040.oracle.com ([156.151.31.81]:32450 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752444AbbLDUsx (ORCPT ); Fri, 4 Dec 2015 15:48:53 -0500 Subject: Re: mm: BUG in __munlock_pagevec To: "Kirill A. Shutemov" References: <565C5C38.3040705@oracle.com> <20151201213801.GA138207@black.fi.intel.com> <5661FBB6.6050307@oracle.com> Cc: Vlastimil Babka , "linux-mm@kvack.org" , LKML From: Sasha Levin Message-ID: <5661FC30.5060707@oracle.com> Date: Fri, 4 Dec 2015 15:48:48 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 MIME-Version: 1.0 In-Reply-To: <5661FBB6.6050307@oracle.com> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-Source-IP: aserv0022.oracle.com [141.146.126.234] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 12/04/2015 03:46 PM, Sasha Levin wrote: > On 12/01/2015 04:38 PM, Kirill A. Shutemov wrote: >> > On Mon, Nov 30, 2015 at 09:24:56AM -0500, Sasha Levin wrote: >>>> >> > Hi all, >>>> >> > >>>> >> > I've hit the following while fuzzing with trinity on the latest -next kernel: >>>> >> > >>>> >> > >>>> >> > [ 850.305385] page:ffffea001a5a0f00 count:0 mapcount:1 mapping:dead000000000400 index:0x1ffffffffff >>>> >> > [ 850.306773] flags: 0x2fffff80000000() >>>> >> > [ 850.307175] page dumped because: VM_BUG_ON_PAGE(1 && PageTail(page)) >>>> >> > [ 850.308027] page_owner info is not active (free page?) >> > Could you check this completely untested patch: >> > >> > diff --git a/mm/mlock.c b/mm/mlock.c >> > index af421d8bd6da..9197b6721a1e 100644 >> > --- a/mm/mlock.c >> > +++ b/mm/mlock.c 
>> > @@ -393,6 +393,13 @@ static unsigned long __munlock_pagevec_fill(struct pagevec *pvec, >> > if (!page || page_zone_id(page) != zoneid) >> > break; >> > >> > + /* >> > + * Do not use pagevec for PTE-mapped THP, >> > + * munlock_vma_pages_range() will handle them. >> > + */ >> > + if (PageTransCompound(page)) >> > + break; >> > + >> > get_page(page); >> > /* >> > * Increase the address that will be returned *before* the > I've started seeing: And: [ 883.470914] kernel BUG at mm/mlock.c:460! [ 883.472612] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 883.474950] Modules linked in: [ 883.476583] CPU: 11 PID: 15210 Comm: trinity-c191 Not tainted 4.4.0-rc3-next-20151203-sasha-00025-gf813aca-dirty #2691 [ 883.481771] task: ffff8801026b4000 ti: ffff8808a25d0000 task.ti: ffff8808a25d0000 [ 883.485068] RIP: 0010:[] [] munlock_vma_pages_range+0x2b3/0xab0 [ 883.493522] RSP: 0018:ffff8808a25d79e8 EFLAGS: 00010246 [ 883.495623] RAX: 0000000000000000 RBX: ffffea0029af2740 RCX: 0000000000000000 [ 883.498478] RDX: 1ffffd400535e4ef RSI: 0000000000000246 RDI: ffffea0029af2778 [ 883.501609] RBP: ffff8808a25d7be0 R08: fffffbfff36d4114 R09: ffffffff9b6a08a4 [ 883.504475] R10: 0000000000000001 R11: 1ffffffff36d410d R12: ffffea0029af2760 [ 883.507422] R13: ffff8808a25d7bb8 R14: dffffc0000000000 R15: ffffea0029af0000 [ 883.510004] FS: 0000000000000000(0000) GS:ffff880aa4600000(0000) knlGS:0000000000000000 [ 883.511243] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 883.512303] CR2: 0000000000639378 CR3: 0000000880b7b000 CR4: 00000000000006a0 [ 883.518040] DR0: 0000000000008ac6 DR1: 0000000000000000 DR2: 0000000000000000 [ 883.519467] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600 [ 883.520662] Stack: [ 883.521038] ffff8811eb99db60 0000000000000002 ffff880aa7fcf000 1ffff101144baf4b [ 883.522493] ffffed023d733b6c 0000000002c97000 000077f75da28510 0000002e00000000 [ 883.524015] ffff8808a25d7a78 ffffea002a6a495c 00007f04ffe7b000 ffffea0029af0001 [ 883.527296] Call 
Trace: [ 883.528482] [] ? munlock_vma_page+0x400/0x400 [ 883.531246] [] ? in_lock_functions+0x30/0x40 [ 883.534027] [] ? get_parent_ip+0xd/0x40 [ 883.536351] [] ? preempt_count_add+0xe9/0x140 [ 883.539045] [] ? free_debug_processing+0x417/0x550 [ 883.542045] [] ? exit_aio+0x365/0x3c0 [ 883.544352] [] exit_mmap+0x1f1/0x420 [ 883.546476] [] ? __khugepaged_exit+0x2ee/0x3a0 [ 883.548906] [] ? SyS_remap_file_pages+0x630/0x630 [ 883.551544] [] ? kmem_cache_free+0x26d/0x2d0 [ 883.553718] [] ? __khugepaged_exit+0x2ff/0x3a0 [ 883.556319] [] ? hugepage_madvise+0x160/0x160 [ 883.558901] [] ? ___might_sleep+0xd6/0x3f0 [ 883.561232] [] ? __might_sleep+0x1f2/0x220 [ 883.566857] [] mmput+0xe5/0x320 [ 883.568416] [] ? sighand_ctor+0x70/0x70 [ 883.570136] [] ? mm_update_next_owner+0x5c9/0x600 [ 883.572272] [] ? preempt_count_add+0xe9/0x140 [ 883.574501] [] do_exit+0xe8d/0x1540 [ 883.577297] [] ? sched_clock+0x44/0x50 [ 883.579268] [] ? local_clock+0x1c/0x20 [ 883.581118] [] ? mm_update_next_owner+0x600/0x600 [ 883.585181] [] ? __context_tracking_exit+0xb1/0xc0 [ 883.587569] [] ? context_tracking_exit+0x11b/0x120 [ 883.589850] [] ? syscall_trace_enter_phase1+0x4aa/0x4f0 [ 883.592297] [] ? enter_from_user_mode+0x80/0x80 [ 883.594603] [] ? 
check_preemption_disabled+0x233/0x250 [ 883.596920] [] do_group_exit+0x1e9/0x330 [ 883.598682] [] SyS_exit_group+0x1d/0x20 [ 883.602748] [] entry_SYSCALL_64_fastpath+0x35/0x99 [ 883.604899] Code: 3c 30 00 74 08 4c 89 ff e8 0b be 08 00 49 8b 07 a9 00 00 10 00 74 22 e8 9c c3 08 00 48 c7 c6 c0 94 b0 8b 48 89 df e8 3d 0f fe ff <0f> 0b 48 c7 c7 e0 f3 ec 8f e8 ad 71 9f 01 e8 7a c3 08 00 4c 89 [ 883.613771] RIP [] munlock_vma_pages_range+0x2b3/0xab0 [ 883.614902] RSP Thanks, Sasha
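Review bot: In the block added ahead of get_page(page) in __munlock_pagevec_fill(), the comment hands PTE-mapped THP over to munlock_vma_pages_range(), but nothing in this hunk changes that function, and the tester's reply then reports a BUG at mm/mlock.c:460 with RIP in munlock_vma_pages_range(). Before this goes further, the assertion at that line should be checked against compound pages that now reach the caller through this break. The comment would also be more useful if it said why the pagevec path cannot take these pages; the original report trips VM_BUG_ON_PAGE(1 && PageTail(page)), and naming that condition next to the PageTransCompound(page) test would make the intent reviewable.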