All of lore.kernel.org
 help / color / mirror / Atom feed
* [patch 09/16] mm/page_io.c: fix oops during block io poll in swapin path
@ 2017-08-02 20:32 akpm
  0 siblings, 0 replies; only message in thread
From: akpm @ 2017-08-02 20:32 UTC (permalink / raw)
  To: torvalds, mm-commits, akpm, penguin-kernel, axboe, hughd, shli,
	tim.c.chen, ying.huang

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Subject: mm/page_io.c: fix oops during block io poll in swapin path

When a thread is OOM-killed during swap_readpage() operation, an oops
occurs because end_swap_bio_read() is calling wake_up_process() based on
an assumption that the thread which called swap_readpage() is still alive.

----------
[  167.408563] Out of memory: Kill process 525 (polkitd) score 0 or sacrifice child
[  167.410592] Killed process 525 (polkitd) total-vm:528128kB, anon-rss:0kB, file-rss:4kB, shmem-rss:0kB
[  167.415666] oom_reaper: reaped process 525 (polkitd), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
[  167.460471] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
[  167.462303] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_raw ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter coretemp ppdev pcspkr vmw_balloon sg shpchp vmw_vmci parport_pc parport i2c_piix4 ip_tables xfs libcrc32c sd_mod sr_mod cdrom ata_generic pata_acpi vmwgfx ahci libahci drm_kms_helper ata_piix syscopyarea sysfillrect sysimgblt fb_sys_fops mptspi scsi_transport_spi ttm e1000 mptscsih drm mptbase i2c_core libata serio_raw
[  167.476975] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.13.0-rc2-next-20170725 #129
[  167.479002] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013
[  167.481523] task: ffffffffb7c16500 task.stack: ffffffffb7c00000
[  167.483240] RIP: 0010:__lock_acquire+0x151/0x12f0
[  167.484808] RSP: 0018:ffffa01f39e03c50 EFLAGS: 00010002
[  167.486659] RAX: 6b6b6b6b6b6b6b6b RBX: 0000000000000000 RCX: 0000000000000000
[  167.488996] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa01f350d0bb8
[  167.491392] RBP: ffffa01f39e03d10 R08: ffffffffb709fefb R09: 0000000000000001
[  167.493375] R10: 0000000000000000 R11: ffffffffb7c16500 R12: 0000000000000001
[  167.495316] R13: 0000000000000000 R14: 0000000000000000 R15: ffffa01f350d0bb8
[  167.497253] FS:  0000000000000000(0000) GS:ffffa01f39e00000(0000) knlGS:0000000000000000
[  167.499384] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  167.501090] CR2: 00007f5ab0e3a9d0 CR3: 000000012dee5000 CR4: 00000000001606f0
[  167.503124] Call Trace:
[  167.504271]  <IRQ>
[  167.505331]  ? free_debug_processing+0x25d/0x3b0
[  167.506807]  ? __slab_free+0x9f/0x280
[  167.508075]  ? __slab_free+0x9f/0x280
[  167.509339]  lock_acquire+0x59/0x80
[  167.510582]  ? lock_acquire+0x59/0x80
[  167.511872]  ? try_to_wake_up+0x3b/0x410
[  167.513133]  _raw_spin_lock_irqsave+0x3b/0x4f
[  167.514449]  ? try_to_wake_up+0x3b/0x410
[  167.515693]  try_to_wake_up+0x3b/0x410
[  167.516857]  ? mempool_free_slab+0x12/0x20
[  167.518068]  ? mempool_free+0x26/0x80
[  167.519291]  wake_up_process+0x10/0x20
[  167.520763]  end_swap_bio_read+0x6f/0xf0
[  167.522229]  bio_endio+0x92/0xb0
[  167.523324]  blk_update_request+0x88/0x270
[  167.524642]  scsi_end_request+0x32/0x1c0
[  167.525864]  scsi_io_completion+0x209/0x680
[  167.527040]  scsi_finish_command+0xd4/0x120
[  167.528210]  scsi_softirq_done+0x120/0x140
[  167.529369]  __blk_mq_complete_request_remote+0xe/0x10
[  167.530809]  flush_smp_call_function_queue+0x51/0x120
[  167.532109]  generic_smp_call_function_single_interrupt+0xe/0x20
[  167.533597]  smp_trace_call_function_single_interrupt+0x22/0x30
[  167.535049]  smp_call_function_single_interrupt+0x9/0x10
[  167.536391]  call_function_single_interrupt+0xa7/0xb0
[  167.537821]  </IRQ>
[  167.538670] RIP: 0010:native_safe_halt+0x6/0x10
[  167.539895] RSP: 0018:ffffffffb7c03df8 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff04
[  167.541602] RAX: ffffffffb7c16500 RBX: ffffffffb7c16500 RCX: 0000000000000000
[  167.543201] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffffffffb7c16500
[  167.544894] RBP: ffffffffb7c03df8 R08: 0000000000000001 R09: 0000000000000000
[  167.546497] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffb7e4fa20
[  167.548023] R13: ffffffffb7c16500 R14: 0000000000000000 R15: 0000000000000000
[  167.549561]  ? trace_hardirqs_on+0xd/0x10
[  167.550593]  default_idle+0xe/0x20
[  167.551521]  arch_cpu_idle+0xa/0x10
[  167.552496]  default_idle_call+0x1e/0x30
[  167.553783]  do_idle+0x187/0x200
[  167.554875]  cpu_startup_entry+0x6e/0x70
[  167.556023]  rest_init+0xd0/0xe0
[  167.556921]  start_kernel+0x456/0x477
[  167.557875]  ? early_idt_handler_array+0x120/0x120
[  167.559018]  x86_64_start_reservations+0x24/0x26
[  167.560104]  x86_64_start_kernel+0xf7/0x11a
[  167.561131]  secondary_startup_64+0xa5/0xa5
[  167.562169] Code: c3 49 81 3f 20 9e 0b b8 41 bc 00 00 00 00 44 0f 45 e2 83 fe 01 0f 87 62 ff ff ff 89 f0 49 8b 44 c7 08 48 85 c0 0f 84 52 ff ff ff <f0> ff 80 98 01 00 00 8b 3d 5a 49 c4 01 45 8b b3 18 0c 00 00 85
[  167.565895] RIP: __lock_acquire+0x151/0x12f0 RSP: ffffa01f39e03c50
[  167.567280] ---[ end trace 6c441db499169b1e ]---
[  167.568400] Kernel panic - not syncing: Fatal exception in interrupt
[  167.569907] Kernel Offset: 0x36000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[  167.572108] ---[ end Kernel panic - not syncing: Fatal exception in interrupt
----------

Fix it by holding a reference to the thread.

[akpm@linux-foundation.org: add comment]
Fixes: 23955622ff8d231b ("swap: add block io poll in swapin path")
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: Shaohua Li <shli@fb.com>
Cc: Tim Chen <tim.c.chen@intel.com>
Cc: Huang Ying <ying.huang@intel.com>
Cc: Jens Axboe <axboe@fb.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 mm/page_io.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff -puN mm/page_io.c~swap-fix-oops-during-block-io-poll-in-swapin-path mm/page_io.c
--- a/mm/page_io.c~swap-fix-oops-during-block-io-poll-in-swapin-path
+++ a/mm/page_io.c
@@ -22,6 +22,7 @@
 #include <linux/frontswap.h>
 #include <linux/blkdev.h>
 #include <linux/uio.h>
+#include <linux/sched/task.h>
 #include <asm/pgtable.h>
 
 static struct bio *get_swap_bio(gfp_t gfp_flags,
@@ -136,6 +137,7 @@ out:
 	WRITE_ONCE(bio->bi_private, NULL);
 	bio_put(bio);
 	wake_up_process(waiter);
+	put_task_struct(waiter);
 }
 
 int generic_swapfile_activate(struct swap_info_struct *sis,
@@ -378,6 +380,11 @@ int swap_readpage(struct page *page, boo
 		goto out;
 	}
 	bdev = bio->bi_bdev;
+	/*
+	 * Keep this task valid during swap readpage because the oom killer may
+	 * attempt to access it in the page fault retry time check.
+	 */
+	get_task_struct(current);
 	bio->bi_private = current;
 	bio_set_op_attrs(bio, REQ_OP_READ, 0);
 	count_vm_event(PSWPIN);
_

^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2017-08-02 20:32 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-08-02 20:32 [patch 09/16] mm/page_io.c: fix oops during block io poll in swapin path akpm

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.