Date: Fri, 7 Aug 2020 17:35:04 +0300
From: "Kirill A. Shutemov"
To: John Hubbard
Cc: Andrew Morton, LKML, linux-mm@kvack.org, willy@infradead.org, cai@lca.pw, rppt@linux.ibm.com, vbabka@suse.cz, william.kucharski@oracle.com, "Kirill A. Shutemov"
Subject: Re: [PATCH v2] mm, dump_page: do not crash with bad compound_mapcount()
Message-ID: <20200807143504.4kudtd4xeoqaroqg@box>
In-Reply-To: <20200804214807.169256-1-jhubbard@nvidia.com>

On Tue, Aug 04, 2020 at 02:48:07PM -0700, John Hubbard wrote:
> If a compound page is being split while dump_page() is being run on that
> page, we can end up calling compound_mapcount() on a page that is no
> longer compound. This leads to a crash (already seen at least once in
> the field), due to the VM_BUG_ON_PAGE() assertion inside
> compound_mapcount().
>
> (The above is from Matthew Wilcox's analysis of Qian Cai's bug report.)
>
> A similar problem is possible, via compound_pincount() instead of
> compound_mapcount().
>
> In order to avoid this kind of crash, make dump_page() slightly more
> robust, by providing a pair of simpler routines that don't contain
> assertions: head_mapcount() and head_pincount().

I find the naming misleading. head_mapcount() and head_pincount() sound like
a mapcount/pincount of the head page, but it's not. It's mapcount and
pincount of the compound page.

Maybe compound_mapcount_head() and compound_pincount_head()? Or
__compound_mapcount() and __compound_pincount().

> For debug tools, we don't want to go *too* far in this direction, but
> this is a simple small fix, and the crash has already been seen, so it's
> a good trade-off.
> > Reported-by: Qian Cai > Suggested-by: Matthew Wilcox > Cc: Vlastimil Babka > Cc: Kirill A. Shutemov > Signed-off-by: John Hubbard > --- > Hi, > > I'm assuming that a fix is not required for -stable, but let me know if > others feel differently. The dump_page() code has changed a lot in that > area. > > Changes since v1 [1]: > > 1) Rebased onto mmotm > > 2) Used a simpler head_*count() approach. > > 3) Added Matthew's Suggested-by: tag > > 4) Support pincount as well as mapcount. > > [1] https://lore.kernel.org/linux-mm/20200804183943.1244828-1-jhubbard@nvidia.com/ > > thanks, > John Hubbard > > include/linux/mm.h | 14 ++++++++++++-- > mm/debug.c | 6 +++--- > 2 files changed, 15 insertions(+), 5 deletions(-) > > diff --git a/include/linux/mm.h b/include/linux/mm.h > index 4f12b2465e80..8ab941cf73f4 100644 > --- a/include/linux/mm.h > +++ b/include/linux/mm.h > @@ -776,6 +776,11 @@ static inline void *kvcalloc(size_t n, size_t size, gfp_t flags) > extern void kvfree(const void *addr); > extern void kvfree_sensitive(const void *addr, size_t len); > > +static inline int head_mapcount(struct page *head) > +{ Do we want VM_BUG_ON_PAGE(!PageHead(head), head) here? > + return atomic_read(compound_mapcount_ptr(head)) + 1; > +} > + > /* > * Mapcount of compound page as a whole, does not include mapped sub-pages. > * > @@ -785,7 +790,7 @@ static inline int compound_mapcount(struct page *page) > { > VM_BUG_ON_PAGE(!PageCompound(page), page); > page = compound_head(page); > - return atomic_read(compound_mapcount_ptr(page)) + 1; > + return head_mapcount(page); > } > > /* 
> @@ -898,11 +903,16 @@ static inline bool hpage_pincount_available(struct page *page) > return PageCompound(page) && compound_order(page) > 1; > } > > +static inline int head_pincount(struct page *head) > +{ Ditto. > + return atomic_read(compound_pincount_ptr(head)); > +} > + > static inline int compound_pincount(struct page *page) > { > VM_BUG_ON_PAGE(!hpage_pincount_available(page), page); > page = compound_head(page); > - return atomic_read(compound_pincount_ptr(page)); > + return head_pincount(page); > } > > static inline void set_compound_order(struct page *page, unsigned int order) > diff --git a/mm/debug.c b/mm/debug.c > index c27fff1e3ca8..69b60637112b 100644 > --- a/mm/debug.c > +++ b/mm/debug.c > @@ -102,12 +102,12 @@ void __dump_page(struct page *page, const char *reason) > if (hpage_pincount_available(page)) { > pr_warn("head:%p order:%u compound_mapcount:%d compound_pincount:%d\n", > head, compound_order(head), > - compound_mapcount(head), > - compound_pincount(head)); > + head_mapcount(head), > + head_pincount(head)); > } else { > pr_warn("head:%p order:%u compound_mapcount:%d\n", > head, compound_order(head), > - compound_mapcount(head)); > + head_mapcount(head)); > } > } > if (PageKsm(page)) > -- > 2.28.0 > -- Kirill A. Shutemov
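
Review bot: head_mapcount(), added in the first include/linux/mm.h hunk (@@ -776), has no comment saying that it expects a head page and deliberately omits the assertion. __dump_page() in mm/debug.c now calls it on a page that, per the commit message, may be split concurrently, so a VM_BUG_ON_PAGE() placed here could fire on the same race the patch is meant to survive. A short comment above the helper stating that contract would keep a later cleanup from adding one. The helper also lands between kvfree_sensitive() and the existing "Mapcount of compound page as a whole" comment; moving it next to compound_mapcount() with its own comment would read better.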
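
Review bot: head_pincount(), added in the include/linux/mm.h hunk at @@ -898, reads compound_pincount_ptr(head) with no guard, whereas compound_pincount() only reaches that read after asserting hpage_pincount_available(), which the context line shows requires compound_order(page) > 1. Document on the helper that the caller must have checked hpage_pincount_available() first, as the __dump_page() caller does, so that it is not picked up for pages where the pincount field is not valid.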
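
Review bot: in the mm/debug.c hunk, __dump_page() still prints the values under the labels compound_mapcount and compound_pincount, but with the assertions gone they can be read from a page that stopped being compound between the hpage_pincount_available(page) check and the read. A one-line comment above the pr_warn() calls noting that the counts are read without assertions and may be stale during a split would help whoever interprets the dump output.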