From: Vlastimil Babka <vbabka@suse.cz>
To: John Hubbard <jhubbard@nvidia.com>,
Andrew Morton <akpm@linux-foundation.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
linux-mm@kvack.org, willy@infradead.org, cai@lca.pw,
kirill@shutemov.name, rppt@linux.ibm.com,
william.kucharski@oracle.com,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Subject: Re: [PATCH v2] mm, dump_page: do not crash with bad compound_mapcount()
Date: Thu, 6 Aug 2020 13:45:11 +0200 [thread overview]
Message-ID: <ac97deea-4638-badd-9495-c9ca313837bb@suse.cz> (raw)
In-Reply-To: <20200804214807.169256-1-jhubbard@nvidia.com>
On 8/4/20 11:48 PM, John Hubbard wrote:
> If a compound page is being split while dump_page() is being run on that
> page, we can end up calling compound_mapcount() on a page that is no
> longer compound. This leads to a crash (already seen at least once in
> the field), due to the VM_BUG_ON_PAGE() assertion inside
> compound_mapcount().
>
> (The above is from Matthew Wilcox's analysis of Qian Cai's bug report.)
>
> A similar problem is possible, via compound_pincount() instead of
> compound_mapcount().
>
> In order to avoid this kind of crash, make dump_page() slightly more
> robust, by providing a pair of simpler routines that don't contain
> assertions: head_mapcount() and head_pincount().
>
> For debug tools, we don't want to go *too* far in this direction, but
> this is a simple small fix, and the crash has already been seen, so it's
> a good trade-off.
>
> Reported-by: Qian Cai <cai@lca.pw>
> Suggested-by: Matthew Wilcox <willy@infradead.org>
> Cc: Vlastimil Babka <vbabka@suse.cz>
> Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
> Signed-off-by: John Hubbard <jhubbard@nvidia.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
> ---
> Hi,
>
> I'm assuming that a fix is not required for -stable, but let me know if
> others feel differently. The dump_page() code has changed a lot in that
> area.
I'd say only if we backport all those changes, as most were to avoid similar
kind of crashes?
How about this additional patch now that we have head_mapcoun()? (I wouldn't
go for squashing as the goal and scope is too different).
----8<----
From 3b3d5b4639eea9c0787eed510a32acdc918d569f Mon Sep 17 00:00:00 2001
From: Vlastimil Babka <vbabka@suse.cz>
Date: Thu, 6 Aug 2020 13:33:58 +0200
Subject: [PATCH] mm, thp: use head_mapcount when we know we have a head page
Patch "mm, dump_page: do not crash with bad compound_mapcount()" has introduced
head_mapcount() to split out the part of compound_mapcount() where we already
know/assume we have a head page. We can use the new function in more places
where we already have a head page, to avoid the overhead of compound_head()
and (with DEBUG_VM) a debug check. This patch does that. There are few more
applicable places, but behind DEBUG_VM so performance is not important, and the
extra debug check in compound_mapcount() could be useful instead.
The bloat-o-meter difference without DEBUG_VM is the following:
add/remove: 0/0 grow/shrink: 1/4 up/down: 32/-56 (-24)
Function old new delta
__split_huge_pmd 2867 2899 +32
shrink_page_list 3860 3847 -13
reuse_swap_page 762 748 -14
page_trans_huge_mapcount 153 139 -14
total_mapcount 187 172 -15
Total: Before=8687306, After=8687282, chg -0.00%
This just shows that compiler wasn't able to prove we have a head page by
itself. In __split_huge_pmd() the eliminated check probably led to different
optimization decisions thus code size increased.
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
---
mm/huge_memory.c | 6 +++---
mm/swapfile.c | 2 +-
mm/vmscan.c | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index 90733cefa528..5927874b7894 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -2125,7 +2125,7 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
* Set PG_double_map before dropping compound_mapcount to avoid
* false-negative page_mapped().
*/
- if (compound_mapcount(page) > 1 && !TestSetPageDoubleMap(page)) {
+ if (head_mapcount(page) > 1 && !TestSetPageDoubleMap(page)) {
for (i = 0; i < HPAGE_PMD_NR; i++)
atomic_inc(&page[i]._mapcount);
}
@@ -2467,7 +2467,7 @@ int total_mapcount(struct page *page)
if (likely(!PageCompound(page)))
return atomic_read(&page->_mapcount) + 1;
- compound = compound_mapcount(page);
+ compound = head_mapcount(page);
if (PageHuge(page))
return compound;
ret = compound;
@@ -2531,7 +2531,7 @@ int page_trans_huge_mapcount(struct page *page, int *total_mapcount)
ret -= 1;
_total_mapcount -= HPAGE_PMD_NR;
}
- mapcount = compound_mapcount(page);
+ mapcount = head_mapcount(page);
ret += mapcount;
_total_mapcount += mapcount;
if (total_mapcount)
diff --git a/mm/swapfile.c b/mm/swapfile.c
index 9ee4211835c6..c5e722de38b8 100644
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -1673,7 +1673,7 @@ static int page_trans_huge_map_swapcount(struct page *page, int *total_mapcount,
map_swapcount -= 1;
_total_mapcount -= HPAGE_PMD_NR;
}
- mapcount = compound_mapcount(page);
+ mapcount = head_mapcount(page);
map_swapcount += mapcount;
_total_mapcount += mapcount;
if (total_mapcount)
diff --git a/mm/vmscan.c b/mm/vmscan.c
index a086c104a9a6..72218cdfd902 100644
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -1248,7 +1248,7 @@ static unsigned int shrink_page_list(struct list_head *page_list,
* away. Chances are some or all of the
* tail pages can be freed without IO.
*/
- if (!compound_mapcount(page) &&
+ if (!head_mapcount(page) &&
split_huge_page_to_list(page,
page_list))
goto activate_locked;
--
2.28.0
next prev parent reply other threads:[~2020-08-06 11:45 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-04 21:48 [PATCH v2] mm, dump_page: do not crash with bad compound_mapcount() John Hubbard
2020-08-06 11:45 ` Vlastimil Babka [this message]
2020-08-06 13:48 ` Matthew Wilcox
2020-08-06 15:13 ` Vlastimil Babka
2020-08-06 15:39 ` Matthew Wilcox
2020-08-06 15:53 ` Vlastimil Babka
2020-08-06 17:15 ` Matthew Wilcox
2020-08-07 14:53 ` Kirill A. Shutemov
2020-08-07 14:35 ` Kirill A. Shutemov
2020-08-07 15:10 ` Matthew Wilcox
2020-08-07 16:48 ` Kirill A. Shutemov
2020-08-07 18:33 ` [PATCH] mm, dump_page: rename head_mapcount() --> head_compound_mapcount() John Hubbard
2020-08-07 22:40 ` [PATCH v2] mm, dump_page: do not crash with bad compound_mapcount() John Hubbard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ac97deea-4638-badd-9495-c9ca313837bb@suse.cz \
--to=vbabka@suse.cz \
--cc=akpm@linux-foundation.org \
--cc=cai@lca.pw \
--cc=jhubbard@nvidia.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=kirill@shutemov.name \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=rppt@linux.ibm.com \
--cc=william.kucharski@oracle.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).