Linux-mm Archive on lore.kernel.org
 help / color / Atom feed
From: Rong Chen <rong.a.chen@intel.com>
To: Michal Hocko <mhocko@kernel.org>
Cc: Oscar Salvador <OSalvador@suse.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Matthew Wilcox <willy@infradead.org>,
	Mike Rapoport <rppt@linux.ibm.com>,
	linux-mm@kvack.org, Andrew Morton <akpm@linux-foundation.org>,
	lkp@01.org
Subject: Re: [LKP] [RFC PATCH] mm, memory_hotplug: fix off-by-one in is_pageblock_removable
Date: Thu, 21 Feb 2019 11:18:07 +0800
Message-ID: <e3fc1372-f3bb-d734-9e3f-d715b85d781d@intel.com> (raw)
In-Reply-To: <20190220125732.GB4525@dhcp22.suse.cz>

Hi,

The patch can fix the issue for me.

Best Regards,
Rong Chen

On 2/20/19 8:57 PM, Michal Hocko wrote:
> Rong Chen,
> coudl you double check this indeed fixes the issue for you please?
>
> On Mon 18-02-19 19:15:44, Michal Hocko wrote:
>> From: Michal Hocko <mhocko@suse.com>
>>
>> Rong Chen has reported the following boot crash
>> [   40.305212] PGD 0 P4D 0
>> [   40.308255] Oops: 0000 [#1] PREEMPT SMP PTI
>> [   40.313055] CPU: 1 PID: 239 Comm: udevd Not tainted 5.0.0-rc4-00149-gefad4e4 #1
>> [   40.321348] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
>> [   40.330813] RIP: 0010:page_mapping+0x12/0x80
>> [   40.335709] Code: 5d c3 48 89 df e8 0e ad 02 00 85 c0 75 da 89 e8 5b 5d c3 0f 1f 44 00 00 53 48 89 fb 48 8b 43 08 48 8d 50 ff a8 01 48 0f 45 da <48> 8b 53 08 48 8d 42 ff 83 e2 01 48 0f 44 c3 48 83 38 ff 74 2f 48
>> [   40.356704] RSP: 0018:ffff88801fa87cd8 EFLAGS: 00010202
>> [   40.362714] RAX: ffffffffffffffff RBX: fffffffffffffffe RCX: 000000000000000a
>> [   40.370798] RDX: fffffffffffffffe RSI: ffffffff820b9a20 RDI: ffff88801e5c0000
>> [   40.378830] RBP: 6db6db6db6db6db7 R08: ffff88801e8bb000 R09: 0000000001b64d13
>> [   40.386902] R10: ffff88801fa87cf8 R11: 0000000000000001 R12: ffff88801e640000
>> [   40.395033] R13: ffffffff820b9a20 R14: ffff88801f145258 R15: 0000000000000001
>> [   40.403138] FS:  00007fb2079817c0(0000) GS:ffff88801dd00000(0000) knlGS:0000000000000000
>> [   40.412243] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [   40.418846] CR2: 0000000000000006 CR3: 000000001fa82000 CR4: 00000000000006a0
>> [   40.426951] Call Trace:
>> [   40.429843]  __dump_page+0x14/0x2c0
>> [   40.433947]  is_mem_section_removable+0x24c/0x2c0
>> [   40.439327]  removable_show+0x87/0xa0
>> [   40.443613]  dev_attr_show+0x25/0x60
>> [   40.447763]  sysfs_kf_seq_show+0xba/0x110
>> [   40.452363]  seq_read+0x196/0x3f0
>> [   40.456282]  __vfs_read+0x34/0x180
>> [   40.460233]  ? lock_acquire+0xb6/0x1e0
>> [   40.464610]  vfs_read+0xa0/0x150
>> [   40.468372]  ksys_read+0x44/0xb0
>> [   40.472129]  ? do_syscall_64+0x1f/0x4a0
>> [   40.476593]  do_syscall_64+0x5e/0x4a0
>> [   40.480809]  ? trace_hardirqs_off_thunk+0x1a/0x1c
>> [   40.486195]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> and bisected it down to efad4e475c31 ("mm, memory_hotplug:
>> is_mem_section_removable do not pass the end of a zone"). The reason for
>> the crash is that the mapping is garbage for poisoned (uninitialized) page.
>> This shouldn't happen as all pages in the zone's boundary should be
>> initialized. Later debugging revealed that the actual problem is an
>> off-by-one when evaluating the end_page. start_pfn + nr_pages resp.
>> zone_end_pfn refers to a pfn after the range and as such it might belong
>> to a differen memory section. This along with CONFIG_SPARSEMEM then
>> makes the loop condition completely bogus because a pointer arithmetic
>> doesn't work for pages from two different sections in that memory model.
>>
>> Fix the issue by reworking is_pageblock_removable to be pfn based and
>> only use struct page where necessary. This makes the code slightly
>> easier to follow and we will remove the problematic pointer arithmetic
>> completely.
>>
>> Fixes: efad4e475c31 ("mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone")
>> Reported-by: <rong.a.chen@intel.com>
>> Signed-off-by: Michal Hocko <mhocko@suse.com>
>> ---
>>   mm/memory_hotplug.c | 27 +++++++++++++++------------
>>   1 file changed, 15 insertions(+), 12 deletions(-)
>>
>> diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
>> index 124e794867c5..1ad28323fb9f 100644
>> --- a/mm/memory_hotplug.c
>> +++ b/mm/memory_hotplug.c
>> @@ -1188,11 +1188,13 @@ static inline int pageblock_free(struct page *page)
>>   	return PageBuddy(page) && page_order(page) >= pageblock_order;
>>   }
>>   
>> -/* Return the start of the next active pageblock after a given page */
>> -static struct page *next_active_pageblock(struct page *page)
>> +/* Return the pfn of the start of the next active pageblock after a given pfn */
>> +static unsigned long next_active_pageblock(unsigned long pfn)
>>   {
>> +	struct page *page = pfn_to_page(pfn);
>> +
>>   	/* Ensure the starting page is pageblock-aligned */
>> -	BUG_ON(page_to_pfn(page) & (pageblock_nr_pages - 1));
>> +	BUG_ON(pfn & (pageblock_nr_pages - 1));
>>   
>>   	/* If the entire pageblock is free, move to the end of free page */
>>   	if (pageblock_free(page)) {
>> @@ -1200,16 +1202,16 @@ static struct page *next_active_pageblock(struct page *page)
>>   		/* be careful. we don't have locks, page_order can be changed.*/
>>   		order = page_order(page);
>>   		if ((order < MAX_ORDER) && (order >= pageblock_order))
>> -			return page + (1 << order);
>> +			return pfn + (1 << order);
>>   	}
>>   
>> -	return page + pageblock_nr_pages;
>> +	return pfn + pageblock_nr_pages;
>>   }
>>   
>> -static bool is_pageblock_removable_nolock(struct page *page)
>> +static bool is_pageblock_removable_nolock(unsigned long pfn)
>>   {
>> +	struct page *page = pfn_to_page(pfn);
>>   	struct zone *zone;
>> -	unsigned long pfn;
>>   
>>   	/*
>>   	 * We have to be careful here because we are iterating over memory
>> @@ -1232,13 +1234,14 @@ static bool is_pageblock_removable_nolock(struct page *page)
>>   /* Checks if this range of memory is likely to be hot-removable. */
>>   bool is_mem_section_removable(unsigned long start_pfn, unsigned long nr_pages)
>>   {
>> -	struct page *page = pfn_to_page(start_pfn);
>> -	unsigned long end_pfn = min(start_pfn + nr_pages, zone_end_pfn(page_zone(page)));
>> -	struct page *end_page = pfn_to_page(end_pfn);
>> +	unsigned long end_pfn, pfn;
>> +
>> +	end_pfn = min(start_pfn + nr_pages,
>> +			zone_end_pfn(page_zone(pfn_to_page(start_pfn))));
>>   
>>   	/* Check the starting page of each pageblock within the range */
>> -	for (; page < end_page; page = next_active_pageblock(page)) {
>> -		if (!is_pageblock_removable_nolock(page))
>> +	for (pfn = start_pfn; pfn < end_pfn; pfn = next_active_pageblock(pfn)) {
>> +		if (!is_pageblock_removable_nolock(pfn))
>>   			return false;
>>   		cond_resched();
>>   	}
>> -- 
>> 2.20.1
>>


  reply index

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-02-18  5:28 [LKP] efad4e475c [ 40.308255] Oops: 0000 [#1] PREEMPT SMP PTI kernel test robot
2019-02-18  7:08 ` Michal Hocko
2019-02-18  8:47   ` Rong Chen
2019-02-18  9:03     ` Michal Hocko
2019-02-18  9:11       ` Rong Chen
2019-02-18  9:29         ` Michal Hocko
2019-02-18  8:55   ` Michal Hocko
2019-02-18 10:01     ` Rong Chen
2019-02-18 10:30       ` Michal Hocko
2019-02-18 14:05         ` Mike Rapoport
2019-02-18 15:20           ` Michal Hocko
2019-02-18 15:22             ` Michal Hocko
2019-02-18 16:48               ` Mike Rapoport
2019-02-18 17:05                 ` Michal Hocko
2019-02-18 17:48                   ` Mike Rapoport
2019-02-18 17:57                   ` Matthew Wilcox
2019-02-18 18:11                     ` Michal Hocko
2019-02-18 19:05                       ` Matthew Wilcox
2019-02-18 18:15 ` [RFC PATCH] mm, memory_hotplug: fix off-by-one in is_pageblock_removable Michal Hocko
2019-02-18 18:31   ` Mike Rapoport
2019-02-20  8:33   ` Oscar Salvador
2019-02-20 12:57   ` Michal Hocko
2019-02-21  3:18     ` Rong Chen [this message]
2019-02-21  7:25       ` [LKP] " Michal Hocko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e3fc1372-f3bb-d734-9e3f-d715b85d781d@intel.com \
    --to=rong.a.chen@intel.com \
    --cc=OSalvador@suse.com \
    --cc=akpm@linux-foundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=lkp@01.org \
    --cc=mhocko@kernel.org \
    --cc=rppt@linux.ibm.com \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-mm Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-mm/0 linux-mm/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-mm linux-mm/ https://lore.kernel.org/linux-mm \
		linux-mm@kvack.org
	public-inbox-index linux-mm

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kvack.linux-mm


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git