linux-kernel.vger.kernel.org archive mirror
From: "Kirill A. Shutemov" <kirill@shutemov.name>
To: Zi Yan <zi.yan@cs.rutgers.edu>
Cc: Fengguang Wu <fengguang.wu@intel.com>,
	Linux Memory Management List <linux-mm@kvack.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Vineet Gupta <Vineet.Gupta1@synopsys.com>,
	"Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>,
	Dan Williams <dan.j.williams@intel.com>,
	Geliang Tang <geliangtang@163.com>
Subject: Re: [pgtable_trans_huge_withdraw] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
Date: Mon, 30 Oct 2017 16:24:29 +0300
Message-ID: <20171030132429.ctve2f2zcofclydo@node.shutemov.name>
In-Reply-To: <3121F405-9F96-41B0-BD28-73BD8EA85B07@cs.rutgers.edu>

On Mon, Oct 30, 2017 at 08:40:01AM -0400, Zi Yan wrote:
> On 30 Oct 2017, at 7:58, Kirill A. Shutemov wrote:
> 
> > On Mon, Oct 30, 2017 at 12:37:01AM +0100, Fengguang Wu wrote:
> >> CC MM people.
> >>
> >> On Sun, Oct 29, 2017 at 11:51:55PM +0100, Fengguang Wu wrote:
> >>> Hi Linus,
> >>>
> >>> Up to now we see the below boot error/warnings when testing v4.14-rc6.
> >>>
> >>> They hit the RC release mainly due to various imperfections in 0day's
> >>> auto bisection. So I manually list them here and CC the likely easy to
> >>> debug ones to the corresponding maintainers in the followup emails.
> >>>
> >>> boot_successes: 4700
> >>> boot_failures: 247
> >>>
> >>> BUG:kernel_hang_in_test_stage: 152
> >>> BUG:kernel_reboot-without-warning_in_test_stage: 10
> >>> BUG:sleeping_function_called_from_invalid_context_at_kernel/locking/mutex.c: 1
> >>> BUG:sleeping_function_called_from_invalid_context_at_kernel/locking/rwsem.c: 3
> >>> BUG:sleeping_function_called_from_invalid_context_at_mm/page_alloc.c: 21
> >>> BUG:soft_lockup-CPU##stuck_for#s: 1
> >>> BUG:unable_to_handle_kernel: 13
> >>
> >> Here is the call trace:
> >>
> >> [  956.669197] [  956.670421] stress-ng: fail:  [27945] stress-ng-numa:
> >> get_mempolicy: errno=22 (Invalid argument)
> >> [  956.670422] [  956.671375] stress-ng: info:  [27945] 5 failures reached,
> >> aborting stress process
> >> [  956.671376] [  956.671551] BUG: unable to handle kernel NULL pointer
> >> dereference at 0000000000000020
> >> [  956.671557] IP: pgtable_trans_huge_withdraw+0x4c/0xc0
> >> [  956.671558] PGD 0 P4D 0 [  956.671560] Oops: 0000 [#1] SMP
> >> [  956.671562] Modules linked in: salsa20_generic salsa20_x86_64 camellia_generic camellia_aesni_avx2 camellia_aesni_avx_x86_64 camellia_x86_64 cast6_avx_x86_64 cast6_generic cast_common serpent_avx2 serpent_avx_x86_64 serpent_sse2_x86_64 serpent_generic twofish_generic twofish_avx_x86_64 ablk_helper twofish_x86_64_3way twofish_x86_64 twofish_common lrw tgr192 wp512 rmd320 rmd256 rmd160 rmd128 md4 sha512_ssse3 sha512_generic rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver intel_rapl sb_edac x86_pkg_temp_thermal intel_powerclamp sd_mod sg coretemp kvm_intel kvm mgag200 irqbypass ttm crct10dif_pclmul crc32_pclmul drm_kms_helper crc32c_intel syscopyarea ghash_clmulni_intel snd_pcm sysfillrect snd_timer pcbc sysimgblt fb_sys_fops ahci snd aesni_intel crypto_simd mxm_wmi glue_helper libahci soundcore cryptd
> >> [  956.671592]  drm ipmi_si pcspkr libata shpchp ipmi_devintf ipmi_msghandler acpi_pad acpi_power_meter wmi ip_tables
> >> [  956.671600] CPU: 78 PID: 28007 Comm: stress-ng-numa Not tainted 4.14.0-rc6 #1
> >> [  956.671600] Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0020.122820161512 12/28/2016
> >> [  956.671601] task: ffff88101c97cd00 task.stack: ffffc90026b04000
> >> [  956.671603] RIP: 0010:pgtable_trans_huge_withdraw+0x4c/0xc0
> >> [  956.671604] RSP: 0018:ffffc90026b07c20 EFLAGS: 00010202
> >> [  956.671604] RAX: ffffea00404c7b80 RBX: 0000000000000000 RCX: 0000000000000001
> >> [  956.671605] RDX: 0000000000000001 RSI: ffff8810931ee000 RDI: ffff881020f11000
> >> [  956.671605] RBP: ffffc90026b07c28 R08: ffff88101a96a190 R09: 000055c2d5137000
> >> [  956.671606] R10: 0000000000000000 R11: 0000000000000000 R12: ffff881020f11000
> >> [  956.671606] R13: ffffc90026b07dd8 R14: ffff8810131ee538 R15: ffffea00404c7bb0
> >> [  956.671607] FS:  0000000000000000(0000) GS:ffff882023080000(0000) knlGS:0000000000000000
> >> [  956.671608] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> [  956.671609] CR2: 0000000000000020 CR3: 000000207ee09001 CR4: 00000000003606e0
> >> [  956.671609] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> >> [  956.671610] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> >> [  956.671610] Call Trace:
> >> [  956.671614]  zap_huge_pmd+0x28a/0x3a0
> >> [  956.671617]  unmap_page_range+0x918/0x9c0
> >> [  956.671619]  unmap_single_vma+0x7d/0xe0
> >> [  956.671621]  unmap_vmas+0x51/0xa0
> >> [  956.671622]  exit_mmap+0x96/0x190
> >> [  956.671625]  mmput+0x6e/0x160
> >> [  956.671626]  do_exit+0x2b3/0xb90
> >> [  956.671627]  do_group_exit+0x43/0xb0
> >> [  956.671628]  SyS_exit_group+0x14/0x20
> >> [  956.671630]  entry_SYSCALL_64_fastpath+0x1a/0xa5
> >> [  956.671631] RIP: 0033:0x7f92a15e11c8
> >> [  956.671631] RSP: 002b:00007fff12384aa8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> >> [  956.671632] RAX: ffffffffffffffda RBX: 00007f92a1dea000 RCX: 00007f92a15e11c8
> >> [  956.671633] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
> >> [  956.671633] RBP: 00007fff12384aa0 R08: 00000000000000e7 R09: ffffffffffffff90
> >> [  956.671634] R10: 00007f92a088b070 R11: 0000000000000246 R12: 00007f92a088add8
> >> [  956.671634] R13: 00007fff12384a18 R14: 00007f92a1df4048 R15: 0000000000000000
> >> [  956.671635] Code: 77 00 00 48 01 f0 48 ba 00 00 00 00 00 ea ff ff 48 c1
> >> e8 0c 48 c1 e0 06 48 01 d0 8b 50 30 85 d2 74 6d 55 48 89 e5 53 48 8b 58 28
> >> <48> 8b 53 20 48 8d 7b 20 48 39 d7 74 49 48 83 ea 20 48 85 d2 48 [
> >> 956.671650] RIP: pgtable_trans_huge_withdraw+0x4c/0xc0 RSP: ffffc90026b07c20
> >> [  956.671651] CR2: 0000000000000020
> >> [  956.671695] ---[ end trace 9ac71716a2cdb192 ]---
> >> [  956.672896] stress-ng: fail:  [27986] stress-ng-numa: get_mempolicy: errno=22 (Invalid argument)
> >
> > +Zi Yan.
> >
> > Could you check if the patch below helps?
> >
> > It seems we forgot to deposit page table on copying pmd migration entry.
> > Current code just leaks newly allocated page table.
> >
> > diff --git a/mm/huge_memory.c b/mm/huge_memory.c
> > index 269b5df58543..84beba5dedda 100644
> > --- a/mm/huge_memory.c
> > +++ b/mm/huge_memory.c
> > @@ -941,6 +941,7 @@ int copy_huge_pmd(struct mm_struct *dst_mm, struct mm_struct *src_mm,
> >  				pmd = pmd_swp_mksoft_dirty(pmd);
> >  			set_pmd_at(src_mm, addr, src_pmd, pmd);
> >  		}
> > +		pgtable_trans_huge_deposit(dst_mm, dst_pmd, pgtable);
> >  		set_pmd_at(dst_mm, addr, dst_pmd, pmd);
> >  		ret = 0;
> >  		goto out_unlock;
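
Review bot: The added pgtable_trans_huge_deposit(dst_mm, dst_pmd, pgtable) call in the migration-entry branch of copy_huge_pmd() comes with no accounting on dst_mm, although this branch now installs a huge PMD entry and keeps a page table for it. The follow-up later in this thread adds add_mm_counter(dst_mm, MM_ANONPAGES, HPAGE_PMD_NR) and atomic_long_inc(&dst_mm->nr_ptes) at the same spot; fold those in so the counters match what the zap_huge_pmd() path undoes at exit. The changelog should also name the pgtable_trans_huge_withdraw NULL dereference from the report, not only the leaked page table.
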
> > -- 
> >  Kirill A. Shutemov
> 
> Thanks for fixing it.
> 
> It seems I also forgot to increase the corresponding counters. Does the patch below look good to you?

Yeah, my bad.

Could you post a proper patch to Andrew?

> diff --git a/mm/huge_memory.c b/mm/huge_memory.c
> index 269b5df58543..1981ed697dab 100644
> --- a/mm/huge_memory.c
> +++ b/mm/huge_memory.c
> @@ -941,6 +941,9 @@ int copy_huge_pmd(struct mm_struct *dst_mm, struct mm_struct *src_mm,
>                                 pmd = pmd_swp_mksoft_dirty(pmd);
>                         set_pmd_at(src_mm, addr, src_pmd, pmd);
>                 }
> +               add_mm_counter(dst_mm, MM_ANONPAGES, HPAGE_PMD_NR);
> +               atomic_long_inc(&dst_mm->nr_ptes);
> +               pgtable_trans_huge_deposit(dst_mm, dst_pmd, pgtable);
>                 set_pmd_at(dst_mm, addr, dst_pmd, pmd);
>                 ret = 0;
>                 goto out_unlock;
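
Review bot: The context and added lines in this hunk are indented with spaces, while the same context in the earlier hunk against mm/huge_memory.c uses tabs, so the patch is whitespace-damaged and will not apply as posted; resend it with git send-email or as an unmangled attachment. It is based on the same blob (269b5df58543) as the earlier one-line fix, so it replaces that fix and should not be stacked on top of it. The formal submission needs a changelog that cites the pgtable_trans_huge_withdraw oops and explains why MM_ANONPAGES and nr_ptes are both bumped on dst_mm in the migration-entry branch, since the three added lines carry no comment.
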
> 
> 
> 
> —
> Best Regards,
> Yan Zi



-- 
 Kirill A. Shutemov
