[PATCH 0/4] mm, xfs, dax: Fixes for memory_failure() handling

[PATCH 0/4] mm, xfs, dax: Fixes for memory_failure() handling

[Dan Williams]

I failed to run the memory error injection section of the ndctl test
suite on linux-next prior to the merge window and as a result some bugs
were missed. While the new enabling targeted reflink enabled XFS
filesystems the bugs cropped up in the surrounding cases of DAX error
injection on ext4-fsdax and device-dax.

One new assumption / clarification in this set is the notion that if a
filesystem's ->notify_failure() handler returns -EOPNOTSUPP, then it
must be the case that the fsdax usage of page->index and page->mapping
are valid. I am fairly certain this is true for
xfs_dax_notify_failure(), but would appreciate another set of eyes.

The bulk of the change is in mm/memory-failure.c, so perhaps this set
should go through Andrew's tree.

---

Dan Williams (4):
      xfs: Quiet notify_failure EOPNOTSUPP cases
      xfs: Fix SB_BORN check in xfs_dax_notify_failure()
      mm/memory-failure: Fix detection of memory_failure() handlers
      mm/memory-failure: Fall back to vma_address() when ->notify_failure() fails


 fs/xfs/xfs_notify_failure.c |    6 +++---
 include/linux/memremap.h    |    5 +++++
 mm/memory-failure.c         |   24 +++++++++++++-----------
 3 files changed, 21 insertions(+), 14 deletions(-)

base-commit: 1c23f9e627a7b412978b4e852793c5e3c3efc555

[PATCH 1/4] xfs: Quiet notify_failure EOPNOTSUPP cases

[Dan Williams]

XFS always registers dax_holder_operations regardless of whether the
filesystem is capable of handling the notifications. The expectation is
that if the notify_failure handler cannot run then there are no
scenarios where it needs to run. In other words the expected semantic is
that page->index and page->mapping are valid for memory_failure() when
the conditions that cause -EOPNOTSUPP in xfs_dax_notify_failure() are
present.

A fallback to the generic memory_failure() path is expected so do not
warn when that happens.

Fixes: 6f643c57d57c ("xfs: implement ->notify_failure() for XFS")
Cc: Shiyang Ruan <ruansy.fnst@fujitsu.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Darrick J. Wong <djwong@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Goldwyn Rodrigues <rgoldwyn@suse.de>
Cc: Jane Chu <jane.chu@oracle.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Naoya Horiguchi <naoya.horiguchi@nec.com>
Cc: Ritesh Harjani <riteshh@linux.ibm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 fs/xfs/xfs_notify_failure.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/xfs/xfs_notify_failure.c b/fs/xfs/xfs_notify_failure.c
index 69d9c83ea4b2..01e2721589c4 100644
--- a/fs/xfs/xfs_notify_failure.c
+++ b/fs/xfs/xfs_notify_failure.c
@@ -181,7 +181,7 @@ xfs_dax_notify_failure(
 	}
 
 	if (mp->m_rtdev_targp && mp->m_rtdev_targp->bt_daxdev == dax_dev) {
-		xfs_warn(mp,
+		xfs_debug(mp,
 			 "notify_failure() not supported on realtime device!");
 		return -EOPNOTSUPP;
 	}
@@ -194,7 +194,7 @@ xfs_dax_notify_failure(
 	}
 
 	if (!xfs_has_rmapbt(mp)) {
-		xfs_warn(mp, "notify_failure() needs rmapbt enabled!");
+		xfs_debug(mp, "notify_failure() needs rmapbt enabled!");
 		return -EOPNOTSUPP;
 	}
 

[PATCH 2/4] xfs: Fix SB_BORN check in xfs_dax_notify_failure()

[Dan Williams]

The SB_BORN flag is stored in the vfs superblock, not xfs_sb.

Fixes: 6f643c57d57c ("xfs: implement ->notify_failure() for XFS")
Cc: Shiyang Ruan <ruansy.fnst@fujitsu.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Darrick J. Wong <djwong@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Goldwyn Rodrigues <rgoldwyn@suse.de>
Cc: Jane Chu <jane.chu@oracle.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Naoya Horiguchi <naoya.horiguchi@nec.com>
Cc: Ritesh Harjani <riteshh@linux.ibm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 fs/xfs/xfs_notify_failure.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/xfs/xfs_notify_failure.c b/fs/xfs/xfs_notify_failure.c
index 01e2721589c4..5b1f9a24ed59 100644
--- a/fs/xfs/xfs_notify_failure.c
+++ b/fs/xfs/xfs_notify_failure.c
@@ -175,7 +175,7 @@ xfs_dax_notify_failure(
 	u64			ddev_start;
 	u64			ddev_end;
 
-	if (!(mp->m_sb.sb_flags & SB_BORN)) {
+	if (!(mp->m_super->s_flags & SB_BORN)) {
 		xfs_warn(mp, "filesystem is not ready for notify_failure()!");
 		return -EIO;
 	}

[PATCH 3/4] mm/memory-failure: Fix detection of memory_failure() handlers

[Dan Williams]

Some pagemap types, like MEMORY_DEVICE_GENERIC (device-dax) do not even
have pagemap ops which results in crash signatures like this:

  BUG: kernel NULL pointer dereference, address: 0000000000000010
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 8000000205073067 P4D 8000000205073067 PUD 2062b3067 PMD 0
  Oops: 0000 [#1] PREEMPT SMP PTI
  CPU: 22 PID: 4535 Comm: device-dax Tainted: G           OE    N 6.0.0-rc2+ #59
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:memory_failure+0x667/0xba0
 [..]
  Call Trace:
   <TASK>
   ? _printk+0x58/0x73
   do_madvise.part.0.cold+0xaf/0xc5

Check for ops before checking if the ops have a memory_failure()
handler.

Fixes: 33a8f7f2b3a3 ("pagemap,pmem: introduce ->memory_failure()")
Cc: Shiyang Ruan <ruansy.fnst@fujitsu.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Darrick J. Wong <djwong@kernel.org>
Cc: Naoya Horiguchi <naoya.horiguchi@nec.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Goldwyn Rodrigues <rgoldwyn@suse.de>
Cc: Jane Chu <jane.chu@oracle.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Ritesh Harjani <riteshh@linux.ibm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 include/linux/memremap.h |    5 +++++
 mm/memory-failure.c      |    2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/include/linux/memremap.h b/include/linux/memremap.h
index 19010491a603..c3b4cc84877b 100644
--- a/include/linux/memremap.h
+++ b/include/linux/memremap.h
@@ -139,6 +139,11 @@ struct dev_pagemap {
 	};
 };
 
+static inline bool pgmap_has_memory_failure(struct dev_pagemap *pgmap)
+{
+	return pgmap->ops && pgmap->ops->memory_failure;
+}
+
 static inline struct vmem_altmap *pgmap_altmap(struct dev_pagemap *pgmap)
 {
 	if (pgmap->flags & PGMAP_ALTMAP_VALID)
diff --git a/mm/memory-failure.c b/mm/memory-failure.c
index 14439806b5ef..8a4294afbfa0 100644
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -1928,7 +1928,7 @@ static int memory_failure_dev_pagemap(unsigned long pfn, int flags,
 	 * Call driver's implementation to handle the memory failure, otherwise
 	 * fall back to generic handler.
 	 */
-	if (pgmap->ops->memory_failure) {
+	if (pgmap_has_memory_failure(pgmap)) {
 		rc = pgmap->ops->memory_failure(pgmap, pfn, 1, flags);
 		/*
 		 * Fall back to generic handler too if operation is not

[PATCH 4/4] mm/memory-failure: Fall back to vma_address() when ->notify_failure() fails

[Dan Williams]

In the case where a filesystem is polled to take over the memory failure
and receives -EOPNOTSUPP it indicates that page->index and page->mapping
are valid for reverse mapping the failure address. Introduce
FSDAX_INVALID_PGOFF to distinguish when add_to_kill() is being called
from mf_dax_kill_procs() by a filesytem vs the typical memory_failure()
path.

Otherwise, vma_pgoff_address() is called with an invalid fsdax_pgoff
which then trips this failing signature:

 kernel BUG at mm/memory-failure.c:319!
 invalid opcode: 0000 [#1] PREEMPT SMP PTI
 CPU: 13 PID: 1262 Comm: dax-pmd Tainted: G           OE    N 6.0.0-rc2+ #62
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
 RIP: 0010:add_to_kill.cold+0x19d/0x209
 [..]
 Call Trace:
  <TASK>
  collect_procs.part.0+0x2c4/0x460
  memory_failure+0x71b/0xba0
  ? _printk+0x58/0x73
  do_madvise.part.0.cold+0xaf/0xc5

Fixes: c36e20249571 ("mm: introduce mf_dax_kill_procs() for fsdax case")
Cc: Shiyang Ruan <ruansy.fnst@fujitsu.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Darrick J. Wong <djwong@kernel.org>
Cc: Naoya Horiguchi <naoya.horiguchi@nec.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Goldwyn Rodrigues <rgoldwyn@suse.de>
Cc: Jane Chu <jane.chu@oracle.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Ritesh Harjani <riteshh@linux.ibm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 mm/memory-failure.c |   22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/mm/memory-failure.c b/mm/memory-failure.c
index 8a4294afbfa0..e424a9dac749 100644
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -345,13 +345,17 @@ static unsigned long dev_pagemap_mapping_shift(struct vm_area_struct *vma,
  * not much we can do.	We just print a message and ignore otherwise.
  */
 
+#define FSDAX_INVALID_PGOFF ULONG_MAX
+
 /*
  * Schedule a process for later kill.
  * Uses GFP_ATOMIC allocations to avoid potential recursions in the VM.
  *
- * Notice: @fsdax_pgoff is used only when @p is a fsdax page.
- *   In other cases, such as anonymous and file-backend page, the address to be
- *   killed can be caculated by @p itself.
+ * Note: @fsdax_pgoff is used only when @p is a fsdax page and a
+ * filesystem with a memory failure handler has claimed the
+ * memory_failure event. In all other cases, page->index and
+ * page->mapping are sufficient for mapping the page back to its
+ * corresponding user virtual address.
  */
 static void add_to_kill(struct task_struct *tsk, struct page *p,
 			pgoff_t fsdax_pgoff, struct vm_area_struct *vma,
@@ -367,11 +371,7 @@ static void add_to_kill(struct task_struct *tsk, struct page *p,
 
 	tk->addr = page_address_in_vma(p, vma);
 	if (is_zone_device_page(p)) {
-		/*
-		 * Since page->mapping is not used for fsdax, we need
-		 * calculate the address based on the vma.
-		 */
-		if (p->pgmap->type == MEMORY_DEVICE_FS_DAX)
+		if (fsdax_pgoff != FSDAX_INVALID_PGOFF)
 			tk->addr = vma_pgoff_address(fsdax_pgoff, 1, vma);
 		tk->size_shift = dev_pagemap_mapping_shift(vma, tk->addr);
 	} else
@@ -523,7 +523,8 @@ static void collect_procs_anon(struct page *page, struct list_head *to_kill,
 			if (!page_mapped_in_vma(page, vma))
 				continue;
 			if (vma->vm_mm == t->mm)
-				add_to_kill(t, page, 0, vma, to_kill);
+				add_to_kill(t, page, FSDAX_INVALID_PGOFF, vma,
+					    to_kill);
 		}
 	}
 	read_unlock(&tasklist_lock);
@@ -559,7 +560,8 @@ static void collect_procs_file(struct page *page, struct list_head *to_kill,
 			 * to be informed of all such data corruptions.
 			 */
 			if (vma->vm_mm == t->mm)
-				add_to_kill(t, page, 0, vma, to_kill);
+				add_to_kill(t, page, FSDAX_INVALID_PGOFF, vma,
+					    to_kill);
 		}
 	}
 	read_unlock(&tasklist_lock);

Re: [PATCH 3/4] mm/memory-failure: Fix detection of memory_failure() handlers

[HORIGUCHI NAOYA(堀口 直也)]

On Fri, Aug 26, 2022 at 10:18:07AM -0700, Dan Williams wrote:
> Some pagemap types, like MEMORY_DEVICE_GENERIC (device-dax) do not even
> have pagemap ops which results in crash signatures like this:
> 
>   BUG: kernel NULL pointer dereference, address: 0000000000000010
>   #PF: supervisor read access in kernel mode
>   #PF: error_code(0x0000) - not-present page
>   PGD 8000000205073067 P4D 8000000205073067 PUD 2062b3067 PMD 0
>   Oops: 0000 [#1] PREEMPT SMP PTI
>   CPU: 22 PID: 4535 Comm: device-dax Tainted: G           OE    N 6.0.0-rc2+ #59
>   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
>   RIP: 0010:memory_failure+0x667/0xba0
>  [..]
>   Call Trace:
>    <TASK>
>    ? _printk+0x58/0x73
>    do_madvise.part.0.cold+0xaf/0xc5
> 
> Check for ops before checking if the ops have a memory_failure()
> handler.
> 
> Fixes: 33a8f7f2b3a3 ("pagemap,pmem: introduce ->memory_failure()")
> Cc: Shiyang Ruan <ruansy.fnst@fujitsu.com>
> Cc: Christoph Hellwig <hch@lst.de>
> Cc: Darrick J. Wong <djwong@kernel.org>
> Cc: Naoya Horiguchi <naoya.horiguchi@nec.com>
> Cc: Al Viro <viro@zeniv.linux.org.uk>
> Cc: Dave Chinner <david@fromorbit.com>
> Cc: Goldwyn Rodrigues <rgoldwyn@suse.de>
> Cc: Jane Chu <jane.chu@oracle.com>
> Cc: Matthew Wilcox <willy@infradead.org>
> Cc: Miaohe Lin <linmiaohe@huawei.com>
> Cc: Ritesh Harjani <riteshh@linux.ibm.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>

Thank you for sending patches, this looks fine to me.

Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>

> ---
>  include/linux/memremap.h |    5 +++++
>  mm/memory-failure.c      |    2 +-
>  2 files changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/include/linux/memremap.h b/include/linux/memremap.h
> index 19010491a603..c3b4cc84877b 100644
> --- a/include/linux/memremap.h
> +++ b/include/linux/memremap.h
> @@ -139,6 +139,11 @@ struct dev_pagemap {
>  	};
>  };
>  
> +static inline bool pgmap_has_memory_failure(struct dev_pagemap *pgmap)
> +{
> +	return pgmap->ops && pgmap->ops->memory_failure;
> +}
> +
>  static inline struct vmem_altmap *pgmap_altmap(struct dev_pagemap *pgmap)
>  {
>  	if (pgmap->flags & PGMAP_ALTMAP_VALID)
> diff --git a/mm/memory-failure.c b/mm/memory-failure.c
> index 14439806b5ef..8a4294afbfa0 100644
> --- a/mm/memory-failure.c
> +++ b/mm/memory-failure.c
> @@ -1928,7 +1928,7 @@ static int memory_failure_dev_pagemap(unsigned long pfn, int flags,
>  	 * Call driver's implementation to handle the memory failure, otherwise
>  	 * fall back to generic handler.
>  	 */
> -	if (pgmap->ops->memory_failure) {
> +	if (pgmap_has_memory_failure(pgmap)) {
>  		rc = pgmap->ops->memory_failure(pgmap, pfn, 1, flags);
>  		/*
>  		 * Fall back to generic handler too if operation is not

Re: [PATCH 4/4] mm/memory-failure: Fall back to vma_address() when ->notify_failure() fails

[HORIGUCHI NAOYA(堀口 直也)]

On Fri, Aug 26, 2022 at 10:18:14AM -0700, Dan Williams wrote:
> In the case where a filesystem is polled to take over the memory failure
> and receives -EOPNOTSUPP it indicates that page->index and page->mapping
> are valid for reverse mapping the failure address. Introduce
> FSDAX_INVALID_PGOFF to distinguish when add_to_kill() is being called
> from mf_dax_kill_procs() by a filesytem vs the typical memory_failure()
> path.
> 
> Otherwise, vma_pgoff_address() is called with an invalid fsdax_pgoff
> which then trips this failing signature:
> 
>  kernel BUG at mm/memory-failure.c:319!
>  invalid opcode: 0000 [#1] PREEMPT SMP PTI
>  CPU: 13 PID: 1262 Comm: dax-pmd Tainted: G           OE    N 6.0.0-rc2+ #62
>  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
>  RIP: 0010:add_to_kill.cold+0x19d/0x209
>  [..]
>  Call Trace:
>   <TASK>
>   collect_procs.part.0+0x2c4/0x460
>   memory_failure+0x71b/0xba0
>   ? _printk+0x58/0x73
>   do_madvise.part.0.cold+0xaf/0xc5
> 
> Fixes: c36e20249571 ("mm: introduce mf_dax_kill_procs() for fsdax case")
> Cc: Shiyang Ruan <ruansy.fnst@fujitsu.com>
> Cc: Christoph Hellwig <hch@lst.de>
> Cc: Darrick J. Wong <djwong@kernel.org>
> Cc: Naoya Horiguchi <naoya.horiguchi@nec.com>
> Cc: Al Viro <viro@zeniv.linux.org.uk>
> Cc: Dave Chinner <david@fromorbit.com>
> Cc: Goldwyn Rodrigues <rgoldwyn@suse.de>
> Cc: Jane Chu <jane.chu@oracle.com>
> Cc: Matthew Wilcox <willy@infradead.org>
> Cc: Miaohe Lin <linmiaohe@huawei.com>
> Cc: Ritesh Harjani <riteshh@linux.ibm.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>

Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>

Re: [PATCH 3/4] mm/memory-failure: Fix detection of memory_failure() handlers

[Miaohe Lin]

On 2022/8/27 1:18, Dan Williams wrote:
> Some pagemap types, like MEMORY_DEVICE_GENERIC (device-dax) do not even
> have pagemap ops which results in crash signatures like this:
> 
>   BUG: kernel NULL pointer dereference, address: 0000000000000010
>   #PF: supervisor read access in kernel mode
>   #PF: error_code(0x0000) - not-present page
>   PGD 8000000205073067 P4D 8000000205073067 PUD 2062b3067 PMD 0
>   Oops: 0000 [#1] PREEMPT SMP PTI
>   CPU: 22 PID: 4535 Comm: device-dax Tainted: G           OE    N 6.0.0-rc2+ #59
>   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
>   RIP: 0010:memory_failure+0x667/0xba0
>  [..]
>   Call Trace:
>    <TASK>
>    ? _printk+0x58/0x73
>    do_madvise.part.0.cold+0xaf/0xc5
> 
> Check for ops before checking if the ops have a memory_failure()
> handler.
> 
> Fixes: 33a8f7f2b3a3 ("pagemap,pmem: introduce ->memory_failure()")
> Cc: Shiyang Ruan <ruansy.fnst@fujitsu.com>
> Cc: Christoph Hellwig <hch@lst.de>
> Cc: Darrick J. Wong <djwong@kernel.org>
> Cc: Naoya Horiguchi <naoya.horiguchi@nec.com>
> Cc: Al Viro <viro@zeniv.linux.org.uk>
> Cc: Dave Chinner <david@fromorbit.com>
> Cc: Goldwyn Rodrigues <rgoldwyn@suse.de>
> Cc: Jane Chu <jane.chu@oracle.com>
> Cc: Matthew Wilcox <willy@infradead.org>
> Cc: Miaohe Lin <linmiaohe@huawei.com>
> Cc: Ritesh Harjani <riteshh@linux.ibm.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>

LGTM. Thanks for fixing this.

Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>

Thanks,
Miaohe Lin


> ---
>  include/linux/memremap.h |    5 +++++
>  mm/memory-failure.c      |    2 +-
>  2 files changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/include/linux/memremap.h b/include/linux/memremap.h
> index 19010491a603..c3b4cc84877b 100644
> --- a/include/linux/memremap.h
> +++ b/include/linux/memremap.h
> @@ -139,6 +139,11 @@ struct dev_pagemap {
>  	};
>  };
>  
> +static inline bool pgmap_has_memory_failure(struct dev_pagemap *pgmap)
> +{
> +	return pgmap->ops && pgmap->ops->memory_failure;
> +}
> +
>  static inline struct vmem_altmap *pgmap_altmap(struct dev_pagemap *pgmap)
>  {
>  	if (pgmap->flags & PGMAP_ALTMAP_VALID)
> diff --git a/mm/memory-failure.c b/mm/memory-failure.c
> index 14439806b5ef..8a4294afbfa0 100644
> --- a/mm/memory-failure.c
> +++ b/mm/memory-failure.c
> @@ -1928,7 +1928,7 @@ static int memory_failure_dev_pagemap(unsigned long pfn, int flags,
>  	 * Call driver's implementation to handle the memory failure, otherwise
>  	 * fall back to generic handler.
>  	 */
> -	if (pgmap->ops->memory_failure) {
> +	if (pgmap_has_memory_failure(pgmap)) {
>  		rc = pgmap->ops->memory_failure(pgmap, pfn, 1, flags);
>  		/*
>  		 * Fall back to generic handler too if operation is not
> 
> 
> .
> 

Re: [PATCH 4/4] mm/memory-failure: Fall back to vma_address() when ->notify_failure() fails

[Miaohe Lin]

On 2022/8/27 1:18, Dan Williams wrote:
> In the case where a filesystem is polled to take over the memory failure
> and receives -EOPNOTSUPP it indicates that page->index and page->mapping
> are valid for reverse mapping the failure address. Introduce
> FSDAX_INVALID_PGOFF to distinguish when add_to_kill() is being called
> from mf_dax_kill_procs() by a filesytem vs the typical memory_failure()
> path.

Thanks for fixing.
I'm sorry but I can't find the bug report email. Do you mean mf_dax_kill_procs() can
pass an invalid pgoff to the add_to_kill()? But it seems pgoff is guarded against invalid
value by vma_interval_tree_foreach() in collect_procs_fsdax(). So pgoff should be an valid
value. Or am I miss something?

Thanks,
Miaohe Lin

> 
> Otherwise, vma_pgoff_address() is called with an invalid fsdax_pgoff
> which then trips this failing signature:
> 
>  kernel BUG at mm/memory-failure.c:319!
>  invalid opcode: 0000 [#1] PREEMPT SMP PTI
>  CPU: 13 PID: 1262 Comm: dax-pmd Tainted: G           OE    N 6.0.0-rc2+ #62
>  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
>  RIP: 0010:add_to_kill.cold+0x19d/0x209
>  [..]
>  Call Trace:
>   <TASK>
>   collect_procs.part.0+0x2c4/0x460
>   memory_failure+0x71b/0xba0
>   ? _printk+0x58/0x73
>   do_madvise.part.0.cold+0xaf/0xc5
> 
> Fixes: c36e20249571 ("mm: introduce mf_dax_kill_procs() for fsdax case")
> Cc: Shiyang Ruan <ruansy.fnst@fujitsu.com>
> Cc: Christoph Hellwig <hch@lst.de>
> Cc: Darrick J. Wong <djwong@kernel.org>
> Cc: Naoya Horiguchi <naoya.horiguchi@nec.com>
> Cc: Al Viro <viro@zeniv.linux.org.uk>
> Cc: Dave Chinner <david@fromorbit.com>
> Cc: Goldwyn Rodrigues <rgoldwyn@suse.de>
> Cc: Jane Chu <jane.chu@oracle.com>
> Cc: Matthew Wilcox <willy@infradead.org>
> Cc: Miaohe Lin <linmiaohe@huawei.com>
> Cc: Ritesh Harjani <riteshh@linux.ibm.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> ---
>  mm/memory-failure.c |   22 ++++++++++++----------
>  1 file changed, 12 insertions(+), 10 deletions(-)
> 
> diff --git a/mm/memory-failure.c b/mm/memory-failure.c
> index 8a4294afbfa0..e424a9dac749 100644
> --- a/mm/memory-failure.c
> +++ b/mm/memory-failure.c
> @@ -345,13 +345,17 @@ static unsigned long dev_pagemap_mapping_shift(struct vm_area_struct *vma,
>   * not much we can do.	We just print a message and ignore otherwise.
>   */
>  
> +#define FSDAX_INVALID_PGOFF ULONG_MAX
> +
>  /*
>   * Schedule a process for later kill.
>   * Uses GFP_ATOMIC allocations to avoid potential recursions in the VM.
>   *
> - * Notice: @fsdax_pgoff is used only when @p is a fsdax page.
> - *   In other cases, such as anonymous and file-backend page, the address to be
> - *   killed can be caculated by @p itself.
> + * Note: @fsdax_pgoff is used only when @p is a fsdax page and a
> + * filesystem with a memory failure handler has claimed the
> + * memory_failure event. In all other cases, page->index and
> + * page->mapping are sufficient for mapping the page back to its
> + * corresponding user virtual address.
>   */
>  static void add_to_kill(struct task_struct *tsk, struct page *p,
>  			pgoff_t fsdax_pgoff, struct vm_area_struct *vma,
> @@ -367,11 +371,7 @@ static void add_to_kill(struct task_struct *tsk, struct page *p,
>  
>  	tk->addr = page_address_in_vma(p, vma);
>  	if (is_zone_device_page(p)) {
> -		/*
> -		 * Since page->mapping is not used for fsdax, we need
> -		 * calculate the address based on the vma.
> -		 */
> -		if (p->pgmap->type == MEMORY_DEVICE_FS_DAX)
> +		if (fsdax_pgoff != FSDAX_INVALID_PGOFF)
>  			tk->addr = vma_pgoff_address(fsdax_pgoff, 1, vma);
>  		tk->size_shift = dev_pagemap_mapping_shift(vma, tk->addr);
>  	} else
> @@ -523,7 +523,8 @@ static void collect_procs_anon(struct page *page, struct list_head *to_kill,
>  			if (!page_mapped_in_vma(page, vma))
>  				continue;
>  			if (vma->vm_mm == t->mm)
> -				add_to_kill(t, page, 0, vma, to_kill);
> +				add_to_kill(t, page, FSDAX_INVALID_PGOFF, vma,
> +					    to_kill);
>  		}
>  	}
>  	read_unlock(&tasklist_lock);
> @@ -559,7 +560,8 @@ static void collect_procs_file(struct page *page, struct list_head *to_kill,
>  			 * to be informed of all such data corruptions.
>  			 */
>  			if (vma->vm_mm == t->mm)
> -				add_to_kill(t, page, 0, vma, to_kill);
> +				add_to_kill(t, page, FSDAX_INVALID_PGOFF, vma,
> +					    to_kill);
>  		}
>  	}
>  	read_unlock(&tasklist_lock);
> 
> 
> .
> 

Re: [PATCH 4/4] mm/memory-failure: Fall back to vma_address() when ->notify_failure() fails

[Dan Williams]

Miaohe Lin wrote:
> On 2022/8/27 1:18, Dan Williams wrote:
> > In the case where a filesystem is polled to take over the memory failure
> > and receives -EOPNOTSUPP it indicates that page->index and page->mapping
> > are valid for reverse mapping the failure address. Introduce
> > FSDAX_INVALID_PGOFF to distinguish when add_to_kill() is being called
> > from mf_dax_kill_procs() by a filesytem vs the typical memory_failure()
> > path.
> 
> Thanks for fixing.
> I'm sorry but I can't find the bug report email. 

Report is here:

https://lore.kernel.org/all/63069db388d43_1b3229426@dwillia2-xfh.jf.intel.com.notmuch/

> Do you mean mf_dax_kill_procs() can pass an invalid pgoff to the
> add_to_kill()? 

No, the problem is that ->notify_failure() returns -EOPNOTSUPP so
memory_failure_dev_pagemap() falls back to mf_generic_kill_procs().
However, mf_generic_kill_procs() end up passing '0' for fsdax_pgoff from
collect_procs_file() to add_to_kill(). A '0' for fsdax_pgoff results in
vma_pgoff_address() returning -EFAULT which causes the VM_BUG_ON() in
dev_pagemap_mapping_shift().

Re: [PATCH 4/4] mm/memory-failure: Fall back to vma_address() when ->notify_failure() fails

[Miaohe Lin]

On 2022/8/30 11:57, Dan Williams wrote:
> Miaohe Lin wrote:
>> On 2022/8/27 1:18, Dan Williams wrote:
>>> In the case where a filesystem is polled to take over the memory failure
>>> and receives -EOPNOTSUPP it indicates that page->index and page->mapping
>>> are valid for reverse mapping the failure address. Introduce
>>> FSDAX_INVALID_PGOFF to distinguish when add_to_kill() is being called
>>> from mf_dax_kill_procs() by a filesytem vs the typical memory_failure()
>>> path.
>>
>> Thanks for fixing.
>> I'm sorry but I can't find the bug report email. 
> 
> Report is here:
> 
> https://lore.kernel.org/all/63069db388d43_1b3229426@dwillia2-xfh.jf.intel.com.notmuch/
> 
>> Do you mean mf_dax_kill_procs() can pass an invalid pgoff to the
>> add_to_kill()? 
> 
> No, the problem is that ->notify_failure() returns -EOPNOTSUPP so
> memory_failure_dev_pagemap() falls back to mf_generic_kill_procs().
> However, mf_generic_kill_procs() end up passing '0' for fsdax_pgoff from
> collect_procs_file() to add_to_kill(). A '0' for fsdax_pgoff results in
> vma_pgoff_address() returning -EFAULT which causes the VM_BUG_ON() in
> dev_pagemap_mapping_shift().

Many thanks for your explanation.

Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>

Thanks,
Miaohe Lin

Re: [PATCH 1/4] xfs: Quiet notify_failure EOPNOTSUPP cases

[Christoph Hellwig]

On Fri, Aug 26, 2022 at 10:17:54AM -0700, Dan Williams wrote:
> XFS always registers dax_holder_operations regardless of whether the
> filesystem is capable of handling the notifications. The expectation is
> that if the notify_failure handler cannot run then there are no
> scenarios where it needs to run. In other words the expected semantic is
> that page->index and page->mapping are valid for memory_failure() when
> the conditions that cause -EOPNOTSUPP in xfs_dax_notify_failure() are
> present.
> 
> A fallback to the generic memory_failure() path is expected so do not
> warn when that happens.

Looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>

Re: [PATCH 2/4] xfs: Fix SB_BORN check in xfs_dax_notify_failure()

[Christoph Hellwig]

On Fri, Aug 26, 2022 at 10:18:01AM -0700, Dan Williams wrote:
> The SB_BORN flag is stored in the vfs superblock, not xfs_sb.

Oops, yes:

Reviewed-by: Christoph Hellwig <hch@lst.de>

Re: [PATCH 3/4] mm/memory-failure: Fix detection of memory_failure() handlers

[Christoph Hellwig]

Looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>

Re: [PATCH 4/4] mm/memory-failure: Fall back to vma_address() when ->notify_failure() fails

[Christoph Hellwig]

Looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>