Received: by 10.223.148.5 with SMTP id 5csp7569938wrq;
        Thu, 18 Jan 2018 06:59:46 -0800 (PST)
X-Google-Smtp-Source: ACJfBos7O84yd1oti3B8zNAaNBzlY8BTSQLbEjVPFjm9ER0VWWDy+Ty+qXYSu4cOhP0BnKjM6k5R
X-Received: by 10.98.137.75 with SMTP id v72mr4321783pfd.189.1516287586450;
        Thu, 18 Jan 2018 06:59:46 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516287586; cv=none;
        d=google.com; s=arc-20160816;
        b=AZkb+SaPQzgbgBA4JurGPSl4c4Y2NfAyzXKpCUS268SLgYUMP+9szGsBALa6+fYQ+m
         5TMcNSRv17IgmBpAbP/IAgWhu9id8wS97FZqfX6K8KZe+pyHY0ZCYT2fwcfovJY5R1x9
         DGdYd4xFXbHP2WPqFWFJyBAolp1SQei/bJbhfUct0bGIS/NRYnYRm1d7EfyBimttqqiX
         jq1DaTVWQXhihtCjm9jJHn8BLGx5UBZA4X1zGZwOGTarWd0MdY+4GRRgpoV+pcDugFdY
         8R0k8jZGKrQ8E/ZSBuwxB4GAc6nlaanTQgPwsnR8aXPN/PLOkeVzJiQeOe12NcGGqUn1
         qA4Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature:arc-authentication-results;
        bh=GRudmaK5wFyTFJ5G28zUJCGE3Jjv7szwYIkjyw15mx8=;
        b=jywoPd0eEsQnSdAcHoY1S5mrhjANrAMiqiFTClGbdjoLa7gYr3HtUYNE6BzJMX6Xal
         yF3LpteBCVzFdWRhXTihu6NSI5yMnM0iwoqZM6no5uFf3ubH+S9CXL5HZ1ber2WSfX93
         PzBPMqOyD5F2zq+QA1FU1uVIpzqdJDWIVVchOFo+/chlz4Q1DbHVE7RFKpwGVhJcg5Kn
         XUvyjNMkkUg5AElXQQFrYG13KwCqr/U6tZJ13QN5RW/ba9BxoSvjT27IxDNpMa9IvnKb
         3Hnmei9xYRKOvJgvAw+IBzz1F50yDdQAKfOQt2/ubxlJPviinshiMpV2NOOwfWlDJdjT
         WvYQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@shutemov-name.20150623.gappssmtp.com header.s=20150623 header.b=NRV+Ze13;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 84si5872453pfp.230.2018.01.18.06.59.32;
        Thu, 18 Jan 2018 06:59:46 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@shutemov-name.20150623.gappssmtp.com header.s=20150623 header.b=NRV+Ze13;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1756104AbeARNMQ (ORCPT <rfc822;tibaldi.amos@gmail.com>
        + 99 others); Thu, 18 Jan 2018 08:12:16 -0500
Received: from mail-wm0-f65.google.com ([74.125.82.65]:46849 "EHLO
        mail-wm0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1755820AbeARNMO (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 18 Jan 2018 08:12:14 -0500
Received: by mail-wm0-f65.google.com with SMTP id 143so21799467wma.5
        for <linux-kernel@vger.kernel.org>; Thu, 18 Jan 2018 05:12:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=shutemov-name.20150623.gappssmtp.com; s=20150623;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=GRudmaK5wFyTFJ5G28zUJCGE3Jjv7szwYIkjyw15mx8=;
        b=NRV+Ze13uzoH+QqV+ZNz3dWJPW2QQmk3T6qzW5yIiVtJW8Qm2wZIKrRSDxrioYgc0c
         9ihXQ45rXAJTkUGdXeFbDsDVXsplP5fE0QwkLkoYbCZk0k4FxYWhF1WAHWMeY7/NPjiK
         1hOhd5cLQDHxQhaAN+Jb3kyaXrsEsFtbeWD9HtiDuuatkb1PHBtlBuXKsP4oHiFvjUGg
         e2CBefyn6uDtxezDBLto7Fv6BAgZjDAlHxLul4wTdABDDGRL+UfvYzabRG0BQRXW8bRy
         uxiippOtyzTOh1bVH3dmPo6V5OhE0tVFZfTqvnx4sKUzlncHqWhYaG7/Qv9VaLyj5Xre
         WOKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=GRudmaK5wFyTFJ5G28zUJCGE3Jjv7szwYIkjyw15mx8=;
        b=Nu+QJ5muC15q83VO8JhWqqBA2yvaZaikiaaBV58qLNVdxsMGXlwrNf9SzJ2VKWJ62h
         TfY53F1rzK1airlCNiEMe2wWTlyzB1p0NQ4gmuGaU5xjEaZMCtd8QpJAnWedcB0fjbhk
         gZ0ab0kW3lElViG3jS4Mk6xNMuhr893KPuFQvgIVtCjs7RyzPfZqqjTG2PZozimq1jFJ
         AZmG7f9SXiY75KBot2NWDdCAd5njT8mmvnaZtCCXrghXW5MZIsXJvcHsyUTOPdlHYuBN
         /1gk6c4gHhf1APUId3cdAYgqTmGfTtbxLhyxdqhcyj0aymgVelYTxHFVSO0uVx+71unA
         79IA==
X-Gm-Message-State: AKwxytd+LXcZxBPjiwhJWtd5reRbavnrJNzyzDYJ6PjxJAVxKYnOKypp
        8OFhJ+72YsNfnZMnJyyvt1Wf5Q==
X-Received: by 10.80.241.152 with SMTP id x24mr7702908edl.59.1516281133316;
        Thu, 18 Jan 2018 05:12:13 -0800 (PST)
Received: from node.shutemov.name ([178.122.206.50])
        by smtp.gmail.com with ESMTPSA id x18sm4557472edb.89.2018.01.18.05.12.11
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 18 Jan 2018 05:12:12 -0800 (PST)
Received: by node.shutemov.name (Postfix, from userid 1000)
        id E7411648D520; Thu, 18 Jan 2018 16:12:10 +0300 (+03)
Date:   Thu, 18 Jan 2018 16:12:10 +0300
From:   "Kirill A. Shutemov" <kirill@shutemov.name>
To:     Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc:     torvalds@linux-foundation.org, kirill.shutemov@linux.intel.com,
        akpm@linux-foundation.org, hannes@cmpxchg.org,
        iamjoonsoo.kim@lge.com, mgorman@techsingularity.net,
        tony.luck@intel.com, vbabka@suse.cz, mhocko@kernel.org,
        aarcange@redhat.com, hillf.zj@alibaba-inc.com, hughd@google.com,
        oleg@redhat.com, peterz@infradead.org, riel@redhat.com,
        srikar@linux.vnet.ibm.com, vdavydov.dev@gmail.com,
        dave.hansen@linux.intel.com, mingo@kernel.org,
        linux-kernel@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org
Subject: Re: [mm 4.15-rc8] Random oopses under memory pressure.
Message-ID: <20180118131210.456oyh6fw4scwv53@node.shutemov.name>
References: <201801160115.w0G1FOIG057203@www262.sakura.ne.jp>
 <CA+55aFxOn5n4O2JNaivi8rhDmeFhTQxEHD4xE33J9xOrFu=7kQ@mail.gmail.com>
 <201801170233.JDG21842.OFOJMQSHtOFFLV@I-love.SAKURA.ne.jp>
 <CA+55aFyxyjN0Mqnz66B4a0R+uR8DdfxdMhcg5rJVi8LwnpSRfA@mail.gmail.com>
 <201801172008.CHH39543.FFtMHOOVSQJLFO@I-love.SAKURA.ne.jp>
 <201801181712.BFD13039.LtHOSVMFJQFOFO@I-love.SAKURA.ne.jp>
 <20180118122550.2lhsjx7hg5drcjo4@node.shutemov.name>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180118122550.2lhsjx7hg5drcjo4@node.shutemov.name>
User-Agent: NeoMutt/20171215
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jan 18, 2018 at 03:25:50PM +0300, Kirill A. Shutemov wrote:
> On Thu, Jan 18, 2018 at 05:12:45PM +0900, Tetsuo Handa wrote:
> > Tetsuo Handa wrote:
> > > OK. I missed the mark. I overlooked that 4.11 already has this problem.
> > > 
> > > I needed to bisect between 4.10 and 4.11, and I got plausible culprit.
> > > 
> > > I haven't completed bisecting between b4fb8f66f1ae2e16 and c470abd4fde40ea6, but
> > > b4fb8f66f1ae2e16 ("mm, page_alloc: Add missing check for memory holes") and
> > > 13ad59df67f19788 ("mm, page_alloc: avoid page_to_pfn() when merging buddies")
> > > are talking about memory holes, which matches the situation that I'm trivially
> > > hitting the bug if CONFIG_SPARSEMEM=y .
> > > 
> > > Thus, I call for an attention by speculative execution. ;-)
> > 
> > Speculative execution failed. I was confused by jiffies precision bug.
> > The final culprit is c7ab0d2fdc840266 ("mm: convert try_to_unmap_one() to use page_vma_mapped_walk()").
> 
> I think I've tracked it down. check_pte() in mm/page_vma_mapped.c doesn't
> work as intended.
> 
> I've added instrumentation below to prove it.
> 
> The BUG() triggers with following output:
> 
> [   10.084024] diff: -858690919
> [   10.084258] hpage_nr_pages: 1
> [   10.084386] check1: 0
> [   10.084478] check2: 0
> 
> Basically, pte_page(*pvmw->pte) is below pvmw->page, but
> (pte_page(*pvmw->pte) < pvmw->page) doesn't catch it.
> 
> Well, I can see how C lawyer can argue that you can only compare pointers
> of the same memory object which is not the case here. But this is kinda
> insane.
> 
> Any suggestions how to rewrite it in a way that compiler would
> understand?

The patch below makes the crash go away for me.

But this is situation is scary. So we cannot compare arbitrary pointers in
kernel?

Don't we rely on this for lock ordering in some cases? Like in
mutex_lock_double()?

diff --git a/mm/page_vma_mapped.c b/mm/page_vma_mapped.c
index d22b84310f6d..1f0f512fd127 100644
--- a/mm/page_vma_mapped.c
+++ b/mm/page_vma_mapped.c
@@ -51,6 +51,8 @@ static bool check_pte(struct page_vma_mapped_walk *pvmw)
 		WARN_ON_ONCE(1);
 #endif
 	} else {
+		unsigned long ptr1, ptr2;
+
 		if (is_swap_pte(*pvmw->pte)) {
 			swp_entry_t entry;
 
@@ -63,12 +65,14 @@ static bool check_pte(struct page_vma_mapped_walk *pvmw)
 		if (!pte_present(*pvmw->pte))
 			return false;
 
-		/* THP can be referenced by any subpage */
-		if (pte_page(*pvmw->pte) - pvmw->page >=
-				hpage_nr_pages(pvmw->page)) {
+		ptr1 = (unsigned long)pte_page(*pvmw->pte);
+		ptr2 = (unsigned long)pvmw->page;
+
+		if (ptr1 < ptr2)
 			return false;
-		}
-		if (pte_page(*pvmw->pte) < pvmw->page)
+
+		/* THP can be referenced by any subpage */
+		if (ptr1 - ptr2 >= hpage_nr_pages(pvmw->page))
 			return false;
 	}
 
-- 
 Kirill A. Shutemov