Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3316192imu; Sun, 11 Nov 2018 12:12:45 -0800 (PST) X-Google-Smtp-Source: AJdET5di/6lLeJ3T8b7TzFjeM/vzTKw0An8LbdA01oMwCXMTVYdsXKVDhZw7pqt1WuasuX9BVohG X-Received: by 2002:a63:dd55:: with SMTP id g21mr2118150pgj.86.1541967165878; Sun, 11 Nov 2018 12:12:45 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541967165; cv=none; d=google.com; s=arc-20160816; b=cSykQZk3ACW5SAH8I8X8uNyRpGO2oDg3280H40btQMPMchGIRotbDXqyYbmh0psTTQ d2D99oSV64wb7LwW3W8/05GUkLN2V2UEGjluivKvKepu2YxsYZ6ZkpUw9TQhQCaxXJvV Ml+oT7XojQrAqMjXybQ8+pzkQDoItETCIE/HdrYMkN8N16qf9ASruzCwNmwOYyDF1r84 IOq6pW5HNVysvFfm1tyA5oZyiOjjnxXFRncm3Kg3BWdvBp/TbpQ/ku2U1yPIAvm+zMoN M3LXEPaM9YhCyv+/zuZI8sCDe54pfCcRrur+dmzW8Oe3pF9CFBwpGRLX7steR6DB5oVS 9fLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition; bh=QqIJgkME66ZmJcWDubrf+6+/3hbo+dna/Hv+g+q0DJA=; b=kG1E7ZYDbyCDH9l9IkmiDu6BBm4SOw4MPAMPU2npPn23m0ESZ3HQNmbw7dAEgw+mQT kaHEr5FM7WCh3YPYDpE9U071wDPEOwdz9bFOTxx7Ok2tlsU3JQtmil/YyY8hXOc2uCZi R1PupJY0Ib6DEJWKAAUGcUaULk5Ol5cGjB9EebpfCAWLURiblorCYzxZk02XGqvuRDd0 v6iLS5gnOQdxTwccvbCODU+kkEHltsBX9L43gGs87EeWQ48HbmZJMN//qxhNxdK3Rk5f EqUVZ6gNU1to+oweIN2/WsBMrybKgyKplHbLjetGHKBCclCz1/Kpg4ZEhE95gTP6jPIV GzVQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u7si14815130pgg.357.2018.11.11.12.12.30; Sun, 11 Nov 2018 12:12:45 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731555AbeKLGBA (ORCPT + 99 others); Mon, 12 Nov 2018 01:01:00 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:52494 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730739AbeKLGA7 (ORCPT ); Mon, 12 Nov 2018 01:00:59 -0500 Received: from [192.168.4.242] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1gLvt1-0000oM-Ls; Sun, 11 Nov 2018 19:59:11 +0000 Received: from ben by deadeye with local (Exim 4.91) (envelope-from ) id 1gLvsS-0001Xq-46; Sun, 11 Nov 2018 19:58:36 +0000 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Suzuki K Poulose" , "Andrea Arcangeli" , "Linus Torvalds" , "Mike Rapoport" , "Arvind Yadav" , "Jia He" , "Claudio Imbrenda" , "Minchan Kim" , "Jia He" Date: Sun, 11 Nov 2018 19:49:05 +0000 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) Subject: [PATCH 3.16 136/366] mm/ksm.c: ignore STABLE_FLAG of rmap_item->address in rmap_walk_ksm() In-Reply-To: X-SA-Exim-Connect-IP: 192.168.4.242 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.61-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Jia He commit 1105a2fc022f3c7482e32faf516e8bc44095f778 upstream. In our armv8a server(QDF2400), I noticed lots of WARN_ON caused by PAGE_SIZE unaligned for rmap_item->address under memory pressure tests(start 20 guests and run memhog in the host). WARNING: CPU: 4 PID: 4641 at virt/kvm/arm/mmu.c:1826 kvm_age_hva_handler+0xc0/0xc8 CPU: 4 PID: 4641 Comm: memhog Tainted: G W 4.17.0-rc3+ #8 Call trace: kvm_age_hva_handler+0xc0/0xc8 handle_hva_to_gpa+0xa8/0xe0 kvm_age_hva+0x4c/0xe8 kvm_mmu_notifier_clear_flush_young+0x54/0x98 __mmu_notifier_clear_flush_young+0x6c/0xa0 page_referenced_one+0x154/0x1d8 rmap_walk_ksm+0x12c/0x1d0 rmap_walk+0x94/0xa0 page_referenced+0x194/0x1b0 shrink_page_list+0x674/0xc28 shrink_inactive_list+0x26c/0x5b8 shrink_node_memcg+0x35c/0x620 shrink_node+0x100/0x430 do_try_to_free_pages+0xe0/0x3a8 try_to_free_pages+0xe4/0x230 __alloc_pages_nodemask+0x564/0xdc0 alloc_pages_vma+0x90/0x228 do_anonymous_page+0xc8/0x4d0 __handle_mm_fault+0x4a0/0x508 handle_mm_fault+0xf8/0x1b0 do_page_fault+0x218/0x4b8 do_translation_fault+0x90/0xa0 do_mem_abort+0x68/0xf0 el0_da+0x24/0x28 In rmap_walk_ksm, the rmap_item->address might still have the STABLE_FLAG, then the start and end in handle_hva_to_gpa might not be PAGE_SIZE aligned. Thus it will cause exceptions in handle_hva_to_gpa on arm64. This patch fixes it by ignoring (not removing) the low bits of address when doing rmap_walk_ksm. IMO, it should be backported to stable tree. the storm of WARN_ONs is very easy for me to reproduce. More than that, I watched a panic (not reproducible) as follows: page:ffff7fe003742d80 count:-4871 mapcount:-2126053375 mapping: (null) index:0x0 flags: 0x1fffc00000000000() raw: 1fffc00000000000 0000000000000000 0000000000000000 ffffecf981470000 raw: dead000000000100 dead000000000200 ffff8017c001c000 0000000000000000 page dumped because: nonzero _refcount CPU: 29 PID: 18323 Comm: qemu-kvm Tainted: G W 4.14.15-5.hxt.aarch64 #1 Hardware name: Call trace: dump_backtrace+0x0/0x22c show_stack+0x24/0x2c dump_stack+0x8c/0xb0 bad_page+0xf4/0x154 free_pages_check_bad+0x90/0x9c free_pcppages_bulk+0x464/0x518 free_hot_cold_page+0x22c/0x300 __put_page+0x54/0x60 unmap_stage2_range+0x170/0x2b4 kvm_unmap_hva_handler+0x30/0x40 handle_hva_to_gpa+0xb0/0xec kvm_unmap_hva_range+0x5c/0xd0 I even injected a fault on purpose in kvm_unmap_hva_range by seting size=size-0x200, the call trace is similar as above. So I thought the panic is similarly caused by the root cause of WARN_ON. Andrea said: : It looks a straightforward safe fix, on x86 hva_to_gfn_memslot would : zap those bits and hide the misalignment caused by the low metadata : bits being erroneously left set in the address, but the arm code : notices when that's the last page in the memslot and the hva_end is : getting aligned and the size is below one page. : : I think the problem triggers in the addr += PAGE_SIZE of : unmap_stage2_ptes that never matches end because end is aligned but : addr is not. : : } while (pte++, addr += PAGE_SIZE, addr != end); : : x86 again only works on hva_start/hva_end after converting it to : gfn_start/end and that being in pfn units the bits are zapped before : they risk to cause trouble. Jia He said: : I've tested by myself in arm64 server (QDF2400,46 cpus,96G mem) Without : this patch, the WARN_ON is very easy for reproducing. After this patch, I : have run the same benchmarch for a whole day without any WARN_ONs Link: http://lkml.kernel.org/r/1525403506-6750-1-git-send-email-hejianet@gmail.com Signed-off-by: Jia He Reviewed-by: Andrea Arcangeli Tested-by: Jia He Cc: Suzuki K Poulose Cc: Minchan Kim Cc: Claudio Imbrenda Cc: Arvind Yadav Cc: Mike Rapoport Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- mm/ksm.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) --- a/mm/ksm.c +++ b/mm/ksm.c @@ -181,6 +181,8 @@ struct rmap_item { #define SEQNR_MASK 0x0ff /* low bits of unstable tree seqnr */ #define UNSTABLE_FLAG 0x100 /* is a node of the unstable tree */ #define STABLE_FLAG 0x200 /* is listed from the stable tree */ +#define KSM_FLAG_MASK (SEQNR_MASK|UNSTABLE_FLAG|STABLE_FLAG) + /* to mask all the flags */ /* The stable and unstable tree heads */ static struct rb_root one_stable_tree[1] = { RB_ROOT }; @@ -1919,10 +1921,15 @@ again: anon_vma_lock_read(anon_vma); anon_vma_interval_tree_foreach(vmac, &anon_vma->rb_root, 0, ULONG_MAX) { + unsigned long addr; + cond_resched(); vma = vmac->vma; - if (rmap_item->address < vma->vm_start || - rmap_item->address >= vma->vm_end) + + /* Ignore the stable/unstable/sqnr flags */ + addr = rmap_item->address & ~KSM_FLAG_MASK; + + if (addr < vma->vm_start || addr >= vma->vm_end) continue; /* * Initially we examine only the vma which covers this @@ -1936,8 +1943,7 @@ again: if (rwc->invalid_vma && rwc->invalid_vma(vma, rwc->arg)) continue; - ret = rwc->rmap_one(page, vma, - rmap_item->address, rwc->arg); + ret = rwc->rmap_one(page, vma, addr, rwc->arg); if (ret != SWAP_AGAIN) { anon_vma_unlock_read(anon_vma); goto out;