From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, David Hildenbrand, Pingfan Liu, Dan Williams, Oscar Salvador, Michal Hocko, Andrew Morton, Linus Torvalds
Subject: [PATCH 5.4 090/222] mm/memory_hotplug: dont free usage map when removing a re-added early section
Date: Wed, 22 Jan 2020 10:27:56 +0100
Message-Id: <20200122092840.175336528@linuxfoundation.org>
In-Reply-To: <20200122092833.339495161@linuxfoundation.org>
References: <20200122092833.339495161@linuxfoundation.org>

From: David Hildenbrand

commit 8068df3b60373c390198f660574ea14c8098de57 upstream.

When we remove an early section, we don't free the usage map, as the usage maps of other sections are placed into the same page. Once the section is removed, it is no longer an early section (especially, the memmap is freed). When we re-add that section, the usage map is reused, however, it is no longer an early section. When removing that section again, we try to kfree() a usage map that was allocated during early boot - bad.

Let's check against PageReserved() to see if we are dealing with a usage map that was allocated during boot. We could also check against !(PageSlab(usage_page) || PageCompound(usage_page)), but PageReserved() is cleaner.

Can be triggered using memtrace under ppc64/powernv:

  $ mount -t debugfs none /sys/kernel/debug/
  $ echo 0x20000000 > /sys/kernel/debug/powerpc/memtrace/enable
  $ echo 0x20000000 > /sys/kernel/debug/powerpc/memtrace/enable
  ------------[ cut here ]------------
  kernel BUG at mm/slub.c:3969!
  Oops: Exception in kernel mode, sig: 5 [#1]
  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA PowerNV
  Modules linked in:
  CPU: 0 PID: 154 Comm: sh Not tainted 5.5.0-rc2-next-20191216-00005-g0be1dba7b7c0 #61
  NIP kfree+0x338/0x3b0
  LR section_deactivate+0x138/0x200
  Call Trace:
  section_deactivate+0x138/0x200
  __remove_pages+0x114/0x150
  arch_remove_memory+0x3c/0x160
  try_remove_memory+0x114/0x1a0
  __remove_memory+0x20/0x40
  memtrace_enable_set+0x254/0x850
  simple_attr_write+0x138/0x160
  full_proxy_write+0x8c/0x110
  __vfs_write+0x38/0x70
  vfs_write+0x11c/0x2a0
  ksys_write+0x84/0x140
  system_call+0x5c/0x68
  ---[ end trace 4b053cbd84e0db62 ]---

The first invocation will offline+remove memory blocks. The second invocation will first add+online them again, in order to offline+remove them again (usually we are lucky and the exact same memory blocks will get "reallocated").

Tested on powernv with boot memory: The usage map will not get freed.
Tested on x86-64 with DIMMs: The usage map will get freed. Using Dynamic Memory under a Power DLAPR can trigger it easily. Triggering removal (I assume after previously removed+re-added) of memory from the HMC GUI can crash the kernel with the same call trace and is fixed by this patch. Link: http://lkml.kernel.org/r/20191217104637.5509-1-david@redhat.com Fixes: 326e1b8f83a4 ("mm/sparsemem: introduce a SECTION_IS_EARLY flag") Signed-off-by: David Hildenbrand Tested-by: Pingfan Liu Cc: Dan Williams Cc: Oscar Salvador Cc: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- mm/sparse.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) --- a/mm/sparse.c +++ b/mm/sparse.c @@ -775,7 +775,14 @@ static void section_deactivate(unsigned if (bitmap_empty(subsection_map, SUBSECTIONS_PER_SECTION)) { unsigned long section_nr = pfn_to_section_nr(pfn); - if (!section_is_early) { + /* + * When removing an early section, the usage map is kept (as the + * usage maps of other sections fall into the same page). It + * will be re-used when re-adding the section - which is then no + * longer an early section. If the usage map is PageReserved, it + * was allocated during boot. + */ + if (!PageReserved(virt_to_page(ms->usage))) { kfree(ms->usage); ms->usage = NULL; }
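
Review bot: The new condition in section_deactivate() infers how ms->usage was allocated from PageReserved() on its backing page, but the added comment only explains the reserved case. It would help to state in the comment that a usage map on a non-reserved page is assumed to have come from the slab allocator, since that is what makes the kfree(ms->usage) in this branch valid, and that a reserved map is deliberately left in place with ms->usage still set so it can be reused on re-add. If the removed "if (!section_is_early)" was the last use of that local in this function, drop the variable too so the build stays warning-free.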