Subject: [PATCH] mm/compaction: avoid VM_BUG_ON(PageSlab()) in page_mapcount()
From: Konstantin Khlebnikov
To: linux-kernel@vger.kernel.org, linux-mm@kvack.org, Andrew Morton
Date: Wed, 13 May 2020 17:05:25 +0300
Message-ID: <158937872515.474360.5066096871639561424.stgit@buzz>

Function isolate_migratepages_block() runs some checks out of lru_lock
when choosing pages for migration. After checking PageLRU() it checks extra
page references by comparing page_count() and page_mapcount(). Between
these two checks page could be removed from lru, freed and taken by slab.

As a result this race triggers VM_BUG_ON(PageSlab()) in page_mapcount().
Race window is tiny. For certain workload this happens around once a year.

page:ffffea0105ca9380 count:1 mapcount:0 mapping:ffff88ff7712c180 index:0x0 compound_mapcount: 0
flags: 0x500000000008100(slab|head)
raw: 0500000000008100 dead000000000100 dead000000000200 ffff88ff7712c180
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: VM_BUG_ON_PAGE(PageSlab(page))
------------[ cut here ]------------
kernel BUG at ./include/linux/mm.h:628!
invalid opcode: 0000 [#1] SMP NOPTI
CPU: 77 PID: 504 Comm: kcompactd1 Tainted: G W 4.19.109-27 #1
Hardware name: Yandex T175-N41-Y3N/MY81-EX0-Y3N, BIOS R05 06/20/2019
RIP: 0010:isolate_migratepages_block+0x986/0x9b0

To fix just opencode page_mapcount() in racy check for 0-order case and
recheck carefully under lru_lock when page cannot escape from lru.

Also add checking extra references for file pages and swap cache.

Signed-off-by: Konstantin Khlebnikov
Fixes: 119d6d59dcc0 ("mm, compaction: avoid isolating pinned pages")
Fixes: 1d148e218a0d ("mm: add VM_BUG_ON_PAGE() to page_mapcount()")
---
 mm/compaction.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/mm/compaction.c b/mm/compaction.c index 46f0fcc93081..91bb87fd9420 100644 --- a/mm/compaction.c +++ b/mm/compaction.c @@ -935,12 +935,16 @@ isolate_migratepages_block(struct compact_control *cc, unsigned long low_pfn, } /* - * Migration will fail if an anonymous page is pinned in memory, + * Migration will fail if an page is pinned in memory, * so avoid taking lru_lock and isolating it unnecessarily in an - * admittedly racy check. + * admittedly racy check simplest case for 0-order pages. + * + * Open code page_mapcount() to avoid VM_BUG_ON(PageSlab(page)). + * Page could have extra reference from mapping or swap cache. */ - if (!page_mapping(page) && - page_count(page) > page_mapcount(page)) + if (!PageCompound(page) && + page_count(page) > atomic_read(&page->_mapcount) + 1 + + (!PageAnon(page) || PageSwapCache(page))) goto isolate_fail; /* @@ -975,6 +979,11 @@ isolate_migratepages_block(struct compact_control *cc, unsigned long low_pfn, low_pfn += compound_nr(page) - 1; goto isolate_fail; } + + /* Recheck page extra references under lock */ + if (page_count(page) > page_mapcount(page) + + (!PageAnon(page) || PageSwapCache(page))) + goto isolate_fail; } lruvec = mem_cgroup_page_lruvec(page, pgdat);
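
Review bot: in the first hunk (@@ -935,12 +935,16 @@) the rewritten comment has wording slips ("if an page is pinned", "admittedly racy check simplest case for 0-order pages") and does not explain why reading `page->_mapcount` directly is acceptable. Per the changelog the page can leave the LRU and be taken by slab at this point, so the value read may not be a mapcount at all; the comment should say that a wrong answer here only skips or admits a candidate and that the decision is confirmed later under lru_lock. The term `(!PageAnon(page) || PageSwapCache(page))` is used as an integer 0/1 here and again in the second hunk, so a small named helper for the expected reference count would keep the two sites in sync and make the arithmetic readable. The condition also widens from `!page_mapping(page)` pages to every non-compound page, which the changelog covers only in its last sentence and the comment covers only with "Page could have extra reference from mapping or swap cache"; a line stating that file pages are now filtered here too would help.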
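
Review bot: in the second hunk (@@ -975,6 +979,11 @@) the recheck is added just before the closing brace of the enclosing block, so it runs only when that block is entered, while the first hunk's lockless check now excludes compound pages with `!PageCompound(page)`. Please confirm that a page which reaches `lruvec = mem_cgroup_page_lruvec(page, pgdat);` without entering this block has had its references checked by some path, or move the recheck after the block. The added comment "Recheck page extra references under lock" should also say what makes `page_mapcount(page)` safe to call here, namely that the page has been confirmed to still be on the LRU under lru_lock as the changelog describes, since that is the function whose VM_BUG_ON the patch is avoiding.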