From: Yang Shi
Date: Wed, 20 Dec 2023 15:31:58 -0800
Subject: Re: [PATCH] mm: memcg: fix split queue list crash when large folio migration
To: Baolin Wang
Cc: akpm@linux-foundation.org, hannes@cmpxchg.org, mhocko@kernel.org, roman.gushchin@linux.dev, shakeelb@google.com, muchun.song@linux.dev, nphamcs@gmail.com, david@redhat.com, ying.huang@intel.com, ziy@nvidia.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, cgroups@vger.kernel.org

On Tue, Dec 19, 2023 at 10:52 PM Baolin Wang wrote:
>
> When running autonuma with enabling multi-size THP, I encountered the following
> kernel crash issue:
>
> [ 134.290216] list_del corruption. prev->next should be fffff9ad42e1c490,
> but was dead000000000100. (prev=fffff9ad42399890)
> [ 134.290877] kernel BUG at lib/list_debug.c:62!
> [ 134.291052] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
> [ 134.291210] CPU: 56 PID: 8037 Comm: numa01 Kdump: loaded Tainted:
> G E 6.7.0-rc4+ #20
> [ 134.291649] RIP: 0010:__list_del_entry_valid_or_report+0x97/0xb0
> ......
> [ 134.294252] Call Trace:
> [ 134.294362]
> [ 134.294440] ? die+0x33/0x90
> [ 134.294561] ? do_trap+0xe0/0x110
> ......
> [ 134.295681] ? __list_del_entry_valid_or_report+0x97/0xb0
> [ 134.295842] folio_undo_large_rmappable+0x99/0x100
> [ 134.296003] destroy_large_folio+0x68/0x70
> [ 134.296172] migrate_folio_move+0x12e/0x260
> [ 134.296264] ? __pfx_remove_migration_pte+0x10/0x10
> [ 134.296389] migrate_pages_batch+0x495/0x6b0
> [ 134.296523] migrate_pages+0x1d0/0x500
> [ 134.296646] ? __pfx_alloc_misplaced_dst_folio+0x10/0x10
> [ 134.296799] migrate_misplaced_folio+0x12d/0x2b0
> [ 134.296953] do_numa_page+0x1f4/0x570
> [ 134.297121] __handle_mm_fault+0x2b0/0x6c0
> [ 134.297254] handle_mm_fault+0x107/0x270
> [ 134.300897] do_user_addr_fault+0x167/0x680
> [ 134.304561] exc_page_fault+0x65/0x140
> [ 134.307919] asm_exc_page_fault+0x22/0x30
>
> The reason for the crash is that, the commit 85ce2c517ade ("memcontrol: only
> transfer the memcg data for migration") removed the charging and uncharging
> operations of the migration folios and cleared the memcg data of the old folio.
>
> During the subsequent release process of the old large folio in destroy_large_folio(),
> if the large folio needs to be removed from the split queue, an incorrect split
> queue can be obtained (which is pgdat->deferred_split_queue) because the old
> folio's memcg is NULL now. This can lead to list operations being performed
> under the wrong split queue lock protection, resulting in a list crash as above.
>
> After the migration, the old folio is going to be freed, so we can remove it
> from the split queue in mem_cgroup_migrate() a bit earlier before clearing the
> memcg data to avoid getting incorrect split queue.

Nice catch! The fix looks good to me.

Reviewed-by: Yang Shi

>
> Fixes: 85ce2c517ade ("memcontrol: only transfer the memcg data for migration")
> Signed-off-by: Baolin Wang
> ---
> mm/huge_memory.c | 2 +-
> mm/memcontrol.c | 11 +++++++++++
> 2 files changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/mm/huge_memory.c b/mm/huge_memory.c > index 6be1a380a298..c50dc2e1483f 100644 > --- a/mm/huge_memory.c > +++ b/mm/huge_memory.c 
> @@ -3124,7 +3124,7 @@ void folio_undo_large_rmappable(struct folio *folio= ) > spin_lock_irqsave(&ds_queue->split_queue_lock, flags); > if (!list_empty(&folio->_deferred_list)) { > ds_queue->split_queue_len--; > - list_del(&folio->_deferred_list); > + list_del_init(&folio->_deferred_list); > } > spin_unlock_irqrestore(&ds_queue->split_queue_lock, flags); > } > diff --git a/mm/memcontrol.c b/mm/memcontrol.c > index ae8c62c7aa53..e66e0811cccc 100644 > --- a/mm/memcontrol.c > +++ b/mm/memcontrol.c > @@ -7575,6 +7575,17 @@ void mem_cgroup_migrate(struct folio *old, struct = folio *new) > > /* Transfer the charge and the css ref */ > commit_charge(new, memcg); > + /* > + * If the old folio a large folio and is in the split queue, it n= eeds > + * to be removed from the split queue now, in case getting an inc= orrect > + * split queue in destroy_large_folio() after the memcg of the ol= d folio > + * is cleared. > + * > + * In addition, the old folio is about to be freed after migratio= n, so > + * removing from the split queue a bit earlier seems reasonable. > + */ > + if (folio_test_large(old) && folio_test_large_rmappable(old)) > + folio_undo_large_rmappable(old); > old->memcg_data =3D 0; > } > > -- > 2.39.3 >
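Review bot: The switch from list_del() to list_del_init() in the folio_undo_large_rmappable() hunk (mm/huge_memory.c) is not explained in the changelog, yet the fix depends on it. The patch does not touch destroy_large_folio(), so the path in the trace will still call folio_undo_large_rmappable() on the old folio after mem_cgroup_migrate() has already done so, and that second call is only a no-op if list_empty(&folio->_deferred_list) is true, which needs the node re-initialised rather than left poisoned. Suggest one sentence in the commit message, or a short comment at the list_del_init() line, saying the function can now run twice on the same folio.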
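Review bot: The comment added in the mem_cgroup_migrate() hunk (mm/memcontrol.c) has a missing verb in "If the old folio a large folio" (should be "is a large folio"), and "in case getting an incorrect split queue" reads more clearly as "to avoid getting an incorrect split queue". Since the fix only works while the new folio_undo_large_rmappable(old) call stays ahead of the old->memcg_data assignment that follows it, the comment could say that directly instead of "seems reasonable", so a later reordering does not reintroduce the crash. The diffstat touches no header, so please also confirm that mm/memcontrol.c already sees a declaration of folio_undo_large_rmappable() and still builds when transparent hugepages are disabled.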