From: Jann Horn
Date: Mon, 14 Aug 2023 22:36:52 +0200
Subject: [BUG] Re: [PATCH v3 10/13] mm/khugepaged: collapse_pte_mapped_thp() with mmap_read_lock()
To: Hugh Dickins
Cc: Andrew Morton, Mike Kravetz, Mike Rapoport, "Kirill A. Shutemov", Matthew Wilcox, David Hildenbrand, Suren Baghdasaryan, Qi Zheng, Yang Shi, Mel Gorman, Peter Xu, Peter Zijlstra, Will Deacon, Yu Zhao, Alistair Popple, Ralph Campbell, Ira Weiny, Steven Price, SeongJae Park, Lorenzo Stoakes, Huang Ying, Naoya Horiguchi, Christophe Leroy, Zack Rusin, Jason Gunthorpe, Axel Rasmussen, Anshuman Khandual, Pasha Tatashin, Miaohe Lin, Minchan Kim, Christoph Hellwig, Song Liu, Thomas Hellstrom, Russell King, "David S. Miller", Michael Ellerman, "Aneesh Kumar K.V", Heiko Carstens, Christian Borntraeger, Claudio Imbrenda, Alexander Gordeev, Gerald Schaefer, Vasily Gorbik, Vishal Moola, Vlastimil Babka, Zi Yan, Linux ARM, sparclinux@vger.kernel.org, linuxppc-dev, linux-s390, kernel list, Linux-MM
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 13353241

On Wed, Jul 12, 2023 at 6:42 AM Hugh Dickins wrote:
> Bring collapse_and_free_pmd() back into collapse_pte_mapped_thp().
> It does need mmap_read_lock(), but it does not need mmap_write_lock(),
> nor vma_start_write() nor i_mmap lock nor anon_vma lock. All racing
> paths are relying on pte_offset_map_lock() and pmd_lock(), so use those.

We can still have a racing userfaultfd operation at the "/* step 4:
remove page table */" point that installs a new PTE before the page
table is removed.

To reproduce, patch a delay into the kernel like this:

        pml = pmd_lock(mm, pmd);

And then run the attached reproducer against mm/mm-everything. You
should get this in dmesg:

[ 206.578096] BUG: Bad rss-counter state mm:000000000942ebea type:MM_ANONPAGES val:1

diff --git a/mm/khugepaged.c b/mm/khugepaged.c index 9a6e0d507759..27cc8dfbf3a7 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -20,6 +20,7 @@ #include #include #include +#include #include #include @@ -1617,6 +1618,11 @@ int collapse_pte_mapped_thp(struct mm_struct *mm, unsigned long addr, } /* step 4: remove page table */ + if (strcmp(current->comm, "DELAYME") == 0) { + pr_warn("%s: BEGIN DELAY INJECTION\n", __func__); + mdelay(5000); + pr_warn("%s: END DELAY INJECTION\n", __func__); + } /* Huge page lock is still held, so page table must remain empty */
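
Review bot: In the second hunk (collapse_pte_mapped_thp(), right after the "step 4: remove page table" comment), the injected block is gated only on current->comm matching "DELAYME" and then busy-waits in mdelay(5000), so it must stay reproducer-only instrumentation and never ride along with a fix: a task can set its own comm, and a 5-second spin at this point stalls a CPU while, per the context comment that follows, the huge page lock is still held. If the context there permits sleeping, msleep(5000) would open the same window without spinning. The trailing context line "Huge page lock is still held, so page table must remain empty" states exactly the assumption this report contradicts, so a fix should re-check under the page table locks that the table is still empty before removing it, and that comment should be updated to say why the re-check is needed.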