diff options
| author | Kirill A. Shutemov <kirill.shutemov@linux.intel.com> | 2014-04-18 18:07:25 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-04-18 19:40:09 -0400 |
| commit | b5a8cad376eebbd8598642697e92a27983aee802 (patch) | |
| tree | 6e03a03ca52b36bc18167e993c3ed9a8c812944c /mm | |
| parent | b59b8cbca6291a23928f1a103defba03d1cdab2c (diff) | |
thp: close race between split and zap huge pages
Sasha Levin has reported two THP BUGs[1][2]. I believe both of them
have the same root cause. Let's look to them one by one.
The first bug[1] is "kernel BUG at mm/huge_memory.c:1829!". It's
BUG_ON(mapcount != page_mapcount(page)) in __split_huge_page(). From my
testing I see that page_mapcount() is higher than mapcount here.
I think it happens due to race between zap_huge_pmd() and
page_check_address_pmd(). page_check_address_pmd() misses PMD which is
under zap:
CPU0 CPU1
zap_huge_pmd()
pmdp_get_and_clear()
__split_huge_page()
anon_vma_interval_tree_foreach()
__split_huge_page_splitting()
page_check_address_pmd()
mm_find_pmd()
/*
* We check if PMD present without taking ptl: no
* serialization against zap_huge_pmd(). We miss this PMD,
* it's not accounted to 'mapcount' in __split_huge_page().
*/
pmd_present(pmd) == 0
BUG_ON(mapcount != page_mapcount(page)) // CRASH!!!
page_remove_rmap(page)
atomic_add_negative(-1, &page->_mapcount)
The second bug[2] is "kernel BUG at mm/huge_memory.c:1371!".
It's VM_BUG_ON_PAGE(!PageHead(page), page) in zap_huge_pmd().
This happens in similar way:
CPU0 CPU1
zap_huge_pmd()
pmdp_get_and_clear()
page_remove_rmap(page)
atomic_add_negative(-1, &page->_mapcount)
__split_huge_page()
anon_vma_interval_tree_foreach()
__split_huge_page_splitting()
page_check_address_pmd()
mm_find_pmd()
pmd_present(pmd) == 0 /* The same comment as above */
/*
* No crash this time since we already decremented page->_mapcount in
* zap_huge_pmd().
*/
BUG_ON(mapcount != page_mapcount(page))
/*
* We split the compound page here into small pages without
* serialization against zap_huge_pmd()
*/
__split_huge_page_refcount()
VM_BUG_ON_PAGE(!PageHead(page), page); // CRASH!!!
So my understanding the problem is pmd_present() check in mm_find_pmd()
without taking page table lock.
The bug was introduced by me commit with commit 117b0791ac42. Sorry for
that. :(
Let's open code mm_find_pmd() in page_check_address_pmd() and do the
check under page table lock.
Note that __page_check_address() does the same for PTE entires
if sync != 0.
I've stress tested split and zap code paths for 36+ hours by now and
don't see crashes with the patch applied. Before it took <20 min to
trigger the first bug and few hours for second one (if we ignore
first).
[1] https://lkml.kernel.org/g/<53440991.9090001@oracle.com>
[2] https://lkml.kernel.org/g/<5310C56C.60709@oracle.com>
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Bob Liu <lliubbo@gmail.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Michel Lespinasse <walken@google.com>
Cc: Dave Jones <davej@redhat.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org> [3.13+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'mm')
| -rw-r--r-- | mm/huge_memory.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 64635f5278ff..b4b1feba6472 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c | |||
| @@ -1536,16 +1536,23 @@ pmd_t *page_check_address_pmd(struct page *page, | |||
| 1536 | enum page_check_address_pmd_flag flag, | 1536 | enum page_check_address_pmd_flag flag, |
| 1537 | spinlock_t **ptl) | 1537 | spinlock_t **ptl) |
| 1538 | { | 1538 | { |
| 1539 | pgd_t *pgd; | ||
| 1540 | pud_t *pud; | ||
| 1539 | pmd_t *pmd; | 1541 | pmd_t *pmd; |
| 1540 | 1542 | ||
| 1541 | if (address & ~HPAGE_PMD_MASK) | 1543 | if (address & ~HPAGE_PMD_MASK) |
| 1542 | return NULL; | 1544 | return NULL; |
| 1543 | 1545 | ||
| 1544 | pmd = mm_find_pmd(mm, address); | 1546 | pgd = pgd_offset(mm, address); |
| 1545 | if (!pmd) | 1547 | if (!pgd_present(*pgd)) |
| 1546 | return NULL; | 1548 | return NULL; |
| 1549 | pud = pud_offset(pgd, address); | ||
| 1550 | if (!pud_present(*pud)) | ||
| 1551 | return NULL; | ||
| 1552 | pmd = pmd_offset(pud, address); | ||
| 1553 | |||
| 1547 | *ptl = pmd_lock(mm, pmd); | 1554 | *ptl = pmd_lock(mm, pmd); |
| 1548 | if (pmd_none(*pmd)) | 1555 | if (!pmd_present(*pmd)) |
| 1549 | goto unlock; | 1556 | goto unlock; |
| 1550 | if (pmd_page(*pmd) != page) | 1557 | if (pmd_page(*pmd) != page) |
| 1551 | goto unlock; | 1558 | goto unlock; |