diff for duplicates of <1499418627229186@kroah.com> diff --git a/a/1.txt b/N1/1.txt index 480c29b..f402863 100644 --- a/a/1.txt +++ b/N1/1.txt 
@@ -12,3 +12,127 @@ and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@vger.kernel.org> know about it. + + +>From vbabka@suse.cz Fri Jul 7 11:06:31 2017 +From: Vlastimil Babka <vbabka@suse.cz> +Date: Tue, 4 Jul 2017 10:45:43 +0200 +Subject: mm: fix classzone_idx underflow in shrink_zones() +To: stable <stable@vger.kernel.org> +Cc: Johannes Weiner <hannes@cmpxchg.org>, Minchan Kim <minchan@kernel.org>, Michal Hocko <mhocko@kernel.org>, linux-mm <linux-mm@kvack.org>, LKML <linux-kernel@vger.kernel.org>, Mel Gorman <mgorman@techsingularity.net> +Message-ID: <cf25f1a5-5276-90ea-1eac-f2a2aceffaef@suse.cz> + +From: Vlastimil Babka <vbabka@suse.cz> + +[Not upstream as that would take 34+ patches] + +We've got reported a BUG in do_try_to_free_pages(): + +BUG: unable to handle kernel paging request at ffff8ffffff28990 +IP: [<ffffffff8119abe0>] do_try_to_free_pages+0x140/0x490 +PGD 0 +Oops: 0000 [#1] SMP +megaraid_sas sg scsi_mod efivarfs autofs4 +Supported: No, Unsupported modules are loaded +Workqueue: kacpi_hotplug acpi_hotplug_work_fn +task: ffff88ffd0d4c540 ti: ffff88ffd0e48000 task.ti: ffff88ffd0e48000 +RIP: 0010:[<ffffffff8119abe0>] [<ffffffff8119abe0>] do_try_to_free_pages+0x140/0x490 +RSP: 0018:ffff88ffd0e4ba60 EFLAGS: 00010206 +RAX: 000006fffffff900 RBX: 00000000ffffffff RCX: ffff88fffff29000 +RDX: 000000ffffffff00 RSI: 0000000000000003 RDI: 00000000024200c8 +RBP: 0000000001320122 R08: 0000000000000000 R09: ffff88ffd0e4bbac +R10: 0000000000000000 R11: 0000000000000000 R12: ffff88ffd0e4bae0 +R13: 0000000000000e00 R14: ffff88fffff2a500 R15: ffff88fffff2b300 +FS: 0000000000000000(0000) GS:ffff88ffe6440000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffff8ffffff28990 CR3: 0000000001c0a000 CR4: 00000000003406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 
0000000000000400 +Stack: + 00000002db570a80 024200c80000001e ffff88fffff2b300 0000000000000000 + ffff88fffffd5700 ffff88ffd0d4c540 ffff88ffd0d4c540 ffffffff0000000c + 0000000000000000 0000000000000040 00000000024200c8 ffff88ffd0e4bae0 +Call Trace: + [<ffffffff8119afea>] try_to_free_pages+0xba/0x170 + [<ffffffff8118cf2f>] __alloc_pages_nodemask+0x53f/0xb20 + [<ffffffff811d39ff>] alloc_pages_current+0x7f/0x100 + [<ffffffff811e2232>] migrate_pages+0x202/0x710 + [<ffffffff815dadaa>] __offline_pages.constprop.23+0x4ba/0x790 + [<ffffffff81463263>] memory_subsys_offline+0x43/0x70 + [<ffffffff8144cbed>] device_offline+0x7d/0xa0 + [<ffffffff81392fa2>] acpi_bus_offline+0xa5/0xef + [<ffffffff81394a77>] acpi_device_hotplug+0x21b/0x41f + [<ffffffff8138dab7>] acpi_hotplug_work_fn+0x1a/0x23 + [<ffffffff81093cee>] process_one_work+0x14e/0x410 + [<ffffffff81094546>] worker_thread+0x116/0x490 + [<ffffffff810999ed>] kthread+0xbd/0xe0 + [<ffffffff815e4e7f>] ret_from_fork+0x3f/0x70 + +This translates to the loop in shrink_zone(): + +classzone_idx = requested_highidx; +while (!populated_zone(zone->zone_pgdat->node_zones + + classzone_idx)) + classzone_idx--; + +where no zone is populated, so classzone_idx becomes -1 (in RBX). + +Added debugging output reveals that we enter the function with +sc->gfp_mask == GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE +requested_highidx = gfp_zone(sc->gfp_mask) == 2 (ZONE_NORMAL) + +Inside the for loop, however: +gfp_zone(sc->gfp_mask) == 3 (ZONE_MOVABLE) + +This means we have gone through this branch: + +if (buffer_heads_over_limit) + sc->gfp_mask |= __GFP_HIGHMEM; + +This changes the gfp_zone() result, but requested_highidx remains unchanged. +On nodes where the only populated zone is movable, the inner while loop will +check only lower zones, which are not populated, and underflow classzone_idx. 
+ +To sum up, the bug occurs in configurations with ZONE_MOVABLE (such as when +booted with the movable_node parameter) and only in situations when +buffer_heads_over_limit is true, and there's an allocation with __GFP_MOVABLE +and without __GFP_HIGHMEM performing direct reclaim. + +This patch makes sure that classzone_idx starts with the correct zone. + +Mainline has been affected in versions 4.6 and 4.7, but the culprit commit has +been also included in stable trees. +In mainline, this has been fixed accidentally as part of 34-patch series (plus +follow-up fixes) "Move LRU page reclaim from zones to nodes", which makes the +mainline commit unsuitable for stable backport, unfortunately. + +Fixes: 7bf52fb891b6 ("mm: vmscan: reclaim highmem zone if buffer_heads is over limit") +Obsoleted-by: b2e18757f2c9 ("mm, vmscan: begin reclaiming pages on a per-node basis") +Debugged-by: Michal Hocko <mhocko@suse.cz> +Signed-off-by: Vlastimil Babka <vbabka@suse.cz> +Cc: Minchan Kim <minchan@kernel.org> +Cc: Johannes Weiner <hannes@cmpxchg.org> +Acked-by: Mel Gorman <mgorman@techsingularity.net> +Acked-by: Michal Hocko <mhocko@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + mm/vmscan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -2529,7 +2529,7 @@ static bool shrink_zones(struct zonelist + if (!populated_zone(zone)) + continue; + +- classzone_idx = requested_highidx; ++ classzone_idx = gfp_zone(sc->gfp_mask); + while (!populated_zone(zone->zone_pgdat->node_zones + + classzone_idx)) + classzone_idx--; + + +Patches currently in stable-queue which might be from vbabka@suse.cz are + +queue-4.4/mm-fix-classzone_idx-underflow-in-shrink_zones.patch diff --git a/a/content_digest b/N1/content_digest index 88a9a4a..a74c87e 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -13,7 +13,8 @@ mhocko@suse.cz minchan@kernel.org " stable@vger.kernel.org\0" - "Cc\0stable-commits@vger.kernel.org\0" + "Cc\0<stable@vger.kernel.org>" + " <stable-commits@vger.kernel.org>\0" "\00:1\0" "b\0" "\n" 
@@ -29,6 +30,130 @@ "and it can be found in the queue-4.4 subdirectory.\n" "\n" "If you, or anyone else, feels it should not be added to the stable tree,\n" - please let <stable@vger.kernel.org> know about it. + "please let <stable@vger.kernel.org> know about it.\n" + "\n" + "\n" + ">From vbabka@suse.cz Fri Jul 7 11:06:31 2017\n" + "From: Vlastimil Babka <vbabka@suse.cz>\n" + "Date: Tue, 4 Jul 2017 10:45:43 +0200\n" + "Subject: mm: fix classzone_idx underflow in shrink_zones()\n" + "To: stable <stable@vger.kernel.org>\n" + "Cc: Johannes Weiner <hannes@cmpxchg.org>, Minchan Kim <minchan@kernel.org>, Michal Hocko <mhocko@kernel.org>, linux-mm <linux-mm@kvack.org>, LKML <linux-kernel@vger.kernel.org>, Mel Gorman <mgorman@techsingularity.net>\n" + "Message-ID: <cf25f1a5-5276-90ea-1eac-f2a2aceffaef@suse.cz>\n" + "\n" + "From: Vlastimil Babka <vbabka@suse.cz>\n" + "\n" + "[Not upstream as that would take 34+ patches]\n" + "\n" + "We've got reported a BUG in do_try_to_free_pages():\n" + "\n" + "BUG: unable to handle kernel paging request at ffff8ffffff28990\n" + "IP: [<ffffffff8119abe0>] do_try_to_free_pages+0x140/0x490\n" + "PGD 0\n" + "Oops: 0000 [#1] SMP\n" + "megaraid_sas sg scsi_mod efivarfs autofs4\n" + "Supported: No, Unsupported modules are loaded\n" + "Workqueue: kacpi_hotplug acpi_hotplug_work_fn\n" + "task: ffff88ffd0d4c540 ti: ffff88ffd0e48000 task.ti: ffff88ffd0e48000\n" + "RIP: 0010:[<ffffffff8119abe0>] [<ffffffff8119abe0>] do_try_to_free_pages+0x140/0x490\n" + "RSP: 0018:ffff88ffd0e4ba60 EFLAGS: 00010206\n" + "RAX: 000006fffffff900 RBX: 00000000ffffffff RCX: ffff88fffff29000\n" + "RDX: 000000ffffffff00 RSI: 0000000000000003 RDI: 00000000024200c8\n" + "RBP: 0000000001320122 R08: 0000000000000000 R09: ffff88ffd0e4bbac\n" + "R10: 0000000000000000 R11: 0000000000000000 R12: ffff88ffd0e4bae0\n" + "R13: 0000000000000e00 R14: ffff88fffff2a500 R15: ffff88fffff2b300\n" + "FS: 0000000000000000(0000) GS:ffff88ffe6440000(0000) knlGS:0000000000000000\n" + "CS: 0010 DS: 
0000 ES: 0000 CR0: 0000000080050033\n" + "CR2: ffff8ffffff28990 CR3: 0000000001c0a000 CR4: 00000000003406e0\n" + "DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n" + "DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n" + "Stack:\n" + " 00000002db570a80 024200c80000001e ffff88fffff2b300 0000000000000000\n" + " ffff88fffffd5700 ffff88ffd0d4c540 ffff88ffd0d4c540 ffffffff0000000c\n" + " 0000000000000000 0000000000000040 00000000024200c8 ffff88ffd0e4bae0\n" + "Call Trace:\n" + " [<ffffffff8119afea>] try_to_free_pages+0xba/0x170\n" + " [<ffffffff8118cf2f>] __alloc_pages_nodemask+0x53f/0xb20\n" + " [<ffffffff811d39ff>] alloc_pages_current+0x7f/0x100\n" + " [<ffffffff811e2232>] migrate_pages+0x202/0x710\n" + " [<ffffffff815dadaa>] __offline_pages.constprop.23+0x4ba/0x790\n" + " [<ffffffff81463263>] memory_subsys_offline+0x43/0x70\n" + " [<ffffffff8144cbed>] device_offline+0x7d/0xa0\n" + " [<ffffffff81392fa2>] acpi_bus_offline+0xa5/0xef\n" + " [<ffffffff81394a77>] acpi_device_hotplug+0x21b/0x41f\n" + " [<ffffffff8138dab7>] acpi_hotplug_work_fn+0x1a/0x23\n" + " [<ffffffff81093cee>] process_one_work+0x14e/0x410\n" + " [<ffffffff81094546>] worker_thread+0x116/0x490\n" + " [<ffffffff810999ed>] kthread+0xbd/0xe0\n" + " [<ffffffff815e4e7f>] ret_from_fork+0x3f/0x70\n" + "\n" + "This translates to the loop in shrink_zone():\n" + "\n" + "classzone_idx = requested_highidx;\n" + "while (!populated_zone(zone->zone_pgdat->node_zones +\n" + "\t\t\t\t\tclasszone_idx))\n" + "\tclasszone_idx--;\n" + "\n" + "where no zone is populated, so classzone_idx becomes -1 (in RBX).\n" + "\n" + "Added debugging output reveals that we enter the function with\n" + "sc->gfp_mask == GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE\n" + "requested_highidx = gfp_zone(sc->gfp_mask) == 2 (ZONE_NORMAL)\n" + "\n" + "Inside the for loop, however:\n" + "gfp_zone(sc->gfp_mask) == 3 (ZONE_MOVABLE)\n" + "\n" + "This means we have gone through this branch:\n" + "\n" + "if 
(buffer_heads_over_limit)\n" + " sc->gfp_mask |= __GFP_HIGHMEM;\n" + "\n" + "This changes the gfp_zone() result, but requested_highidx remains unchanged.\n" + "On nodes where the only populated zone is movable, the inner while loop will\n" + "check only lower zones, which are not populated, and underflow classzone_idx.\n" + "\n" + "To sum up, the bug occurs in configurations with ZONE_MOVABLE (such as when\n" + "booted with the movable_node parameter) and only in situations when\n" + "buffer_heads_over_limit is true, and there's an allocation with __GFP_MOVABLE\n" + "and without __GFP_HIGHMEM performing direct reclaim.\n" + "\n" + "This patch makes sure that classzone_idx starts with the correct zone.\n" + "\n" + "Mainline has been affected in versions 4.6 and 4.7, but the culprit commit has\n" + "been also included in stable trees.\n" + "In mainline, this has been fixed accidentally as part of 34-patch series (plus\n" + "follow-up fixes) \"Move LRU page reclaim from zones to nodes\", which makes the\n" + "mainline commit unsuitable for stable backport, unfortunately.\n" + "\n" + "Fixes: 7bf52fb891b6 (\"mm: vmscan: reclaim highmem zone if buffer_heads is over limit\")\n" + "Obsoleted-by: b2e18757f2c9 (\"mm, vmscan: begin reclaiming pages on a per-node basis\")\n" + "Debugged-by: Michal Hocko <mhocko@suse.cz>\n" + "Signed-off-by: Vlastimil Babka <vbabka@suse.cz>\n" + "Cc: Minchan Kim <minchan@kernel.org>\n" + "Cc: Johannes Weiner <hannes@cmpxchg.org>\n" + "Acked-by: Mel Gorman <mgorman@techsingularity.net>\n" + "Acked-by: Michal Hocko <mhocko@suse.com>\n" + "Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\n" + "\n" + "---\n" + " mm/vmscan.c | 2 +-\n" + " 1 file changed, 1 insertion(+), 1 deletion(-)\n" + "\n" + "--- a/mm/vmscan.c\n" + "+++ b/mm/vmscan.c\n" + "@@ -2529,7 +2529,7 @@ static bool shrink_zones(struct zonelist\n" + " \t\tif (!populated_zone(zone))\n" + " \t\t\tcontinue;\n" + " \n" + "-\t\tclasszone_idx = requested_highidx;\n" + 
"+\t\tclasszone_idx = gfp_zone(sc->gfp_mask);\n" + " \t\twhile (!populated_zone(zone->zone_pgdat->node_zones +\n" + " \t\t\t\t\t\t\tclasszone_idx))\n" + " \t\t\tclasszone_idx--;\n" + "\n" + "\n" + "Patches currently in stable-queue which might be from vbabka@suse.cz are\n" + "\n" + queue-4.4/mm-fix-classzone_idx-underflow-in-shrink_zones.patch -6e6be97e0737f48b1d1a3b800dde5715a79a479a779fcc4c30210fb8f1a6373c +0e3a94df961dc83c8ea60735b35006c676f05d7e26aceab5495e72610a73087a
diff --git a/a/1.txt b/N2/1.txt index 480c29b..fc43476 100644 --- a/a/1.txt +++ b/N2/1.txt 
@@ -12,3 +12,133 @@ and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@vger.kernel.org> know about it. + + +>From vbabka@suse.cz Fri Jul 7 11:06:31 2017 +From: Vlastimil Babka <vbabka@suse.cz> +Date: Tue, 4 Jul 2017 10:45:43 +0200 +Subject: mm: fix classzone_idx underflow in shrink_zones() +To: stable <stable@vger.kernel.org> +Cc: Johannes Weiner <hannes@cmpxchg.org>, Minchan Kim <minchan@kernel.org>, Michal Hocko <mhocko@kernel.org>, linux-mm <linux-mm@kvack.org>, LKML <linux-kernel@vger.kernel.org>, Mel Gorman <mgorman@techsingularity.net> +Message-ID: <cf25f1a5-5276-90ea-1eac-f2a2aceffaef@suse.cz> + +From: Vlastimil Babka <vbabka@suse.cz> + +[Not upstream as that would take 34+ patches] + +We've got reported a BUG in do_try_to_free_pages(): + +BUG: unable to handle kernel paging request at ffff8ffffff28990 +IP: [<ffffffff8119abe0>] do_try_to_free_pages+0x140/0x490 +PGD 0 +Oops: 0000 [#1] SMP +megaraid_sas sg scsi_mod efivarfs autofs4 +Supported: No, Unsupported modules are loaded +Workqueue: kacpi_hotplug acpi_hotplug_work_fn +task: ffff88ffd0d4c540 ti: ffff88ffd0e48000 task.ti: ffff88ffd0e48000 +RIP: 0010:[<ffffffff8119abe0>] [<ffffffff8119abe0>] do_try_to_free_pages+0x140/0x490 +RSP: 0018:ffff88ffd0e4ba60 EFLAGS: 00010206 +RAX: 000006fffffff900 RBX: 00000000ffffffff RCX: ffff88fffff29000 +RDX: 000000ffffffff00 RSI: 0000000000000003 RDI: 00000000024200c8 +RBP: 0000000001320122 R08: 0000000000000000 R09: ffff88ffd0e4bbac +R10: 0000000000000000 R11: 0000000000000000 R12: ffff88ffd0e4bae0 +R13: 0000000000000e00 R14: ffff88fffff2a500 R15: ffff88fffff2b300 +FS: 0000000000000000(0000) GS:ffff88ffe6440000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffff8ffffff28990 CR3: 0000000001c0a000 CR4: 00000000003406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 
0000000000000400 +Stack: + 00000002db570a80 024200c80000001e ffff88fffff2b300 0000000000000000 + ffff88fffffd5700 ffff88ffd0d4c540 ffff88ffd0d4c540 ffffffff0000000c + 0000000000000000 0000000000000040 00000000024200c8 ffff88ffd0e4bae0 +Call Trace: + [<ffffffff8119afea>] try_to_free_pages+0xba/0x170 + [<ffffffff8118cf2f>] __alloc_pages_nodemask+0x53f/0xb20 + [<ffffffff811d39ff>] alloc_pages_current+0x7f/0x100 + [<ffffffff811e2232>] migrate_pages+0x202/0x710 + [<ffffffff815dadaa>] __offline_pages.constprop.23+0x4ba/0x790 + [<ffffffff81463263>] memory_subsys_offline+0x43/0x70 + [<ffffffff8144cbed>] device_offline+0x7d/0xa0 + [<ffffffff81392fa2>] acpi_bus_offline+0xa5/0xef + [<ffffffff81394a77>] acpi_device_hotplug+0x21b/0x41f + [<ffffffff8138dab7>] acpi_hotplug_work_fn+0x1a/0x23 + [<ffffffff81093cee>] process_one_work+0x14e/0x410 + [<ffffffff81094546>] worker_thread+0x116/0x490 + [<ffffffff810999ed>] kthread+0xbd/0xe0 + [<ffffffff815e4e7f>] ret_from_fork+0x3f/0x70 + +This translates to the loop in shrink_zone(): + +classzone_idx = requested_highidx; +while (!populated_zone(zone->zone_pgdat->node_zones + + classzone_idx)) + classzone_idx--; + +where no zone is populated, so classzone_idx becomes -1 (in RBX). + +Added debugging output reveals that we enter the function with +sc->gfp_mask == GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE +requested_highidx = gfp_zone(sc->gfp_mask) == 2 (ZONE_NORMAL) + +Inside the for loop, however: +gfp_zone(sc->gfp_mask) == 3 (ZONE_MOVABLE) + +This means we have gone through this branch: + +if (buffer_heads_over_limit) + sc->gfp_mask |= __GFP_HIGHMEM; + +This changes the gfp_zone() result, but requested_highidx remains unchanged. +On nodes where the only populated zone is movable, the inner while loop will +check only lower zones, which are not populated, and underflow classzone_idx. 
+ +To sum up, the bug occurs in configurations with ZONE_MOVABLE (such as when +booted with the movable_node parameter) and only in situations when +buffer_heads_over_limit is true, and there's an allocation with __GFP_MOVABLE +and without __GFP_HIGHMEM performing direct reclaim. + +This patch makes sure that classzone_idx starts with the correct zone. + +Mainline has been affected in versions 4.6 and 4.7, but the culprit commit has +been also included in stable trees. +In mainline, this has been fixed accidentally as part of 34-patch series (plus +follow-up fixes) "Move LRU page reclaim from zones to nodes", which makes the +mainline commit unsuitable for stable backport, unfortunately. + +Fixes: 7bf52fb891b6 ("mm: vmscan: reclaim highmem zone if buffer_heads is over limit") +Obsoleted-by: b2e18757f2c9 ("mm, vmscan: begin reclaiming pages on a per-node basis") +Debugged-by: Michal Hocko <mhocko@suse.cz> +Signed-off-by: Vlastimil Babka <vbabka@suse.cz> +Cc: Minchan Kim <minchan@kernel.org> +Cc: Johannes Weiner <hannes@cmpxchg.org> +Acked-by: Mel Gorman <mgorman@techsingularity.net> +Acked-by: Michal Hocko <mhocko@suse.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> + +--- + mm/vmscan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -2529,7 +2529,7 @@ static bool shrink_zones(struct zonelist + if (!populated_zone(zone)) + continue; + +- classzone_idx = requested_highidx; ++ classzone_idx = gfp_zone(sc->gfp_mask); + while (!populated_zone(zone->zone_pgdat->node_zones + + classzone_idx)) + classzone_idx--; + + +Patches currently in stable-queue which might be from vbabka@suse.cz are + +queue-4.4/mm-fix-classzone_idx-underflow-in-shrink_zones.patch + +-- +To unsubscribe, send a message with 'unsubscribe linux-mm' in +the body to majordomo@kvack.org. For more info on Linux MM, +see: http://www.linux-mm.org/ . +Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a> 
diff --git a/a/content_digest b/N2/content_digest index 88a9a4a..b215bdc 100644 --- a/a/content_digest +++ b/N2/content_digest @@ -3,17 +3,18 @@ "Subject\0Patch \"mm: fix classzone_idx underflow in shrink_zones()\" has been added to the 4.4-stable tree\0" "Date\0Fri, 07 Jul 2017 11:10:27 +0200\0" "To\0vbabka@suse.cz" - gregkh@linuxfoundation.org - hannes@cmpxchg.org - linux-kernel@vger.kernel.org - linux-mm@kvack.org - mgorman@techsingularity.net - mhocko@kernel.org - mhocko@suse.com - mhocko@suse.cz - minchan@kernel.org - " stable@vger.kernel.org\0" - "Cc\0stable-commits@vger.kernel.org\0" + gregkh@linuxfoundation.org + hannes@cmpxchg.org + linux-kernel@vger.kernel.org + linux-mm@kvack.org + mgorman@techsingularity.net + mhocko@kernel.org + mhocko@suse.com + mhocko@suse.cz + minchan@kernel.org + "stable@vger.kernel.org\0" + "Cc\0<stable@vger.kernel.org>" + " <stable-commits@vger.kernel.org>\0" "\00:1\0" "b\0" "\n" 
@@ -29,6 +30,136 @@ "and it can be found in the queue-4.4 subdirectory.\n" "\n" "If you, or anyone else, feels it should not be added to the stable tree,\n" - please let <stable@vger.kernel.org> know about it. + "please let <stable@vger.kernel.org> know about it.\n" + "\n" + "\n" + ">From vbabka@suse.cz Fri Jul 7 11:06:31 2017\n" + "From: Vlastimil Babka <vbabka@suse.cz>\n" + "Date: Tue, 4 Jul 2017 10:45:43 +0200\n" + "Subject: mm: fix classzone_idx underflow in shrink_zones()\n" + "To: stable <stable@vger.kernel.org>\n" + "Cc: Johannes Weiner <hannes@cmpxchg.org>, Minchan Kim <minchan@kernel.org>, Michal Hocko <mhocko@kernel.org>, linux-mm <linux-mm@kvack.org>, LKML <linux-kernel@vger.kernel.org>, Mel Gorman <mgorman@techsingularity.net>\n" + "Message-ID: <cf25f1a5-5276-90ea-1eac-f2a2aceffaef@suse.cz>\n" + "\n" + "From: Vlastimil Babka <vbabka@suse.cz>\n" + "\n" + "[Not upstream as that would take 34+ patches]\n" + "\n" + "We've got reported a BUG in do_try_to_free_pages():\n" + "\n" + "BUG: unable to handle kernel paging request at ffff8ffffff28990\n" + "IP: [<ffffffff8119abe0>] do_try_to_free_pages+0x140/0x490\n" + "PGD 0\n" + "Oops: 0000 [#1] SMP\n" + "megaraid_sas sg scsi_mod efivarfs autofs4\n" + "Supported: No, Unsupported modules are loaded\n" + "Workqueue: kacpi_hotplug acpi_hotplug_work_fn\n" + "task: ffff88ffd0d4c540 ti: ffff88ffd0e48000 task.ti: ffff88ffd0e48000\n" + "RIP: 0010:[<ffffffff8119abe0>] [<ffffffff8119abe0>] do_try_to_free_pages+0x140/0x490\n" + "RSP: 0018:ffff88ffd0e4ba60 EFLAGS: 00010206\n" + "RAX: 000006fffffff900 RBX: 00000000ffffffff RCX: ffff88fffff29000\n" + "RDX: 000000ffffffff00 RSI: 0000000000000003 RDI: 00000000024200c8\n" + "RBP: 0000000001320122 R08: 0000000000000000 R09: ffff88ffd0e4bbac\n" + "R10: 0000000000000000 R11: 0000000000000000 R12: ffff88ffd0e4bae0\n" + "R13: 0000000000000e00 R14: ffff88fffff2a500 R15: ffff88fffff2b300\n" + "FS: 0000000000000000(0000) GS:ffff88ffe6440000(0000) knlGS:0000000000000000\n" + "CS: 0010 DS: 
0000 ES: 0000 CR0: 0000000080050033\n" + "CR2: ffff8ffffff28990 CR3: 0000000001c0a000 CR4: 00000000003406e0\n" + "DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n" + "DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n" + "Stack:\n" + " 00000002db570a80 024200c80000001e ffff88fffff2b300 0000000000000000\n" + " ffff88fffffd5700 ffff88ffd0d4c540 ffff88ffd0d4c540 ffffffff0000000c\n" + " 0000000000000000 0000000000000040 00000000024200c8 ffff88ffd0e4bae0\n" + "Call Trace:\n" + " [<ffffffff8119afea>] try_to_free_pages+0xba/0x170\n" + " [<ffffffff8118cf2f>] __alloc_pages_nodemask+0x53f/0xb20\n" + " [<ffffffff811d39ff>] alloc_pages_current+0x7f/0x100\n" + " [<ffffffff811e2232>] migrate_pages+0x202/0x710\n" + " [<ffffffff815dadaa>] __offline_pages.constprop.23+0x4ba/0x790\n" + " [<ffffffff81463263>] memory_subsys_offline+0x43/0x70\n" + " [<ffffffff8144cbed>] device_offline+0x7d/0xa0\n" + " [<ffffffff81392fa2>] acpi_bus_offline+0xa5/0xef\n" + " [<ffffffff81394a77>] acpi_device_hotplug+0x21b/0x41f\n" + " [<ffffffff8138dab7>] acpi_hotplug_work_fn+0x1a/0x23\n" + " [<ffffffff81093cee>] process_one_work+0x14e/0x410\n" + " [<ffffffff81094546>] worker_thread+0x116/0x490\n" + " [<ffffffff810999ed>] kthread+0xbd/0xe0\n" + " [<ffffffff815e4e7f>] ret_from_fork+0x3f/0x70\n" + "\n" + "This translates to the loop in shrink_zone():\n" + "\n" + "classzone_idx = requested_highidx;\n" + "while (!populated_zone(zone->zone_pgdat->node_zones +\n" + "\t\t\t\t\tclasszone_idx))\n" + "\tclasszone_idx--;\n" + "\n" + "where no zone is populated, so classzone_idx becomes -1 (in RBX).\n" + "\n" + "Added debugging output reveals that we enter the function with\n" + "sc->gfp_mask == GFP_NOFS|__GFP_NOFAIL|__GFP_HARDWALL|__GFP_MOVABLE\n" + "requested_highidx = gfp_zone(sc->gfp_mask) == 2 (ZONE_NORMAL)\n" + "\n" + "Inside the for loop, however:\n" + "gfp_zone(sc->gfp_mask) == 3 (ZONE_MOVABLE)\n" + "\n" + "This means we have gone through this branch:\n" + "\n" + "if 
(buffer_heads_over_limit)\n" + " sc->gfp_mask |= __GFP_HIGHMEM;\n" + "\n" + "This changes the gfp_zone() result, but requested_highidx remains unchanged.\n" + "On nodes where the only populated zone is movable, the inner while loop will\n" + "check only lower zones, which are not populated, and underflow classzone_idx.\n" + "\n" + "To sum up, the bug occurs in configurations with ZONE_MOVABLE (such as when\n" + "booted with the movable_node parameter) and only in situations when\n" + "buffer_heads_over_limit is true, and there's an allocation with __GFP_MOVABLE\n" + "and without __GFP_HIGHMEM performing direct reclaim.\n" + "\n" + "This patch makes sure that classzone_idx starts with the correct zone.\n" + "\n" + "Mainline has been affected in versions 4.6 and 4.7, but the culprit commit has\n" + "been also included in stable trees.\n" + "In mainline, this has been fixed accidentally as part of 34-patch series (plus\n" + "follow-up fixes) \"Move LRU page reclaim from zones to nodes\", which makes the\n" + "mainline commit unsuitable for stable backport, unfortunately.\n" + "\n" + "Fixes: 7bf52fb891b6 (\"mm: vmscan: reclaim highmem zone if buffer_heads is over limit\")\n" + "Obsoleted-by: b2e18757f2c9 (\"mm, vmscan: begin reclaiming pages on a per-node basis\")\n" + "Debugged-by: Michal Hocko <mhocko@suse.cz>\n" + "Signed-off-by: Vlastimil Babka <vbabka@suse.cz>\n" + "Cc: Minchan Kim <minchan@kernel.org>\n" + "Cc: Johannes Weiner <hannes@cmpxchg.org>\n" + "Acked-by: Mel Gorman <mgorman@techsingularity.net>\n" + "Acked-by: Michal Hocko <mhocko@suse.com>\n" + "Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\n" + "\n" + "---\n" + " mm/vmscan.c | 2 +-\n" + " 1 file changed, 1 insertion(+), 1 deletion(-)\n" + "\n" + "--- a/mm/vmscan.c\n" + "+++ b/mm/vmscan.c\n" + "@@ -2529,7 +2529,7 @@ static bool shrink_zones(struct zonelist\n" + " \t\tif (!populated_zone(zone))\n" + " \t\t\tcontinue;\n" + " \n" + "-\t\tclasszone_idx = requested_highidx;\n" + 
"+\t\tclasszone_idx = gfp_zone(sc->gfp_mask);\n" + " \t\twhile (!populated_zone(zone->zone_pgdat->node_zones +\n" + " \t\t\t\t\t\t\tclasszone_idx))\n" + " \t\t\tclasszone_idx--;\n" + "\n" + "\n" + "Patches currently in stable-queue which might be from vbabka@suse.cz are\n" + "\n" + "queue-4.4/mm-fix-classzone_idx-underflow-in-shrink_zones.patch\n" + "\n" + "--\n" + "To unsubscribe, send a message with 'unsubscribe linux-mm' in\n" + "the body to majordomo@kvack.org. For more info on Linux MM,\n" + "see: http://www.linux-mm.org/ .\n" + "Don't email: <a href=mailto:\"dont@kvack.org\"> email@kvack.org </a>" -6e6be97e0737f48b1d1a3b800dde5715a79a479a779fcc4c30210fb8f1a6373c +870c39b3bbcf4ee0a6e3a1c5184fff2016969189e8a9ce088cb503a12bc2d7e0
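Review bot: in the mm/vmscan.c hunk (`@@ -2529,7 +2529,7 @@` in shrink_zones()), the while loop after the changed assignment still decrements classzone_idx with no lower bound, so it terminates only if some zone at or below gfp_zone(sc->gfp_mask) on that node is populated. The preceding `if (!populated_zone(zone)) continue;` makes that true only while the index of `zone` never exceeds the starting value, and nothing in the hunk enforces or documents that. The oops quoted in the commit message shows the result when it breaks: classzone_idx reaches -1 and node_zones is indexed out of bounds. Consider a comment above the loop stating the invariant, or a bounded form such as `while (classzone_idx > 0 && !populated_zone(...))`, so that a later change to sc->gfp_mask inside the for loop cannot turn into an out-of-bounds read again. Separately, the commit message refers to "the loop in shrink_zone()" while the subject and the hunk header name shrink_zones(); the message should use the latter.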
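Review bot: in the 1.txt and content_digest hunks, the copies filed under Message-ID <1499418627229186@kroah.com> are not the same message. The base copy's body ends at "please let <stable@vger.kernel.org> know about it." (3 lines at `@@ -12,3`), N1 and N2 append the full patch, N2 also appends the linux-mm list footer, and the Cc header changes from `stable-commits@vger.kernel.org` alone to `<stable@vger.kernel.org>` plus `<stable-commits@vger.kernel.org>`. Anything that deduplicates or retrieves this notification by Message-ID alone can end up with the copy that lacks the patch. Tooling should tell the copies apart by the content digest shown at the end of each content_digest diff, or take the patch from queue-4.4/mm-fix-classzone_idx-underflow-in-shrink_zones.patch rather than from the mail body.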