From: Johannes Weiner <hannes@cmpxchg.org>
To: Michal Hocko <mhocko@suse.cz>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>,
Zhouping Liu <zliu@redhat.com>, Hugh Dickins <hughd@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Glauber Costa <glommer@parallels.com>,
linux-mm@kvack.org, LKML <linux-kernel@vger.kernel.org>,
caiqian <caiqian@redhat.com>, Caspar Zhang <czhang@redhat.com>,
Martin Schwidefsky <schwidefsky@de.ibm.com>
Subject: Re: [v3.9-rc8]: kernel BUG at mm/memcontrol.c:3994! (was: Re: [BUG][s390x] mm: system crashed)
Date: Wed, 24 Apr 2013 11:20:43 -0400 [thread overview]
Message-ID: <20130424152043.GP2018@cmpxchg.org> (raw)
In-Reply-To: <20130424131851.GC31960@dhcp22.suse.cz>
On Wed, Apr 24, 2013 at 03:18:51PM +0200, Michal Hocko wrote:
> On Wed 24-04-13 12:42:55, Heiko Carstens wrote:
> > On Thu, Apr 18, 2013 at 09:13:03AM +0200, Heiko Carstens wrote:
> > > Ok, thanks for verifying! I'll look into it; hopefully I can reproduce it
> > > here as well.
> >
> > That seems to be a common code bug. I can easily trigger the VM_BUG_ON()
> > below (when I force the system to swap):
> >
> > [ 48.347963] ------------[ cut here ]------------
> > [ 48.347972] kernel BUG at mm/memcontrol.c:3994!
> > [ 48.348012] illegal operation: 0001 [#1] SMP
> > [ 48.348015] Modules linked in:
> > [ 48.348017] CPU: 1 Not tainted 3.9.0-rc8+ #38
> > [ 48.348020] Process mmap2 (pid: 635, task: 0000000029476100, ksp: 000000002e91b938)
> > [ 48.348022] Krnl PSW : 0704f00180000000 000000000026552c (__mem_cgroup_uncharge_common+0x2c4/0x33c)
> > [ 48.348032] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 EA:3
> > Krnl GPRS: 0000000000000008 0000000000000009 000003d1002a9200 0000000000000000
> > [ 48.348039] 0000000000000000 00000000006812d8 000003ffdf339000 00000000321a6f98
> > [ 48.348043] 000003fffce11000 0000000000000000 0000000000000001 000003d1002a9200
> > [ 48.348046] 0000000000000001 0000000000681b88 000000002e91bc18 000000002e91bbd0
> > [ 48.348057] Krnl Code: 000000000026551e: c0e5fffaa2a1 brasl %r14,1b9a60
> > 0000000000265524: a7f4ff7d brc 15,26541e
> > #0000000000265528: a7f40001 brc 15,26552a
> > >000000000026552c: e3c0b8200124 stg %r12,6176(%r11)
> > 0000000000265532: a7f4ff57 brc 15,2653e0
> > 0000000000265536: e310b8280104 lg %r1,6184(%r11)
> > 000000000026553c: a71b0001 aghi %r1,1
> > 0000000000265540: e310b8280124 stg %r1,6184(%r11)
> > [ 48.348099] Call Trace:
> > [ 48.348100] ([<000003d1002a91c0>] 0x3d1002a91c0)
> > [ 48.348102] [<00000000002404aa>] page_remove_rmap+0xf2/0x16c
> > [ 48.348106] [<0000000000232dc8>] unmap_single_vma+0x494/0x7d8
> > [ 48.348107] [<0000000000233ac0>] unmap_vmas+0x50/0x74
> > [ 48.348109] [<00000000002396ec>] unmap_region+0x9c/0x110
> > [ 48.348110] [<000000000023bd18>] do_munmap+0x284/0x470
> > [ 48.348111] [<000000000023bf56>] vm_munmap+0x52/0x70
> > [ 48.348113] [<000000000023cf32>] SyS_munmap+0x3a/0x4c
> > [ 48.348114] [<0000000000665e14>] sysc_noemu+0x22/0x28
> > [ 48.348118] [<000003fffcf187b2>] 0x3fffcf187b2
> > [ 48.348119] Last Breaking-Event-Address:
> > [ 48.348120] [<0000000000265528>] __mem_cgroup_uncharge_common+0x2c0/0x33c
> >
> > Looking at the code, the code flow is:
> >
> > page_remove_rmap() -> mem_cgroup_uncharge_page() -> __mem_cgroup_uncharge_common()
> >
> > Note that in mem_cgroup_uncharge_page() the page in question passed the check:
> >
> > [...]
> > if (PageSwapCache(page))
> > return;
> > [...]
> >
> > and just a couple of instructions later the VM_BUG_ON() within
> > __mem_cgroup_uncharge_common() triggers:
> >
> > [...]
> > if (mem_cgroup_disabled())
> > return NULL;
> >
> > VM_BUG_ON(PageSwapCache(page));
> > [...]
> >
> > Which means that another cpu changed the pageflags concurrently. In fact,
> > looking at the dump a different cpu is indeed busy with running kswapd.
>
> Hmm, maybe I am missing something but it really looks like we can race
> here. Reclaim path takes the page lock while zap_pte takes page table
> lock so nothing prevents them from racing here:
> shrink_page_list zap_pte_range
> trylock_page pte_offset_map_lock
> add_to_swap page_remove_rmap
> /* Page can be still mapped */
> add_to_swap_cache atomic_add_negative(_mapcount)
> __add_to_swap_cache mem_cgroup_uncharge_page
> (PageSwapCache(page)) && return
> SetPageSwapCache
> __mem_cgroup_uncharge_common
> VM_BUG_ON(PageSwapCache(page))
>
> Maybe not many people run with CONFIG_DEBUG_VM enabled these days so we
> do not this more often (even me testing configs are not consistent in
> that regards and only few have it on). The only thing that changed in
> this area recently is 0c59b89c which made the test VM_BUG_ON rather then
> simple return in 3.6
> And maybe the BUG_ON is too harsh as CgroupUsed should guarantee that
> the uncharge will eventually go away. What do you think Johannes?
Interesting. We need to ensure there is ordering between setting
PG_swapcache and installing swap entries because I think we are the
only ones looking at PG_swapcache without the page lock held. So we
don't have a safe way to check for PG_swapcache but if we get it
wrong, we may steal an uncharge that uncharge_swapcache() should be
doing instead and that means we mess up the swap statistics
accounting.
So how can we, without holding the page lock, either safely back off
from a page in swapcache or make sure we do the swap statistics
accounting when uncharging a swapcache page from the final unmap?
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Johannes Weiner <hannes@cmpxchg.org>
To: Michal Hocko <mhocko@suse.cz>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>,
Zhouping Liu <zliu@redhat.com>, Hugh Dickins <hughd@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Glauber Costa <glommer@parallels.com>,
linux-mm@kvack.org, LKML <linux-kernel@vger.kernel.org>,
caiqian <caiqian@redhat.com>, Caspar Zhang <czhang@redhat.com>,
Martin Schwidefsky <schwidefsky@de.ibm.com>
Subject: Re: [v3.9-rc8]: kernel BUG at mm/memcontrol.c:3994! (was: Re: [BUG][s390x] mm: system crashed)
Date: Wed, 24 Apr 2013 11:20:43 -0400 [thread overview]
Message-ID: <20130424152043.GP2018@cmpxchg.org> (raw)
In-Reply-To: <20130424131851.GC31960@dhcp22.suse.cz>
On Wed, Apr 24, 2013 at 03:18:51PM +0200, Michal Hocko wrote:
> On Wed 24-04-13 12:42:55, Heiko Carstens wrote:
> > On Thu, Apr 18, 2013 at 09:13:03AM +0200, Heiko Carstens wrote:
> > > Ok, thanks for verifying! I'll look into it; hopefully I can reproduce it
> > > here as well.
> >
> > That seems to be a common code bug. I can easily trigger the VM_BUG_ON()
> > below (when I force the system to swap):
> >
> > [ 48.347963] ------------[ cut here ]------------
> > [ 48.347972] kernel BUG at mm/memcontrol.c:3994!
> > [ 48.348012] illegal operation: 0001 [#1] SMP
> > [ 48.348015] Modules linked in:
> > [ 48.348017] CPU: 1 Not tainted 3.9.0-rc8+ #38
> > [ 48.348020] Process mmap2 (pid: 635, task: 0000000029476100, ksp: 000000002e91b938)
> > [ 48.348022] Krnl PSW : 0704f00180000000 000000000026552c (__mem_cgroup_uncharge_common+0x2c4/0x33c)
> > [ 48.348032] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 EA:3
> > Krnl GPRS: 0000000000000008 0000000000000009 000003d1002a9200 0000000000000000
> > [ 48.348039] 0000000000000000 00000000006812d8 000003ffdf339000 00000000321a6f98
> > [ 48.348043] 000003fffce11000 0000000000000000 0000000000000001 000003d1002a9200
> > [ 48.348046] 0000000000000001 0000000000681b88 000000002e91bc18 000000002e91bbd0
> > [ 48.348057] Krnl Code: 000000000026551e: c0e5fffaa2a1 brasl %r14,1b9a60
> > 0000000000265524: a7f4ff7d brc 15,26541e
> > #0000000000265528: a7f40001 brc 15,26552a
> > >000000000026552c: e3c0b8200124 stg %r12,6176(%r11)
> > 0000000000265532: a7f4ff57 brc 15,2653e0
> > 0000000000265536: e310b8280104 lg %r1,6184(%r11)
> > 000000000026553c: a71b0001 aghi %r1,1
> > 0000000000265540: e310b8280124 stg %r1,6184(%r11)
> > [ 48.348099] Call Trace:
> > [ 48.348100] ([<000003d1002a91c0>] 0x3d1002a91c0)
> > [ 48.348102] [<00000000002404aa>] page_remove_rmap+0xf2/0x16c
> > [ 48.348106] [<0000000000232dc8>] unmap_single_vma+0x494/0x7d8
> > [ 48.348107] [<0000000000233ac0>] unmap_vmas+0x50/0x74
> > [ 48.348109] [<00000000002396ec>] unmap_region+0x9c/0x110
> > [ 48.348110] [<000000000023bd18>] do_munmap+0x284/0x470
> > [ 48.348111] [<000000000023bf56>] vm_munmap+0x52/0x70
> > [ 48.348113] [<000000000023cf32>] SyS_munmap+0x3a/0x4c
> > [ 48.348114] [<0000000000665e14>] sysc_noemu+0x22/0x28
> > [ 48.348118] [<000003fffcf187b2>] 0x3fffcf187b2
> > [ 48.348119] Last Breaking-Event-Address:
> > [ 48.348120] [<0000000000265528>] __mem_cgroup_uncharge_common+0x2c0/0x33c
> >
> > Looking at the code, the code flow is:
> >
> > page_remove_rmap() -> mem_cgroup_uncharge_page() -> __mem_cgroup_uncharge_common()
> >
> > Note that in mem_cgroup_uncharge_page() the page in question passed the check:
> >
> > [...]
> > if (PageSwapCache(page))
> > return;
> > [...]
> >
> > and just a couple of instructions later the VM_BUG_ON() within
> > __mem_cgroup_uncharge_common() triggers:
> >
> > [...]
> > if (mem_cgroup_disabled())
> > return NULL;
> >
> > VM_BUG_ON(PageSwapCache(page));
> > [...]
> >
> > Which means that another cpu changed the pageflags concurrently. In fact,
> > looking at the dump a different cpu is indeed busy with running kswapd.
>
> Hmm, maybe I am missing something but it really looks like we can race
> here. Reclaim path takes the page lock while zap_pte takes page table
> lock so nothing prevents them from racing here:
> shrink_page_list zap_pte_range
> trylock_page pte_offset_map_lock
> add_to_swap page_remove_rmap
> /* Page can be still mapped */
> add_to_swap_cache atomic_add_negative(_mapcount)
> __add_to_swap_cache mem_cgroup_uncharge_page
> (PageSwapCache(page)) && return
> SetPageSwapCache
> __mem_cgroup_uncharge_common
> VM_BUG_ON(PageSwapCache(page))
>
> Maybe not many people run with CONFIG_DEBUG_VM enabled these days so we
> do not this more often (even me testing configs are not consistent in
> that regards and only few have it on). The only thing that changed in
> this area recently is 0c59b89c which made the test VM_BUG_ON rather then
> simple return in 3.6
> And maybe the BUG_ON is too harsh as CgroupUsed should guarantee that
> the uncharge will eventually go away. What do you think Johannes?
Interesting. We need to ensure there is ordering between setting
PG_swapcache and installing swap entries because I think we are the
only ones looking at PG_swapcache without the page lock held. So we
don't have a safe way to check for PG_swapcache but if we get it
wrong, we may steal an uncharge that uncharge_swapcache() should be
doing instead and that means we mess up the swap statistics
accounting.
So how can we, without holding the page lock, either safely back off
from a page in swapcache or make sure we do the swap statistics
accounting when uncharging a swapcache page from the final unmap?
next prev parent reply other threads:[~2013-04-24 15:21 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <156480624.266924.1365995933797.JavaMail.root@redhat.com>
2013-04-15 3:28 ` [BUG][s390x] mm: system crashed Zhouping Liu
2013-04-15 3:28 ` Zhouping Liu
2013-04-15 5:56 ` Heiko Carstens
2013-04-15 5:56 ` Heiko Carstens
2013-04-15 6:16 ` Zhouping Liu
2013-04-15 6:16 ` Zhouping Liu
2013-04-16 7:50 ` Heiko Carstens
2013-04-16 7:50 ` Heiko Carstens
2013-04-16 7:56 ` Simon Jeons
2013-04-16 7:56 ` Simon Jeons
2013-04-16 8:03 ` Heiko Carstens
2013-04-16 8:03 ` Heiko Carstens
2013-04-16 8:26 ` Zhouping Liu
2013-04-16 8:26 ` Zhouping Liu
2013-04-18 6:27 ` Zhouping Liu
2013-04-18 6:27 ` Zhouping Liu
2013-04-18 7:13 ` Heiko Carstens
2013-04-18 7:13 ` Heiko Carstens
2013-04-24 10:42 ` [v3.9-rc8]: kernel BUG at mm/memcontrol.c:3994! (was: Re: [BUG][s390x] mm: system crashed) Heiko Carstens
2013-04-24 10:42 ` Heiko Carstens
2013-04-24 13:18 ` Michal Hocko
2013-04-24 13:18 ` Michal Hocko
2013-04-24 15:20 ` Johannes Weiner [this message]
2013-04-24 15:20 ` Johannes Weiner
2013-04-25 3:50 ` Hugh Dickins
2013-04-25 3:50 ` Hugh Dickins
2013-04-30 17:27 ` Johannes Weiner
2013-04-30 17:27 ` Johannes Weiner
2013-05-01 15:28 ` Hugh Dickins
2013-05-01 15:28 ` Hugh Dickins
2013-05-01 19:10 ` Johannes Weiner
2013-05-01 19:10 ` Johannes Weiner
2013-05-02 4:57 ` Hugh Dickins
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130424152043.GP2018@cmpxchg.org \
--to=hannes@cmpxchg.org \
--cc=akpm@linux-foundation.org \
--cc=caiqian@redhat.com \
--cc=czhang@redhat.com \
--cc=glommer@parallels.com \
--cc=heiko.carstens@de.ibm.com \
--cc=hughd@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@suse.cz \
--cc=schwidefsky@de.ibm.com \
--cc=zliu@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.