From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-yh0-f45.google.com (mail-yh0-f45.google.com [209.85.213.45]) by kanga.kvack.org (Postfix) with ESMTP id 7440F6B0038 for ; Wed, 26 Mar 2014 11:13:36 -0400 (EDT) Received: by mail-yh0-f45.google.com with SMTP id a41so2198458yho.32 for ; Wed, 26 Mar 2014 08:13:36 -0700 (PDT) Received: from aserp1040.oracle.com (aserp1040.oracle.com. [141.146.126.69]) by mx.google.com with ESMTPS id l53si23743723yhh.132.2014.03.26.08.13.35 for (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 26 Mar 2014 08:13:35 -0700 (PDT) Message-ID: <5332EE97.4050604@oracle.com> Date: Wed, 26 Mar 2014 11:13:27 -0400 From: Sasha Levin MIME-Version: 1.0 Subject: mm: BUG: Bad page state in process ksmd Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-linux-mm@kvack.org List-ID: To: "linux-mm@kvack.org" Cc: Andrew Morton , LKML Hi all, While fuzzing with trinity inside a KVM tools guest running the latest -next kernel I've stumbled on the following. Out of curiosity, is there a reason not to do bad flag checks when actually setting flag? Obviously it'll be slower but it'll be easier catching these issues. [ 3926.683948] BUG: Bad page state in process ksmd pfn:5a6246 [ 3926.689336] page:ffffea0016989180 count:0 mapcount:0 mapping: (null) index: [ 3926.696507] page flags: 0x56fffff8028001c(referenced|uptodate|dirty|swapbacked|mlock [ 3926.709201] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set [ 3926.711216] bad because of flags: [ 3926.712136] page flags: 0x200000(mlocked) [ 3926.713574] Modules linked in: [ 3926.714466] CPU: 26 PID: 3864 Comm: ksmd Tainted: G W 3.14.0-rc7-next-201 [ 3926.720942] ffffffff85688060 ffff8806ec7abc38 ffffffff844bd702 0000000000002fa0 [ 3926.728107] ffffea0016989180 ffff8806ec7abc68 ffffffff844b158f 000fffff80000000 [ 3926.730563] 0000000000000000 000fffff80000000 ffffffff85688060 ffff8806ec7abcb8 [ 3926.737653] Call Trace: [ 3926.738347] dump_stack (lib/dump_stack.c:52) [ 3926.739841] bad_page (arch/x86/include/asm/atomic.h:38 include/linux/mm.h:432 mm/page_alloc.c:339) [ 3926.741296] free_pages_prepare (mm/page_alloc.c:644 mm/page_alloc.c:738) [ 3926.742818] free_hot_cold_page (mm/page_alloc.c:1371) [ 3926.749425] __put_single_page (mm/swap.c:71) [ 3926.751074] put_page (mm/swap.c:237) [ 3926.752398] ksm_do_scan (mm/ksm.c:1480 mm/ksm.c:1704) [ 3926.753957] ksm_scan_thread (mm/ksm.c:1723) [ 3926.755940] ? bit_waitqueue (kernel/sched/wait.c:291) [ 3926.758644] ? ksm_do_scan (mm/ksm.c:1715) [ 3926.760420] kthread (kernel/kthread.c:219) [ 3926.761605] ? kthread_create_on_node (kernel/kthread.c:185) [ 3926.763149] ret_from_fork (arch/x86/kernel/entry_64.S:555) [ 3926.764323] ? kthread_create_on_node (kernel/kthread.c:185) Thanks, Sasha -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pa0-f53.google.com (mail-pa0-f53.google.com [209.85.220.53]) by kanga.kvack.org (Postfix) with ESMTP id DC5046B0035 for ; Wed, 26 Mar 2014 15:55:28 -0400 (EDT) Received: by mail-pa0-f53.google.com with SMTP id ld10so2371566pab.26 for ; Wed, 26 Mar 2014 12:55:28 -0700 (PDT) Received: from mail.linuxfoundation.org (mail.linuxfoundation.org. [140.211.169.12]) by mx.google.com with ESMTP id tm9si14458815pab.387.2014.03.26.12.55.26 for ; Wed, 26 Mar 2014 12:55:26 -0700 (PDT) Date: Wed, 26 Mar 2014 12:55:25 -0700 From: Andrew Morton Subject: Re: mm: BUG: Bad page state in process ksmd Message-Id: <20140326125525.4e8090096f647f654eb7329d@linux-foundation.org> In-Reply-To: <5332EE97.4050604@oracle.com> References: <5332EE97.4050604@oracle.com> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-linux-mm@kvack.org List-ID: To: Sasha Levin Cc: "linux-mm@kvack.org" , LKML , Hugh Dickins On Wed, 26 Mar 2014 11:13:27 -0400 Sasha Levin wrote: > Hi all, > > While fuzzing with trinity inside a KVM tools guest running the latest -next > kernel I've stumbled on the following. (cc Hugh) > Out of curiosity, is there a reason not to do bad flag checks when actually > setting flag? Obviously it'll be slower but it'll be easier catching these > issues. Tricky. Each code site must determine what are and are not valid page states depending upon the current context. The one place where we've made that effort is at the point where a page is returned to the free page pool. Any other sites would require similar amounts of effort and each one would be different from all the others. We do this in a small way all over the place, against individual page flags. grep PageLocked */*.c. > [ 3926.683948] BUG: Bad page state in process ksmd pfn:5a6246 > [ 3926.689336] page:ffffea0016989180 count:0 mapcount:0 mapping: (null) index: > [ 3926.696507] page flags: 0x56fffff8028001c(referenced|uptodate|dirty|swapbacked|mlock > [ 3926.709201] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set > [ 3926.711216] bad because of flags: > [ 3926.712136] page flags: 0x200000(mlocked) > [ 3926.713574] Modules linked in: > [ 3926.714466] CPU: 26 PID: 3864 Comm: ksmd Tainted: G W 3.14.0-rc7-next-201 > [ 3926.720942] ffffffff85688060 ffff8806ec7abc38 ffffffff844bd702 0000000000002fa0 > [ 3926.728107] ffffea0016989180 ffff8806ec7abc68 ffffffff844b158f 000fffff80000000 > [ 3926.730563] 0000000000000000 000fffff80000000 ffffffff85688060 ffff8806ec7abcb8 > [ 3926.737653] Call Trace: > [ 3926.738347] dump_stack (lib/dump_stack.c:52) > [ 3926.739841] bad_page (arch/x86/include/asm/atomic.h:38 include/linux/mm.h:432 mm/page_alloc.c:339) > [ 3926.741296] free_pages_prepare (mm/page_alloc.c:644 mm/page_alloc.c:738) > [ 3926.742818] free_hot_cold_page (mm/page_alloc.c:1371) > [ 3926.749425] __put_single_page (mm/swap.c:71) > [ 3926.751074] put_page (mm/swap.c:237) > [ 3926.752398] ksm_do_scan (mm/ksm.c:1480 mm/ksm.c:1704) > [ 3926.753957] ksm_scan_thread (mm/ksm.c:1723) > [ 3926.755940] ? bit_waitqueue (kernel/sched/wait.c:291) > [ 3926.758644] ? ksm_do_scan (mm/ksm.c:1715) > [ 3926.760420] kthread (kernel/kthread.c:219) > [ 3926.761605] ? kthread_create_on_node (kernel/kthread.c:185) > [ 3926.763149] ret_from_fork (arch/x86/kernel/entry_64.S:555) > [ 3926.764323] ? kthread_create_on_node (kernel/kthread.c:185) -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pb0-f43.google.com (mail-pb0-f43.google.com [209.85.160.43]) by kanga.kvack.org (Postfix) with ESMTP id E30E96B0031 for ; Wed, 26 Mar 2014 17:46:20 -0400 (EDT) Received: by mail-pb0-f43.google.com with SMTP id um1so2518124pbc.2 for ; Wed, 26 Mar 2014 14:46:20 -0700 (PDT) Received: from userp1040.oracle.com (userp1040.oracle.com. [156.151.31.81]) by mx.google.com with ESMTPS id et3si14409926pbc.377.2014.03.26.14.46.19 for (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 26 Mar 2014 14:46:20 -0700 (PDT) Message-ID: <5333492D.2030300@oracle.com> Date: Wed, 26 Mar 2014 17:39:57 -0400 From: Sasha Levin MIME-Version: 1.0 Subject: Re: mm: BUG: Bad page state in process ksmd References: <5332EE97.4050604@oracle.com> <20140326125525.4e8090096f647f654eb7329d@linux-foundation.org> In-Reply-To: <20140326125525.4e8090096f647f654eb7329d@linux-foundation.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-linux-mm@kvack.org List-ID: To: Andrew Morton Cc: "linux-mm@kvack.org" , LKML , Hugh Dickins On 03/26/2014 03:55 PM, Andrew Morton wrote: > On Wed, 26 Mar 2014 11:13:27 -0400 Sasha Levin wrote: >> Out of curiosity, is there a reason not to do bad flag checks when actually >> setting flag? Obviously it'll be slower but it'll be easier catching these >> issues. > > Tricky. Each code site must determine what are and are not valid page > states depending upon the current context. The one place where we've > made that effort is at the point where a page is returned to the free > page pool. Any other sites would require similar amounts of effort and > each one would be different from all the others. > > We do this in a small way all over the place, against individual page > flags. grep PageLocked */*.c. What if we define generic page types and group page flags under them? It would be easier to put these checks in key sites around the code and no need to fully customize them to each site. For exmaple, swap_readpage() is doing this: VM_BUG_ON_PAGE(!PageLocked(page), page); VM_BUG_ON_PAGE(PageUptodate(page), page); But what if instead of that we'd do: VM_BUG_ON_PAGE(!PageSwap(page), page); Where PageSwap would test "not locked", "uptodate", and in addition a set of "sanity" flags which it didn't make sense to test individually everywhere (PageError()? PageReclaim()?). I can add the infrastructure if that sounds good (and people promise to work with me on defining page types). I'd be happy to do all the testing involved in getting this to work right. Thanks, Sasha -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pd0-f179.google.com (mail-pd0-f179.google.com [209.85.192.179]) by kanga.kvack.org (Postfix) with ESMTP id 5C5856B0031 for ; Thu, 27 Mar 2014 11:22:30 -0400 (EDT) Received: by mail-pd0-f179.google.com with SMTP id w10so3503936pde.38 for ; Thu, 27 Mar 2014 08:22:30 -0700 (PDT) Received: from mail-pb0-x22e.google.com (mail-pb0-x22e.google.com [2607:f8b0:400e:c01::22e]) by mx.google.com with ESMTPS id xj10si1732856pab.450.2014.03.27.08.22.29 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 27 Mar 2014 08:22:29 -0700 (PDT) Received: by mail-pb0-f46.google.com with SMTP id rq2so3631432pbb.33 for ; Thu, 27 Mar 2014 08:22:29 -0700 (PDT) Date: Thu, 27 Mar 2014 08:21:27 -0700 (PDT) From: Hugh Dickins Subject: Re: mm: BUG: Bad page state in process ksmd In-Reply-To: <5332EE97.4050604@oracle.com> Message-ID: References: <5332EE97.4050604@oracle.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-linux-mm@kvack.org List-ID: To: Sasha Levin Cc: "linux-mm@kvack.org" , Andrew Morton , LKML On Wed, 26 Mar 2014, Sasha Levin wrote: > Hi all, > > While fuzzing with trinity inside a KVM tools guest running the latest -next > kernel I've stumbled on the following. > > Out of curiosity, is there a reason not to do bad flag checks when actually > setting flag? Obviously it'll be slower but it'll be easier catching these > issues.o I don't see how it would help here. > > [ 3926.683948] BUG: Bad page state in process ksmd pfn:5a6246 > [ 3926.689336] page:ffffea0016989180 count:0 mapcount:0 mapping: > (null) index: > [ 3926.696507] page flags: > 0x56fffff8028001c(referenced|uptodate|dirty|swapbacked|mlock > [ 3926.709201] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set > [ 3926.711216] bad because of flags: > [ 3926.712136] page flags: 0x200000(mlocked) > [ 3926.713574] Modules linked in: > [ 3926.714466] CPU: 26 PID: 3864 Comm: ksmd Tainted: G W > 3.14.0-rc7-next-201 > [ 3926.720942] ffffffff85688060 ffff8806ec7abc38 ffffffff844bd702 > 0000000000002fa0 > [ 3926.728107] ffffea0016989180 ffff8806ec7abc68 ffffffff844b158f > 000fffff80000000 > [ 3926.730563] 0000000000000000 000fffff80000000 ffffffff85688060 > ffff8806ec7abcb8 > [ 3926.737653] Call Trace: > [ 3926.738347] dump_stack (lib/dump_stack.c:52) > [ 3926.739841] bad_page (arch/x86/include/asm/atomic.h:38 > include/linux/mm.h:432 mm/page_alloc.c:339) > [ 3926.741296] free_pages_prepare (mm/page_alloc.c:644 mm/page_alloc.c:738) > [ 3926.742818] free_hot_cold_page (mm/page_alloc.c:1371) > [ 3926.749425] __put_single_page (mm/swap.c:71) > [ 3926.751074] put_page (mm/swap.c:237) > [ 3926.752398] ksm_do_scan (mm/ksm.c:1480 mm/ksm.c:1704) > [ 3926.753957] ksm_scan_thread (mm/ksm.c:1723) > [ 3926.755940] ? bit_waitqueue (kernel/sched/wait.c:291) > [ 3926.758644] ? ksm_do_scan (mm/ksm.c:1715) > [ 3926.760420] kthread (kernel/kthread.c:219) > [ 3926.761605] ? kthread_create_on_node (kernel/kthread.c:185) > [ 3926.763149] ret_from_fork (arch/x86/kernel/entry_64.S:555) > [ 3926.764323] ? kthread_create_on_node (kernel/kthread.c:185) I've thought about this some, and slept on it, but don't yet see how it comes about. I'll have to come back to it later. Was it a one-off, or do you find it fairly easy to reproduce? If the latter, it would be interesting to know if it comes from recent changes or not. mm/mlock.c does appear to have been under continuous revision for several releases (but barely changed in next). Thanks, Hugh -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pa0-f41.google.com (mail-pa0-f41.google.com [209.85.220.41]) by kanga.kvack.org (Postfix) with ESMTP id 050D16B0031 for ; Thu, 27 Mar 2014 11:36:20 -0400 (EDT) Received: by mail-pa0-f41.google.com with SMTP id fa1so3660847pad.28 for ; Thu, 27 Mar 2014 08:36:20 -0700 (PDT) Received: from userp1040.oracle.com (userp1040.oracle.com. [156.151.31.81]) by mx.google.com with ESMTPS id ph6si1770583pab.308.2014.03.27.08.36.19 for (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 27 Mar 2014 08:36:20 -0700 (PDT) Message-ID: <53344452.7090107@oracle.com> Date: Thu, 27 Mar 2014 11:31:30 -0400 From: Sasha Levin MIME-Version: 1.0 Subject: Re: mm: BUG: Bad page state in process ksmd References: <5332EE97.4050604@oracle.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-linux-mm@kvack.org List-ID: To: Hugh Dickins Cc: "linux-mm@kvack.org" , Andrew Morton , LKML On 03/27/2014 11:21 AM, Hugh Dickins wrote: > I've thought about this some, and slept on it, but don't yet see > how it comes about. I'll have to come back to it later. > > Was it a one-off, or do you find it fairly easy to reproduce? > > If the latter, it would be interesting to know if it comes from > recent changes or not. mm/mlock.c does appear to have been under > continuous revision for several releases (but barely changed in next). I can't say it's easy to reproduce but it did happen 5-6 times at this point. As far as I can tell there were no big changes in trinity for the last week or so while we were in lsf/mm, and this issue being reproducible makes me believe it has something to do with recent changes to mm code. Thanks, Sasha -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pd0-f179.google.com (mail-pd0-f179.google.com [209.85.192.179]) by kanga.kvack.org (Postfix) with ESMTP id 8D0756B0035 for ; Thu, 27 Mar 2014 11:37:44 -0400 (EDT) Received: by mail-pd0-f179.google.com with SMTP id w10so3494091pde.24 for ; Thu, 27 Mar 2014 08:37:44 -0700 (PDT) Received: from mail-pa0-x22b.google.com (mail-pa0-x22b.google.com [2607:f8b0:400e:c03::22b]) by mx.google.com with ESMTPS id qj1si1787962pbb.170.2014.03.27.08.37.42 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 27 Mar 2014 08:37:43 -0700 (PDT) Received: by mail-pa0-f43.google.com with SMTP id bj1so3635703pad.16 for ; Thu, 27 Mar 2014 08:37:42 -0700 (PDT) Date: Thu, 27 Mar 2014 08:36:47 -0700 (PDT) From: Hugh Dickins Subject: Re: mm: BUG: Bad page state in process ksmd In-Reply-To: <5333492D.2030300@oracle.com> Message-ID: References: <5332EE97.4050604@oracle.com> <20140326125525.4e8090096f647f654eb7329d@linux-foundation.org> <5333492D.2030300@oracle.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-linux-mm@kvack.org List-ID: To: Sasha Levin Cc: Andrew Morton , "linux-mm@kvack.org" , LKML , Hugh Dickins On Wed, 26 Mar 2014, Sasha Levin wrote: > On 03/26/2014 03:55 PM, Andrew Morton wrote: > > On Wed, 26 Mar 2014 11:13:27 -0400 Sasha Levin > > wrote: > > > Out of curiosity, is there a reason not to do bad flag checks when > > > actually > > > setting flag? Obviously it'll be slower but it'll be easier catching these > > > issues. > > > > Tricky. Each code site must determine what are and are not valid page > > states depending upon the current context. The one place where we've > > made that effort is at the point where a page is returned to the free > > page pool. Any other sites would require similar amounts of effort and > > each one would be different from all the others. > > > > We do this in a small way all over the place, against individual page > > flags. grep PageLocked */*.c. > > What if we define generic page types and group page flags under them? > It would be easier to put these checks in key sites around the code > and no need to fully customize them to each site. > > For exmaple, swap_readpage() is doing this: > > VM_BUG_ON_PAGE(!PageLocked(page), page); > VM_BUG_ON_PAGE(PageUptodate(page), page); > > But what if instead of that we'd do: > > VM_BUG_ON_PAGE(!PageSwap(page), page); > > Where PageSwap would test "not locked", "uptodate", and in addition > a set of "sanity" flags which it didn't make sense to test individually > everywhere (PageError()? PageReclaim()?). > > I can add the infrastructure if that sounds good (and people promise to > work with me on defining page types). I'd be happy to do all the testing > involved in getting this to work right. Sorry, I don't understand how you see that as a good idea. I wonder if you have cleverly put that suggestion into the thread, to push me into a more timely response to the BUG than you usually get ?-) It seems a bad idea to me in at least three ways: expending more developer time on establishing what set of page flags to test at each site; expending more developer time on fixing all the false positives that would result; and spoiling the greppability of the source tree by hiding flag checks in obscure combinations. Page flags are separate flags because they are largely independent. Developers have inserted the VM_BUG_ONs they think are needed, please leave them at that. There may be a good case for removing some of the older ones that have served their purpose (we rather overused PageLocked checks in 2.4 for example), but not for putting effort into adding more to what's there. Hugh -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754916AbaCZPNh (ORCPT ); Wed, 26 Mar 2014 11:13:37 -0400 Received: from aserp1040.oracle.com ([141.146.126.69]:17290 "EHLO aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750956AbaCZPNg (ORCPT ); Wed, 26 Mar 2014 11:13:36 -0400 Message-ID: <5332EE97.4050604@oracle.com> Date: Wed, 26 Mar 2014 11:13:27 -0400 From: Sasha Levin User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: "linux-mm@kvack.org" CC: Andrew Morton , LKML Subject: mm: BUG: Bad page state in process ksmd Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Source-IP: acsinet22.oracle.com [141.146.126.238] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi all, While fuzzing with trinity inside a KVM tools guest running the latest -next kernel I've stumbled on the following. Out of curiosity, is there a reason not to do bad flag checks when actually setting flag? Obviously it'll be slower but it'll be easier catching these issues. [ 3926.683948] BUG: Bad page state in process ksmd pfn:5a6246 [ 3926.689336] page:ffffea0016989180 count:0 mapcount:0 mapping: (null) index: [ 3926.696507] page flags: 0x56fffff8028001c(referenced|uptodate|dirty|swapbacked|mlock [ 3926.709201] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set [ 3926.711216] bad because of flags: [ 3926.712136] page flags: 0x200000(mlocked) [ 3926.713574] Modules linked in: [ 3926.714466] CPU: 26 PID: 3864 Comm: ksmd Tainted: G W 3.14.0-rc7-next-201 [ 3926.720942] ffffffff85688060 ffff8806ec7abc38 ffffffff844bd702 0000000000002fa0 [ 3926.728107] ffffea0016989180 ffff8806ec7abc68 ffffffff844b158f 000fffff80000000 [ 3926.730563] 0000000000000000 000fffff80000000 ffffffff85688060 ffff8806ec7abcb8 [ 3926.737653] Call Trace: [ 3926.738347] dump_stack (lib/dump_stack.c:52) [ 3926.739841] bad_page (arch/x86/include/asm/atomic.h:38 include/linux/mm.h:432 mm/page_alloc.c:339) [ 3926.741296] free_pages_prepare (mm/page_alloc.c:644 mm/page_alloc.c:738) [ 3926.742818] free_hot_cold_page (mm/page_alloc.c:1371) [ 3926.749425] __put_single_page (mm/swap.c:71) [ 3926.751074] put_page (mm/swap.c:237) [ 3926.752398] ksm_do_scan (mm/ksm.c:1480 mm/ksm.c:1704) [ 3926.753957] ksm_scan_thread (mm/ksm.c:1723) [ 3926.755940] ? bit_waitqueue (kernel/sched/wait.c:291) [ 3926.758644] ? ksm_do_scan (mm/ksm.c:1715) [ 3926.760420] kthread (kernel/kthread.c:219) [ 3926.761605] ? kthread_create_on_node (kernel/kthread.c:185) [ 3926.763149] ret_from_fork (arch/x86/kernel/entry_64.S:555) [ 3926.764323] ? kthread_create_on_node (kernel/kthread.c:185) Thanks, Sasha From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756153AbaCZTz2 (ORCPT ); Wed, 26 Mar 2014 15:55:28 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:57112 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755967AbaCZTz0 (ORCPT ); Wed, 26 Mar 2014 15:55:26 -0400 Date: Wed, 26 Mar 2014 12:55:25 -0700 From: Andrew Morton To: Sasha Levin Cc: "linux-mm@kvack.org" , LKML , Hugh Dickins Subject: Re: mm: BUG: Bad page state in process ksmd Message-Id: <20140326125525.4e8090096f647f654eb7329d@linux-foundation.org> In-Reply-To: <5332EE97.4050604@oracle.com> References: <5332EE97.4050604@oracle.com> X-Mailer: Sylpheed 3.2.0beta5 (GTK+ 2.24.10; x86_64-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 26 Mar 2014 11:13:27 -0400 Sasha Levin wrote: > Hi all, > > While fuzzing with trinity inside a KVM tools guest running the latest -next > kernel I've stumbled on the following. (cc Hugh) > Out of curiosity, is there a reason not to do bad flag checks when actually > setting flag? Obviously it'll be slower but it'll be easier catching these > issues. Tricky. Each code site must determine what are and are not valid page states depending upon the current context. The one place where we've made that effort is at the point where a page is returned to the free page pool. Any other sites would require similar amounts of effort and each one would be different from all the others. We do this in a small way all over the place, against individual page flags. grep PageLocked */*.c. > [ 3926.683948] BUG: Bad page state in process ksmd pfn:5a6246 > [ 3926.689336] page:ffffea0016989180 count:0 mapcount:0 mapping: (null) index: > [ 3926.696507] page flags: 0x56fffff8028001c(referenced|uptodate|dirty|swapbacked|mlock > [ 3926.709201] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set > [ 3926.711216] bad because of flags: > [ 3926.712136] page flags: 0x200000(mlocked) > [ 3926.713574] Modules linked in: > [ 3926.714466] CPU: 26 PID: 3864 Comm: ksmd Tainted: G W 3.14.0-rc7-next-201 > [ 3926.720942] ffffffff85688060 ffff8806ec7abc38 ffffffff844bd702 0000000000002fa0 > [ 3926.728107] ffffea0016989180 ffff8806ec7abc68 ffffffff844b158f 000fffff80000000 > [ 3926.730563] 0000000000000000 000fffff80000000 ffffffff85688060 ffff8806ec7abcb8 > [ 3926.737653] Call Trace: > [ 3926.738347] dump_stack (lib/dump_stack.c:52) > [ 3926.739841] bad_page (arch/x86/include/asm/atomic.h:38 include/linux/mm.h:432 mm/page_alloc.c:339) > [ 3926.741296] free_pages_prepare (mm/page_alloc.c:644 mm/page_alloc.c:738) > [ 3926.742818] free_hot_cold_page (mm/page_alloc.c:1371) > [ 3926.749425] __put_single_page (mm/swap.c:71) > [ 3926.751074] put_page (mm/swap.c:237) > [ 3926.752398] ksm_do_scan (mm/ksm.c:1480 mm/ksm.c:1704) > [ 3926.753957] ksm_scan_thread (mm/ksm.c:1723) > [ 3926.755940] ? bit_waitqueue (kernel/sched/wait.c:291) > [ 3926.758644] ? ksm_do_scan (mm/ksm.c:1715) > [ 3926.760420] kthread (kernel/kthread.c:219) > [ 3926.761605] ? kthread_create_on_node (kernel/kthread.c:185) > [ 3926.763149] ret_from_fork (arch/x86/kernel/entry_64.S:555) > [ 3926.764323] ? kthread_create_on_node (kernel/kthread.c:185) From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756666AbaCZVkE (ORCPT ); Wed, 26 Mar 2014 17:40:04 -0400 Received: from userp1040.oracle.com ([156.151.31.81]:33817 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754894AbaCZVkC (ORCPT ); Wed, 26 Mar 2014 17:40:02 -0400 Message-ID: <5333492D.2030300@oracle.com> Date: Wed, 26 Mar 2014 17:39:57 -0400 From: Sasha Levin User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Andrew Morton CC: "linux-mm@kvack.org" , LKML , Hugh Dickins Subject: Re: mm: BUG: Bad page state in process ksmd References: <5332EE97.4050604@oracle.com> <20140326125525.4e8090096f647f654eb7329d@linux-foundation.org> In-Reply-To: <20140326125525.4e8090096f647f654eb7329d@linux-foundation.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Source-IP: ucsinet22.oracle.com [156.151.31.94] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 03/26/2014 03:55 PM, Andrew Morton wrote: > On Wed, 26 Mar 2014 11:13:27 -0400 Sasha Levin wrote: >> Out of curiosity, is there a reason not to do bad flag checks when actually >> setting flag? Obviously it'll be slower but it'll be easier catching these >> issues. > > Tricky. Each code site must determine what are and are not valid page > states depending upon the current context. The one place where we've > made that effort is at the point where a page is returned to the free > page pool. Any other sites would require similar amounts of effort and > each one would be different from all the others. > > We do this in a small way all over the place, against individual page > flags. grep PageLocked */*.c. What if we define generic page types and group page flags under them? It would be easier to put these checks in key sites around the code and no need to fully customize them to each site. For exmaple, swap_readpage() is doing this: VM_BUG_ON_PAGE(!PageLocked(page), page); VM_BUG_ON_PAGE(PageUptodate(page), page); But what if instead of that we'd do: VM_BUG_ON_PAGE(!PageSwap(page), page); Where PageSwap would test "not locked", "uptodate", and in addition a set of "sanity" flags which it didn't make sense to test individually everywhere (PageError()? PageReclaim()?). I can add the infrastructure if that sounds good (and people promise to work with me on defining page types). I'd be happy to do all the testing involved in getting this to work right. Thanks, Sasha From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756777AbaC0PWb (ORCPT ); Thu, 27 Mar 2014 11:22:31 -0400 Received: from mail-pb0-f43.google.com ([209.85.160.43]:46639 "EHLO mail-pb0-f43.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754659AbaC0PW3 (ORCPT ); Thu, 27 Mar 2014 11:22:29 -0400 Date: Thu, 27 Mar 2014 08:21:27 -0700 (PDT) From: Hugh Dickins X-X-Sender: hugh@eggly.anvils To: Sasha Levin cc: "linux-mm@kvack.org" , Andrew Morton , LKML Subject: Re: mm: BUG: Bad page state in process ksmd In-Reply-To: <5332EE97.4050604@oracle.com> Message-ID: References: <5332EE97.4050604@oracle.com> User-Agent: Alpine 2.11 (LSU 23 2013-08-11) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 26 Mar 2014, Sasha Levin wrote: > Hi all, > > While fuzzing with trinity inside a KVM tools guest running the latest -next > kernel I've stumbled on the following. > > Out of curiosity, is there a reason not to do bad flag checks when actually > setting flag? Obviously it'll be slower but it'll be easier catching these > issues.o I don't see how it would help here. > > [ 3926.683948] BUG: Bad page state in process ksmd pfn:5a6246 > [ 3926.689336] page:ffffea0016989180 count:0 mapcount:0 mapping: > (null) index: > [ 3926.696507] page flags: > 0x56fffff8028001c(referenced|uptodate|dirty|swapbacked|mlock > [ 3926.709201] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set > [ 3926.711216] bad because of flags: > [ 3926.712136] page flags: 0x200000(mlocked) > [ 3926.713574] Modules linked in: > [ 3926.714466] CPU: 26 PID: 3864 Comm: ksmd Tainted: G W > 3.14.0-rc7-next-201 > [ 3926.720942] ffffffff85688060 ffff8806ec7abc38 ffffffff844bd702 > 0000000000002fa0 > [ 3926.728107] ffffea0016989180 ffff8806ec7abc68 ffffffff844b158f > 000fffff80000000 > [ 3926.730563] 0000000000000000 000fffff80000000 ffffffff85688060 > ffff8806ec7abcb8 > [ 3926.737653] Call Trace: > [ 3926.738347] dump_stack (lib/dump_stack.c:52) > [ 3926.739841] bad_page (arch/x86/include/asm/atomic.h:38 > include/linux/mm.h:432 mm/page_alloc.c:339) > [ 3926.741296] free_pages_prepare (mm/page_alloc.c:644 mm/page_alloc.c:738) > [ 3926.742818] free_hot_cold_page (mm/page_alloc.c:1371) > [ 3926.749425] __put_single_page (mm/swap.c:71) > [ 3926.751074] put_page (mm/swap.c:237) > [ 3926.752398] ksm_do_scan (mm/ksm.c:1480 mm/ksm.c:1704) > [ 3926.753957] ksm_scan_thread (mm/ksm.c:1723) > [ 3926.755940] ? bit_waitqueue (kernel/sched/wait.c:291) > [ 3926.758644] ? ksm_do_scan (mm/ksm.c:1715) > [ 3926.760420] kthread (kernel/kthread.c:219) > [ 3926.761605] ? kthread_create_on_node (kernel/kthread.c:185) > [ 3926.763149] ret_from_fork (arch/x86/kernel/entry_64.S:555) > [ 3926.764323] ? kthread_create_on_node (kernel/kthread.c:185) I've thought about this some, and slept on it, but don't yet see how it comes about. I'll have to come back to it later. Was it a one-off, or do you find it fairly easy to reproduce? If the latter, it would be interesting to know if it comes from recent changes or not. mm/mlock.c does appear to have been under continuous revision for several releases (but barely changed in next). Thanks, Hugh From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755581AbaC0Pbh (ORCPT ); Thu, 27 Mar 2014 11:31:37 -0400 Received: from userp1040.oracle.com ([156.151.31.81]:51092 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751469AbaC0Pbg (ORCPT ); Thu, 27 Mar 2014 11:31:36 -0400 Message-ID: <53344452.7090107@oracle.com> Date: Thu, 27 Mar 2014 11:31:30 -0400 From: Sasha Levin User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 To: Hugh Dickins CC: "linux-mm@kvack.org" , Andrew Morton , LKML Subject: Re: mm: BUG: Bad page state in process ksmd References: <5332EE97.4050604@oracle.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Source-IP: acsinet21.oracle.com [141.146.126.237] Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 03/27/2014 11:21 AM, Hugh Dickins wrote: > I've thought about this some, and slept on it, but don't yet see > how it comes about. I'll have to come back to it later. > > Was it a one-off, or do you find it fairly easy to reproduce? > > If the latter, it would be interesting to know if it comes from > recent changes or not. mm/mlock.c does appear to have been under > continuous revision for several releases (but barely changed in next). I can't say it's easy to reproduce but it did happen 5-6 times at this point. As far as I can tell there were no big changes in trinity for the last week or so while we were in lsf/mm, and this issue being reproducible makes me believe it has something to do with recent changes to mm code. Thanks, Sasha From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756505AbaC0Pho (ORCPT ); Thu, 27 Mar 2014 11:37:44 -0400 Received: from mail-pd0-f182.google.com ([209.85.192.182]:46147 "EHLO mail-pd0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754457AbaC0Phn (ORCPT ); Thu, 27 Mar 2014 11:37:43 -0400 Date: Thu, 27 Mar 2014 08:36:47 -0700 (PDT) From: Hugh Dickins X-X-Sender: hugh@eggly.anvils To: Sasha Levin cc: Andrew Morton , "linux-mm@kvack.org" , LKML , Hugh Dickins Subject: Re: mm: BUG: Bad page state in process ksmd In-Reply-To: <5333492D.2030300@oracle.com> Message-ID: References: <5332EE97.4050604@oracle.com> <20140326125525.4e8090096f647f654eb7329d@linux-foundation.org> <5333492D.2030300@oracle.com> User-Agent: Alpine 2.11 (LSU 23 2013-08-11) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 26 Mar 2014, Sasha Levin wrote: > On 03/26/2014 03:55 PM, Andrew Morton wrote: > > On Wed, 26 Mar 2014 11:13:27 -0400 Sasha Levin > > wrote: > > > Out of curiosity, is there a reason not to do bad flag checks when > > > actually > > > setting flag? Obviously it'll be slower but it'll be easier catching these > > > issues. > > > > Tricky. Each code site must determine what are and are not valid page > > states depending upon the current context. The one place where we've > > made that effort is at the point where a page is returned to the free > > page pool. Any other sites would require similar amounts of effort and > > each one would be different from all the others. > > > > We do this in a small way all over the place, against individual page > > flags. grep PageLocked */*.c. > > What if we define generic page types and group page flags under them? > It would be easier to put these checks in key sites around the code > and no need to fully customize them to each site. > > For exmaple, swap_readpage() is doing this: > > VM_BUG_ON_PAGE(!PageLocked(page), page); > VM_BUG_ON_PAGE(PageUptodate(page), page); > > But what if instead of that we'd do: > > VM_BUG_ON_PAGE(!PageSwap(page), page); > > Where PageSwap would test "not locked", "uptodate", and in addition > a set of "sanity" flags which it didn't make sense to test individually > everywhere (PageError()? PageReclaim()?). > > I can add the infrastructure if that sounds good (and people promise to > work with me on defining page types). I'd be happy to do all the testing > involved in getting this to work right. Sorry, I don't understand how you see that as a good idea. I wonder if you have cleverly put that suggestion into the thread, to push me into a more timely response to the BUG than you usually get ?-) It seems a bad idea to me in at least three ways: expending more developer time on establishing what set of page flags to test at each site; expending more developer time on fixing all the false positives that would result; and spoiling the greppability of the source tree by hiding flag checks in obscure combinations. Page flags are separate flags because they are largely independent. Developers have inserted the VM_BUG_ONs they think are needed, please leave them at that. There may be a good case for removing some of the older ones that have served their purpose (we rather overused PageLocked checks in 2.4 for example), but not for putting effort into adding more to what's there. Hugh