From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933066AbcFBPWT (ORCPT ); Thu, 2 Jun 2016 11:22:19 -0400 Received: from e06smtp10.uk.ibm.com ([195.75.94.106]:60146 "EHLO e06smtp10.uk.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932764AbcFBPWS (ORCPT ); Thu, 2 Jun 2016 11:22:18 -0400 X-IBM-Helo: d06dlp02.portsmouth.uk.ibm.com X-IBM-MailFrom: gerald.schaefer@de.ibm.com X-IBM-RcptTo: linux-kernel@vger.kernel.org Date: Thu, 2 Jun 2016 17:21:41 +0200 From: Gerald Schaefer To: "Kirill A. Shutemov" Cc: Andrea Arcangeli , "Aneesh Kumar K.V" , Mel Gorman , Hugh Dickins , Johannes Weiner , Dave Hansen , Vlastimil Babka , Andrew Morton , Linus Torvalds , linux-mm@kvack.org, linux-kernel@vger.kernel.org, Christian Borntraeger , Martin Schwidefsky , Heiko Carstens Subject: [BUG/REGRESSION] THP: broken page count after commit aa88b68c Message-ID: <20160602172141.75c006a9@thinkpad> Organization: IBM Deutschland Research & Development GmbH / Vorsitzende des Aufsichtsrats: Martina Koederitz / Geschaeftsfuehrung: Dirk Wittkopp / Sitz der Gesellschaft: Boeblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294 X-Mailer: Claws Mail 3.9.0 (GTK+ 2.24.23; x86_64-redhat-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-TM-AS-MML: disable X-Content-Scanned: Fidelis XPS MAILER x-cbid: 16060215-0041-0000-0000-000020797B93 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Christian Borntraeger reported a kernel panic after corrupt page counts, and it turned out to be a regression introduced with commit aa88b68c "thp: keep huge zero page pinned until tlb flush", at least on s390. put_huge_zero_page() was moved over from zap_huge_pmd() to release_pages(), and it was replaced by tlb_remove_page(). However, release_pages() might not always be triggered by (the arch-specific) tlb_remove_page(). On s390 we call free_page_and_swap_cache() from tlb_remove_page(), and not tlb_flush_mmu() -> free_pages_and_swap_cache() like the generic version, because we don't use the MMU-gather logic. Although both functions have very similar names, they are doing very unsimilar things, in particular free_page_xxx is just doing a put_page(), while free_pages_xxx calls release_pages(). This of course results in very harmful put_page()s on the huge zero page, on architectures where tlb_remove_page() is implemented in this way. It seems to affect only s390 and sh, but sh doesn't have THP support, so the problem (currently) probably only exists on s390. The following quick hack fixed the issue: diff --git a/mm/swap_state.c b/mm/swap_state.c index 0d457e7..c99463a 100644 --- a/mm/swap_state.c +++ b/mm/swap_state.c @@ -252,7 +252,10 @@ static inline void free_swap_cache(struct page *page) void free_page_and_swap_cache(struct page *page) { free_swap_cache(page); - put_page(page); + if (is_huge_zero_page(page)) + put_huge_zero_page(); + else + put_page(page); } /* But of course there might be a better solution, and there still are some questions left: - Why does free_page_xxx() behave so differently from free_pages_xxx()? - Would it be OK to implement free_page_xxx() by calling free_pages_xxx() with nr = 1, similar to free_page() vs. free_pages()? - Would it be OK to replace the put_page() in free_page_xxx() with a call to release_pages() with nr = 1? - Would it be better to fix this in the arch-specific tlb_remove_page(), by calling free_pages_xxx() with nr = 1 instead of free_page_xxx()? Regards, Gerald