Message-ID: <5923FF31.5020801@huawei.com>
Date: Tue, 23 May 2017 17:21:53 +0800
From: zhong jiang
To: Vlastimil Babka
CC: Hugh Dickins, Xishi Qiu, Andrew Morton, Tejun Heo, Michal Hocko, Johannes Weiner, Mel Gorman, Michal Hocko, Minchan Kim, David Rientjes, Joonsoo Kim, Rik van Riel, Linux MM, LKML
Subject: Re: mm, something wring in page_lock_anon_vma_read()?
References: <591D6D79.7030704@huawei.com> <591EB25C.9080901@huawei.com> <591EBE71.7080402@huawei.com> <591F9A09.6010707@huawei.com> <591FA78E.9050307@huawei.com> <591FB173.4020409@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2017/5/23 0:51, Vlastimil Babka wrote:
> On 05/20/2017 05:01 AM, zhong jiang wrote:
>> On 2017/5/20 10:40, Hugh Dickins wrote:
>>> On Sat, 20 May 2017, Xishi Qiu wrote:
>>>> Here is a bug report from Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=1305620
>>>> And I meet the bug too. However it is hard to reproduce, and
>>>> 624483f3ea82598("mm: rmap: fix use-after-free in __put_anon_vma") does not help.
>>>>
>>>> From the vmcore, it seems that the page is still mapped (_mapcount=0 and _count=2),
>>>> and the value of mapping is a valid address (mapping = 0xffff8801b3e2a101),
>>>> but anon_vma has been corrupted.
>>>>
>>>> Any ideas?
>>> Sorry, no.  I assume that _mapcount has been misaccounted, for example
>>> a pte mapped in on top of another pte; but cannot begin to tell you where
>>> in Red Hat's kernel-3.10.0-229.4.2.el7 that might happen.
>>>
>>> Hugh
>>>
>> Hi, Hugh
>>
>> I find the following message from the dmesg.
>>
>> [26068.316592] BUG: Bad rss-counter state mm:ffff8800a7de2d80 idx:1 val:1
>>
>> I can prove that the __mapcount is misaccounted. When the task has exited, the rmap
>> still exists.
> Check if the kernel in question contains this commit: ad33bb04b2a6 ("mm:
> thp: fix SMP race condition between THP page fault and MADV_DONTNEED")

Hi, Vlastimil

I miss the patch. When I read the patch, I find the following issue, but I am sure it is right.

	if (unlikely(pmd_trans_unstable(pmd)))
		return 0;
	/*
	 * A regular pmd is established and it can't morph into a huge pmd
	 * from under us anymore at this point because we hold the mmap_sem
	 * read mode and khugepaged takes it in write mode. So now it's
	 * safe to run pte_offset_map().
	 */
	pte = pte_offset_map(pmd, address);

After the pmd_trans_unstable call, without any protect method. By the comments, it thinks the pte_offset_map is safe. Before the pte_offset_map call, it still may be unstable. Is it possible?

Thanks
zhongjiang
>> Thanks
>> zhongjiang