On Tue, Aug 13, 2024 at 8:03 PM Usama Arif <usamaarif642@xxxxxxxxx> wrote:
>
> From: Yu Zhao <yuzhao@xxxxxxxxxx>
>
> If a tail page has only two references left, one inherited from the
> isolation of its head and the other from lru_add_page_tail() which we
> are about to drop, it means this tail page was concurrently zapped.
> Then we can safely free it and save page reclaim or migration the
> trouble of trying it.
>
> Signed-off-by: Yu Zhao <yuzhao@xxxxxxxxxx>
> Tested-by: Shuang Zhai <zhais@xxxxxxxxxx>
> Signed-off-by: Usama Arif <usamaarif642@xxxxxxxxx>
> Acked-by: Johannes Weiner <hannes@xxxxxxxxxxx>
> ---
> mm/huge_memory.c | 27 +++++++++++++++++++++++++++
> 1 file changed, 27 insertions(+)
Hi, Usama, Yu
This commit is causing the kernel to panic very quickly with build
kernel test on top of tmpfs with all mTHP enabled, the panic comes
after:
[ 207.147705] BUG: Bad page state in process tar pfn:14ae70
[ 207.149376] page: refcount:3 mapcount:2 mapping:0000000000000000
index:0x562d23b70 pfn:0x14ae70
[ 207.151750] flags:
0x17ffffc0020019(locked|uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x1fffff)
[ 207.154325] raw: 0017ffffc0020019 dead000000000100 dead000000000122
0000000000000000
[ 207.156442] raw: 0000000562d23b70 0000000000000000 0000000300000001
0000000000000000
[ 207.158561] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
[ 207.160325] Modules linked in:
[ 207.161194] CPU: 22 UID: 0 PID: 2650 Comm: tar Not tainted
6.11.0-rc3.ptch+ #136
[ 207.163198] Hardware name: Red Hat KVM/RHEL-AV, BIOS 0.0.0 02/06/2015
[ 207.164946] Call Trace:
[ 207.165636] <TASK>
[ 207.166226] dump_stack_lvl+0x53/0x70
[ 207.167241] bad_page+0x70/0x120
[ 207.168131] free_page_is_bad+0x5f/0x70
[ 207.169193] free_unref_folios+0x3a5/0x620
[ 207.170320] ? __mem_cgroup_uncharge_folios+0x7e/0xa0
[ 207.171705] __split_huge_page+0xb02/0xcf0
[ 207.172839] ? smp_call_function_many_cond+0x105/0x4b0
[ 207.174250] ? __pfx_flush_tlb_func+0x10/0x10
[ 207.175410] ? on_each_cpu_cond_mask+0x29/0x50
[ 207.176603] split_huge_page_to_list_to_order+0x857/0x9b0
[ 207.178052] shrink_folio_list+0x4e1/0x1200
[ 207.179198] evict_folios+0x468/0xab0
[ 207.180202] try_to_shrink_lruvec+0x1f3/0x280
[ 207.181394] shrink_lruvec+0x89/0x780
[ 207.182398] ? mem_cgroup_iter+0x66/0x290
[ 207.183488] shrink_node+0x243/0xb00
[ 207.184474] do_try_to_free_pages+0xbd/0x4e0
[ 207.185621] try_to_free_mem_cgroup_pages+0x107/0x230
[ 207.186994] try_charge_memcg+0x184/0x5d0
[ 207.188092] charge_memcg+0x3a/0x60
[ 207.189046] __mem_cgroup_charge+0x2c/0x80
[ 207.190162] shmem_alloc_and_add_folio+0x1a3/0x470
[ 207.191469] shmem_get_folio_gfp+0x24a/0x670
[ 207.192635] shmem_write_begin+0x56/0xd0
[ 207.193703] generic_perform_write+0x140/0x330
[ 207.194919] shmem_file_write_iter+0x89/0x90
[ 207.196082] vfs_write+0x2f3/0x420
[ 207.197019] ksys_write+0x5d/0xd0
[ 207.197914] do_syscall_64+0x47/0x110
[ 207.198915] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 207.200293] RIP: 0033:0x7f2e6099c784
[ 207.201278] Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f
84 00 00 00 00 00 f3 0f 1e fa 80 3d c5 08 0e 00 00 74 13 b8 01 00 00
00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 $
8 89 e5 48 83 ec 20 48 89
[ 207.206280] RSP: 002b:00007ffdb1a0e7d8 EFLAGS: 00000202 ORIG_RAX:
0000000000000001
[ 207.208312] RAX: ffffffffffffffda RBX: 00000000000005e7 RCX: 00007f2e6099c784
[ 207.210225] RDX: 00000000000005e7 RSI: 0000562d23b77000 RDI: 0000000000000004
[ 207.212145] RBP: 00007ffdb1a0e820 R08: 00000000000005e7 R09: 0000000000000007
[ 207.214064] R10: 0000000000000180 R11: 0000000000000202 R12: 0000562d23b77000
[ 207.215974] R13: 0000000000000004 R14: 00000000000005e7 R15: 0000000000000000
[ 207.217888] </TASK>
Test is done using ZRAM as SWAP, 1G memcg, and run:
cd /mnt/tmpfs
time tar zxf "$linux_src"
make -j64 clean
make defconfig
/usr/bin/time make -j64
>
> diff --git a/mm/huge_memory.c b/mm/huge_memory.c
> index 04ee8abd6475..85a424e954be 100644
> --- a/mm/huge_memory.c
> +++ b/mm/huge_memory.c
> @@ -3059,7 +3059,9 @@ static void __split_huge_page(struct page *page, struct list_head *list,
> unsigned int new_nr = 1 << new_order;
> int order = folio_order(folio);
> unsigned int nr = 1 << order;
> + struct folio_batch free_folios;
>
> + folio_batch_init(&free_folios);
> /* complete memcg works before add pages to LRU */
> split_page_memcg(head, order, new_order);
>
> @@ -3143,6 +3145,26 @@ static void __split_huge_page(struct page *page, struct list_head *list,
> if (subpage == page)
> continue;
> folio_unlock(new_folio);
> + /*
> + * If a folio has only two references left, one inherited
> + * from the isolation of its head and the other from
> + * lru_add_page_tail() which we are about to drop, it means this
> + * folio was concurrently zapped. Then we can safely free it
> + * and save page reclaim or migration the trouble of trying it.
> + */
> + if (list && folio_ref_freeze(new_folio, 2)) {
> + VM_WARN_ON_ONCE_FOLIO(folio_test_lru(new_folio), new_folio);
> + VM_WARN_ON_ONCE_FOLIO(folio_test_large(new_folio), new_folio);
> + VM_WARN_ON_ONCE_FOLIO(folio_mapped(new_folio), new_folio);
> +
> + folio_clear_active(new_folio);
> + folio_clear_unevictable(new_folio);
> + if (!folio_batch_add(&free_folios, folio)) {
> + mem_cgroup_uncharge_folios(&free_folios);
> + free_unref_folios(&free_folios);
> + }
> + continue;
> + }
>
> /*
> * Subpages may be freed if there wasn't any mapping
> @@ -3153,6 +3175,11 @@ static void __split_huge_page(struct page *page, struct list_head *list,
> */
> free_page_and_swap_cache(subpage);
> }
> +
> + if (free_folios.nr) {
> + mem_cgroup_uncharge_folios(&free_folios);
> + free_unref_folios(&free_folios);
> + }
> }
>
> /* Racy check whether the huge page can be split */
> --
> 2.43.5
>
>
