I am getting a very similar error on v4.11 with an arm64 board. I, too, also see page->mem_cgroup checked to make sure that it is not NULL and then several instructions later it is NULL. It does appear that someone is changing that member without taking the lock. In my setup, I see crash> bt PID: 72 TASK: e1f48640 CPU: 0 COMMAND: "mmcqd/1" #0 [<c00ad35c>] (__crash_kexec) from [<c0101080>] #1 [<c0101080>] (panic) from [<c028cd6c>] #2 [<c028cd6c>] (svcerr_panic) from [<c028cdc4>] #3 [<c028cdc4>] (_SvcErr_) from [<c001474c>] #4 [<c001474c>] (die) from [<c00241f8>] #5 [<c00241f8>] (__do_kernel_fault) from [<c0560600>] #6 [<c0560600>] (do_page_fault) from [<c00092e8>] #7 [<c00092e8>] (do_DataAbort) from [<c055f9f0>] pc : [<c0112540>] lr : [<c0112518>] psr: a0000193 sp : c1a19cc8 ip : 00000000 fp : c1a19d04 r10: 0006ae29 r9 : 00000000 r8 : dfbf1800 r7 : dfbf1800 r6 : 00000001 r5 : f3c1107c r4 : e2fb6424 r3 : 00000000 r2 : 00040228 r1 : 221e3000 r0 : a0000113 Flags: NzCv IRQs off FIQs on Mode SVC_32 ISA ARM #8 [<c055f9f0>] (__dabt_svc) from [<c0112518>] #9 [<c0112540>] (test_clear_page_writeback) from [<c01046d4>] #10 [<c01046d4>] (end_page_writeback) from [<c0149bcc>] #11 [<c0149bcc>] (end_swap_bio_write) from [<c0261460>] #12 [<c0261460>] (bio_endio) from [<c042c800>] #13 [<c042c800>] (dec_pending) from [<c042e648>] #14 [<c042e648>] (clone_endio) from [<c0261460>] #15 [<c0261460>] (bio_endio) from [<bf60aa00>] #16 [<bf60aa00>] (crypt_dec_pending [dm_crypt]) from [<bf60c1e8>] #17 [<bf60c1e8>] (crypt_endio [dm_crypt]) from [<c0261460>] #18 [<c0261460>] (bio_endio) from [<c0269e34>] #19 [<c0269e34>] (blk_update_request) from [<c026a058>] #20 [<c026a058>] (blk_update_bidi_request) from [<c026a444>] #21 [<c026a444>] (blk_end_bidi_request) from [<c026a494>] #22 [<c026a494>] (blk_end_request) from [<c0458dbc>] #23 [<c0458dbc>] (mmc_blk_issue_rw_rq) from [<c0459e24>] #24 [<c0459e24>] (mmc_blk_issue_rq) from [<c045a018>] #25 [<c045a018>] (mmc_queue_thread) from [<c0048890>] #26 [<c0048890>] (kthread) from [<c0010388>] crash> sym c0112540 c0112540 (T) test_clear_page_writeback+512 /kernel-source/include/linux/memcontrol.h: 518 crash> bt 35 PID: 35 TASK: e1d45dc0 CPU: 1 COMMAND: "kswapd0" #0 [<c0559ab8>] (__schedule) from [<c0559edc>] #1 [<c0559edc>] (schedule) from [<c055e54c>] #2 [<c055e54c>] (schedule_timeout) from [<c055a3a4>] #3 [<c055a3a4>] (io_schedule_timeout) from [<c0106cb0>] #4 [<c0106cb0>] (mempool_alloc) from [<c0261668>] #5 [<c0261668>] (bio_alloc_bioset) from [<c0149d68>] #6 [<c0149d68>] (get_swap_bio) from [<c014a280>] #7 [<c014a280>] (__swap_writepage) from [<c014a3bc>] #8 [<c014a3bc>] (swap_writepage) from [<c011e5c8>] #9 [<c011e5c8>] (shmem_writepage) from [<c011a9b8>] #10 [<c011a9b8>] (shrink_page_list) from [<c011b528>] #11 [<c011b528>] (shrink_inactive_list) from [<c011c160>] #12 [<c011c160>] (shrink_node_memcg) from [<c011c400>] #13 [<c011c400>] (shrink_node) from [<c011d7dc>] #14 [<c011d7dc>] (kswapd) from [<c0048890>] #15 [<c0048890>] (kthread) from [<c0010388>] It appears that uncharge_list() in mm/memcontrol.c is not taking the page lock when it sets mem_cgroup to NULL. I am not familiar with the mm code so I do not know if this is on purpose or not. There is a comment in uncharge_list that makes me believe that the crashing code should not have been running: /* * Nobody should be changing or seriously looking at * page->mem_cgroup at this point, we have fully * exclusive access to the page. */ However, I am new to looking at this area of the kernel so I am not sure. I was able to create a reproducible scenario by using a udelay to increase the time between the if (page->mem_cgroup) check and the later dereference of it to increase the race window. I then mounted an empty ext4 partition and ran the following no more than twice before it crashed. dd if=/dev/zero of=/tmp/ext4disk/test bs=1M count=100 I added page_lock/page_unlock to uncharge_list() and it fixes my problem, but I do not know what other effects this would have. Hopefully, some of this information can help someone more knowledgable than me. Thanks. Brad Bolen -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx"> email@xxxxxxxxx </a>