On Thu, 25 Jan 2018, Tetsuo Handa wrote: > Using a debug patch and a reproducer shown below, we can trivially form > a circular locking dependency shown below. > > ---------------------------------------- > diff --git a/mm/oom_kill.c b/mm/oom_kill.c > index 8219001..240efb1 100644 > --- a/mm/oom_kill.c > +++ b/mm/oom_kill.c > @@ -950,7 +950,7 @@ static void oom_kill_process(struct oom_control *oc, const char *message) > } > task_unlock(p); > > - if (__ratelimit(&oom_rs)) > + if (0 && __ratelimit(&oom_rs)) > dump_header(oc, p); > > pr_err("%s: Kill process %d (%s) score %u or sacrifice child\n", > diff --git a/mm/vmscan.c b/mm/vmscan.c > index 1afb2af..9858449 100644 > --- a/mm/vmscan.c > +++ b/mm/vmscan.c > @@ -410,6 +410,9 @@ static unsigned long do_shrink_slab(struct shrink_control *shrinkctl, > return freed; > } > > +struct lockdep_map __shrink_slab_map = > + STATIC_LOCKDEP_MAP_INIT("shrink_slab", &__shrink_slab_map); > + > /** > * shrink_slab - shrink slab caches > * @gfp_mask: allocation context > @@ -453,6 +456,8 @@ static unsigned long shrink_slab(gfp_t gfp_mask, int nid, > goto out; > } > > + lock_map_acquire(&__shrink_slab_map); > + > list_for_each_entry(shrinker, &shrinker_list, list) { > struct shrink_control sc = { > .gfp_mask = gfp_mask, > @@ -491,6 +496,8 @@ static unsigned long shrink_slab(gfp_t gfp_mask, int nid, > } > } > > + lock_map_release(&__shrink_slab_map); > + > up_read(&shrinker_rwsem); > out: > cond_resched(); > ---------------------------------------- > > ---------------------------------------- > #include <stdlib.h> > > int main(int argc, char *argv[]) > { > unsigned long long size; > char *buf = NULL; > unsigned long long i; > for (size = 1048576; size < 512ULL * (1 << 30); size *= 2) { > char *cp = realloc(buf, size); > if (!cp) { > size /= 2; > break; > } > buf = cp; > } > for (i = 0; i < size; i += 4096) > buf[i] = 0; > return 0; > } Hi Tetsuo, Thank you for looking into this! I tried running this C program in 4.14.15 but did not get a deadlock, just OOM kills. Is the patch required to induce the deadlock? Also, what are you doing to XFS to make it trigger? -- Eric Wheeler > ---------------------------------------- > > ---------------------------------------- > CentOS Linux 7 (Core) > Kernel 4.15.0-rc8-next-20180119+ on an x86_64 > > localhost login: [ 36.954893] cp (2850) used greatest stack depth: 10816 bytes left > [ 89.216085] Out of memory: Kill process 6981 (a.out) score 876 or sacrifice child > [ 89.225853] Killed process 6981 (a.out) total-vm:4264020kB, anon-rss:3346832kB, file-rss:8kB, shmem-rss:0kB > [ 89.313597] oom_reaper: reaped process 6981 (a.out), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB > [ 92.640566] Out of memory: Kill process 6983 (a.out) score 876 or sacrifice child > [ 92.642153] > [ 92.643464] Killed process 6983 (a.out) total-vm:4264020kB, anon-rss:3348624kB, file-rss:4kB, shmem-rss:0kB > [ 92.644416] ====================================================== > [ 92.644417] WARNING: possible circular locking dependency detected > [ 92.644418] 4.15.0-rc8-next-20180119+ #222 Not tainted > [ 92.644419] ------------------------------------------------------ > [ 92.644419] kworker/u256:29/401 is trying to acquire lock: > [ 92.644420] (shrink_slab){+.+.}, at: [<0000000040040aca>] shrink_slab.part.42+0x73/0x350 > [ 92.644428] > [ 92.644428] but task is already holding lock: > [ 92.665257] (&xfs_nondir_ilock_class){++++}, at: [<00000000ae515ec8>] xfs_ilock+0xa3/0x180 [xfs] > [ 92.668490] > [ 92.668490] which lock already depends on the new lock. > [ 92.668490] > [ 92.672781] > [ 92.672781] the existing dependency chain (in reverse order) is: > [ 92.676310] > [ 92.676310] -> #1 (&xfs_nondir_ilock_class){++++}: > [ 92.679519] xfs_free_eofblocks+0x9d/0x210 [xfs] > [ 92.681716] xfs_fs_destroy_inode+0x9e/0x220 [xfs] > [ 92.683962] dispose_list+0x30/0x40 > [ 92.685822] prune_icache_sb+0x4d/0x70 > [ 92.687961] super_cache_scan+0x136/0x180 > [ 92.690017] shrink_slab.part.42+0x205/0x350 > [ 92.692109] shrink_node+0x313/0x320 > [ 92.694177] kswapd+0x386/0x6d0 > [ 92.695951] kthread+0xeb/0x120 > [ 92.697889] ret_from_fork+0x3a/0x50 > [ 92.699800] > [ 92.699800] -> #0 (shrink_slab){+.+.}: > [ 92.702676] shrink_slab.part.42+0x93/0x350 > [ 92.704756] shrink_node+0x313/0x320 > [ 92.706660] do_try_to_free_pages+0xde/0x350 > [ 92.708737] try_to_free_pages+0xc5/0x100 > [ 92.710734] __alloc_pages_slowpath+0x41c/0xd60 > [ 92.712470] oom_reaper: reaped process 6983 (a.out), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB > [ 92.712978] __alloc_pages_nodemask+0x22a/0x270 > [ 92.713013] xfs_buf_allocate_memory+0x16b/0x2d0 [xfs] > [ 92.721378] xfs_buf_get_map+0xaf/0x140 [xfs] > [ 92.723562] xfs_buf_read_map+0x1f/0xc0 [xfs] > [ 92.726105] xfs_trans_read_buf_map+0xf5/0x2d0 [xfs] > [ 92.728461] xfs_btree_read_buf_block.constprop.36+0x69/0xc0 [xfs] > [ 92.731321] xfs_btree_lookup_get_block+0x82/0x180 [xfs] > [ 92.733739] xfs_btree_lookup+0x118/0x450 [xfs] > [ 92.735982] xfs_alloc_ag_vextent_near+0xb2/0xb80 [xfs] > [ 92.738380] xfs_alloc_ag_vextent+0x1cc/0x320 [xfs] > [ 92.740646] xfs_alloc_vextent+0x416/0x480 [xfs] > [ 92.743023] xfs_bmap_btalloc+0x340/0x8b0 [xfs] > [ 92.745597] xfs_bmapi_write+0x6c1/0x1270 [xfs] > [ 92.747749] xfs_iomap_write_allocate+0x16c/0x360 [xfs] > [ 92.750317] xfs_map_blocks+0x175/0x230 [xfs] > [ 92.752745] xfs_do_writepage+0x232/0x6e0 [xfs] > [ 92.754843] write_cache_pages+0x1d1/0x3b0 > [ 92.756801] xfs_vm_writepages+0x60/0xa0 [xfs] > [ 92.758838] do_writepages+0x12/0x60 > [ 92.760822] __writeback_single_inode+0x2c/0x170 > [ 92.762895] writeback_sb_inodes+0x267/0x460 > [ 92.764851] __writeback_inodes_wb+0x82/0xb0 > [ 92.766821] wb_writeback+0x203/0x210 > [ 92.768676] wb_workfn+0x266/0x2e0 > [ 92.770494] process_one_work+0x253/0x460 > [ 92.772378] worker_thread+0x42/0x3e0 > [ 92.774153] kthread+0xeb/0x120 > [ 92.775775] ret_from_fork+0x3a/0x50 > [ 92.777513] > [ 92.777513] other info that might help us debug this: > [ 92.777513] > [ 92.781361] Possible unsafe locking scenario: > [ 92.781361] > [ 92.784382] CPU0 CPU1 > [ 92.786276] ---- ---- > [ 92.788130] lock(&xfs_nondir_ilock_class); > [ 92.790048] lock(shrink_slab); > [ 92.792256] lock(&xfs_nondir_ilock_class); > [ 92.794756] lock(shrink_slab); > [ 92.796251] > [ 92.796251] *** DEADLOCK *** > [ 92.796251] > [ 92.799521] 6 locks held by kworker/u256:29/401: > [ 92.801573] #0: ((wq_completion)"writeback"){+.+.}, at: [<0000000087382bbf>] process_one_work+0x1f0/0x460 > [ 92.804947] #1: ((work_completion)(&(&wb->dwork)->work)){+.+.}, at: [<0000000087382bbf>] process_one_work+0x1f0/0x460 > [ 92.808596] #2: (&type->s_umount_key#31){++++}, at: [<0000000048ea98d7>] trylock_super+0x11/0x50 > [ 92.811957] #3: (sb_internal){.+.+}, at: [<0000000058532c48>] xfs_trans_alloc+0xe4/0x120 [xfs] > [ 92.815280] #4: (&xfs_nondir_ilock_class){++++}, at: [<00000000ae515ec8>] xfs_ilock+0xa3/0x180 [xfs] > [ 92.819075] #5: (shrinker_rwsem){++++}, at: [<0000000039dd500e>] shrink_slab.part.42+0x3c/0x350 > [ 92.822354] > [ 92.822354] stack backtrace: > [ 92.824820] CPU: 1 PID: 401 Comm: kworker/u256:29 Not tainted 4.15.0-rc8-next-20180119+ #222 > [ 92.827894] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017 > [ 92.831609] Workqueue: writeback wb_workfn (flush-8:0) > [ 92.833759] Call Trace: > [ 92.835144] dump_stack+0x7d/0xb6 > [ 92.836761] print_circular_bug.isra.37+0x1d7/0x1e4 > [ 92.838908] __lock_acquire+0x10da/0x15b0 > [ 92.840744] ? __lock_acquire+0x390/0x15b0 > [ 92.842603] ? lock_acquire+0x51/0x70 > [ 92.844308] lock_acquire+0x51/0x70 > [ 92.845980] ? shrink_slab.part.42+0x73/0x350 > [ 92.847896] shrink_slab.part.42+0x93/0x350 > [ 92.849799] ? shrink_slab.part.42+0x73/0x350 > [ 92.851710] ? mem_cgroup_iter+0x140/0x530 > [ 92.853890] ? mem_cgroup_iter+0x158/0x530 > [ 92.855897] shrink_node+0x313/0x320 > [ 92.857609] do_try_to_free_pages+0xde/0x350 > [ 92.859502] try_to_free_pages+0xc5/0x100 > [ 92.861328] __alloc_pages_slowpath+0x41c/0xd60 > [ 92.863298] __alloc_pages_nodemask+0x22a/0x270 > [ 92.865285] xfs_buf_allocate_memory+0x16b/0x2d0 [xfs] > [ 92.867621] xfs_buf_get_map+0xaf/0x140 [xfs] > [ 92.869562] xfs_buf_read_map+0x1f/0xc0 [xfs] > [ 92.871494] xfs_trans_read_buf_map+0xf5/0x2d0 [xfs] > [ 92.873589] xfs_btree_read_buf_block.constprop.36+0x69/0xc0 [xfs] > [ 92.876322] ? kmem_zone_alloc+0x7e/0x100 [xfs] > [ 92.878320] xfs_btree_lookup_get_block+0x82/0x180 [xfs] > [ 92.880527] xfs_btree_lookup+0x118/0x450 [xfs] > [ 92.882528] ? kmem_zone_alloc+0x7e/0x100 [xfs] > [ 92.884511] xfs_alloc_ag_vextent_near+0xb2/0xb80 [xfs] > [ 92.886974] xfs_alloc_ag_vextent+0x1cc/0x320 [xfs] > [ 92.889088] xfs_alloc_vextent+0x416/0x480 [xfs] > [ 92.891098] xfs_bmap_btalloc+0x340/0x8b0 [xfs] > [ 92.893087] xfs_bmapi_write+0x6c1/0x1270 [xfs] > [ 92.895085] xfs_iomap_write_allocate+0x16c/0x360 [xfs] > [ 92.897277] xfs_map_blocks+0x175/0x230 [xfs] > [ 92.899228] xfs_do_writepage+0x232/0x6e0 [xfs] > [ 92.901218] write_cache_pages+0x1d1/0x3b0 > [ 92.903102] ? xfs_add_to_ioend+0x290/0x290 [xfs] > [ 92.905170] ? xfs_vm_writepages+0x4b/0xa0 [xfs] > [ 92.907182] xfs_vm_writepages+0x60/0xa0 [xfs] > [ 92.909114] do_writepages+0x12/0x60 > [ 92.910778] __writeback_single_inode+0x2c/0x170 > [ 92.912735] writeback_sb_inodes+0x267/0x460 > [ 92.914561] __writeback_inodes_wb+0x82/0xb0 > [ 92.916413] wb_writeback+0x203/0x210 > [ 92.918050] ? cpumask_next+0x20/0x30 > [ 92.919790] ? wb_workfn+0x266/0x2e0 > [ 92.921384] wb_workfn+0x266/0x2e0 > [ 92.922908] process_one_work+0x253/0x460 > [ 92.924687] ? process_one_work+0x1f0/0x460 > [ 92.926518] worker_thread+0x42/0x3e0 > [ 92.928077] kthread+0xeb/0x120 > [ 92.929512] ? process_one_work+0x460/0x460 > [ 92.931330] ? kthread_create_worker_on_cpu+0x70/0x70 > [ 92.933313] ret_from_fork+0x3a/0x50 > ---------------------------------------- > > Normally shrinker_rwsem acts like a shared lock. But when > register_shrinker()/unregister_shrinker() called down_write(), > shrinker_rwsem suddenly starts acting like an exclusive lock. > > What is unfortunate is that down_write() is called independent of > memory allocation requests. That is, shrinker_rwsem is essentially > a mutex (and hence the debug patch shown above). > > ---------------------------------------- > [<ffffffffac7538d3>] call_rwsem_down_write_failed+0x13/0x20 > [<ffffffffac1cb985>] register_shrinker+0x45/0xa0 > [<ffffffffac250f68>] sget_userns+0x468/0x4a0 > [<ffffffffac25106a>] mount_nodev+0x2a/0xa0 > [<ffffffffac251be4>] mount_fs+0x34/0x150 > [<ffffffffac2701f2>] vfs_kern_mount+0x62/0x120 > [<ffffffffac272a0e>] do_mount+0x1ee/0xc50 > [<ffffffffac27377e>] SyS_mount+0x7e/0xd0 > [<ffffffffac003831>] do_syscall_64+0x61/0x1a0 > [<ffffffffac80012c>] entry_SYSCALL64_slow_path+0x25/0x25 > [<ffffffffffffffff>] 0xffffffffffffffff > ---------------------------------------- > > Therefore, I think that when do_shrink_slab() for GFP_KERNEL is in progress > and down_read_trylock() starts failing because somebody else started waiting at > down_write(), do_shrink_slab() for GFP_NOFS or GFP_NOIO cannot be called. > Doesn't such race cause unexpected results? > > Michal Hocko wrote: > > I would rather understand the problem than speculate here. I strongly > > suspect somebody simply didn't unlock the page. > > Then, can we please please have a mechanism which tells whether somebody > else was stuck doing memory allocation requests? It is basically > https://lkml.kernel.org/r/1510833448-19918-1-git-send-email-penguin-kernel@xxxxxxxxxxxxxxxxxxx . > -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx"> email@xxxxxxxxx </a>