Hi, > With this patch, the problem yet not happen after 4 tests(5.10.x). With this patch , another problem happened at 6th test. kernel BUG at mm/huge_memory.c:2343! static void unmap_page(struct page *page) { enum ttu_flags ttu_flags = TTU_IGNORE_MLOCK | TTU_RMAP_LOCKED | TTU_SPLIT_HUGE_PMD; bool unmap_success; VM_BUG_ON_PAGE(!PageHead(page), page); if (PageAnon(page)) ttu_flags |= TTU_SPLIT_FREEZE; unmap_success = try_to_unmap(page, ttu_flags); L2343:VM_BUG_ON_PAGE(!unmap_success,page); } This is the full dmesg output. T7610 login: [59085.082973] page:000000008becb0e6 refcount:512 mapcount:0 mapping:0000000000000000 index:0x7f3eb7382 pfn:0x2804a00 [59085.093430] head:000000008becb0e6 order:9 compound_mapcount:0 compound_pincount:0 [59085.100999] anon flags: 0x57ffffc009001d(locked|uptodate|dirty|lru|head|swapbacked) [59085.108750] raw: 0057ffffc009001d ffffc140640e0008 ffffc1405fc80008 ffff8afa82038581 [59085.116572] raw: 00000007f3eb7382 0000000000000000 00000200ffffffff ffff8b05c2a1c000 [59085.124388] page dumped because: VM_BUG_ON_PAGE(!unmap_success) [59085.130361] page->mem_cgroup:ffff8b05c2a1c000 [59085.134766] ------------[ cut here ]------------ [59085.139426] kernel BUG at mm/huge_memory.c:2343! [59085.144091] invalid opcode: 0000 [#1] SMP NOPTI [59085.145083] CPU: 19 PID: 377 Comm: kswapd1 Tainted: G S 5.10.32-2.el7.x86_64 #1 [59085.145083] Hardware name: Dell Inc. Precision T7610/0NK70N, BIOS A18 09/11/2019 [59085.145083] RIP: 0010:split_huge_page_to_list+0x7a2/0xb30 [59085.145083] Code: e8 b3 be fc ff e9 42 fb ff ff 48 c7 c6 98 6b 3a 98 4c 89 e7 e8 bf 7f f9 ff 0f 0b 48 c7 c6 88 f5 3a 98 4c 89 e7 e8 ae 7f f9 ff <0f> 0b 48 c7 c6 a8 f5 3a 98 4c 89 e7 e8 9d 7f f9 ff 0f 0b 49 8b 54 [59085.145083] RSP: 0018:ffff9a234d183b10 EFLAGS: 00010286 [59085.145083] RAX: 0000000000000000 RBX: ffff8b05c2a1cae0 RCX: 0000000000000000 [59085.145083] RDX: 0000000000000000 RSI: ffff8b156fa58a80 RDI: ffff8b156fa58a80 [59085.145083] RBP: ffffc14060128080 R08: 0000000000000000 R09: c0000000ffffbfff [59085.145083] R10: 0000000000000001 R11: ffff9a234d1837e8 R12: ffffc14060128000 [59085.145083] R13: 0000000000000000 R14: ffff8afa82038580 R15: ffff8b15affd3000 [59085.145083] FS: 0000000000000000(0000) GS:ffff8b156fa40000(0000) knlGS:0000000000000000 [59085.145083] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [59085.145083] CR2: 00007f5c226c01a8 CR3: 00000020792b6006 CR4: 00000000001706e0 [59085.145083] Call Trace: [59085.145083] ? free_unref_page_commit+0x9b/0x110 [59085.145083] deferred_split_scan+0x1ca/0x320 [59085.145083] do_shrink_slab+0x11f/0x250 [59085.145083] shrink_slab+0x20f/0x2c0 [59085.145083] shrink_node+0x24b/0x6d0 [59085.145083] balance_pgdat+0x2db/0x550 [59085.145083] kswapd+0x201/0x390 [59085.145083] ? finish_wait+0x80/0x80 [59085.145083] ? balance_pgdat+0x550/0x550 [59085.145083] kthread+0x116/0x130 [59085.145083] ? kthread_park+0x80/0x80 [59085.145083] ret_from_fork+0x1f/0x30 [59085.145083] Modules linked in: rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache rfkill rpcrdma ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm ib_umad snd_hda_codec_realtek intel_rapl_msr snd_hda_codec_generic intel_rapl_common ledtrig_audio snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg soundwire_intel soundwire_generic_allocation snd_soc_core sb_edac x86_pkg_temp_thermal snd_compress intel_powerclamp snd_pcm_dmaengine coretemp soundwire_cadence iTCO_wdt dcdbas intel_pmc_bxt mei_hdcp mei_wdt iTCO_vendor_support snd_hda_codec dell_smm_hwmon kvm_intel snd_hda_core ac97_bus snd_hwdep snd_seq kvm snd_seq_device irqbypass snd_pcm rapl snd_timer mei_me intel_cstate i2c_i801 intel_uncore i2c_smbus mei lpc_ich snd soundcore nvme_rdma nvme_fabrics rdma_cm iw_cm ib_cm nfsd rdmavt rdma_rxe ib_uverbs ip6_udp_tunnel auth_rpcgss udp_tunnel ib_core nfs_acl lockd grace nfs_ssc ip_tables xfs radeon i2c_al go_bit t tm [59085.145083] drm_kms_helper cec bnx2x crct10dif_pclmul crc32_pclmul crc32c_intel nvme drm ghash_clmulni_intel mpt3sas e1000e pcspkr mdio nvme_core raid_class scsi_transport_sas wmi dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua btrfs xor raid6_pq sunrpc i2c_dev [59085.410667] ---[ end trace c12d9c5dce775958 ]--- [59085.583739] RIP: 0010:split_huge_page_to_list+0x7a2/0xb30 [59085.589189] Code: e8 b3 be fc ff e9 42 fb ff ff 48 c7 c6 98 6b 3a 98 4c 89 e7 e8 bf 7f f9 ff 0f 0b 48 c7 c6 88 f5 3a 98 4c 89 e7 e8 ae 7f f9 ff <0f> 0b 48 c7 c6 a8 f5 3a 98 4c 89 e7 e8 9d 7f f9 ff 0f 0b 49 8b 54 [59085.608129] RSP: 0018:ffff9a234d183b10 EFLAGS: 00010286 [59085.613405] RAX: 0000000000000000 RBX: ffff8b05c2a1cae0 RCX: 0000000000000000 [59085.620606] RDX: 0000000000000000 RSI: ffff8b156fa58a80 RDI: ffff8b156fa58a80 [59085.627806] RBP: ffffc14060128080 R08: 0000000000000000 R09: c0000000ffffbfff [59085.635016] R10: 0000000000000001 R11: ffff9a234d1837e8 R12: ffffc14060128000 [59085.642218] R13: 0000000000000000 R14: ffff8afa82038580 R15: ffff8b15affd3000 [59085.649422] FS: 0000000000000000(0000) GS:ffff8b156fa40000(0000) knlGS:0000000000000000 [59085.657588] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [59085.663388] CR2: 00007f5c226c01a8 CR3: 00000020792b6006 CR4: 00000000001706e0 [59085.670590] Kernel panic - not syncing: Fatal exception [59085.671587] Kernel Offset: 0x16000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [59085.671587] ---[ end Kernel panic - not syncing: Fatal exception ]--- Best Regards Wang Yugui (wangyugui@xxxxxxxxxxxx) 2021/04/23 > Hi, > > > On Sat, Apr 17, 2021 at 1:33 AM Wang Yugui <wangyugui@xxxxxxxxxxxx> wrote: > > > > > > Hi, > > > > > > > On Mon, Apr 12, 2021 at 3:07 AM Wang Yugui <wangyugui@xxxxxxxxxxxx> wrote: > > > > > > > > > > Hi, > > > > > > > > > > kernel BUG at mm/huge_memory.c:2736(linux 5.10.29) is triggered > > > > > by some files write test. > > > > > > > > > > mm/huge_memory.c: > > > > > if (IS_ENABLED(CONFIG_DEBUG_VM) && mapcount) { > > > > > pr_alert("total_mapcount: %u, page_count(): %u\n", > > > > > mapcount, count); > > > > > if (PageTail(page)) > > > > > dump_page(head, NULL); > > > > > dump_page(page, "total_mapcount(head) > 0"); > > > > > L2736: BUG(); > > > > > } > > > > > > > > We just can tell the mapcount of the page is not zero from the current > > > > log, it might mean the unmap_page() call is failed. It seems you have > > > > CONFIG_DEBUG_VM enabled, could you please paste more log? There is > > > > "VM_BUG_ON_PAGE(!unmap_success, page)" in unmap_page(). It should be > > > > able to tell us if unmap_page() is failed or not, or something else > > > > happened. > > > > > > This is the full dmesg output > > > > > > [63080.331513] huge_memory: total_mapcount: 511, page_count(): 512 > > > [63080.332167] page:00000000d2e1a982 refcount:512 mapcount:0 mapping:0000000000000000 index:0x7fe260582 pfn:0x676a00 > > > [63080.332167] head:00000000d2e1a982 order:9 compound_mapcount:0 compound_pincount:0 > > > [63080.332167] anon flags: 0x17ffffc009001d(locked|uptodate|dirty|lru|head|swapbacked) > > > [63080.332167] raw: 0017ffffc009001d ffffc93cda0d0008 ffffc93cd9ab0008 ffff8f21be9f0cb9 > > > [63080.332167] raw: 00000007fe260582 0000000000000000 00000200ffffffff ffff8f1021810000 > > > [63080.332167] page->mem_cgroup:ffff8f1021810000 > > > [63080.332167] page:00000000bc78ac24 refcount:512 mapcount:1 mapping:0000000000000000 index:0x7fe260584 pfn:0x676a02 > > > [63080.332167] head:00000000d2e1a982 order:9 compound_mapcount:0 compound_pincount:0 > > > [63080.332167] anon flags: 0x17ffffc009001d(locked|uptodate|dirty|lru|head|swapbacked) > > > [63080.332167] raw: 0017ffffc0000000 ffffc93cd9da8001 dead000000000000 ffffc93d428d0098 > > > [63080.332167] raw: ffffa002cd183bf0 0000000000000000 0000000000000000 0000000000000000 > > > [63080.332167] head: 0017ffffc009001d ffffc93cda0d0008 ffffc93cd9ab0008 ffff8f21be9f0cb9 > > > [63080.332167] head: 00000007fe260582 0000000000000000 00000200ffffffff ffff8f1021810000 > > > [63080.332167] page dumped because: total_mapcount(head) > 0 > > > > Added Kirill in this loop too, he may have some insights. > > > > Thanks a lot for pasting the full log. It seems the BUG_ON in > > unmap_page() and VM_BUG_ON_PAGE(compound_mapcount(head), head) were > > not triggered. But the dumped page shows its total_mapcount is 511. It > > means 511 subpages of the huge page are PTE mapped. It seems all tail > > pages are PTE mapped. It may be because unmap_page() is failed or they > > are mapped again after unmap_page(). > > > > But the VM_BUG_ON_PAGE just checks compound_mapcount, and it seems > > page_mapcount() call in unmap_page() also just checks > > compound_mapcount and the mapcount of the head page. If the mapcount > > of the head page is 0 and compound_mapcount is also 0, try_to_unmap() > > considers unmap is successful. > > > > So we can't tell which case it is although I don't think of how > > unmap_page() could fail for this case. I think we should check the > > total mapcount in try_to_unmap() instead. > > > > Can you please try the below debug patch (untested) to help narrow > > down the problem? > > > > diff --git a/mm/huge_memory.c b/mm/huge_memory.c > > index ae907a9c2050..c10e89be1c99 100644 > > --- a/mm/huge_memory.c > > +++ b/mm/huge_memory.c > > @@ -2726,7 +2726,7 @@ int split_huge_page_to_list(struct page *page, > > struct list_head *list) > > } > > > > unmap_page(head); > > - VM_BUG_ON_PAGE(compound_mapcount(head), head); > > + VM_BUG_ON_PAGE(total_mapcount(head), head); > > > > /* block interrupt reentry in xa_lock and spinlock */ > > local_irq_disable(); > > diff --git a/mm/rmap.c b/mm/rmap.c > > index b0fc27e77d6d..537dfc557744 100644 > > --- a/mm/rmap.c > > +++ b/mm/rmap.c > > @@ -1777,7 +1777,7 @@ bool try_to_unmap(struct page *page, enum ttu_flags flags) > > else > > rmap_walk(page, &rwc); > > > > - return !page_mapcount(page) ? true : false; > > + return !total_mapcount(page) ? true : false; > > } > > > > /** > > > > > > With this patch, the problem yet not happen after 4 tests(5.10.x). > > By the way, the problem does not happen in 5.4.x.(>about 120 tests) > does this match the code version? > > Best Regards > Wang Yugui (wangyugui@xxxxxxxxxxxx) > 2021/04/23 > > > >