| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 30 Mar 2021 15:27:27 +0200
From: Christian Borntraeger <borntraeger@...ibm.com>
To: Stephen Rothwell <sfr@...b.auug.org.au>,
Linux Next Mailing List <linux-next@...r.kernel.org>,
Yang Shi <shy828301@...il.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Muchun Song <songmuchun@...edance.com>
Cc: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
linux-s390 <linux-s390@...r.kernel.org>,
Johannes Weiner <hannes@...xchg.org>,
Michal Hocko <mhocko@...nel.org>, Roman Gushchin <guro@...com>,
Shakeel Butt <shakeelb@...gle.com>,
Vladimir Davydov <vdavydov.dev@...il.com>,
Xiongchun Duan <duanxiongchun@...edance.com>
Subject: Re: kernel warning percpu ref in obj_cgroup_release
So bisect shows this for belows warning:
636c3ef8229ecb4e7d045e86f36505d24a8f019a is the first bad commit
commit 636c3ef8229ecb4e7d045e86f36505d24a8f019a
Author: Muchun Song <songmuchun@...edance.com>
Date: Mon Mar 29 11:12:06 2021 +1100
mm: memcontrol: use obj_cgroup APIs to charge kmem pages
Since Roman's series "The new cgroup slab memory controller" applied. All
slab objects are charged via the new APIs of obj_cgroup. The new APIs
introduce a struct obj_cgroup to charge slab objects. It prevents
long-living objects from pinning the original memory cgroup in the memory.
But there are still some corner objects (e.g. allocations larger than
order-1 page on SLUB) which are not charged via the new APIs. Those
objects (include the pages which are allocated from buddy allocator
directly) are charged as kmem pages which still hold a reference to the
memory cgroup.
We want to reuse the obj_cgroup APIs to charge the kmem pages. If we do
that, we should store an object cgroup pointer to page->memcg_data for the
kmem pages.
Finally, page->memcg_data will have 3 different meanings.
1) For the slab pages, page->memcg_data points to an object cgroups
vector.
2) For the kmem pages (exclude the slab pages), page->memcg_data
points to an object cgroup.
3) For the user pages (e.g. the LRU pages), page->memcg_data points
to a memory cgroup.
We do not change the behavior of page_memcg() and page_memcg_rcu(). They
are also suitable for LRU pages and kmem pages. Why?
Because memory allocations pinning memcgs for a long time - it exists at a
larger scale and is causing recurring problems in the real world: page
cache doesn't get reclaimed for a long time, or is used by the second,
third, fourth, ... instance of the same job that was restarted into a new
cgroup every time. Unreclaimable dying cgroups pile up, waste memory, and
make page reclaim very inefficient.
We can convert LRU pages and most other raw memcg pins to the objcg
direction to fix this problem, and then the page->memcg will always point
to an object cgroup pointer. At that time, LRU pages and kmem pages will
be treated the same. The implementation of page_memcg() will remove the
kmem page check.
This patch aims to charge the kmem pages by using the new APIs of
obj_cgroup. Finally, the page->memcg_data of the kmem page points to an
object cgroup. We can use the __page_objcg() to get the object cgroup
associated with a kmem page. Or we can use page_memcg() to get the memory
cgroup associated with a kmem page, but caller must ensure that the
returned memcg won't be released (e.g. acquire the rcu_read_lock or
css_set_lock).
Link: https://lkml.kernel.org/r/20210319163821.20704-6-songmuchun@bytedance.com
Signed-off-by: Muchun Song <songmuchun@...edance.com>
Acked-by: Johannes Weiner <hannes@...xchg.org>
Cc: Michal Hocko <mhocko@...nel.org>
Cc: Roman Gushchin <guro@...com>
Cc: Shakeel Butt <shakeelb@...gle.com>
Cc: Vladimir Davydov <vdavydov.dev@...il.com>
Cc: Xiongchun Duan <duanxiongchun@...edance.com>
Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
Signed-off-by: Stephen Rothwell <sfr@...b.auug.org.au>
include/linux/memcontrol.h | 116 +++++++++++++++++++++++++++++++++++----------
mm/memcontrol.c | 110 +++++++++++++++++++++---------------------
2 files changed, 145 insertions(+), 81 deletions(-)
On 30.03.21 13:32, Christian Borntraeger wrote:
[...]
>
> This next (328 is fine) triggers several bugs during our KVM CI run:
>
> [ 1506.494716] ------------[ cut here ]------------
> [ 1506.494730] percpu ref (obj_cgroup_release) <= 0 (-1) after switching to atomic
> [ 1506.494766] WARNING: CPU: 6 PID: 0 at lib/percpu-refcount.c:196 percpu_ref_switch_to_atomic_rcu+0x1ea/0x1f8
> [ 1506.494774] Modules linked in: kvm vhost_vsock vmw_vsock_virtio_transport_common vsock vhost vhost_iotlb xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT xt_tcpudp nft_compat nf_nat_tftp nft_objref nf_conntrack_tftp nft_counter bridge stp llc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct dm_service_time nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink zfcp scsi_transport_fc rpcrdma sunrpc dm_multipath rdma_ucm scsi_dh_rdac scsi_dh_emc rdma_cm scsi_dh_alua iw_cm ib_cm mlx5_ib ib_uverbs dm_mod ib_core s390_trng vfio_ccw vfio_mdev mdev vfio_iommu_type1 zcrypt_cex4 vfio eadm_sch sch_fq_codel configfs ip_tables x_tables ghash_s390 prng aes_s390 des_s390 libdes sha3_512_s390 sha3_256_s390 mlx5_core sha512_s390 sha256_s390 sha1_s390 sha_common nvme nvme_core pkey zcrypt rng_core autofs4 [last unloaded: vfio_ap]
> [ 1506.494832] CPU: 6 PID: 0 Comm: swapper/6 Not tainted 5.12.0-20210330.rc4.git0.9d49ed9ca93b.300.fc33.s390x+next #1
> [ 1506.494834] Hardware name: IBM 8561 T01 703 (LPAR)
> [ 1506.494836] Krnl PSW : 0704c00180000000 00000002d71dd21e (percpu_ref_switch_to_atomic_rcu+0x1ee/0x1f8)
> [ 1506.494840] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
> [ 1506.494842] Krnl GPRS: c0000000fffeffff 00000002f7256818 0000000000000043 00000000fffeffff
> [ 1506.494844] 00000000ffffffea 0000038000000001 0000000000000000 000003800000017c
> [ 1506.494846] 00000002d7924988 0000000227eb97a0 000003ff5413c7e0 7fffffffffffffff
> [ 1506.494848] 0000000080360000 00000002f726b570 00000002d71dd21a 00000380000bba28
> [ 1506.494856] Krnl Code: 00000002d71dd20e: e3309fe8ff04 lg %r3,-24(%r9)
> 00000002d71dd214: c0e5001eb556 brasl %r14,00000002d75b3cc0
> #00000002d71dd21a: af000000 mc 0,0
> >00000002d71dd21e: a7f4ffcc brc 15,00000002d71dd1b6
> 00000002d71dd222: 0707 bcr 0,%r7
> 00000002d71dd224: 0707 bcr 0,%r7
> 00000002d71dd226: 0707 bcr 0,%r7
> 00000002d71dd228: eb6ff0480024 stmg %r6,%r15,72(%r15)
> [ 1506.494928] Call Trace:
> [ 1506.494933] [<00000002d71dd21e>] percpu_ref_switch_to_atomic_rcu+0x1ee/0x1f8
> [ 1506.494940] ([<00000002d71dd21a>] percpu_ref_switch_to_atomic_rcu+0x1ea/0x1f8)
> [ 1506.494942] [<00000002d6b8a6c6>] rcu_do_batch+0x146/0x608
> [ 1506.494946] [<00000002d6b8ec04>] rcu_core+0x124/0x1d0
> [ 1506.494948] [<00000002d75d0222>] __do_softirq+0x13a/0x3c8
> [ 1506.494952] [<00000002d6b05306>] irq_exit+0xce/0xf8
> [ 1506.494955] [<00000002d75c1eb4>] do_ext_irq+0xdc/0x170
> [ 1506.494957] [<00000002d75cdea4>] ext_int_handler+0xc4/0xf4
> [ 1506.494959] [<0000000000000000>] 0x0
> [ 1506.494963] [<00000002d75cd9c2>] default_idle_call+0x42/0x110
> [ 1506.494965] [<00000002d6b411a0>] do_idle+0xd8/0x168
> [ 1506.494968] [<00000002d6b413ee>] cpu_startup_entry+0x36/0x40
> [ 1506.494971] [<00000002d6ac730a>] smp_start_secondary+0x82/0x88
> [ 1506.494974] Last Breaking-Event-Address:
> [ 1506.494975] [<00000002d6b71898>] vprintk_emit+0xa8/0x110
> [ 1506.494978] Kernel panic - not syncing: panic_on_warn set ...
>
>
>
> I will try to bisect this, but if anyone has an idea. CC some candidates.
Powered by blists - more mailing lists