lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4419611b-3282-2197-884c-332025cdada8@de.ibm.com>
Date:   Tue, 30 Mar 2021 15:27:27 +0200
From:   Christian Borntraeger <borntraeger@...ibm.com>
To:     Stephen Rothwell <sfr@...b.auug.org.au>,
        Linux Next Mailing List <linux-next@...r.kernel.org>,
        Yang Shi <shy828301@...il.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Muchun Song <songmuchun@...edance.com>
Cc:     Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        linux-s390 <linux-s390@...r.kernel.org>,
        Johannes Weiner <hannes@...xchg.org>,
        Michal Hocko <mhocko@...nel.org>, Roman Gushchin <guro@...com>,
        Shakeel Butt <shakeelb@...gle.com>,
        Vladimir Davydov <vdavydov.dev@...il.com>,
        Xiongchun Duan <duanxiongchun@...edance.com>
Subject: Re: kernel warning percpu ref in obj_cgroup_release

So bisect shows this for belows warning:

636c3ef8229ecb4e7d045e86f36505d24a8f019a is the first bad commit
commit 636c3ef8229ecb4e7d045e86f36505d24a8f019a
Author: Muchun Song <songmuchun@...edance.com>
Date:   Mon Mar 29 11:12:06 2021 +1100

     mm: memcontrol: use obj_cgroup APIs to charge kmem pages
     
     Since Roman's series "The new cgroup slab memory controller" applied.  All
     slab objects are charged via the new APIs of obj_cgroup.  The new APIs
     introduce a struct obj_cgroup to charge slab objects.  It prevents
     long-living objects from pinning the original memory cgroup in the memory.
     But there are still some corner objects (e.g.  allocations larger than
     order-1 page on SLUB) which are not charged via the new APIs.  Those
     objects (include the pages which are allocated from buddy allocator
     directly) are charged as kmem pages which still hold a reference to the
     memory cgroup.
     
     We want to reuse the obj_cgroup APIs to charge the kmem pages.  If we do
     that, we should store an object cgroup pointer to page->memcg_data for the
     kmem pages.
     
     Finally, page->memcg_data will have 3 different meanings.
     
       1) For the slab pages, page->memcg_data points to an object cgroups
          vector.
     
       2) For the kmem pages (exclude the slab pages), page->memcg_data
          points to an object cgroup.
     
       3) For the user pages (e.g. the LRU pages), page->memcg_data points
          to a memory cgroup.
     
     We do not change the behavior of page_memcg() and page_memcg_rcu().  They
     are also suitable for LRU pages and kmem pages.  Why?
     
     Because memory allocations pinning memcgs for a long time - it exists at a
     larger scale and is causing recurring problems in the real world: page
     cache doesn't get reclaimed for a long time, or is used by the second,
     third, fourth, ...  instance of the same job that was restarted into a new
     cgroup every time.  Unreclaimable dying cgroups pile up, waste memory, and
     make page reclaim very inefficient.
     
     We can convert LRU pages and most other raw memcg pins to the objcg
     direction to fix this problem, and then the page->memcg will always point
     to an object cgroup pointer.  At that time, LRU pages and kmem pages will
     be treated the same.  The implementation of page_memcg() will remove the
     kmem page check.
     
     This patch aims to charge the kmem pages by using the new APIs of
     obj_cgroup.  Finally, the page->memcg_data of the kmem page points to an
     object cgroup.  We can use the __page_objcg() to get the object cgroup
     associated with a kmem page.  Or we can use page_memcg() to get the memory
     cgroup associated with a kmem page, but caller must ensure that the
     returned memcg won't be released (e.g.  acquire the rcu_read_lock or
     css_set_lock).
     
     Link: https://lkml.kernel.org/r/20210319163821.20704-6-songmuchun@bytedance.com
     Signed-off-by: Muchun Song <songmuchun@...edance.com>
     Acked-by: Johannes Weiner <hannes@...xchg.org>
     Cc: Michal Hocko <mhocko@...nel.org>
     Cc: Roman Gushchin <guro@...com>
     Cc: Shakeel Butt <shakeelb@...gle.com>
     Cc: Vladimir Davydov <vdavydov.dev@...il.com>
     Cc: Xiongchun Duan <duanxiongchun@...edance.com>
     Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
     Signed-off-by: Stephen Rothwell <sfr@...b.auug.org.au>

  include/linux/memcontrol.h | 116 +++++++++++++++++++++++++++++++++++----------
  mm/memcontrol.c            | 110 +++++++++++++++++++++---------------------
  2 files changed, 145 insertions(+), 81 deletions(-)





On 30.03.21 13:32, Christian Borntraeger wrote:
[...]
> 
> This next (328 is fine) triggers several bugs during our KVM CI run:
> 
> [ 1506.494716] ------------[ cut here ]------------
> [ 1506.494730] percpu ref (obj_cgroup_release) <= 0 (-1) after switching to atomic
> [ 1506.494766] WARNING: CPU: 6 PID: 0 at lib/percpu-refcount.c:196 percpu_ref_switch_to_atomic_rcu+0x1ea/0x1f8
> [ 1506.494774] Modules linked in: kvm vhost_vsock vmw_vsock_virtio_transport_common vsock vhost vhost_iotlb xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT xt_tcpudp nft_compat nf_nat_tftp nft_objref nf_conntrack_tftp nft_counter bridge stp llc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct dm_service_time nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink zfcp scsi_transport_fc rpcrdma sunrpc dm_multipath rdma_ucm scsi_dh_rdac scsi_dh_emc rdma_cm scsi_dh_alua iw_cm ib_cm mlx5_ib ib_uverbs dm_mod ib_core s390_trng vfio_ccw vfio_mdev mdev vfio_iommu_type1 zcrypt_cex4 vfio eadm_sch sch_fq_codel configfs ip_tables x_tables ghash_s390 prng aes_s390 des_s390 libdes sha3_512_s390 sha3_256_s390 mlx5_core sha512_s390 sha256_s390 sha1_s390 sha_common nvme nvme_core pkey zcrypt rng_core autofs4 [last unloaded: vfio_ap]
> [ 1506.494832] CPU: 6 PID: 0 Comm: swapper/6 Not tainted 5.12.0-20210330.rc4.git0.9d49ed9ca93b.300.fc33.s390x+next #1
> [ 1506.494834] Hardware name: IBM 8561 T01 703 (LPAR)
> [ 1506.494836] Krnl PSW : 0704c00180000000 00000002d71dd21e (percpu_ref_switch_to_atomic_rcu+0x1ee/0x1f8)
> [ 1506.494840]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
> [ 1506.494842] Krnl GPRS: c0000000fffeffff 00000002f7256818 0000000000000043 00000000fffeffff
> [ 1506.494844]            00000000ffffffea 0000038000000001 0000000000000000 000003800000017c
> [ 1506.494846]            00000002d7924988 0000000227eb97a0 000003ff5413c7e0 7fffffffffffffff
> [ 1506.494848]            0000000080360000 00000002f726b570 00000002d71dd21a 00000380000bba28
> [ 1506.494856] Krnl Code: 00000002d71dd20e: e3309fe8ff04        lg      %r3,-24(%r9)
>                            00000002d71dd214: c0e5001eb556        brasl   %r14,00000002d75b3cc0
>                           #00000002d71dd21a: af000000            mc      0,0
>                           >00000002d71dd21e: a7f4ffcc            brc     15,00000002d71dd1b6
>                            00000002d71dd222: 0707                bcr     0,%r7
>                            00000002d71dd224: 0707                bcr     0,%r7
>                            00000002d71dd226: 0707                bcr     0,%r7
>                            00000002d71dd228: eb6ff0480024        stmg    %r6,%r15,72(%r15)
> [ 1506.494928] Call Trace:
> [ 1506.494933]  [<00000002d71dd21e>] percpu_ref_switch_to_atomic_rcu+0x1ee/0x1f8
> [ 1506.494940] ([<00000002d71dd21a>] percpu_ref_switch_to_atomic_rcu+0x1ea/0x1f8)
> [ 1506.494942]  [<00000002d6b8a6c6>] rcu_do_batch+0x146/0x608
> [ 1506.494946]  [<00000002d6b8ec04>] rcu_core+0x124/0x1d0
> [ 1506.494948]  [<00000002d75d0222>] __do_softirq+0x13a/0x3c8
> [ 1506.494952]  [<00000002d6b05306>] irq_exit+0xce/0xf8
> [ 1506.494955]  [<00000002d75c1eb4>] do_ext_irq+0xdc/0x170
> [ 1506.494957]  [<00000002d75cdea4>] ext_int_handler+0xc4/0xf4
> [ 1506.494959]  [<0000000000000000>] 0x0
> [ 1506.494963]  [<00000002d75cd9c2>] default_idle_call+0x42/0x110
> [ 1506.494965]  [<00000002d6b411a0>] do_idle+0xd8/0x168
> [ 1506.494968]  [<00000002d6b413ee>] cpu_startup_entry+0x36/0x40
> [ 1506.494971]  [<00000002d6ac730a>] smp_start_secondary+0x82/0x88
> [ 1506.494974] Last Breaking-Event-Address:
> [ 1506.494975]  [<00000002d6b71898>] vprintk_emit+0xa8/0x110
> [ 1506.494978] Kernel panic - not syncing: panic_on_warn set ...
> 
> 
> 
> I will try to bisect this, but if anyone has an idea. CC some candidates.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ