Bug 214961

Summary: ubifs: kernel BUG at include/linux/page_ref.h:184!
Product: File System
Reporter: Zhihao Cheng (chengzhihao1)
Component: Other
Assignee: fs_other
Status: NEW
Severity: normal
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 5.15-rc5
Subsystem:
Regression: No
Bisected commit-id:
Attachments: diff, setup.sh, diff2

Description Zhihao Cheng 2021-11-06 07:33:25 UTC
[  179.487190] page:00000000cdbbe567 refcount:-1 mapcount:0 mapping:00000000c89fe2cd index:0xf1 pfn:0xa8b2
[  179.488651] memcg:ffff88801930a000
[  179.488653] aops:ubifs_file_address_operations [ubifs] ino:132 dentry name:"f6d"
[  179.489515] flags: 0x1fffff80002405(locked|uptodate|owner_priv_1|private|node=0|zone=1|lastcpupid=0x1fffff)
[  179.489524] raw: 001fffff80002405 ffffea00002a2c48 ffffc90000157df0 ffff8880125293d0
[  179.491353] raw: 00000000000000f1 0000000000000000 ffffffffffffffff ffff88801930a000
[  179.493535] page dumped because: VM_BUG_ON_PAGE(page_count(page) != 0)
[  179.493556] ------------[ cut here ]------------
[  179.496788] kernel BUG at include/linux/page_ref.h:184!
[  179.497471] invalid opcode: 0000 [#1] SMP
[  179.497977] CPU: 3 PID: 37 Comm: kcompactd0 Not tainted 5.15.0-rc5-00263-g918d36132eb5-dirty #183
[  179.499069] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[  179.500711] RIP: 0010:migrate_page_move_mapping+0xac3/0xe70
[  179.501430] Code: 0b 01 48 8d 42 ff e9 6e f7 ff ff 48 c7 c6 58 16 9a 82 4c 89 ff 48 83 05 d2 b7 88 0b 01 e8 85 ff f5 ff 48 83 05 cd b7 88 0b 01 <0f> b
[  179.504208] RSP: 0018:ffffc90000157af8 EFLAGS: 00010002
[  179.504217] RAX: 000000000000003a RBX: 0000000000000000 RCX: 0000000000000027
[  179.504219] RDX: 0000000000000000 RSI: ffff88803fd97bd8 RDI: ffff88803fd97bd0
[  179.504220] RBP: 0000000000000002 R08: ffffffff82d0d5e0 R09: 67617028746e756f
[  179.504221] R10: 7028746e756f635f R11: 6567617028454741 R12: ffff8880125293d0
[  179.504223] R13: 0000000000000001 R14: 0000000000000001 R15: ffffea00002a2c80
[  179.510910] FS:  0000000000000000(0000) GS:ffff88803fd80000(0000) knlGS:0000000000000000
[  179.511927] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  179.512649] CR2: 00007f78c3479030 CR3: 0000000002c0a000 CR4: 00000000000006e0
[  179.513540] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  179.514398] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  179.515258] Call Trace:
[  179.516405]  ubifs_migrate_page+0x22/0xc0 [ubifs]
[  179.517822]  move_to_new_page+0xb4/0x600
[  179.518301]  ? page_counter_cancel+0x37/0xa0
[  179.518820]  ? free_unref_page_commit.isra.0+0xa9/0x1e0
[  179.519456]  ? __count_memcg_events+0x48/0x60
[  179.519986]  migrate_pages+0x1523/0x1cc0
[  179.520462]  ? isolate_freepages_block+0x5a0/0x5a0
[  179.521043]  ? __ClearPageMovable+0x70/0x70
[  179.521551]  compact_zone+0x8c5/0x14b0
[  179.522011]  ? pick_next_task_fair+0x258/0x640
[  179.522549]  proactive_compact_node+0xd1/0x140
[  179.523089]  ? prepare_to_wait_event+0xa0/0x250
[  179.523638]  kcompactd+0x2bc/0x560
[  179.524057]  ? woken_wake_function+0x30/0x30
[  179.524574]  ? proactive_compact_node+0x140/0x140
[  179.525150]  kthread+0x18c/0x1e0
[  179.525957]  ? set_kthread_struct+0x70/0x70
[  179.527215]  ret_from_fork+0x1f/0x30
[  179.527957] Modules linked in: zstd zstd_compress ubifs ubi nandsim
[  179.528729] ---[ end trace b57cbb36065ae2e7 ]---
[  179.528731] RIP: 0010:migrate_page_move_mapping+0xac3/0xe70
Comment 1 Zhihao Cheng 2021-11-06 07:45:55 UTC
Reproduce:
1. Config qemu:
   -smp 4   # multi-cores
   -m 1024  # low memory
2. Apply diff and compile kernel (nandsim=m, ubi=m, ubifs=m)
3. ./setup.sh 1
4. fsstress -d /root/temp/ -l 0 -n 10000 -p 4

(About 5 minutes later ...)
[  119.246740] page count -1
[  119.246869] Do ref dec
[  119.247294] page:0000000022851bc8 refcount:-1 mapcount:0 mapping:0000000059e259ce index:0x6f pfn:0x143a6
[  119.247305] memcg:ffff88801bb61000
[  119.247860] Wait page ffffea00005efec0 migrate
[  119.248557] Do ref dec
[  119.248579] Wait page ffffea00005c3a00 migrate
[  119.249406] aops:ubifs_file_address_operations [ubifs] ino:5f7 dentry name:"f22f"
[  119.252208] Do ref dec
[  119.253319] flags: 0x1fffff80002405(locked|uptodate|owner_priv_1|private|node=0|zone=1|lastcpupid=0x1fffff)
[  119.253774] Wait page ffffea00005d68c0 migrate
[  119.255495] raw: 001fffff80002405 ffffea000050e848 ffffea000050fbc8 ffff888018d06c50
[  119.255505] raw: 000000000000006f 0000000000000000 ffffffffffffffff ffff88801bb61000
[  119.258589] Do ref dec
[  119.259035] page dumped because: VM_BUG_ON_PAGE(page_count(page) != 0)
[  119.259072] ------------[ cut here ]------------
[  119.259507] Wait page ffffea00005ac2c0 migrate
[  119.260040] Do ref dec
[  119.260059] Wait page ffffea000062f700 migrate
[  119.260777] kernel BUG at include/linux/page_ref.h:184!
[  119.260820] invalid opcode: 0000 [#1] SMP
[  119.260825] CPU: 2 PID: 37 Comm: kcompactd0 Not tainted 5.15.0-rc5-00267-g734f7058ee89-dirty #185
[  119.260829] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[  119.260832] RIP: 0010:migrate_page_move_mapping+0xac3/0xe70
[  119.260852] Code: 0b 01 48 8d 42 ff e9 6e f7 ff ff 48 c7 c6 58 16 9a 82 4c 89 ff 48 83 05 d2 b7 88 0b 01 e8 85 ff f5 ff 48 83 05 cd b7 88 0b 01 <0f> b
[  119.260855] RSP: 0018:ffffc90000157af8 EFLAGS: 00010002
[  119.266303] Do ref dec
[  119.266848] 
[  119.269075] Wait page ffffea00005d6ac0 migrate
[  119.270049] RAX: 000000000000003a RBX: 0000000000000000 RCX: 0000000000000027
[  119.270054] RDX: 0000000000000000 RSI: ffff88803fd17bd8 RDI: ffff88803fd17bd0
[  119.270056] RBP: 0000000000000002 R08: ffffffff82d0d5e0 R09: 67617028746e756f
[  119.270058] R10: 7028746e756f635f R11: 6567617028454741 R12: ffff888018d06c50
[  119.270060] R13: 0000000000000001 R14: 0000000000000001 R15: ffffea000050e980
[  119.270062] FS:  0000000000000000(0000) GS:ffff88803fd00000(0000) knlGS:0000000000000000
[  119.270065] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  119.270067] Do ref dec
[  119.270107] Wait page ffffea00006aa3c0 migrate
[  119.271722] Do ref dec
[  119.271814] Wait page ffffea00005ac900 migrate
[  119.280117] Do ref dec
[  119.280538] CR2: 00007f22724f4080 CR3: 000000001515e000 CR4: 00000000000006e0
[  119.281809] Wait page ffffea000068af40 migrate
[  119.281823] Do ref dec
[  119.281846] Wait page ffffea000050ab40 migrate
[  119.283181] Do ref dec
[  119.283187] Wait page ffffea00005d7bc0 migrate
[  119.283241] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  119.283245] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  119.283248] Call Trace:
[  119.283256]  ubifs_migrate_page+0x22/0xc0 [ubifs]
[  119.291857] Do ref dec
[  119.292896]  move_to_new_page+0xb4/0x600
[  119.292907]  ? page_counter_cancel+0x37/0xa0
[  119.293196] Do ref dec
[  119.293202] Wait page ffffea00005ab800 migrate
[  119.294203] Wait page ffffea000059b980 migrate
[  119.294234] Do ref dec
[  119.294254] Wait page ffffea00006a6500 migrate
[  119.294642]  ? free_unref_page_commit.isra.0+0xa9/0x1e0
[  119.301975]  ? __count_memcg_events+0x48/0x60
[  119.302960]  migrate_pages+0x1523/0x1cc0
[  119.303210] Do ref dec
[  119.303689]  ? isolate_freepages_block+0x5a0/0x5a0
[  119.304181] Wait page ffffea00005abd00 migrate
[  119.304264] Do ref dec
[  119.304288] Wait page ffffea00006a42c0 migrate
[  119.305066]  ? __ClearPageMovable+0x70/0x70
[  119.305076]  compact_zone+0x8c5/0x14b0
[  119.305081]  ? pick_next_task_fair+0x51/0x640
[  119.305463] Do ref dec
[  119.305485] Wait page ffffea00005d6800 migrate
[  119.310511]  proactive_compact_node+0xd1/0x140
[  119.311331]  ? prepare_to_wait_event+0xa0/0x250
[  119.312132]  kcompactd+0x2bc/0x560
[  119.312727]  ? woken_wake_function+0x30/0x30
[  119.313474]  ? proactive_compact_node+0x140/0x140
[  119.314298] Do ref dec
[  119.314321]  kthread+0x18c/0x1e0
[  119.314768] Wait page ffffea0000699a00 migrate
[  119.315374]  ? set_kthread_struct+0x70/0x70
[  119.315381]  ret_from_fork+0x1f/0x30
[  119.315498] Do ref dec
[  119.315517] Wait page ffffea0000648e40 migrate
[  119.315858] Do ref dec
[  119.315862] Wait page ffffea000069a000 migrate
[  119.320013] Modules linked in: zstd zstd_compress ubifs ubi nandsim
[  119.321173] ---[ end trace 50ba649f4247abbc ]---
Comment 2 Zhihao Cheng 2021-11-06 07:47:16 UTC
Created attachment 299475 [details]
diff
Comment 3 Zhihao Cheng 2021-11-06 07:47:26 UTC
Created attachment 299477 [details]
setup.sh
Comment 4 Zhihao Cheng 2021-11-11 12:40:06 UTC
Reproducer 2:
1. Config qemu:
   -smp 4   # multi-cores
   -m 1024  # low memory
2. open CONFIG_PANIC_ON_OOPS and apply diff.patch(diff2)
3. ./setup.sh 1
4. fsstress -d /root/temp/ -l 0 -n 10000 -p 4 op_name=write,read

(several minutes later)

[  439.586396] Add lru page ffffea00002ae6c0 lru 0
[  439.586397] Add lru page2 ffffea00002ae6c0 lru 1
[  439.591389] Wait page ffffea00002ae6c0 2 lru 1 fsstress 9007197107266588
[  439.591448] compat add page ffffea00002ae6c0 count 3 lru 0
[  439.597771] Add lru page ffffea00006ce200 lru 0
[  439.598404] Add lru page2 ffffea00006ce200 lru 1
[  439.598994] Add lru page ffffea00006ce240 lru 0
[  439.599578] Add lru page2 ffffea00006ce240 lru 1
[  439.600170] Add lru page ffffea00006ce280 lru 0
[  439.600741] Add lru page2 ffffea00006ce280 lru 1
[  439.601332] Add lru page ffffea00006ce2c0 lru 0
[  439.601904] Add lru page2 ffffea00006ce2c0 lru 1
[  439.602505] Add lru page ffffea00006b7300 lru 0
[  439.603083] Add lru page2 ffffea00006b7300 lru 1
[  439.603675] Add lru page ffffea00005e9240 lru 0
[  439.603695] Wait page ffffea00006b7300 2 lru 1 fsstress 9007197107266588
[  439.603774] page ffffea00002ae6c0 count -1 exp 3 lru 0
[  439.603780] page:ffffea00002ae6c0 refcount:-1 mapcount:0 mapping:000000006c401981 index:0x5b pfn:0xab9b
[  439.603787] memcg:ffff88800fdde000
[  439.603790] aops:ubifs_file_address_operations [ubifs] ino:51e4 dentry name:"f7e"
[  439.603892] flags: 0x1fffff80002405(locked|uptodate|owner_priv_1|private|node=0|zone=1|lastcpupid=0x1fffff)
[  439.603916] raw: 001fffff80002405 ffffea00002ae688 ffffc90000157df0 ffff88801242d3d0
[  439.603926] raw: 000000000000005b 0000000000000000 ffffffffffffffff ffff88800fdde000
[  439.603928] page dumped because: VM_BUG_ON_PAGE(page_count(page) != 0)
[  439.603956] ------------[ cut here ]------------
[  439.603960] kernel BUG at include/linux/page_ref.h:184!
[  439.603981] invalid opcode: 0000 [#1] SMP
[  439.603985] CPU: 1 PID: 37 Comm: kcompactd0 Not tainted 5.15.0-rc5-00267-gec9914a13caf-dirty #274
[  439.603989] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[  439.603991] RIP: 0010:migrate_page_move_mapping+0xac3/0xe70
[  439.604009] Code: 0b 01 48 8d 42 ff e9 6e f7 ff ff 48 c7 c6 b0 1a bc 82 4c 89 ff 48 83 05 72 16 af 0b 01 e8 d5 f4 f5 ff 48 83 05 6d 16 af 0b 01 <0f> b
[  439.604011] RSP: 0018:ffffc90000157af0 EFLAGS: 00010002
[  439.604019] RAX: 000000000000003a RBX: 0000000000000000 RCX: 0000000000000027
[  439.604021] RDX: 0000000000000000 RSI: ffff88803fc97bd8 RDI: ffff88803fc97bd0
[  439.604023] RBP: 0000000000000002 R08: ffffffff82f0d5e0 R09: 67617028746e756f
[  439.604024] R10: 7028746e756f635f R11: 6567617028454741 R12: ffff88801242d3d0
[  439.604026] R13: 0000000000000001 R14: 0000000000000001 R15: ffffea00002ae6c0
[  439.604028] FS:  0000000000000000(0000) GS:ffff88803fc80000(0000) knlGS:0000000000000000
[  439.604030] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  439.604033] CR2: 00007fc4213e2000 CR3: 0000000002e0a000 CR4: 00000000000006e0
[  439.604038] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  439.604039] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  439.604041] Call Trace:
[  439.604045]  ubifs_migrate_page+0x22/0xc0 [ubifs]
[  439.604068]  move_to_new_page+0xb4/0x600
[  439.604072]  ? free_unref_page_commit.isra.0+0xa9/0x1e0
[  439.604076]  ? __count_memcg_events+0x48/0x60
[  439.604083]  migrate_pages+0x1575/0x1d40
[  439.604087]  ? isolate_freepages_block+0x5a0/0x5a0
[  439.604092]  ? __ClearPageMovable+0x70/0x70
[  439.604096]  compact_zone+0x8c5/0x14b0
[  439.604099]  ? pick_next_task_fair+0x51/0x640
[  439.604105]  proactive_compact_node+0xd1/0x140
[  439.604109]  ? prepare_to_wait_event+0xa0/0x250
[  439.604112]  kcompactd+0x2bc/0x560
[  439.604116]  ? woken_wake_function+0x30/0x30
[  439.604118]  ? proactive_compact_node+0x140/0x140
[  439.604122]  kthread+0x18c/0x1e0
[  439.604126]  ? set_kthread_struct+0x70/0x70
[  439.604130]  ret_from_fork+0x1f/0x30
[  439.604142] Modules linked in: ubifs ubi nandsim
[  439.604160] ---[ end trace 35c998daa80d7f56 ]---
[  439.604162] RIP: 0010:migrate_page_move_mapping+0xac3/0xe70
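As an added triage aid (not part of this report or the reporter's attachments): a small parser that pulls the facts worth recording from the splats in Comment 1 and Comment 4 (page refcount, VM_BUG_ON reason, faulting symbol, task, reliable call chain) and separates the reporter's interleaved debug printks from the kernel's own report. The sample log is a constructed excerpt in the shape of Comment 1.

```python
import re

# Constructed sample in the shape of the splat from Comment 1: the kernel's page
# dump and oops interleaved with the reporter's own debug printks ("Do ref dec").
SAMPLE_LOG = """\
[  119.247294] page:0000000022851bc8 refcount:-1 mapcount:0 mapping:0000000059e259ce index:0x6f pfn:0x143a6
[  119.259035] page dumped because: VM_BUG_ON_PAGE(page_count(page) != 0)
[  119.260777] kernel BUG at include/linux/page_ref.h:184!
[  119.260825] CPU: 2 PID: 37 Comm: kcompactd0 Not tainted 5.15.0-rc5-00267-g734f7058ee89-dirty #185
[  119.260832] RIP: 0010:migrate_page_move_mapping+0xac3/0xe70
[  119.283248] Call Trace:
[  119.283256]  ubifs_migrate_page+0x22/0xc0 [ubifs]
[  119.291857] Do ref dec
[  119.292896]  move_to_new_page+0xb4/0x600
[  119.292907]  ? page_counter_cancel+0x37/0xa0
[  119.302960]  migrate_pages+0x1523/0x1cc0
[  119.312132]  kcompactd+0x2bc/0x560
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?(.*)$")
FRAME = re.compile(r"^\s*(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?\s*$")

def parse_oops(text):
    """Triage facts from a dmesg splat; 'other' collects lines that are not
    part of the kernel's own report (here: the reporter's debug printks)."""
    info = {"trace": [], "other": []}
    in_trace = False
    for raw in text.splitlines():
        msg = m.group(1) if (m := TS.match(raw)) else raw  # strip timestamp
        if msg.startswith("page:"):
            info["refcount"] = int(re.search(r"refcount:(-?\d+)", msg).group(1))
        elif msg.startswith("page dumped because:"):
            info["reason"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("kernel BUG at "):
            info["bug_at"] = msg[len("kernel BUG at "):].rstrip("!")
        elif msg.startswith("CPU:"):
            c = re.search(r"PID: (\d+) Comm: (\S+)", msg)
            info["pid"], info["comm"] = int(c.group(1)), c.group(2)
        elif msg.startswith("RIP:"):
            info["rip"] = re.search(r"RIP: \w+:([\w.]+)\+", msg).group(1)
        elif msg.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and (f := FRAME.match(msg)):
            # "? sym" frames are stale stack slots, not a reliable call chain
            info["trace"].append((f.group(2), f.group(3), f.group(1) is not None))
        else:
            info["other"].append(msg)
    # innermost-first chain without the unreliable frames, e.g. for a bug title
    info["chain"] = [s for s, _m, unreliable in info["trace"] if not unreliable]
    return info
```

Run over the full splats on this page, the "other" list is exactly the reporter's instrumentation ("Do ref dec", "Wait page ... migrate", "Add lru page ..."), so the kernel's report can be read cleanly and compared between the two reproducers.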
Comment 5 Zhihao Cheng 2021-11-11 12:40:18 UTC
Created attachment 299531 [details]
diff2