bisecting cause commit starting from 22051d9c4a57d3b4a8b5a7407efc80c71c7bfb16 building syzkaller on 7bb222f7bcce6f16c2e110f4c3270e009aaf55e7 testing commit 22051d9c4a57d3b4a8b5a7407efc80c71c7bfb16 with gcc (GCC) 8.1.0 run #0: crashed: BUG: Bad rss-counter state run #1: crashed: BUG: Bad rss-counter state run #2: crashed: WARNING in __mmdrop run #3: crashed: WARNING in __mmdrop run #4: crashed: BUG: Bad rss-counter state run #5: crashed: WARNING in __mmdrop run #6: crashed: WARNING in __mmdrop run #7: crashed: BUG: Bad rss-counter state run #8: crashed: WARNING in __mmdrop run #9: crashed: BUG: Bad rss-counter state testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 all runs: OK # git bisect start 22051d9c4a57d3b4a8b5a7407efc80c71c7bfb16 v5.2 Bisecting: 5788 revisions left to test after this (roughly 13 steps) [2c207985f354dfb549e5a543102a3e084eea81f6] mm/oom_kill.c: remove redundant OOM score normalization in select_bad_process() testing commit 2c207985f354dfb549e5a543102a3e084eea81f6 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 2c207985f354dfb549e5a543102a3e084eea81f6 Bisecting: 3045 revisions left to test after this (roughly 12 steps) [168869492e7009b6861b615f1d030c99bc805e83] docs: kbuild: fix build with pdf and fix some minor issues testing commit 168869492e7009b6861b615f1d030c99bc805e83 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 168869492e7009b6861b615f1d030c99bc805e83 Bisecting: 1371 revisions left to test after this (roughly 11 steps) [d7929c1e13e3788e7cb741d75b5baec5e53eff21] Merge branch 'drm-next' into drm-next-5.3 testing commit d7929c1e13e3788e7cb741d75b5baec5e53eff21 with gcc (GCC) 8.1.0 all runs: OK # git bisect good d7929c1e13e3788e7cb741d75b5baec5e53eff21 Bisecting: 678 revisions left to test after this (roughly 10 steps) [9637d517347e80ee2fe1c5d8ce45ba1b88d8b5cd] Merge tag 'for-linus-20190715' of git://git.kernel.dk/linux-block testing commit 9637d517347e80ee2fe1c5d8ce45ba1b88d8b5cd with gcc (GCC) 8.1.0 all runs: OK # git bisect good 9637d517347e80ee2fe1c5d8ce45ba1b88d8b5cd Bisecting: 312 revisions left to test after this (roughly 8 steps) [47ebe00b684c2bc183a766bc33c8b5943bc0df85] Merge tag 'dmaengine-5.3-rc1' of git://git.infradead.org/users/vkoul/slave-dma testing commit 47ebe00b684c2bc183a766bc33c8b5943bc0df85 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 47ebe00b684c2bc183a766bc33c8b5943bc0df85 Bisecting: 158 revisions left to test after this (roughly 7 steps) [dfe1d3a2830d607bbd66bae8bb86ae7ffde04f38] Merge branches 'clk-bulk-optional', 'clk-kirkwood', 'clk-socfpga' and 'clk-docs' into clk-next testing commit dfe1d3a2830d607bbd66bae8bb86ae7ffde04f38 with gcc (GCC) 8.1.0 all runs: OK # git bisect good dfe1d3a2830d607bbd66bae8bb86ae7ffde04f38 Bisecting: 63 revisions left to test after this (roughly 6 steps) [916f562fb28a49457d3d99d156ca415b50d6750e] Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux testing commit 916f562fb28a49457d3d99d156ca415b50d6750e with gcc (GCC) 8.1.0 all runs: OK # git bisect good 916f562fb28a49457d3d99d156ca415b50d6750e Bisecting: 38 revisions left to test after this (roughly 5 steps) [7636b7589f81940c6d6518786f93de74495575fa] Merge tag 'rpmsg-v5.3' of git://github.com/andersson/remoteproc testing commit 7636b7589f81940c6d6518786f93de74495575fa with gcc (GCC) 8.1.0 run #0: crashed: BUG: Bad rss-counter state run #1: crashed: BUG: Bad rss-counter state run #2: crashed: BUG: Bad rss-counter state run #3: crashed: BUG: Bad rss-counter state run #4: crashed: BUG: Bad rss-counter state run #5: crashed: WARNING in __mmdrop run #6: crashed: WARNING in __mmdrop run #7: crashed: BUG: Bad rss-counter state run #8: crashed: WARNING in __mmdrop run #9: crashed: BUG: Bad rss-counter state # git bisect bad 7636b7589f81940c6d6518786f93de74495575fa Bisecting: 12 revisions left to test after this (roughly 4 steps) [edcd69ab9a323b7ac7a86e1c44b6c9c46598391f] iommu: Add virtio-iommu driver testing commit edcd69ab9a323b7ac7a86e1c44b6c9c46598391f with gcc (GCC) 8.1.0 run #0: crashed: BUG: Bad rss-counter state run #1: crashed: BUG: Bad rss-counter state run #2: crashed: BUG: Bad rss-counter state run #3: crashed: BUG: Bad rss-counter state run #4: crashed: BUG: Bad rss-counter state run #5: crashed: BUG: Bad rss-counter state run #6: crashed: WARNING in __mmdrop run #7: crashed: WARNING in __mmdrop run #8: crashed: BUG: Bad rss-counter state run #9: crashed: BUG: Bad rss-counter state # git bisect bad edcd69ab9a323b7ac7a86e1c44b6c9c46598391f Bisecting: 5 revisions left to test after this (roughly 3 steps) [7f466032dc9e5a61217f22ea34b2df932786bbfc] vhost: access vq metadata through kernel virtual address testing commit 7f466032dc9e5a61217f22ea34b2df932786bbfc with gcc (GCC) 8.1.0 run #0: crashed: BUG: Bad rss-counter state run #1: crashed: BUG: Bad rss-counter state run #2: crashed: BUG: Bad rss-counter state run #3: crashed: BUG: Bad rss-counter state run #4: crashed: BUG: Bad rss-counter state run #5: crashed: BUG: Bad rss-counter state run #6: crashed: WARNING in __mmdrop run #7: crashed: BUG: Bad rss-counter state run #8: crashed: BUG: Bad rss-counter state run #9: crashed: BUG: Bad rss-counter state # git bisect bad 7f466032dc9e5a61217f22ea34b2df932786bbfc Bisecting: 2 revisions left to test after this (roughly 2 steps) [9b5e830b7120847da6c636af2d101f8380e73fa0] vhost: rename vq_iotlb_prefetch() to vq_meta_prefetch() testing commit 9b5e830b7120847da6c636af2d101f8380e73fa0 with gcc (GCC) 8.1.0 all runs: OK # git bisect good 9b5e830b7120847da6c636af2d101f8380e73fa0 Bisecting: 0 revisions left to test after this (roughly 1 step) [feebcaeac79ad86fb289ef55fa92f4a97ab8314e] vhost: factor out setting vring addr and num testing commit feebcaeac79ad86fb289ef55fa92f4a97ab8314e with gcc (GCC) 8.1.0 all runs: OK # git bisect good feebcaeac79ad86fb289ef55fa92f4a97ab8314e 7f466032dc9e5a61217f22ea34b2df932786bbfc is the first bad commit commit 7f466032dc9e5a61217f22ea34b2df932786bbfc Author: Jason Wang Date: Fri May 24 04:12:18 2019 -0400 vhost: access vq metadata through kernel virtual address It was noticed that the copy_to/from_user() friends that was used to access virtqueue metdata tends to be very expensive for dataplane implementation like vhost since it involves lots of software checks, speculation barriers, hardware feature toggling (e.g SMAP). The extra cost will be more obvious when transferring small packets since the time spent on metadata accessing become more significant. This patch tries to eliminate those overheads by accessing them through direct mapping of those pages. Invalidation callbacks is implemented for co-operation with general VM management (swap, KSM, THP or NUMA balancing). We will try to get the direct mapping of vq metadata before each round of packet processing if it doesn't exist. If we fail, we will simplely fallback to copy_to/from_user() friends. This invalidation and direct mapping access are synchronized through spinlock and RCU. All matedata accessing through direct map is protected by RCU, and the setup or invalidation are done under spinlock. This method might does not work for high mem page which requires temporary mapping so we just fallback to normal copy_to/from_user() and may not for arch that has virtual tagged cache since extra cache flushing is needed to eliminate the alias. This will result complex logic and bad performance. For those archs, this patch simply go for copy_to/from_user() friends. This is done by ruling out kernel mapping codes through ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE. Note that this is only done when device IOTLB is not enabled. We could use similar method to optimize IOTLB in the future. Tests shows at most about 23% improvement on TX PPS when using virtio-user + vhost_net + xdp1 + TAP on 2.6GHz Broadwell: SMAP on | SMAP off Before: 5.2Mpps | 7.1Mpps After: 6.4Mpps | 8.2Mpps Cc: Andrea Arcangeli Cc: James Bottomley Cc: Christoph Hellwig Cc: David Miller Cc: Jerome Glisse Cc: linux-mm@kvack.org Cc: linux-arm-kernel@lists.infradead.org Cc: linux-parisc@vger.kernel.org Signed-off-by: Jason Wang Signed-off-by: Michael S. Tsirkin :040000 040000 c368bf7940686a2134ad239d743eb0f5846c15cf 26c5227d261b8ee18909d17eb2dd9631fe1c5b2b M drivers revisions tested: 14, total time: 3h26m33.943218987s (build: 1h21m54.829059124s, test: 1h59m55.193618929s) first bad commit: 7f466032dc9e5a61217f22ea34b2df932786bbfc vhost: access vq metadata through kernel virtual address cc: ["aarcange@redhat.com" "davem@davemloft.net" "hch@infradead.org" "james.bottomley@hansenpartnership.com" "jasowang@redhat.com" "jglisse@redhat.com" "linux-arm-kernel@lists.infradead.org" "linux-mm@kvack.org" "linux-parisc@vger.kernel.org" "mst@redhat.com"] crash: BUG: Bad rss-counter state BUG: Bad rss-counter state mm:00000000d427a2e3 idx:0 val:186 BUG: Bad rss-counter state mm:00000000d427a2e3 idx:1 val:541 BUG: non-zero pgtables_bytes on freeing mm: 49152