From nobody Sat Apr 18 09:09:33 2026 Received: from mail-pf1-f173.google.com (mail-pf1-f173.google.com [209.85.210.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 482832C2360 for ; Sat, 28 Feb 2026 16:10:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.173 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772295016; cv=none; b=t86jTDGybIDZQW7G1PMPLl2dTVlqWIf8eXEmsL4Ms+gcSHq2FJlBgLTOPutY0KiJVg5Fdb60vrt3LdVk39tldqK5FnqKKbBMNDBoMW0lV/ZI8CV+hyyPvbkTt2GUWH1Z+B1JlLF5JPydMFM27RGtozAputNdYmRmd2Uk4ZlgFig= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772295016; c=relaxed/simple; bh=ouZpJlm4B8Z2UWBs84HxuQjjgIVrDst4zxK1WLTEC1g=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=OymbwTQOhbB4qBfNml2oU7fgL94Ec6SxVCr7/K9LH7l4wD4Au8W5n4hAkCxXQBir/sGOzmlSX2g0FGY7/UPYFq5e7ILc6D19Omr6OFyC1kMaPRN7DugUToc4rHNPenIlKlC+9Y5B59XXRa6y54SOlZ/qUa+at9pZ66tTGixO5lE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=gxDAvXoF; arc=none smtp.client-ip=209.85.210.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="gxDAvXoF" Received: by mail-pf1-f173.google.com with SMTP id d2e1a72fcca58-82748095892so1329625b3a.0 for ; Sat, 28 Feb 2026 08:10:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1772295014; x=1772899814; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=MmNLVdGchA1yBtCPglJZ3Pu9g12dPbvz5wu2t4UwJbM=; b=gxDAvXoF/kz/OyUp2f/fW9BpzqM3Zg75kgML/5vxhKsWpZleG+yVPBiGCwIt7FFl9h Tjpi3mRQZSOU1rz3s4GXmDVSppVIrfK3Xw7zKYVGg8DwB5b2gbyXaWEb7+n49hO1sFMq EY+BAQ+HlFIpq78TQXWFnDLY2j0FZ/oQ2Xf+g8a3BvHXAdpg6qE1jNT7vG1u69OqMcKZ w50L202kdmSxKRNhQOw+3eq348mpZWY+tqyXpamashGj2yATCa8AEr4TVlWqlGrnNofb agDRmZaBq00aioZQC8csA9mlbi2hQ8ck6xeKxHBmXkLvJ14LOggg4rrElLTnOqMF6gCa rbaw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1772295014; x=1772899814; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=MmNLVdGchA1yBtCPglJZ3Pu9g12dPbvz5wu2t4UwJbM=; b=RzSrQwxz23vgru/ol007P+pCVujwqB/ZGcmK1K21CtkVh0j0dtmlvMjm0gxKAEIPGQ 2Cy3E8h/4ZYgdg1FQrQl2pAuQLNrjiOA/0ZgCMcYDn33/4QTdxVS1SeG0kTUr2+heh2Z IG8UN1fv0UoxjwaZZVRJOqTbqkW2i/QxpIvLffv7HkFPmIB2q2CGKhihk6QHzb86/QSC F1DwdQOAosdIkxbdHSITHUoZwB56M09ZYKE1/QxaukRXQpAe79v9oy5xQAuqSjNiwOH+ M16XBLw+8Qqg+aiyqiTek9/KZTYcHRRJ9gB/6Xb3ieKo9hQAobJbjTVrGEECO2JNgra7 HRvQ== X-Forwarded-Encrypted: i=1; AJvYcCW8QfeBMwCSyxhdkGOSmi/WJ4Np1tMEjrmItAF82YKiwFJOIXJuxqqykQ+3B6LREWlHpwt66NgKMUrzbDg=@vger.kernel.org X-Gm-Message-State: AOJu0Yw/HcKrnygVJXflPqvZfb/pSwhDXZiGuo+6NMs72aQgAwaklx6k 211XPXel41ANBl2xzkN7e0dB8FqKnn1853CKiae6LZkBS3XV9U9S+bxg X-Gm-Gg: ATEYQzwVcy59kjT9LXWu/T/3lgeaUk/0Z8q2JUb7hV/Z8RpqHOqpYwihpkhorG+R+hY ZuTVtMHYnp/MuzJ/5P12tUURhmnXOInp4WOzCm1DjCFwY51OAox4ec2wqAkRny1Xsqw9pWoSloA OBswgElh0IgaUHg/yOVsNJ7d0fGxXjN+GHLO7iW0CM8PQq7FNZbaTGxU3rh7eJLEamyt2nVLv/M H/dKkAP2qmny31VYExMuifyzwiFZ/KMbFCsnUbQ2MAXsiYa9I9ncrZFU3KdkAi+5zl7yFpQSeVA gf1AaT9C26Cw81ArssQOUsp+XqAU5eYbT0obPKo/IcNBGNshLdFKiNe1a/M/KeKM0rssoQp4KWV NMH3b06xDsREuzvJ2/Z+HrJqxuZyni3Wl0avKl0asgwuKIHxYqyk+cqEO6gL0a/a8TBoDzh2sWZ yFibHYnegzQqrJE7HJfn0uQ0YFiEu63LN7Bv3g+7jn98zPXUrNoVd5Stzk+OQ= X-Received: by 2002:a05:6a00:2e86:b0:827:2792:e40e with SMTP id d2e1a72fcca58-8274d9505cemr6761749b3a.26.1772295014111; Sat, 28 Feb 2026 08:10:14 -0800 (PST) Received: from localhost ([124.79.56.150]) by smtp.gmail.com with UTF8SMTPSA id d2e1a72fcca58-8273a05c0b0sm8192679b3a.61.2026.02.28.08.10.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 28 Feb 2026 08:10:13 -0800 (PST) From: Leno Hou To: linux-mm@kvack.org, linux-kernel@vger.kernel.org Cc: Leno Hou , Andrew Morton , Axel Rasmussen , Yuanchu Xie , Wei Xu , Barry Song <21cnbao@gmail.com>, Jialing Wang , Yafang Shao , Yu Zhao Subject: [PATCH] mm/mglru: fix cgroup OOM during MGLRU state switching Date: Sun, 1 Mar 2026 00:10:08 +0800 Message-ID: <20260228161008.707-1-lenohou@gmail.com> X-Mailer: git-send-email 2.52.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" When the Multi-Gen LRU (MGLRU) state is toggled dynamically, a race condition exists between the state switching and the memory reclaim path. This can lead to unexpected cgroup OOM kills, even when plenty of reclaimable memory is available. *** Problem Description *** The issue arises from a "reclaim vacuum" during the transition: 1. When disabling MGLRU, lru_gen_change_state() sets lrugen->enabled to false before the pages are drained from MGLRU lists back to traditional LRU lists. 2. Concurrent reclaimers in shrink_lruvec() see lrugen->enabled as false and skip the MGLRU path. 3. However, these pages might not have reached the traditional LRU lists yet, or the changes are not yet visible to all CPUs due to a lack of synchronization. 4. get_scan_count() subsequently finds traditional LRU lists empty, concludes there is no reclaimable memory, and triggers an OOM kill. A similar race can occur during enablement, where the reclaimer sees the new state but the MGLRU lists haven't been populated via fill_evictable() yet. *** Solution *** Introduce a 'draining' state to bridge the gap during transitions: - Use smp_store_release() and smp_load_acquire() to ensure the visibility of 'enabled' and 'draining' flags across CPUs. - Modify shrink_lruvec() to allow a "joint reclaim" period. If an lruvec is in the 'draining' state, the reclaimer will attempt to scan MGLRU lists first, and then fall through to traditional LRU lists instead of returning early. This ensures that folios are visible to at least one reclaim path at any given time. *** Reproduction *** The issue was consistently reproduced on v6.1.157 and v6.18.3 using a high-pressure memory cgroup (v1) environment. Reproduction steps: 1. Create a 16GB memcg and populate it with 10GB file cache (5GB active) and 8GB active anonymous memory. 2. Toggle MGLRU state while performing new memory allocations to force direct reclaim. Reproduction script: --- #!/bin/bash # Fixed reproduction for memcg OOM during MGLRU toggle set -euo pipefail MGLRU_FILE=3D"/sys/kernel/mm/lru_gen/enabled" CGROUP_PATH=3D"/sys/fs/cgroup/memory/memcg_oom_test" # Switch MGLRU dynamically in the background switch_mglru() { local orig_val=3D$(cat "$MGLRU_FILE") if [[ "$orig_val" !=3D "0x0000" ]]; then echo n > "$MGLRU_FILE" & else echo y > "$MGLRU_FILE" & fi } # Setup 16G memcg mkdir -p "$CGROUP_PATH" echo $((16 * 1024 * 1024 * 1024)) > "$CGROUP_PATH/memory.limit_in_bytes" echo $$ > "$CGROUP_PATH/cgroup.procs" # 1. Build memory pressure (File + Anon) dd if=3D/dev/urandom of=3D/tmp/test_file bs=3D1M count=3D10240 dd if=3D/tmp/test_file of=3D/dev/null bs=3D1M # Warm up cache stress-ng --vm 1 --vm-bytes 8G --vm-keep -t 600 & sleep 5 # 2. Trigger switch and concurrent allocation switch_mglru stress-ng --vm 1 --vm-bytes 2G --vm-populate --timeout 5s || echo "OOM Trig= gered" # Check OOM counter grep oom_kill "$CGROUP_PATH/memory.oom_control" --- Signed-off-by: Leno Hou --- To: linux-mm@kvack.org To: linux-kernel@vger.kernel.org Cc: Andrew Morton Cc: Axel Rasmussen Cc: Yuanchu Xie Cc: Wei Xu Cc: Barry Song <21cnbao@gmail.com> Cc: Jialing Wang Cc: Yafang Shao Cc: Yu Zhao --- include/linux/mmzone.h | 2 ++ mm/vmscan.c | 14 +++++++++++--- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h index 7fb7331c5725..0648ce91dbc6 100644 --- a/include/linux/mmzone.h +++ b/include/linux/mmzone.h @@ -509,6 +509,8 @@ struct lru_gen_folio { atomic_long_t refaulted[NR_HIST_GENS][ANON_AND_FILE][MAX_NR_TIERS]; /* whether the multi-gen LRU is enabled */ bool enabled; + /* whether the multi-gen LRU is draining to LRU */ + bool draining; /* the memcg generation this lru_gen_folio belongs to */ u8 gen; /* the list segment this lru_gen_folio belongs to */ diff --git a/mm/vmscan.c b/mm/vmscan.c index 06071995dacc..629a00681163 100644 --- a/mm/vmscan.c +++ b/mm/vmscan.c @@ -5222,7 +5222,8 @@ static void lru_gen_change_state(bool enabled) VM_WARN_ON_ONCE(!seq_is_valid(lruvec)); VM_WARN_ON_ONCE(!state_is_valid(lruvec)); =20 - lruvec->lrugen.enabled =3D enabled; + smp_store_release(&lruvec->lrugen.enabled, enabled); + smp_store_release(&lruvec->lrugen.draining, true); =20 while (!(enabled ? fill_evictable(lruvec) : drain_evictable(lruvec))) { spin_unlock_irq(&lruvec->lru_lock); @@ -5230,6 +5231,8 @@ static void lru_gen_change_state(bool enabled) spin_lock_irq(&lruvec->lru_lock); } =20 + smp_store_release(&lruvec->lrugen.draining, false); + spin_unlock_irq(&lruvec->lru_lock); } =20 @@ -5813,10 +5816,15 @@ static void shrink_lruvec(struct lruvec *lruvec, st= ruct scan_control *sc) unsigned long nr_to_reclaim =3D sc->nr_to_reclaim; bool proportional_reclaim; struct blk_plug plug; + bool lrugen_enabled =3D smp_load_acquire(&lruvec->lrugen.enabled); + bool lru_draining =3D smp_load_acquire(&lruvec->lrugen.draining); =20 - if (lru_gen_enabled() && !root_reclaim(sc)) { + if (lrugen_enabled || lru_draining && !root_reclaim(sc)) { lru_gen_shrink_lruvec(lruvec, sc); - return; + + if (!lru_draining) + return; + } =20 get_scan_count(lruvec, sc, nr); --=20 2.52.0