mem_cg related splat on top of current export branch #597
Description
Pre-requisites
- A similar issue has not been reported before.
- mptcp.dev website does not cover my case.
- An up-to-date kernel is being used.
- This case is not fixed with the latest stable (or LTS) version listed on kernel.org
What did you do?
Performing a iperf3 transfer using mptcpize and an additional subflow over 2 different high-speed links,
What happened?
I consistently observe the following splat:
[ 154.428832] ------------[ cut here ]------------
[ 154.433457] page_counter underflow: -55 nr_pages=66
[ 154.438379] WARNING: CPU: 3 PID: 3239 at mm/page_counter.c:60 page_counter_uncharge+0x7e/0x90
[ 154.446920] Modules linked in: qrtr(E) rfkill(E) sunrpc(E) amd_atl(E) intel_rapl_msr(E) intel_rapl_common(E) amd64_edac(E) edac_mce_amd(E) ipmi_ssif(E) kvm_amd(E) mlx5_ib(E) kvm(E) ib_uverbs(E) irqbypass(E) macsec(E) platform_profile(E) i2c_piix4(E) dell_smbios(E) dcdbas(E) rapl(E) wmi_bmof(E) dell_wmi_descriptor(E) ib_core(E) ptdma(E) i2c_smbus(E) pcspkr(E) k10temp(E) acpi_power_meter(E) ipmi_si(E) acpi_ipmi(E) ipmi_devintf(E) ipmi_msghandler(E) xfs(E) sd_mod(E) sg(E) ahci(E) libahci(E) mlx5_core(E) mgag200(E) i40e(E) mlxfw(E) libata(E) tg3(E) ghash_clmulni_intel(E) i2c_algo_bit(E) libie(E) libie_adminq(E) tls(E) ccp(E) psample(E) sp5100_tco(E) megaraid_sas(E) wmi(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E) fuse(E)
[ 154.446967] Unloaded tainted modules: nfnetlink(E):2 nf_tables(E):2 dell_pc(E):1 fjes(E):2 [last unloaded: nfnetlink(E)]
[ 154.522035] CPU: 3 UID: 0 PID: 3239 Comm: iperf3 Kdump: loaded Tainted: G E 6.18.0-rc4.backlog_9b02b94c71e7+ #159 PREEMPT(voluntary)
[ 154.535506] Tainted: [E]=UNSIGNED_MODULE
[ 154.539439] Hardware name: Dell Inc. PowerEdge R7525/0YHMCJ, BIOS 2.2.5 04/08/2021
[ 154.547016] RIP: 0010:page_counter_uncharge+0x7e/0x90
[ 154.552077] Code: 75 d6 5b 5d 41 5c c3 cc cc cc cc 80 3d 79 74 ee 01 00 75 18 48 89 ea 48 c7 c7 20 fe 04 af c6 05 66 74 ee 01 01 e8 42 42 c5 ff <0f> 0b 48 c7 03 00 00 00 00 31 f6 eb ae 0f 1f 44 00 00 90 90 90 90
[ 154.570849] RSP: 0018:ffffd1de244bb990 EFLAGS: 00010282
[ 154.576083] RAX: 0000000000000000 RBX: ffff8b290bc889c0 RCX: 0000000000000000
[ 154.583224] RDX: ffff8b383ecea5c0 RSI: 0000000000000001 RDI: ffff8b383ecdc280
[ 154.590366] RBP: 0000000000000042 R08: 0000000000000000 R09: ffffd1de244bb838
[ 154.597507] R10: ffffd1de244bb830 R11: ffffffffafbe4868 R12: ffffffffffffffbe
[ 154.604646] R13: 0000000000000016 R14: 0000000000007898 R15: ffff8b29080b9500
[ 154.611789] FS: 00007fc0bf20bb80(0000) GS:ffff8b388e55b000(0000) knlGS:0000000000000000
[ 154.619884] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 154.625637] CR2: 00007fc0befff000 CR3: 0000000180467000 CR4: 0000000000350ef0
[ 154.632780] Call Trace:
[ 154.635238] <TASK>
[ 154.637347] memcg_uncharge+0x1b/0x40
[ 154.641023] drain_stock+0x45/0x90
[ 154.644438] refill_stock+0x11f/0x170
[ 154.648107] __sk_mem_reduce_allocated+0x89/0xd0
[ 154.652739] __mptcp_recvmsg_mskq+0x25c/0x2a0
[ 154.657108] mptcp_recvmsg+0xe2/0x430
[ 154.660782] ? selinux_socket_recvmsg+0x9c/0xc0
[ 154.665325] ? avc_has_extended_perms+0x3c2/0x440
[ 154.670037] inet6_recvmsg+0x11e/0x130
[ 154.673798] ? security_socket_recvmsg+0x54/0x110
[ 154.678512] sock_recvmsg+0x58/0xd0
[ 154.682013] sock_read_iter+0x92/0x100
[ 154.685775] vfs_read+0x30b/0x340
[ 154.689102] ksys_read+0xb8/0xe0
[ 154.692369] ? syscall_trace_enter+0xfa/0x1a0
[ 154.696740] do_syscall_64+0x7f/0x800
[ 154.700415] ? syscall_exit_work+0x108/0x140
[ 154.704696] ? do_syscall_64+0xb1/0x800
[ 154.708544] ? do_pselect.constprop.0+0xdd/0x170
[ 154.713170] ? syscall_exit_work+0x108/0x140
[ 154.717457] ? do_syscall_64+0xb1/0x800
[ 154.721297] ? vfs_read+0x30b/0x340
[ 154.724793] ? syscall_exit_work+0x108/0x140
[ 154.729071] ? do_syscall_64+0xb1/0x800
[ 154.732911] ? do_syscall_64+0xb1/0x800
[ 154.736750] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 154.741807] RIP: 0033:0x7fc0bf0fe2d2
[ 154.745393] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 0a 15 0c 00 e8 65 e1 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
[ 154.764157] RSP: 002b:00007fff5b24f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 154.771737] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fc0bf0fe2d2
[ 154.778875] RDX: 0000000000020000 RSI: 00007fc0befe0000 RDI: 0000000000000005
[ 154.786015] RBP: 00007fc0befe0000 R08: 0000000000000000 R09: 0000000000000000
[ 154.793150] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff5b24f400
[ 154.800289] R13: 00007fff5b24f3e8 R14: 0000000000020000 R15: 0000563638c912a0
[ 154.807436] </TASK>
[ 154.809629] ---[ end trace 0000000000000000 ]---
my wild guess is that the server-side does not initialize consistently the mem_cg for subflows and msk
What did you expect to have?
no splat
System info: Client
# ip mptcp endpoint
192.168.255.1 id 1 subflow dev ens2f0np0
192.168.254.1 id 2 subflow dev ens2f1np1
# uname -a
Linux wsfd-advnetlab67.anl.eng.rdu2.dc.redhat.com 6.18.0-rc4.backlog_9b02b94c71e7+ #159 SMP PREEMPT_DYNAMIC Fri Nov 7 09:42:43 EST 2025 x86_64 x86_64 x86_64 GNU/Linux
# ip mptcp limits
add_addr_accepted 0 subflows 2System info: Server
# ip mptcp endpoint
# no endpoints
# uname -a
Linux wsfd-advnetlab67.anl.eng.rdu2.dc.redhat.com 6.18.0-rc4.backlog_9b02b94c71e7+ #159 SMP PREEMPT_DYNAMIC Fri Nov 7 09:42:43 EST 2025 x86_64 x86_64 x86_64 GNU/Linux
# ip mptcp limits
add_addr_accepted 0 subflows 2Additional context
No response