From patchwork Tue May 18 23:12:58 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Naoya Horiguchi X-Patchwork-Id: 12265761 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.5 required=3.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED,DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FORGED_FROMDOMAIN, FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 03962C433B4 for ; Tue, 18 May 2021 23:13:15 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 9B45B61059 for ; Tue, 18 May 2021 23:13:14 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9B45B61059 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 35D9E8E005E; Tue, 18 May 2021 19:13:14 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 332C58E002F; Tue, 18 May 2021 19:13:14 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 187D28E005E; Tue, 18 May 2021 19:13:14 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0144.hostedemail.com [216.40.44.144]) by kanga.kvack.org (Postfix) with ESMTP id DAC808E002F for ; Tue, 18 May 2021 19:13:13 -0400 (EDT) Received: from smtpin31.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id 70D9D181AF5C6 for ; Tue, 18 May 2021 23:13:13 +0000 (UTC) X-FDA: 78155904666.31.E81782F Received: from mail-pg1-f173.google.com (mail-pg1-f173.google.com [209.85.215.173]) by imf13.hostedemail.com (Postfix) with ESMTP id 68CAEE000101 for ; Tue, 18 May 2021 23:13:12 +0000 (UTC) Received: by mail-pg1-f173.google.com with SMTP id k15so8077673pgb.10 for ; Tue, 18 May 2021 16:13:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=huCBrE9a/oWNLiRVwLfWwsvpIpFCkRlFZQ5wu5G4KFk=; b=ZwuG7+88G0fq+W7g33WE2tS7NoGQ2tAENO0XHJWiui/ToYyj/fKlIdX5YNqk7ykWXz Ukc8MQZY5PjLBOlCL/U7e0+PumD3Gf18+6SNQ33ZZ3BqEmc/GQz95i5A3ekO3uKoQFGt iMdyr+/4gz282q0MqYnBjBB8cKpLwMK7R5Cs3mz3Z2jCQbKXqgpyf9RFBK83luHyVnwL 3QL5lFKe1do4YvbilBeA/J7aOp/nSTAI73xj1icWlLTJXdt5KqWSwbykE/UkPEHh+e5P 1ZzKdV0OMPG4LQGHDRiwLnHDMTV3T/JMOclsYkHmzzIYaOMM7geeH0jDQR16MBD2UV/W B04g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=huCBrE9a/oWNLiRVwLfWwsvpIpFCkRlFZQ5wu5G4KFk=; b=s2Dv9V29SsB3syCyMq9ImOQdgpdHl4fpx+Cxy/7y9xqUC96NlzaLB4IiTmwEjb0pW+ tEJ8dIW99Ry/hP05NQHp/gqu/jQMcwXD4NdzdsGk62bf6sq2Jovl7zCFSpkrUUkgOHZ7 oYzUy2J1vxaBebjjMcctD4Lxq4IllPr6MhN/sYkwxLEhN20+0w3yfdcOiXwceVtNy82v GpDFMvxe5vpnpwZwzoLbBZs4ma6U+lqgy1OZIJ1Jlt3jtT+9tMm/6G26ANkEvAOhGUzn VBLaWOdye9Dd78hjDXP4vZtI/qxjDQU0GzJh7KXKWJGD2oJ4qG5Nfx3xs38kBJPxrxg7 Bu/g== X-Gm-Message-State: AOAM533jrGjnMbozTg8Vgl/IyTVLYYgeq7GBH5hvBjrc4tORvr240axq IJqvESsf5y6QkbpSQ4EZng== X-Google-Smtp-Source: ABdhPJxMenOrrbrJAPDR1sdVGWDgPgURf6Eg/1zu39tJ0kgEUHLXl3RjlKbYCl5SE6zSDU7DcEsYhQ== X-Received: by 2002:a63:5d19:: with SMTP id r25mr7395719pgb.317.1621379592309; Tue, 18 May 2021 16:13:12 -0700 (PDT) Received: from localhost.localdomain (h175-177-040-153.catv02.itscom.jp. [175.177.40.153]) by smtp.gmail.com with ESMTPSA id f14sm14437473pjq.50.2021.05.18.16.13.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 18 May 2021 16:13:12 -0700 (PDT) From: Naoya Horiguchi To: Oscar Salvador , Muchun Song , linux-mm@kvack.org Cc: Andrew Morton , Mike Kravetz , Michal Hocko , Tony Luck , Naoya Horiguchi , linux-kernel@vger.kernel.org Subject: [PATCH v5 1/2] mm,hwpoison: fix race with hugetlb page allocation Date: Wed, 19 May 2021 08:12:58 +0900 Message-Id: <20210518231259.2553203-2-nao.horiguchi@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210518231259.2553203-1-nao.horiguchi@gmail.com> References: <20210518231259.2553203-1-nao.horiguchi@gmail.com> MIME-Version: 1.0 Authentication-Results: imf13.hostedemail.com; dkim=pass header.d=gmail.com header.s=20161025 header.b=ZwuG7+88; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (imf13.hostedemail.com: domain of naohoriguchi@gmail.com designates 209.85.215.173 as permitted sender) smtp.mailfrom=naohoriguchi@gmail.com X-Rspamd-Server: rspam05 X-Rspamd-Queue-Id: 68CAEE000101 X-Stat-Signature: 6f9kw8d89exbgfwhbh6p519hnrkemyh7 X-HE-Tag: 1621379592-474954 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: From: Naoya Horiguchi When hugetlb page fault (under overcommitting situation) and memory_failure() race, VM_BUG_ON_PAGE() is triggered by the following race: CPU0: CPU1: gather_surplus_pages() page = alloc_surplus_huge_page() memory_failure_hugetlb() get_hwpoison_page(page) __get_hwpoison_page(page) get_page_unless_zero(page) zero = put_page_testzero(page) VM_BUG_ON_PAGE(!zero, page) enqueue_huge_page(h, page) put_page(page) __get_hwpoison_page() only checks the page refcount before taking an additional one for memory error handling, which is wrong because there's a time window where compound pages have non-zero refcount during initialization. So make __get_hwpoison_page() check page status a bit more for hugetlb pages. Fixes: ead07f6a867b ("mm/memory-failure: introduce get_hwpoison_page() for consistent refcount handling") Signed-off-by: Naoya Horiguchi Reported-by: Muchun Song Cc: stable@vger.kernel.org # 5.12+ Signed-off-by: Naoya Horiguchi Reported-by: Muchun Song --- include/linux/hugetlb.h | 6 ++++++ mm/hugetlb.c | 15 +++++++++++++++ mm/memory-failure.c | 8 +++++++- 3 files changed, 28 insertions(+), 1 deletion(-) diff --git v5.13-rc2/include/linux/hugetlb.h v5.13-rc2_patched/include/linux/hugetlb.h index b92f25ccef58..790ae618548d 100644 --- v5.13-rc2/include/linux/hugetlb.h +++ v5.13-rc2_patched/include/linux/hugetlb.h @@ -149,6 +149,7 @@ bool hugetlb_reserve_pages(struct inode *inode, long from, long to, long hugetlb_unreserve_pages(struct inode *inode, long start, long end, long freed); bool isolate_huge_page(struct page *page, struct list_head *list); +int get_hwpoison_huge_page(struct page *page, bool *hugetlb); void putback_active_hugepage(struct page *page); void move_hugetlb_state(struct page *oldpage, struct page *newpage, int reason); void free_huge_page(struct page *page); @@ -339,6 +340,11 @@ static inline bool isolate_huge_page(struct page *page, struct list_head *list) return false; } +static inline int get_hwpoison_huge_page(struct page *page, bool *hugetlb) +{ + return 0; +} + static inline void putback_active_hugepage(struct page *page) { } diff --git v5.13-rc2/mm/hugetlb.c v5.13-rc2_patched/mm/hugetlb.c index 95918f410c0f..f138bae3e302 100644 --- v5.13-rc2/mm/hugetlb.c +++ v5.13-rc2_patched/mm/hugetlb.c @@ -5847,6 +5847,21 @@ bool isolate_huge_page(struct page *page, struct list_head *list) return ret; } +int get_hwpoison_huge_page(struct page *page, bool *hugetlb) +{ + int ret = 0; + + *hugetlb = false; + spin_lock_irq(&hugetlb_lock); + if (PageHeadHuge(page)) { + *hugetlb = true; + if (HPageFreed(page) || HPageMigratable(page)) + ret = get_page_unless_zero(page); + } + spin_unlock_irq(&hugetlb_lock); + return ret; +} + void putback_active_hugepage(struct page *page) { spin_lock_irq(&hugetlb_lock); diff --git v5.13-rc2/mm/memory-failure.c v5.13-rc2_patched/mm/memory-failure.c index 85ad98c00fd9..353c6177e489 100644 --- v5.13-rc2/mm/memory-failure.c +++ v5.13-rc2_patched/mm/memory-failure.c @@ -959,8 +959,14 @@ static int page_action(struct page_state *ps, struct page *p, static int __get_hwpoison_page(struct page *page) { struct page *head = compound_head(page); + int ret = 0; + bool hugetlb = false; + + ret = get_hwpoison_huge_page(head, &hugetlb); + if (hugetlb) + return ret; - if (!PageHuge(head) && PageTransHuge(head)) { + if (PageTransHuge(head)) { /* * Non anonymous thp exists only in allocation/free time. We * can't handle such a case correctly, so let's give it up.