From patchwork Sat Dec 14 10:44:01 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Liu Shixin <liushixin2@huawei.com>
X-Patchwork-Id: 13908451
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 8AD20E7716A
	for <linux-mm@archiver.kernel.org>; Sat, 14 Dec 2024 10:47:50 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 943246B008A; Sat, 14 Dec 2024 05:47:49 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 8CB366B008C; Sat, 14 Dec 2024 05:47:49 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 744F76B0092; Sat, 14 Dec 2024 05:47:49 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com
 [216.40.44.17])
	by kanga.kvack.org (Postfix) with ESMTP id 51F266B008A
	for <linux-mm@kvack.org>; Sat, 14 Dec 2024 05:47:49 -0500 (EST)
Received: from smtpin18.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay08.hostedemail.com (Postfix) with ESMTP id DBA10141EC0
	for <linux-mm@kvack.org>; Sat, 14 Dec 2024 10:47:48 +0000 (UTC)
X-FDA: 82893238470.18.A41A51F
Received: from szxga04-in.huawei.com (szxga04-in.huawei.com [45.249.212.190])
	by imf29.hostedemail.com (Postfix) with ESMTP id 4983D120014
	for <linux-mm@kvack.org>; Sat, 14 Dec 2024 10:47:07 +0000 (UTC)
Authentication-Results: imf29.hostedemail.com;
	dkim=none;
	dmarc=pass (policy=quarantine) header.from=huawei.com;
	spf=pass (imf29.hostedemail.com: domain of liushixin2@huawei.com designates
 45.249.212.190 as permitted sender) smtp.mailfrom=liushixin2@huawei.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1734173241; a=rsa-sha256;
	cv=none;
	b=sGVoQvqfbZ5N3A0g/Wv0KLmr5tKTg/4qGDwdjlXfrG6b2c9pCK654SnI8o1rDErjuKUb69
	LxiJetss47ZuSCGbWAsCU28pBv4uVs+4A+8RXJNNRqH1QcQVlrWPPA8bXzaygF7Bn9dUn1
	c81N+fcwTBw0s5684Dju0Uv02GZTZP8=
ARC-Authentication-Results: i=1;
	imf29.hostedemail.com;
	dkim=none;
	dmarc=pass (policy=quarantine) header.from=huawei.com;
	spf=pass (imf29.hostedemail.com: domain of liushixin2@huawei.com designates
 45.249.212.190 as permitted sender) smtp.mailfrom=liushixin2@huawei.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1734173241;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:in-reply-to:
	 references; bh=UfB1f1IcA9XgW4L+jbZtoEj2oewrsWitnG5pARwCNKI=;
	b=Yhn1Kw5z6zXkMy0BDhJaPv08ZmXWuPkqH+YhyG6Pwk5Z4HBrSWCDtAPb/pCK3tchNqwimK
	H7P5Fg3yzhz15149ffnZCrtsvPcjDBlhebgkrsPcONrBmGsKyJGo/KcQstgX1o03JcEKpW
	Nz/fhIvILYgRRgwrTpJZ8QAuBXbf4z0=
Received: from mail.maildlp.com (unknown [172.19.88.163])
	by szxga04-in.huawei.com (SkyGuard) with ESMTP id 4Y9NBs59rYz2DhRj;
	Sat, 14 Dec 2024 18:45:09 +0800 (CST)
Received: from kwepemg200013.china.huawei.com (unknown [7.202.181.64])
	by mail.maildlp.com (Postfix) with ESMTPS id 57907180044;
	Sat, 14 Dec 2024 18:47:39 +0800 (CST)
Received: from huawei.com (10.175.113.32) by kwepemg200013.china.huawei.com
 (7.202.181.64) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Sat, 14 Dec
 2024 18:47:38 +0800
From: Liu Shixin <liushixin2@huawei.com>
To: Andrew Morton <akpm@linux-foundation.org>, Muchun Song
	<muchun.song@linux.dev>, Kenneth W Chen <kenneth.w.chen@intel.com>, Kefeng
 Wang <wangkefeng.wang@huawei.com>, Nanyong Sun <sunnanyong@huawei.com>
CC: <linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>, Liu Shixin
	<liushixin2@huawei.com>
Subject: [PATCH] mm: hugetlb: independent PMD page table shared count
Date: Sat, 14 Dec 2024 18:44:01 +0800
Message-ID: <20241214104401.1052550-1-liushixin2@huawei.com>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
X-Originating-IP: [10.175.113.32]
X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To
 kwepemg200013.china.huawei.com (7.202.181.64)
X-Rspamd-Server: rspam04
X-Rspamd-Queue-Id: 4983D120014
X-Stat-Signature: p7yy9h7hpm85aj6sn4ia59obw3fmozjx
X-Rspam-User: 
X-HE-Tag: 1734173227-103823
X-HE-Meta: 
 U2FsdGVkX1/c46uubUTiOptHSj0jgYnKgRTyPINR0X3YZDEIGNTlSM+Odr/5yoIXer6Y1whi4NsQIsBmkI73FtvYXUjzxUeM1XOBz/ShpPJLJyvoo+nVlcGUmlvUeQidw2nyONgpLTtB8E1NRjl47iCSXs8WukFnADnQOrR7JrnFh+Mibt2gZbBVw6zmswebU5z17XnyO3rENhYkgkacm6m9DlokAv9f8A3erN+fiNLsl9fqOc8eeh1gIwxt8hXwb8xNXCYlqnmsyAbm4TQEJ2FX8gi3wu4fUupUxpS07s4MnR5NJa8UlL/mfPpxmbC4niMEvOi5Aki59eG9DOQL6BD1SuBP+WVsaOa+pmzQkjvrqjfcoZxRJCZ+ip/9yZXCJpst7xUmhDUls7/uCT0rmr0iZ/ZINvmqS0mjeC/qFlE+uxFg4GCoCvGOkZCXg5vOjDAmeax2J50syNPjDPiGHW2tvYJT39nCiKKoWNE12c7+JUpovbRdNFZV6XFKLDZjvXuR/fUb6eLbkylXf12Id+EoflmE08EAoP6+prm0N2n+bthBiEMdr1olAVlYJoVo3qoYy1DtzpMPDKX5HzCVJjAxIrXC1n9XsDm7QdHVfvDl51NENEWJdoridygb9MYoZIlG38oPy0AHuK3Z7FV5e1BKs0qNChD8KX4KMzBsumWlVC1h4PdI/lKc/xUWPXb9yUIZACXup7ntn7QEuOARUlgoPYnJAZcxGeotAk3g1k3gDvL9B6vkdJeU26f84NO7M/6J6wcOmJH7j/GZ19R9FRVXPfkb4GvkT0opClhNI8KrYzd+odJnd7GRMBOgMJ1MHg+rg1KOeuPhjZcGAhq3908BJPqSW4C+JZssqKnMj8AC8DIBPEG8USX30yuLbdtHVzaBDVN7KKy4VULgAMcfJCdAU/qumRI8TpV0EIczrfUVOf9vrTA/ejv4uMGqhu8AjhioMY+IEKXtjh6/Wr8
 SVslB7ug
 y8/IfRoSsE7YIHPzKuy538bZXrElVdBoSH6JKHqVvdQRf7Nvy/yTvZLpi9zma5nDdA4RDJIYweDb3ix+/sfBiTOwQZD9qZIUdVGXiEsq4QV9LnMWQmLVRnewqF1mtsD1jGPqIoqlZmWwpXKAGHZmpemhApYCZpIlRAn9rNXIrQ7tLi6JGxT7qkUk6MQ==
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

The folio refcount may be increased unexpectly through try_get_folio() by
caller such as split_huge_pages. In huge_pmd_unshare(), we use refcount to
check whether a pmd page table is shared. The check is incorrect if the
refcount is increased by the above caller, and this can cause the page
table leaked:

 BUG: Bad page state in process sh  pfn:109324
 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324
 flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff)
 page_type: f2(table)
 raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000
 raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000
 page dumped because: nonzero mapcount
 ...
 CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G    B              6.13.0-rc2master+ #7
 Tainted: [B]=BAD_PAGE
 Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
 Call trace:
  show_stack+0x20/0x38 (C)
  dump_stack_lvl+0x80/0xf8
  dump_stack+0x18/0x28
  bad_page+0x8c/0x130
  free_page_is_bad_report+0xa4/0xb0
  free_unref_page+0x3cc/0x620
  __folio_put+0xf4/0x158
  split_huge_pages_all+0x1e0/0x3e8
  split_huge_pages_write+0x25c/0x2d8
  full_proxy_write+0x64/0xd8
  vfs_write+0xcc/0x280
  ksys_write+0x70/0x110
  __arm64_sys_write+0x24/0x38
  invoke_syscall+0x50/0x120
  el0_svc_common.constprop.0+0xc8/0xf0
  do_el0_svc+0x24/0x38
  el0_svc+0x34/0x128
  el0t_64_sync_handler+0xc8/0xd0
  el0t_64_sync+0x190/0x198

The issue may be triggered by damon, offline_page, page_idle etc. which
will increase the refcount of page table.

Fix it by introducing independent PMD page table shared count.

Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page")
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
---
 include/linux/mm.h       |  1 +
 include/linux/mm_types.h | 28 ++++++++++++++++++++++++++++
 mm/hugetlb.c             | 16 +++++++---------
 3 files changed, 36 insertions(+), 9 deletions(-)

diff --git a/include/linux/mm.h b/include/linux/mm.h
index c39c4945946c..50fbf2a1b0ad 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -3115,6 +3115,7 @@ static inline bool pagetable_pmd_ctor(struct ptdesc *ptdesc)
 	if (!pmd_ptlock_init(ptdesc))
 		return false;
 	__folio_set_pgtable(folio);
+	ptdesc_pmd_pts_init(ptdesc);
 	lruvec_stat_add_folio(folio, NR_PAGETABLE);
 	return true;
 }
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index 7361a8f3ab68..740b765ac91e 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -445,6 +445,7 @@ FOLIO_MATCH(compound_head, _head_2a);
  * @pt_index:         Used for s390 gmap.
  * @pt_mm:            Used for x86 pgds.
  * @pt_frag_refcount: For fragmented page table tracking. Powerpc only.
+ * @pt_share_count:   Used for HugeTLB PMD page table share count.
  * @_pt_pad_2:        Padding to ensure proper alignment.
  * @ptl:              Lock for the page table.
  * @__page_type:      Same as page->page_type. Unused for page tables.
@@ -471,6 +472,9 @@ struct ptdesc {
 		pgoff_t pt_index;
 		struct mm_struct *pt_mm;
 		atomic_t pt_frag_refcount;
+#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING
+		atomic_t pt_share_count;
+#endif
 	};
 
 	union {
@@ -516,6 +520,30 @@ static_assert(sizeof(struct ptdesc) <= sizeof(struct page));
 	const struct page *:		(const struct ptdesc *)(p),	\
 	struct page *:			(struct ptdesc *)(p)))
 
+#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING
+static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc)
+{
+	atomic_set(&ptdesc->pt_share_count, 0);
+}
+
+static inline void ptdesc_pmd_pts_inc(struct ptdesc *ptdesc)
+{
+	atomic_inc(&ptdesc->pt_share_count);
+}
+
+static inline void ptdesc_pmd_pts_dec(struct ptdesc *ptdesc)
+{
+	atomic_dec(&ptdesc->pt_share_count);
+}
+
+static inline int ptdesc_pmd_pts_count(struct ptdesc *ptdesc)
+{
+	return atomic_read(&ptdesc->pt_share_count);
+}
+#else
+#define ptdesc_pmd_pts_init NULL
+#endif
+
 /*
  * Used for sizing the vmemmap region on some architectures
  */
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index ea2ed8e301ef..60846b060b87 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -7212,7 +7212,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
 			spte = hugetlb_walk(svma, saddr,
 					    vma_mmu_pagesize(svma));
 			if (spte) {
-				get_page(virt_to_page(spte));
+				ptdesc_pmd_pts_inc(virt_to_ptdesc(spte));
 				break;
 			}
 		}
@@ -7227,7 +7227,7 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
 				(pmd_t *)((unsigned long)spte & PAGE_MASK));
 		mm_inc_nr_pmds(mm);
 	} else {
-		put_page(virt_to_page(spte));
+		ptdesc_pmd_pts_dec(virt_to_ptdesc(spte));
 	}
 	spin_unlock(&mm->page_table_lock);
 out:
@@ -7239,10 +7239,6 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
 /*
  * unmap huge page backed by shared pte.
  *
- * Hugetlb pte page is ref counted at the time of mapping.  If pte is shared
- * indicated by page_count > 1, unmap is achieved by clearing pud and
- * decrementing the ref count. If count == 1, the pte page is not shared.
- *
  * Called with page table lock held.
  *
  * returns: 1 successfully unmapped a shared pte page
@@ -7251,18 +7247,20 @@ pte_t *huge_pmd_share(struct mm_struct *mm, struct vm_area_struct *vma,
 int huge_pmd_unshare(struct mm_struct *mm, struct vm_area_struct *vma,
 					unsigned long addr, pte_t *ptep)
 {
+	unsigned long sz = huge_page_size(hstate_vma(vma));
 	pgd_t *pgd = pgd_offset(mm, addr);
 	p4d_t *p4d = p4d_offset(pgd, addr);
 	pud_t *pud = pud_offset(p4d, addr);
 
 	i_mmap_assert_write_locked(vma->vm_file->f_mapping);
 	hugetlb_vma_assert_locked(vma);
-	BUG_ON(page_count(virt_to_page(ptep)) == 0);
-	if (page_count(virt_to_page(ptep)) == 1)
+	if (sz != PMD_SIZE)
+		return 0;
+	if (!ptdesc_pmd_pts_count(virt_to_ptdesc(ptep)))
 		return 0;
 
 	pud_clear(pud);
-	put_page(virt_to_page(ptep));
+	ptdesc_pmd_pts_dec(virt_to_ptdesc(ptep));
 	mm_dec_nr_pmds(mm);
 	return 1;
 }