From patchwork Mon Mar 24 13:17:50 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jinjiang Tu <tujinjiang@huawei.com>
X-Patchwork-Id: 14027319
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 9D08FC36005
	for <linux-mm@archiver.kernel.org>; Mon, 24 Mar 2025 13:27:42 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id ABA6C280002; Mon, 24 Mar 2025 09:27:39 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id A4002280001; Mon, 24 Mar 2025 09:27:39 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 8E294280002; Mon, 24 Mar 2025 09:27:39 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com
 [216.40.44.14])
	by kanga.kvack.org (Postfix) with ESMTP id 6C760280001
	for <linux-mm@kvack.org>; Mon, 24 Mar 2025 09:27:39 -0400 (EDT)
Received: from smtpin26.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay04.hostedemail.com (Postfix) with ESMTP id E43AE1A0515
	for <linux-mm@kvack.org>; Mon, 24 Mar 2025 13:27:40 +0000 (UTC)
X-FDA: 83256521880.26.CABCF40
Received: from szxga06-in.huawei.com (szxga06-in.huawei.com [45.249.212.32])
	by imf07.hostedemail.com (Postfix) with ESMTP id 69FE340008
	for <linux-mm@kvack.org>; Mon, 24 Mar 2025 13:27:38 +0000 (UTC)
Authentication-Results: imf07.hostedemail.com;
	dkim=none;
	dmarc=pass (policy=quarantine) header.from=huawei.com;
	spf=pass (imf07.hostedemail.com: domain of tujinjiang@huawei.com designates
 45.249.212.32 as permitted sender) smtp.mailfrom=tujinjiang@huawei.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1742822859; a=rsa-sha256;
	cv=none;
	b=DNVxrvcrjs98JhCGGP+1pgp9mvXoqKG479Tln6NNwqQwBMmKMZtOsBqlYShHUNA7alCqDD
	nQOcov181GwVkdsZVLfs2lfArlBaszZPp/aHG5YmR4xhTx4ULSo5888M+dXr0zqOND6ByI
	d2DVt2PN9TXBu4w+BRpOUWkQi5fDboo=
ARC-Authentication-Results: i=1;
	imf07.hostedemail.com;
	dkim=none;
	dmarc=pass (policy=quarantine) header.from=huawei.com;
	spf=pass (imf07.hostedemail.com: domain of tujinjiang@huawei.com designates
 45.249.212.32 as permitted sender) smtp.mailfrom=tujinjiang@huawei.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1742822859;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:in-reply-to:
	 references; bh=Tzc5w5OtPBsdWGtxdA5XJ3sEBXAWklpl5P2ONl1vCNE=;
	b=5O1m3kWXrDcM9Ogduf1lbEnp8bbGzG94ZsicoHyHOxtf4BQSCwSihsRM96HNXDyGBWkKIg
	oZV05FEQ4WnHrVRcmA4re5cLtLPpJhZF+ivou2d1Fj+1+rf9WRwHViAPZ2eEzXkME7+Ehj
	7sE0MKh8lGKJD3wdzLVq3LrA/ACQWlw=
Received: from mail.maildlp.com (unknown [172.19.88.214])
	by szxga06-in.huawei.com (SkyGuard) with ESMTP id 4ZLv4q1JDXz27hG3;
	Mon, 24 Mar 2025 21:28:11 +0800 (CST)
Received: from kwepemo200002.china.huawei.com (unknown [7.202.195.209])
	by mail.maildlp.com (Postfix) with ESMTPS id C7E041A016C;
	Mon, 24 Mar 2025 21:27:33 +0800 (CST)
Received: from huawei.com (10.175.124.71) by kwepemo200002.china.huawei.com
 (7.202.195.209) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Mon, 24 Mar
 2025 21:27:32 +0800
From: Jinjiang Tu <tujinjiang@huawei.com>
To: <david@redhat.com>, <osalvador@suse.de>, <akpm@linux-foundation.org>,
	<nao.horiguchi@gmail.com>, <zi.yan@cs.rutgers.edu>
CC: <linux-mm@kvack.org>, <wangkefeng.wang@huawei.com>,
	<sunnanyong@huawei.com>, <tujinjiang@huawei.com>
Subject: [PATCH] mm/memory_hotplug: fix call folio_test_large with tail page
 in do_migrate_range
Date: Mon, 24 Mar 2025 21:17:50 +0800
Message-ID: <20250324131750.1551884-1-tujinjiang@huawei.com>
X-Mailer: git-send-email 2.43.0
MIME-Version: 1.0
X-Originating-IP: [10.175.124.71]
X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To
 kwepemo200002.china.huawei.com (7.202.195.209)
X-Rspamd-Queue-Id: 69FE340008
X-Stat-Signature: abr53p7c17es9cmuqzk9nx6xs6j1bi6s
X-Rspam-User: 
X-Rspamd-Server: rspam06
X-HE-Tag: 1742822858-896859
X-HE-Meta: 
 U2FsdGVkX1/A8pMSzv5G9u9WIBVcHHXclKsbJQClcwc5Y30sf8SYar2KVTfRf50ZDHQFLRu7joKS5lN911EYpzfByulg+2wIat/h4LKcV7S0CE7x+nB2/u7RHeUnbd8p3pVL58Z3fhzPIkL4wzyrUqohc8FoeznKZnrOegFiUIugEt2LzukiOo2g8V5Bj5XEwiut/eGI555IAZ0aYHXdvHQJyv4iw2RGHPXcbLacV+q+lYRS3AQ1rfvnRhRTn/Avv8sCVfmCaZF5HJT6AcRQ/QVrw3KAiqeB0aQscV6eDMEOuBhbec9RiW/v4OkIlsweUmjAYX2BpOOLOI9G1ixdgDOA5cxPKF8wbNfRLdzPZErRhJkBweUdEEFS5soZNMGWyKrbGqwddpG3i+8Isl9mupuDB7Bvuw8IXRc91BaKCvR/QQjvVvnOaQFczbwWxci4wuw4CQvj+mrmKmXywpL3S10fuWiE5qJnUu+N5RLMQSvvdclpuVAw/H/jgxMZT4SQTnexEADKn/ozm/k1YSE1Rfc1VWfkxFyefLopxQ9CGqKkINDrcmlHpLn2+u/cEecflI8a+ZmimQqOA/WA4kzDviU42L7VpByU5xxKSLLBKVnwPkPDA/kfGFAarA3sVMsyqgb+PNrN78ONkOMy7CEfL7ylaeew5KM/kmiJuowlO9PKSQoxKYIiTS8ZFMv6fBh5mqMMfRtHIr9Qpmp0nVZucYFHG7vrRXLpq3IS6+D9TzV8I5xc42LQRPluv2DPMAW6tZasH1fuYCW+S0n6WA3mGimLfhZvudhazh94zeu9JEWaMXJ0hNl2JfEQwsnvnKr+ENUvraCK16OoTnYhLwFtkFQj+yNGpR8G4FifCodJPCwhMuas95EZ3OOSaIcHGii6MH/u2K8sWV8gb4iQzRtaw8ZtlPsepGh5QlbDiQ2yZdskqzQs6O+5np9sUlxqxNhZfG8Lx2Z2s1Y=
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

We triggered the below BUG:

 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x240402
 head: order:9 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
 flags: 0x1ffffe0000000040(head|node=1|zone=3|lastcpupid=0x1ffff)
 page_type: f4(hugetlb)
 page dumped because: VM_BUG_ON_PAGE(page->compound_head & 1)
 ------------[ cut here ]------------
 kernel BUG at ./include/linux/page-flags.h:310!
 Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
 Modules linked in:
 CPU: 7 UID: 0 PID: 166 Comm: sh Not tainted 6.14.0-rc7-dirty #374
 Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
 pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : const_folio_flags+0x3c/0x58
 lr : const_folio_flags+0x3c/0x58
 Call trace:
  const_folio_flags+0x3c/0x58 (P)
  do_migrate_range+0x164/0x720
  offline_pages+0x63c/0x6fc
  memory_subsys_offline+0x190/0x1f4
  device_offline+0xc0/0x13c
  state_store+0x90/0xd8
  dev_attr_store+0x18/0x2c
  sysfs_kf_write+0x44/0x54
  kernfs_fop_write_iter+0x120/0x1cc
  vfs_write+0x240/0x378
  ksys_write+0x70/0x108
  __arm64_sys_write+0x1c/0x28
  invoke_syscall+0x48/0x10c
  el0_svc_common.constprop.0+0x40/0xe0

When allocating a hugetlb folio, between the folio is taken from buddy
and prep_compound_page() is called, start_isolate_page_range() and
do_migrate_range() is called. When do_migrate_range() scans the head page
of the hugetlb folio, the compound_head field isn't set, so scans the
tail page next. And at this time, the compound_head field of tail page is
set, folio_test_large() is called by tail page, thus triggers VM_BUG_ON().

To fix it, get folio refcount before calling folio_test_large().

Fixes: 8135d8926c08 ("mm: memory_hotplug: memory hotremove supports thp migration")
Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Oscar Salvador <osalvador@suse.de>
---
 mm/memory_hotplug.c | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
index 16cf9e17077e..f600c26ce5de 100644
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -1813,21 +1813,15 @@ static void do_migrate_range(unsigned long start_pfn, unsigned long end_pfn)
 		page = pfn_to_page(pfn);
 		folio = page_folio(page);
 
-		/*
-		 * No reference or lock is held on the folio, so it might
-		 * be modified concurrently (e.g. split).  As such,
-		 * folio_nr_pages() may read garbage.  This is fine as the outer
-		 * loop will revisit the split folio later.
-		 */
-		if (folio_test_large(folio))
-			pfn = folio_pfn(folio) + folio_nr_pages(folio) - 1;
-
 		if (!folio_try_get(folio))
 			continue;
 
 		if (unlikely(page_folio(page) != folio))
 			goto put_folio;
 
+		if (folio_test_large(folio))
+			pfn = folio_pfn(folio) + folio_nr_pages(folio) - 1;
+
 		if (folio_test_hwpoison(folio) ||
 		    (folio_test_large(folio) && folio_test_has_hwpoisoned(folio))) {
 			if (WARN_ON(folio_test_lru(folio)))