From patchwork Thu Mar  3 01:43:34 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Hugh Dickins <hughd@google.com>
X-Patchwork-Id: 12766947
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id C2DF4C433F5
	for <linux-mm@archiver.kernel.org>; Thu,  3 Mar 2022 01:43:38 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 4AD4E8D0002; Wed,  2 Mar 2022 20:43:38 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 435148D0001; Wed,  2 Mar 2022 20:43:38 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 2D5F68D0002; Wed,  2 Mar 2022 20:43:38 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (relay.hostedemail.com [64.99.140.27])
	by kanga.kvack.org (Postfix) with ESMTP id 1A83D8D0001
	for <linux-mm@kvack.org>; Wed,  2 Mar 2022 20:43:38 -0500 (EST)
Received: from smtpin02.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay08.hostedemail.com (Postfix) with ESMTP id E4F0B208AF
	for <linux-mm@kvack.org>; Thu,  3 Mar 2022 01:43:37 +0000 (UTC)
X-FDA: 79201378074.02.FE7ED4A
Received: from mail-qt1-f174.google.com (mail-qt1-f174.google.com
 [209.85.160.174])
	by imf04.hostedemail.com (Postfix) with ESMTP id 5FBD940004
	for <linux-mm@kvack.org>; Thu,  3 Mar 2022 01:43:37 +0000 (UTC)
Received: by mail-qt1-f174.google.com with SMTP id c4so3426510qtx.1
        for <linux-mm@kvack.org>; Wed, 02 Mar 2022 17:43:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=date:from:to:cc:subject:message-id:mime-version;
        bh=iPfHEmOKdhMIfmj5DivY/bN1HDyWSYEFJHhO7/nuhns=;
        b=V7iwAeTLsXaQIKV2Op9OyY2XBqa01szKvdFcutupQlrJPMLJYdZuO3pNb7e/bI2d04
         gsBg/TrRAZ2Jqd2WnvNmkBEUPLYA56rvBPyQVY0O3zKpvk9U43ZsXZvAbb2Qqw/Jm0SR
         nJSViRcjwsvY1DOTB/RoteIWi4uYK5YItQn6F1Fn9lhxP+5uKaMbh4kqxT0BktjjWkDD
         edMVE9gnNJMfgmRFuQUDBb3bHq7Xa0fSMT8pN/aKfzd1ZGJcRvkE8kFdJhLE6hjIu+7X
         Ns44trhbwsOWUmeuekK67Kc8jHfeXoNH5YQgBeJY1GVhIzwJmYy2zKYCRs9GRxgF0S4t
         1H1Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version;
        bh=iPfHEmOKdhMIfmj5DivY/bN1HDyWSYEFJHhO7/nuhns=;
        b=N2HxAmylBEm8nLY408+pOheyxMu9ysQyZhnjCPPEkWxoTWPLwxhUmtd061jq4slf+j
         q782+QLofDcrPCOsTIyYO4axtIK2j9jZyfGflzw68xPK7wguoFRqol4PrB7+OIxmmnPq
         UiDzYJQC5++VUEko0qgNLrvxbxJWlBNovGVZLYzZuLjeKiMrNiuppuTtLnAwHrOeE9GY
         Bgt2FCruNE+nXMa0E4ekembgthwSWtpjBg66Ssxdmj9C/TczqWc6GTNyia0Elst4SPlr
         5Rm3lisYMjR83uRXDiSoH2BQy6i+pB4CVDPfvj5nWz6c7+HCX5Tum3Q7bhgdkPtv/Rl6
         vd0w==
X-Gm-Message-State: AOAM530QGGFC898nWBC0a+jPHEM9RgQ6Q21m/HsvLt3KyGrfRmU14MpX
	DJ1dvQEOg8e/PwPsAX8PoLAI4g==
X-Google-Smtp-Source: 
 ABdhPJzFHfUq3MiN2IigtOEeO0VwfWCXHQ2A9X5459o4XXiiE/KChwr0tPIPow5WzYUzTPUiz5qX1A==
X-Received: by 2002:a05:622a:1055:b0:2de:3ea:f2ad with SMTP id
 f21-20020a05622a105500b002de03eaf2admr26149270qte.327.1646271816542;
        Wed, 02 Mar 2022 17:43:36 -0800 (PST)
Received: from ripple.attlocal.net
 (172-10-233-147.lightspeed.sntcca.sbcglobal.net. [172.10.233.147])
        by smtp.gmail.com with ESMTPSA id
 x12-20020a05620a14ac00b0060deaee7a21sm403207qkj.51.2022.03.02.17.43.34
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 02 Mar 2022 17:43:35 -0800 (PST)
Date: Wed, 2 Mar 2022 17:43:34 -0800 (PST)
From: Hugh Dickins <hughd@google.com>
X-X-Sender: hugh@ripple.anvils
To: Andrew Morton <akpm@linux-foundation.org>
cc: Ralph Campbell <rcampbell@nvidia.com>, Yang Shi <shy828301@gmail.com>,
    Zi Yan <ziy@nvidia.com>,
    "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
    linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH mmotm] mm/thp: refix __split_huge_pmd_locked() for migration
 PMD
Message-ID: <84792468-f512-e48f-378c-e34c3641e97@google.com>
MIME-Version: 1.0
X-Rspam-User: 
X-Rspamd-Server: rspam01
X-Rspamd-Queue-Id: 5FBD940004
X-Stat-Signature: rgkccgpjwd8q4agmd65yjmw39gttcfmr
Authentication-Results: imf04.hostedemail.com;
	dkim=pass header.d=google.com header.s=20210112 header.b=V7iwAeTL;
	dmarc=pass (policy=reject) header.from=google.com;
	spf=pass (imf04.hostedemail.com: domain of hughd@google.com designates
 209.85.160.174 as permitted sender) smtp.mailfrom=hughd@google.com
X-HE-Tag: 1646271817-539297
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

Migration entries do not contribute to a page's reference count: move
__split_huge_pmd_locked()'s page_ref_add() into pmd_migration's else
block (along with the page_count() check - a page is quite likely to
to have reference count frozen to 0 when a migration entry is found).

This will fix a very rare anonymous memory leak, after a split_huge_pmd()
raced with an anon split_huge_page() or an anon THP migrate_pages(): since
the wrongly raised refcount stopped the page (perhaps small, perhaps huge,
depending on when the race hit) from ever being freed.  At first I thought
there were worse risks, from prematurely unfreezing a frozen page: but now
think that would only affect page cache pages, which do not come this way
(except for anonymous pages in swap cache, perhaps).

Fixes: ec0abae6dcdf ("mm/thp: fix __split_huge_pmd_locked() for migration PMD")
Signed-off-by: Hugh Dickins <hughd@google.com>
---
That's an unfair "Fixes": it did not introduce the problem, but it
missed this aspect of the problem; and will be a good guide to where this
refix should go if stable backports are asked for.

 mm/huge_memory.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -2039,9 +2039,9 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
 		young = pmd_young(old_pmd);
 		soft_dirty = pmd_soft_dirty(old_pmd);
 		uffd_wp = pmd_uffd_wp(old_pmd);
+		VM_BUG_ON_PAGE(!page_count(page), page);
+		page_ref_add(page, HPAGE_PMD_NR - 1);
 	}
-	VM_BUG_ON_PAGE(!page_count(page), page);
-	page_ref_add(page, HPAGE_PMD_NR - 1);
 
 	/*
 	 * Withdraw the table only after we mark the pmd entry invalid.