Subject: Re: [PATCH v3] mm/migrate: fix shmem xarray update during migration
To: Zi Yan, Baolin Wang
References: <20250305200403.2822855-1-ziy@nvidia.com>
CC: Andrew Morton, Barry Song, David Hildenbrand, Kefeng Wang, Lance Yang, Ryan Roberts, Matthew Wilcox, Hugh Dickins, Charan Teja Kalla
From: Liu Shixin
Message-ID: <00295311-2367-e210-c0bb-e410ba84d4ac@huawei.com>
Date: Sat, 8 Mar 2025 11:17:40 +0800

On 2025/3/6 4:04, Zi Yan wrote:
> A shmem folio can be either in page cache or in swap cache, but not at the
> same time. Namely, once it is in swap cache, folio->mapping should be NULL,
> and the folio is no longer in a shmem mapping.
>
> In __folio_migrate_mapping(), to determine the number of xarray entries
> to update, folio_test_swapbacked() is used, but that conflates shmem in
> page cache case and shmem in swap cache case. It leads to xarray
> multi-index entry corruption, since it turns a sibling entry to a
> normal entry during xas_store() (see [1] for a userspace reproduction).
> Fix it by only using folio_test_swapcache() to determine whether xarray
> is storing swap cache entries or not to choose the right number of xarray
> entries to update.
>
> [1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/
>
> Note:
> In __split_huge_page(), folio_test_anon() && folio_test_swapcache() is used
> to get swap_cache address space, but that ignores the shmem folio in swap
> cache case. It could lead to NULL pointer dereferencing when an
> in-swap-cache shmem folio is split at __xa_store(), since
> !folio_test_anon() is true and folio->mapping is NULL. But fortunately,
> its caller split_huge_page_to_list_to_order() bails out early with EBUSY
> when folio->mapping is NULL. So no need to take care of it here.
>
> Fixes: fc346d0a70a1 ("mm: migrate high-order folios in swap cache correctly")
> Reported-by: Liu Shixin
> Closes: https://lore.kernel.org/all/28546fb4-5210-bf75-16d6-43e1f8646080@huawei.com/
> Suggested-by: Hugh Dickins
> Signed-off-by: Zi Yan
> Cc: stable@vger.kernel.org

Thanks for the patch, it works for me.

> --- > mm/migrate.c | 10 ++++------ > 1 file changed, 4 insertions(+), 6 deletions(-) > > diff --git a/mm/migrate.c b/mm/migrate.c > index fb4afd31baf0..c0adea67cd62 100644 > --- a/mm/migrate.c > +++ b/mm/migrate.c > @@ -518,15 +518,13 @@ static int __folio_migrate_mapping(struct address_space *mapping, > if (folio_test_anon(folio) && folio_test_large(folio)) > mod_mthp_stat(folio_order(folio), MTHP_STAT_NR_ANON, 1); > folio_ref_add(newfolio, nr); /* add cache reference */ > - if (folio_test_swapbacked(folio)) { > + if (folio_test_swapbacked(folio)) > __folio_set_swapbacked(newfolio); > - if (folio_test_swapcache(folio)) { > - folio_set_swapcache(newfolio); > - newfolio->private = folio_get_private(folio); > - } > + if (folio_test_swapcache(folio)) { > + folio_set_swapcache(newfolio); > + newfolio->private = folio_get_private(folio); > entries = nr; > } else { > - VM_BUG_ON_FOLIO(folio_test_swapcache(folio), folio); > entries = 1; > } >
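
Review bot: the new "if (folio_test_swapcache(folio))" branch in __folio_migrate_mapping() has no comment explaining why "entries = nr" is keyed on swapcache and not on swapbacked, which is the exact conflation the commit message says caused the multi-index entry corruption. A one- or two-line comment above that branch, stating that a swapbacked shmem folio still in page cache takes the "entries = 1" path, would keep a later cleanup from folding the two tests back together. Separately, the dropped VM_BUG_ON_FOLIO(folio_test_swapcache(folio), folio) was the only check in this block tying swapcache to swapbacked; with the two tests now independent, nothing here catches a folio that is in swap cache but not swapbacked. If that relationship is still expected to hold, a debug-only check inside the swapcache branch, for example VM_WARN_ON_ONCE_FOLIO(!folio_test_swapbacked(folio), folio), would preserve it; if it is not, the commit message should say why the assertion is no longer needed.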