On 2025/9/12 2:13, Matthew Wilcox wrote:
> On Thu, Sep 11, 2025 at 09:08:48PM +0800, Jinjiang Tu wrote:
>> Migration may race with fallocating a hole. remove_inode_single_folio
>> will unmap the folio if the folio is still mapped. However, it's called
>> without the folio lock. If the folio is being migrated and the mapped pte has been
>> converted to a migration entry, folio_mapped() returns false, and it won't
>> unmap it. Due to the extra refcount held by remove_inode_single_folio,
>> migration fails, restores the migration entry to a normal pte, and the folio
>> is mapped again. As a result, we triggered a BUG in filemap_unaccount_folio.
>> diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
>> index 09d4baef29cf..d21865d0178a 100644
>> --- a/fs/hugetlbfs/inode.c
>> +++ b/fs/hugetlbfs/inode.c
>> @@ -521,10 +521,10 @@ static bool remove_inode_single_folio(struct hstate *h, struct inode *inode,
>> * the fault mutex. The mutex will prevent faults
>> * until we finish removing the folio.
>> */
>> + folio_lock(folio);
> The comment above is now nonsensical. Can you correct it, please?
OK, I will update it.
>
>> if (unlikely(folio_mapped(folio)))
>> hugetlb_unmap_file_folio(h, mapping, folio, index);
>>
>> - folio_lock(folio);
>> /*
>> * We must remove the folio from page cache before removing
>> * the region/ reserve map (hugetlb_unreserve_pages). In
>> --
>> 2.43.0
>>
>>
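Review bot: the block comment that now sits directly above `+ folio_lock(folio);` (context lines `* the fault mutex. The mutex will prevent faults` / `* until we finish removing the folio.`) still talks only about the fault mutex, and nothing in the hunk says why the lock has to be taken before `if (unlikely(folio_mapped(folio)))` instead of after the unmap as before. When rewording that comment, make it carry the reasoning from the commit message: migration holds the folio lock for as long as the folio's ptes are replaced by migration entries, so evaluating folio_mapped() with the lock held is what guarantees a false result really means "not mapped" and closes the window in which the old code skipped hugetlb_unmap_file_folio(). A one-line note that the lock also orders this check against migration would keep the next reader from moving it back down.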