From: Shivank Garg
Subject: [PATCH V3 1/2] mm/khugepaged: fix race with folio split/free using temporary reference
Date: Mon, 26 May 2025 18:28:18 +0000
Message-ID: <20250526182818.37978-1-shivankg@amd.com>

hpage_collapse_scan_file() calls is_refcount_suitable(), which in turn calls folio_mapcount(). folio_mapcount() checks folio_test_large() before proceeding to folio_large_mapcount(), but there is a race window where the folio may get split/freed between these checks, triggering:

  VM_WARN_ON_FOLIO(!folio_test_large(folio), folio)

Take a temporary reference to the folio in hpage_collapse_scan_file(). This stabilizes the folio during refcount check and prevents incorrect large folio detection due to concurrent split/free.

Use helper folio_expected_ref_count() + 1 to compare with folio_ref_count() instead of using is_refcount_suitable().

Fixes: 05c5323b2a34 ("mm: track mapcount of large folios in single value") Reported-by: syzbot+2b99589e33edbe9475ca@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/6828470d.a70a0220.38f255.000c.GAE@google.com Suggested-by: David Hildenbrand Acked-by: David Hildenbrand Signed-off-by: Shivank Garg --- Changes since V2: - https://lore.kernel.org/linux-mm/20250523091432.17588-1-shivankg@amd.com - Reorder the patches to bring the fix in first patch and clean-up in second. --- mm/khugepaged.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/mm/khugepaged.c b/mm/khugepaged.c index cc945c6ab3bd..fe1fe7eace54 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -2295,6 +2295,17 @@ static int hpage_collapse_scan_file(struct mm_struct *mm, unsigned long addr, continue; } + if (!folio_try_get(folio)) { + xas_reset(&xas); + continue; + } + + if (unlikely(folio != xas_reload(&xas))) { + folio_put(folio); + xas_reset(&xas); + continue; + } + if (folio_order(folio) == HPAGE_PMD_ORDER && folio->index == start) { /* Maybe PMD-mapped */ @@ -2305,23 +2316,27 @@ static int hpage_collapse_scan_file(struct mm_struct *mm, unsigned long addr, * it's safe to skip LRU and refcount checks before * returning. */ + folio_put(folio); break; } node = folio_nid(folio); if (hpage_collapse_scan_abort(node, cc)) { result = SCAN_SCAN_ABORT; + folio_put(folio); break; } cc->node_load[node]++; if (!folio_test_lru(folio)) { result = SCAN_PAGE_LRU; + folio_put(folio); break; } - if (!is_refcount_suitable(folio)) { + if (folio_expected_ref_count(folio) + 1 != folio_ref_count(folio)) { result = SCAN_PAGE_COUNT; + folio_put(folio); break; } @@ -2333,6 +2348,7 @@ static int hpage_collapse_scan_file(struct mm_struct *mm, unsigned long addr, */ present += folio_nr_pages(folio); + folio_put(folio); if (need_resched()) { xas_pause(&xas); -- 2.34.1
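
Review bot: In the first hunk (@@ -2295,6 +2295,17 @@), the new folio_try_get() / xas_reload() block carries no comment saying why the scan now pins the folio; that reasoning exists only in the commit message. A short comment above `if (!folio_try_get(folio))` stating that the temporary reference keeps the folio from being split or freed while the checks below run would keep a later cleanup from removing it. The two failure branches are also annotated differently: the reload mismatch is wrapped in unlikely() while the failed folio_try_get() is not, so pick one form for both.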
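
Review bot: In the second hunk (@@ -2305,23 +2316,27 @@), the `+ 1` in `folio_expected_ref_count(folio) + 1 != folio_ref_count(folio)` is unexplained in the code; it accounts for the temporary reference taken earlier in the loop, and a one-line comment saying so would stop it from being read as an off-by-one. The same hunk adds folio_put() before each of its four `break` statements, and the last hunk adds a fifth on the success path, so every future early exit from this loop body has to remember the release; consider setting `result` and dropping the reference at one common point after the checks. The diff also does not show that folio_expected_ref_count() yields the same expectation is_refcount_suitable() did, so the commit message should say whether the set of folios accepted by this check changes.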