From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 24A98C5B559
	for <linux-mm@archiver.kernel.org>; Thu,  5 Jun 2025 08:06:39 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id A88686B057D; Thu,  5 Jun 2025 04:06:37 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id A392A6B057E; Thu,  5 Jun 2025 04:06:37 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 927756B0580; Thu,  5 Jun 2025 04:06:37 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14])
	by kanga.kvack.org (Postfix) with ESMTP id 6F8AE6B057E
	for <linux-mm@kvack.org>; Thu,  5 Jun 2025 04:06:37 -0400 (EDT)
Received: from smtpin26.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay10.hostedemail.com (Postfix) with ESMTP id 19AEDC1FBF
	for <linux-mm@kvack.org>; Thu,  5 Jun 2025 08:06:37 +0000 (UTC)
X-FDA: 83520615234.26.D31767A
Received: from mailout4.samsung.com (mailout4.samsung.com [203.254.224.34])
	by imf03.hostedemail.com (Postfix) with ESMTP id 8561D2000C
	for <linux-mm@kvack.org>; Thu,  5 Jun 2025 08:06:33 +0000 (UTC)
Authentication-Results: imf03.hostedemail.com;
	dkim=pass header.d=samsung.com header.s=mail20170921 header.b=Amssj6qE;
	dmarc=pass (policy=none) header.from=samsung.com;
	spf=pass (imf03.hostedemail.com: domain of hyesoo.yu@samsung.com designates 203.254.224.34 as permitted sender) smtp.mailfrom=hyesoo.yu@samsung.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1749110794;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=5Fq5ho7EvwKI7nuqfXI3pZhlK+7Slkc0YlG396IIzDM=;
	b=DpDULm2aUHQ6oY91cx4RDZDj6L4BA8+lnVjbNXLCAe4INkCA3Mm/AKCkW+QrA5BUPnvAZ5
	70g+ORyHtWdZg9I0rxt544B8M0P6OVsZrF8HJ6VcfR1wKZffeJk0Q4O2CjoM6tHwe39rBk
	TIWUA5edtIA58BIquTeITI8kLMxzSa4=
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1749110795; a=rsa-sha256;
	cv=none;
	b=wBw3LbTYZK6LI9wTpU7MWdWHFuMMCiYM7zk4HsXj0W+kixCUnm2SlUbnJH8vC+M9eZPYVt
	QOlin3DTmHf0S91fjG523YfWYRYVRhhSPf0ldKr9IEIKGZ6vg8pZlIhqQN2FJbc7WwADpb
	N2ey1k54vWltDoHwCakrntFa5neZ1DQ=
ARC-Authentication-Results: i=1;
	imf03.hostedemail.com;
	dkim=pass header.d=samsung.com header.s=mail20170921 header.b=Amssj6qE;
	dmarc=pass (policy=none) header.from=samsung.com;
	spf=pass (imf03.hostedemail.com: domain of hyesoo.yu@samsung.com designates 203.254.224.34 as permitted sender) smtp.mailfrom=hyesoo.yu@samsung.com
Received: from epcas2p1.samsung.com (unknown [182.195.41.53])
	by mailout4.samsung.com (KnoxPortal) with ESMTP id 20250605080630epoutp0458920da6ede630af61a64c4c7676669d~GFv8TvBkI2571925719epoutp04Q
	for <linux-mm@kvack.org>; Thu,  5 Jun 2025 08:06:30 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 mailout4.samsung.com 20250605080630epoutp0458920da6ede630af61a64c4c7676669d~GFv8TvBkI2571925719epoutp04Q
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=samsung.com;
	s=mail20170921; t=1749110790;
	bh=5Fq5ho7EvwKI7nuqfXI3pZhlK+7Slkc0YlG396IIzDM=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=Amssj6qEVeJAgxY57Lqyg7KrglOI3H9QEFSkcloS+KWsN1TSdIy+kEgpd22bMaPA6
	 uhJkIKGxXKsuBfyTdEhptXfXyqh/ZsBksDXYDo8FB6nA3ub2KfGC9o6wCxGDXO12FK
	 Ln8g567pgWnDRnYreNh8yoxc/MnB8ZXBOIFKsJu8=
Received: from epsnrtp02.localdomain (unknown [182.195.42.154]) by
	epcas2p2.samsung.com (KnoxPortal) with ESMTPS id
	20250605080629epcas2p2969bcac1c5d4bc57de58347b35d0e89d~GFv795vGH1407914079epcas2p2F;
	Thu,  5 Jun 2025 08:06:29 +0000 (GMT)
Received: from epcas2p4.samsung.com (unknown [182.195.36.89]) by
	epsnrtp02.localdomain (Postfix) with ESMTP id 4bCcTx1FvWz2SSKp; Thu,  5 Jun
	2025 08:06:29 +0000 (GMT)
Received: from epsmtip1.samsung.com (unknown [182.195.34.30]) by
	epcas2p2.samsung.com (KnoxPortal) with ESMTPA id
	20250605080628epcas2p24220eeceef2ae38feeee9d2c18515800~GFv65NGmN1351013510epcas2p2L;
	Thu,  5 Jun 2025 08:06:28 +0000 (GMT)
Received: from localhost.localdomain (unknown [10.229.95.142]) by
	epsmtip1.samsung.com (KnoxPortal) with ESMTPA id
	20250605080628epsmtip120becc5e0bf4cd5fdf0f5fd129ce21f0~GFv615FQg0467304673epsmtip1-;
	Thu,  5 Jun 2025 08:06:28 +0000 (GMT)
From: Hyesoo Yu <hyesoo.yu@samsung.com>
To: 
Cc: janghyuck.kim@samsung.com, zhaoyang.huang@unisoc.com,
	jaewon31.kim@gmail.com, david@redhat.com, Hyesoo Yu <hyesoo.yu@samsung.com>,
	Andrew Morton <akpm@linux-foundation.org>, Jason Gunthorpe <jgg@ziepe.ca>,
	John Hubbard <jhubbard@nvidia.com>, Peter Xu <peterx@redhat.com>,
	linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3 1/1] mm: gup: avoid CMA page pinning by retrying
 migration if no migratable page
Date: Thu,  5 Jun 2025 17:04:31 +0900
Message-ID: <20250605080436.3764686-2-hyesoo.yu@samsung.com>
X-Mailer: git-send-email 2.49.0
In-Reply-To: <20250605080436.3764686-1-hyesoo.yu@samsung.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-CMS-MailID: 20250605080628epcas2p24220eeceef2ae38feeee9d2c18515800
X-Msg-Generator: CA
Content-Type: text/plain; charset="utf-8"
X-Sendblock-Type: AUTO_CONFIDENTIAL
CMS-TYPE: 102P
cpgsPolicy: CPGSC10-234,Y
X-CFilter-Loop: Reflected
X-CMS-RootMailID: 20250605080628epcas2p24220eeceef2ae38feeee9d2c18515800
References: <20250605080436.3764686-1-hyesoo.yu@samsung.com>
	<CGME20250605080628epcas2p24220eeceef2ae38feeee9d2c18515800@epcas2p2.samsung.com>
X-Rspamd-Server: rspam10
X-Rspamd-Queue-Id: 8561D2000C
X-Stat-Signature: cuua9pojyqxjpsiar3ujmi4hcdqq3mhn
X-Rspam-User: 
X-HE-Tag: 1749110793-33030
X-HE-Meta: U2FsdGVkX19o4nO7wFX+Crie3xT13BhaaON7COIadasnL+lfp8zf3OUJ8ksZdYlriSWYh+wYwSH4oFPL18mr3qt+jmdzwaRMRNQem552p6/xa2m4BPUWQvrOrYzOShszXuA6tZtWYHr09No/+8mLa/LeDptdi7VMm01WaSQqaNdknYNXgJV4soiVtGP5DpVYor48CLqbr3WCIbm1oOMHTBaMMmmTLgLtyJ/rQzWF+Z19pLRBDvD2oI0gqQzZheHG6TwoCgBV4dOs7LEtSUYTirJsNnK76PhxMKrG0Ipf/IG87/C9W0AxySW/Nr7WACJYvJfdGP3VDCDxOLshw9A5IRy8IXw5mHpKCIoWNLU3dZdMKUo/LkTJITYLKsQa8mPGdZjxphm5UwRY1Ljzf8x0ie8TqS3gm7jXiAFYDJJuTnShyiewOBN/pUCpGGqIBBzM0HWswWgWfwc/p5PVK/cRN81P2pCuN6n9Fm5CMZyRl0Tha/kTatNsYHNFWOAIAn2o1zvTpOlGyBZ8+K/h3KsjnrpjH7Tc6ry8KXylyU8DL83vEcsr69dCTANlS8vKavcd2d5uY/j6tpJAY8EGgKLohTja9hKRGbgCklOBO+JSezPYT/8TttLzJ4j3/fYGAx+4KPCgCSGZF7MG4JYHnL6OkejTJ8nLrWTCyDxTZMkwg43hQNUGZs04vsBxAWpvYiCSyAnck1q3k9ciyF0QNQxxUc+85SNdicRTmKhZJGDLa/vhR2AJ+eSLllDOdrpwjsVqfqbLXpHRdy/XSHavlF/Qe6AM9Ry30MemLXF7L1cb/pDi7r3x6N6OSh8qtM+q6eNi/uRctGejiDqpApgWmzJp1qVgaeGP5P3T7ljCPIZ07gzFSNA1WNQQX5aQucfsiU5eoP0VNDTlp6sdxJNPkxPEk28UpeWCZRGxmMg/B/4JhGTWbFsnbJgWJ2+m003Oq2OubKuCiOXRaAHWGL+EaBy
 P2CJuNTu
 LB/P8WEhisqyv0bQ6yUjcNwvAmsQmkzTTFZpbt00MbRzcFrQZrpObd2+sGeRlgewRZ32SF4LxUu7Vp3IL71ud+HLE1cnRSMpuilP/QzUFBFPLIMIiKJXN3ZZ2JJm0TxleMcyRIt0+7ZBRrPIO8TqFeQh1NGhR998T/zRY
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

Commit 1aaf8c122918 ("mm: gup: fix infinite loop within __get_longterm_locked")
introduced an issue where CMA pages could be pinned by longterm GUP requests.
This occurs when unpinnable pages are detected but the movable_page_list is empty;
the commit would return success without retrying, allowing unpinnable
pages (such as CMA) to become pinned.

CMA pages may be temporarily off the LRU due to concurrent isolation,
for example when multiple longterm GUP requests are racing and therefore
not appear in movable_page_list. Before commit 1aaf8c, the kernel would
retry migration in such cases, which helped avoid accidental CMA pinning.

The original intent of the commit was to support longterm GUP on non-LRU
CMA pages in out-of-tree use cases such as pKVM. However, allowing this
can lead to broader CMA pinning issues.

To avoid this, the logic is restored to return -EAGAIN instead of success
when no folios could be collected but unpinnable pages were found.
This ensures that migration is retried until success, and avoids
inadvertently pinning unpinnable pages.

Fixes: 1aaf8c122918 ("mm: gup: fix infinite loop within __get_longterm_locked")
Acked-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Hyesoo Yu <hyesoo.yu@samsung.com>

---
We have confirmed that this regression causes CMA pages to be pinned
in our kernel 6.12-based environment.

In addition to CMA allocation failures, we also observed longterm GUP failures
when repeatedly accessing the same VMA. Specifically, the first longterm GUP
call would pin a CMA page, and a second call on the same region
would fail the migration because the cma page was already pinned.

After reverting commit 1aaf8c122918, the issue no longer reproduced.

Therefore, this fix is important to ensure reliable behavior of longterm GUP
and CMA-backed memory, and should be backported to stable.
---
 mm/gup.c | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/mm/gup.c b/mm/gup.c
index e065a49842a8..66193421c1d4 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -2300,14 +2300,12 @@ static void pofs_unpin(struct pages_or_folios *pofs)
 		unpin_user_pages(pofs->pages, pofs->nr_entries);
 }
 
-/*
- * Returns the number of collected folios. Return value is always >= 0.
- */
-static void collect_longterm_unpinnable_folios(
+static bool collect_longterm_unpinnable_folios(
 		struct list_head *movable_folio_list,
 		struct pages_or_folios *pofs)
 {
 	struct folio *prev_folio = NULL;
+	bool any_unpinnable = false;
 	bool drain_allow = true;
 	unsigned long i;
 
@@ -2321,6 +2319,8 @@ static void collect_longterm_unpinnable_folios(
 		if (folio_is_longterm_pinnable(folio))
 			continue;
 
+		any_unpinnable = true;
+
 		if (folio_is_device_coherent(folio))
 			continue;
 
@@ -2342,6 +2342,8 @@ static void collect_longterm_unpinnable_folios(
 				    NR_ISOLATED_ANON + folio_is_file_lru(folio),
 				    folio_nr_pages(folio));
 	}
+
+	return any_unpinnable;
 }
 
 /*
@@ -2417,11 +2419,25 @@ migrate_longterm_unpinnable_folios(struct list_head *movable_folio_list,
 static long
 check_and_migrate_movable_pages_or_folios(struct pages_or_folios *pofs)
 {
+	bool any_unpinnable;
+
 	LIST_HEAD(movable_folio_list);
 
-	collect_longterm_unpinnable_folios(&movable_folio_list, pofs);
-	if (list_empty(&movable_folio_list))
+	any_unpinnable = collect_longterm_unpinnable_folios(&movable_folio_list, pofs);
+
+	if (list_empty(&movable_folio_list)) {
+		/*
+		 * If we find any longterm unpinnable page that we failed to
+		 * isolated for migration, it might be because someone else
+		 * concurrently isolated it. Make the caller retry until it
+		 * succeeds.
+		 */
+		if (any_unpinnable) {
+			pofs_unpin(pofs);
+			return -EAGAIN;
+		}
 		return 0;
+	}
 
 	return migrate_longterm_unpinnable_folios(&movable_folio_list, pofs);
 }
-- 
2.49.0