From: Jinjiang Tu
Subject: [PATCH v3] mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list
Date: Fri, 11 Jul 2025 10:17:34 +0800
Message-ID: <20250711021734.2362044-1-tujinjiang@huawei.com>

In shrink_folio_list(), the hwpoisoned folio may be a large folio, which can't be handled by unmap_poisoned_folio(). For THP, try_to_unmap_one() must be passed TTU_SPLIT_HUGE_PMD to split the huge PMD first and then retry. Without TTU_SPLIT_HUGE_PMD, we will trigger a null-ptr deref of pvmw.pte. Even if we passed TTU_SPLIT_HUGE_PMD, we will trigger a WARN_ON_ONCE because the page isn't in swapcache.

Since UCE is rare in the real world, and a race with reclamation is even rarer, just skipping the hwpoisoned large folio is enough. memory_failure() will handle it if the UCE is triggered again.

Fixes: 1b0449544c64 ("mm/vmscan: don't try to reclaim hwpoison folio")
Reported-by: syzbot+3b220254df55d8ca8a61@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68412d57.050a0220.2461cf.000e.GAE@google.com/
Acked-by: David Hildenbrand
Reviewed-by: Miaohe Lin
Signed-off-by: Jinjiang Tu
---
v3:
* collect Acked-by and Reviewed-by
* update commit message and comments, suggested by Oscar Salvador.

mm/memory-failure.c | 4 ++++ mm/vmscan.c | 8 ++++++++ 2 files changed, 12 insertions(+) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index b91a33fb6c69..9ee176fcc949 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -1561,6 +1561,10 @@ static int get_hwpoison_page(struct page *p, unsigned long flags) return ret; } +/* + * The caller must guarantee the folio isn't large folio. try_to_unmap() + * can't handle it. + */ int unmap_poisoned_folio(struct folio *folio, unsigned long pfn, bool must_kill) { enum ttu_flags ttu = TTU_IGNORE_MLOCK | TTU_SYNC | TTU_HWPOISON; diff --git a/mm/vmscan.c b/mm/vmscan.c index f8dfd2864bbf..424412680cfc 100644 --- a/mm/vmscan.c +++ b/mm/vmscan.c @@ -1138,6 +1138,14 @@ static unsigned int shrink_folio_list(struct list_head *folio_list, goto keep; if (folio_contain_hwpoisoned_page(folio)) { + /* + * unmap_poisoned_folio() can't handle large + * folio, just skip it. memory_failure() will + * handle it if the UCE is triggered again. + */ + if (folio_test_large(folio)) + goto keep_locked; + unmap_poisoned_folio(folio, folio_pfn(folio), false); folio_unlock(folio); folio_put(folio); -- 2.43.0
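
Review bot: in the mm/memory-failure.c hunk, the new comment above unmap_poisoned_folio() states a caller precondition that nothing in the function enforces, so a future caller that passes a THP gets the null-ptr deref of pvmw.pte described in the commit message instead of a diagnosable warning. Consider backing the comment with a check at the top of the function, for example VM_WARN_ON_ONCE_FOLIO(folio_test_large(folio), folio), after confirming that no existing caller relies on passing a large folio. The comment would also be more useful if it gave the reason from the commit message (try_to_unmap_one() needs TTU_SPLIT_HUGE_PMD for a THP, and the ttu value set here, TTU_IGNORE_MLOCK | TTU_SYNC | TTU_HWPOISON, does not include it) rather than only "try_to_unmap() can't handle it", and "isn't large folio" should read "isn't a large folio".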
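
Review bot: in the mm/vmscan.c hunk, the folio_test_large() branch jumps to keep_locked without unmapping, while the existing path directly below it unmaps, unlocks and drops the folio; the comment should say that leaving the poisoned large folio mapped is intentional and that reclaim may meet the same folio again before memory_failure() runs. The comment also uses "UCE" without expansion and omits the two failure modes the commit message gives as the reason (the pvmw.pte null-ptr deref without TTU_SPLIT_HUGE_PMD, and the WARN_ON_ONCE for a page not in swapcache with it); one line naming them would spare the next reader a trip to the changelog. Since the skip is silent, it is worth considering whether a rate-limited message or counter is wanted here so that skipped hwpoisoned large folios are visible when diagnosing a machine with memory errors.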