Date: Sat, 12 Jul 2025 16:42:07 -0700
From: Andrew Morton
To: Jinjiang Tu
Cc: David Hildenbrand
Subject: Re: [PATCH v4] mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list
Message-Id: <20250712164207.733e3cac2f7783f043ac934e@linux-foundation.org>
In-Reply-To: <69fd4e00-1b13-d5f7-1c82-705c7d977ea4@huawei.com>
References: <20250711021734.2362044-1-tujinjiang@huawei.com> <990715ed-f660-4b88-b850-57d6aee6ee59@redhat.com> <69fd4e00-1b13-d5f7-1c82-705c7d977ea4@huawei.com>

On Fri, 11 Jul 2025 16:55:45 +0800 Jinjiang Tu wrote:

> In shrink_folio_list(), the hwpoisoned folio may be a large folio, which
> can't be handled by unmap_poisoned_folio(). For THP, try_to_unmap_one()
> must be passed with TTU_SPLIT_HUGE_PMD to split huge PMD first and then
> retry. Without TTU_SPLIT_HUGE_PMD, we will trigger null-ptr deref of
> pvmw.pte. Even if we passed TTU_SPLIT_HUGE_PMD, we will trigger a WARN_ON_ONCE
> due to the page isn't in swapcache.
>
> Since UCE is rare in real world, and race with reclamation is more rare,
> just skipping the hwpoisoned large folio is enough. memory_failure() will
> handle it if the UCE is triggered again.

Your email client made a mess of the whitespace. I fixed that up and turned this into a v2->v4 delta so I/we can see what happened:

--- a/mm/memory-failure.c~mm-vmscan-fix-hwpoisoned-large-folio-handling-in-shrink_folio_list-v4 +++ a/mm/memory-failure.c
@@ -1561,6 +1561,10 @@ static int get_hwpoison_page(struct page return ret; } +/* + * The caller must guarantee the folio isn't large folio, except hugetlb. + * try_to_unmap() can't handle it. + */ int unmap_poisoned_folio(struct folio *folio, unsigned long pfn, bool must_kill) { enum ttu_flags ttu = TTU_IGNORE_MLOCK | TTU_SYNC | TTU_HWPOISON; _

Also, the v2 patch's changelog (probably as amended by me) had a nice description of the race, which is lost in this v4 patch. I restored it, so the final changelog is as below. Please check.

From: Jinjiang Tu
Subject: mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list
Date: Fri, 27 Jun 2025 20:57:46 +0800

In shrink_folio_list(), the hwpoisoned folio may be a large folio, which
can't be handled by unmap_poisoned_folio(). For THP, try_to_unmap_one()
must be passed with TTU_SPLIT_HUGE_PMD to split huge PMD first and then
retry. Without TTU_SPLIT_HUGE_PMD, we will trigger null-ptr deref of
pvmw.pte. Even if we passed TTU_SPLIT_HUGE_PMD, we will trigger a WARN_ON_ONCE
due to the page isn't in swapcache.

Since UCE is rare in real world, and race with reclamation is more rare,
just skipping the hwpoisoned large folio is enough. memory_failure() will
handle it if the UCE is triggered again.

This happens when memory reclaim for large folio races with
memory_failure(), and will lead to kernel panic. The race is as follows:

cpu0                          cpu1
 shrink_folio_list
                              memory_failure
                               TestSetPageHWPoison
  unmap_poisoned_folio
  --> trigger BUG_ON due to
  unmap_poisoned_folio couldn't
  handle large folio

Link: https://lkml.kernel.org/r/20250627125747.3094074-2-tujinjiang@huawei.com
Signed-off-by: Jinjiang Tu
Fixes: 1b0449544c64 ("mm/vmscan: don't try to reclaim hwpoison folio")
Reported-by: syzbot+3b220254df55d8ca8a61@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68412d57.050a0220.2461cf.000e.GAE@google.com/
Acked-by: David Hildenbrand
Reviewed-by: Miaohe Lin
Acked-by: Zi Yan
Reviewed-by: Oscar Salvador
Cc: Kefeng Wang
Cc: Michal Hocko
Cc: Oscar Salvador
Cc:
Signed-off-by: Andrew Morton
--- mm/vmscan.c | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/mm/vmscan.c~mm-vmscan-fix-hwpoisoned-large-folio-handling-in-shrink_folio_list +++ a/mm/vmscan.c @@ -1138,6 +1138,14 @@ retry: goto keep; if (folio_contain_hwpoisoned_page(folio)) { + /* + * unmap_poisoned_folio() can't handle large + * folio, just skip it. memory_failure() will + * handle it if the UCE is triggered again. + */ + if (folio_test_large(folio)) + goto keep_locked; + unmap_poisoned_folio(folio, folio_pfn(folio), false); folio_unlock(folio); folio_put(folio); _
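
Review bot: the comment added above unmap_poisoned_folio() in mm/memory-failure.c states a caller contract (no large folio except hugetlb) that nothing in the lines shown enforces, so a future caller that misses it gets the same null-ptr deref of pvmw.pte that the changelog describes. Consider backing the comment with a debug assertion at the top of the function, for example VM_WARN_ON_ONCE_FOLIO(folio_test_large(folio) && !folio_test_hugetlb(folio), folio), and naming the failure mode in the comment rather than only "can't handle it". Minor wording: "isn't large folio" should read "isn't a large folio".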
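
Review bot: the check added in the mm/vmscan.c hunk, if (folio_test_large(folio)) goto keep_locked;, is wider than the contract documented on unmap_poisoned_folio(), which exempts hugetlb, and its comment does not explain why the folio takes keep_locked instead of the folio_unlock()/folio_put() path used just below for the small-folio case. Extend the comment to say that the skipped folio stays where reclaim found it and is left mapped until memory_failure() deals with it, and, if hugetlb folios can never reach this point in shrink_folio_list(), say so, so that the two comments do not appear to disagree.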