From: David Hildenbrand <david@redhat.com>
To: Lance Yang <lance.yang@linux.dev>, Dev Jain <dev.jain@arm.com>,
Wei Yang <richard.weiyang@gmail.com>
Cc: linux-mm@kvack.org, lorenzo.stoakes@oracle.com,
akpm@linux-foundation.org, chengming.zhou@linux.dev,
npache@redhat.com, ryan.roberts@arm.com, xu.xin16@zte.com.cn,
baohua@kernel.org, Liam.Howlett@oracle.com, ziy@nvidia.com,
baolin.wang@linux.alibaba.com
Subject: Re: [PATCH] mm/mm_slot: make sure slot is the first element of its wrapper structure
Date: Mon, 15 Sep 2025 10:26:55 +0200 [thread overview]
Message-ID: <a5e0fd97-6215-4fb1-983f-6b2daf2f726a@redhat.com> (raw)
In-Reply-To: <e40f3eaa-7c94-49ab-bc39-e0e3ed56e163@linux.dev>
On 15.09.25 10:08, Lance Yang wrote:
>
>
> On 2025/9/15 15:56, David Hildenbrand wrote:
>> On 14.09.25 09:29, Dev Jain wrote:
>>>
>>> On 14/09/25 12:33 pm, Lance Yang wrote:
>>>>
>>>>
>>>> On 2025/9/14 14:21, Dev Jain wrote:
>>>>>
>>>>> On 14/09/25 5:30 am, Wei Yang wrote:
>>>>>> When using mm_slot in ksm/khugepaged, there is code snip like:
>>>>>>
>>>>>> slot = mm_slot_lookup(mm_slots_hash, mm);
>>>>>> mm_slot = mm_slot_entry(slot, struct ksm_mm_slot, slot);
>>>>>> if (mm_slot && ..) {
>>>>>> }
>>>>>>
>>>>>> This is only valid when mm_slot is the first element of its wrapper
>>>>>> structure, otherwise a NULL slot would converted to a mm_slot with
>>>>>> negative value. And current code thinks it is valid and continue.
>>>>>
>>>>> Shouldn't you fix the code for the case when you can't find the slot
>>>>> in the hashtable, i.e slot == NULL? Like, if (!slot) return.
>>>>
>>>> Right. For khugepaged specifically, the slot == NULL case in
>>>> __khugepaged_exit() (only user of mm_slot_lookup) should probably
>>>> be treated as a kernel BUG for new.
>>>>
>>>> But I'm not sure if the same logic applies to KSM ;)
>>>
>>> I haven't seen the KSM analogue, but restricting the position of an
>>> element
>>>
>>> in a struct to make the code work should imply that the code is wrong in
>>>
>>> the first place :)
>>
>> I agree. If mm_slot_lookup() returns NULL we just just handle that
>> cleanly like
>>
>> diff --git a/mm/khugepaged.c b/mm/khugepaged.c
>> index 6b40bdfd224c3..70a32d59d7d2f 100644
>> --- a/mm/khugepaged.c
>> +++ b/mm/khugepaged.c
>> @@ -488,11 +488,13 @@ void __khugepaged_exit(struct mm_struct *mm)
>>
>> spin_lock(&khugepaged_mm_lock);
>> slot = mm_slot_lookup(mm_slots_hash, mm);
>> - mm_slot = mm_slot_entry(slot, struct khugepaged_mm_slot, slot);
>> - if (mm_slot && khugepaged_scan.mm_slot != mm_slot) {
>> - hash_del(&slot->hash);
>> - list_del(&slot->mm_node);
>> - free = 1;
>> + if (slot) {
>> + mm_slot = mm_slot_entry(slot, struct khugepaged_mm_slot,
>> slot);
>> + if (mm_slot && khugepaged_scan.mm_slot != mm_slot) {
>> + hash_del(&slot->hash);
>> + list_del(&slot->mm_node);
>> + free = 1;
>> + }
>> }
>> spin_unlock(&khugepaged_mm_lock);
>>
>>
>> If mm_slot_lookup() is not expected to ever return NULL, then a
>> VM_WARN_ON_ONCE
>> might be sufficient to document that this is guaranteed.
>>
>> IIUC, MMF_VM_HUGEPAGE might be set in __khugepaged_enter() in case
>>
>> (a) test_and_set_bit() succeeds
>>
>> but
>>
>> (b) mm_slot_alloc() fails
>>
>> In that case we could get NULL.
>
> Ah, good catch! We could indeed get NULL in that case ;)
>
>>
>>
>> It is rather weird to leave the flag set in case mm_slot_alloc() failed ...
>
> Perhaps the MMF_VM_HUGEPAGE flag should be cleared if mm_slot_alloc() fails?
Clearing might also be nasty with concurrent readers that expect that
it's setup.
It's all rather nasty here, because we simply swallow allocation errors
essentially and silently end up not scanning that MM through khugepaged...
--
Cheers
David / dhildenb
next prev parent reply other threads:[~2025-09-15 8:27 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-14 0:00 Wei Yang
2025-09-14 5:05 ` Lance Yang
2025-09-15 1:47 ` Wei Yang
2025-09-15 7:32 ` David Hildenbrand
2025-09-15 7:42 ` Wei Yang
2025-09-15 7:48 ` David Hildenbrand
2025-09-15 7:52 ` Wei Yang
2025-09-14 6:21 ` Dev Jain
2025-09-14 7:03 ` Lance Yang
2025-09-14 7:29 ` Dev Jain
2025-09-14 7:39 ` Lance Yang
2025-09-14 14:16 ` xu.xin16
2025-09-15 1:57 ` Wei Yang
2025-09-15 3:49 ` Dev Jain
2025-09-15 4:05 ` Dev Jain
2025-09-15 7:46 ` Wei Yang
2025-09-15 7:57 ` David Hildenbrand
2025-09-15 7:56 ` David Hildenbrand
2025-09-15 8:08 ` Lance Yang
2025-09-15 8:26 ` David Hildenbrand [this message]
2025-09-15 8:11 ` Dev Jain
2025-09-15 8:25 ` David Hildenbrand
2025-09-15 9:07 ` Wei Yang
2025-09-15 9:15 ` Wei Yang
2025-09-15 9:39 ` Kiryl Shutsemau
2025-09-15 13:37 ` Wei Yang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a5e0fd97-6215-4fb1-983f-6b2daf2f726a@redhat.com \
--to=david@redhat.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=baohua@kernel.org \
--cc=baolin.wang@linux.alibaba.com \
--cc=chengming.zhou@linux.dev \
--cc=dev.jain@arm.com \
--cc=lance.yang@linux.dev \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=npache@redhat.com \
--cc=richard.weiyang@gmail.com \
--cc=ryan.roberts@arm.com \
--cc=xu.xin16@zte.com.cn \
--cc=ziy@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox