From: David Hildenbrand <david@redhat.com>
Date: Mon, 26 May 2025 14:41:49 +0200
Subject: Re: [PATCH] mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios
To: yangge1116@126.com, akpm@linux-foundation.org
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, 21cnbao@gmail.com, baolin.wang@linux.alibaba.com, muchun.song@linux.dev, osalvador@suse.de, liuzixing@hygon.cn
References: <1747884137-26685-1-git-send-email-yangge1116@126.com>
In-Reply-To: <1747884137-26685-1-git-send-email-yangge1116@126.com>
Organization: Red Hat

On 22.05.25 05:22, yangge1116@126.com wrote:
> From: Ge Yang
> 
> A kernel crash was observed when replacing free hugetlb folios:
> 
> BUG: kernel NULL pointer dereference, address: 0000000000000028
> PGD 0 P4D 0
> Oops: Oops: 0000 [#1] SMP NOPTI
> CPU: 28 UID: 0 PID: 29639 Comm: test_cma.sh Tainted 6.15.0-rc6-zp #41 PREEMPT(voluntary)
> RIP: 0010:alloc_and_dissolve_hugetlb_folio+0x1d/0x1f0
> RSP: 0018:ffffc9000b30fa90 EFLAGS: 00010286
> RAX: 0000000000000000 RBX: 0000000000342cca RCX: ffffea0043000000
> RDX: ffffc9000b30fb08 RSI: ffffea0043000000 RDI: 0000000000000000
> RBP: ffffc9000b30fb20 R08: 0000000000001000 R09: 0000000000000000
> R10: ffff88886f92eb00 R11: 0000000000000000 R12: ffffea0043000000
> R13: 0000000000000000 R14: 00000000010c0200 R15: 0000000000000004
> FS:  00007fcda5f14740(0000) GS:ffff8888ec1d8000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000028 CR3: 0000000391402000 CR4: 0000000000350ef0
> Call Trace:
> 
>  replace_free_hugepage_folios+0xb6/0x100
>  alloc_contig_range_noprof+0x18a/0x590
>  ? srso_return_thunk+0x5/0x5f
>  ? down_read+0x12/0xa0
>  ? srso_return_thunk+0x5/0x5f
>  cma_range_alloc.constprop.0+0x131/0x290
>  __cma_alloc+0xcf/0x2c0
>  cma_alloc_write+0x43/0xb0
>  simple_attr_write_xsigned.constprop.0.isra.0+0xb2/0x110
>  debugfs_attr_write+0x46/0x70
>  full_proxy_write+0x62/0xa0
>  vfs_write+0xf8/0x420
>  ? srso_return_thunk+0x5/0x5f
>  ? filp_flush+0x86/0xa0
>  ? srso_return_thunk+0x5/0x5f
>  ? filp_close+0x1f/0x30
>  ? srso_return_thunk+0x5/0x5f
>  ? do_dup2+0xaf/0x160
>  ? srso_return_thunk+0x5/0x5f
>  ksys_write+0x65/0xe0
>  do_syscall_64+0x64/0x170
>  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> 
> There is a potential race between __update_and_free_hugetlb_folio()
> and replace_free_hugepage_folios():
> 
> CPU1                                   CPU2
> __update_and_free_hugetlb_folio        replace_free_hugepage_folios
>                                          folio_test_hugetlb(folio)
>                                          -- It's still hugetlb folio.
> __folio_clear_hugetlb(folio)
> hugetlb_free_folio(folio)
>                                          h = folio_hstate(folio)
>                                          -- Here, h is NULL pointer
> 
> When the above race condition occurs, folio_hstate(folio) returns
> NULL, and subsequent access to this NULL pointer will cause the
> system to crash. To resolve this issue, execute folio_hstate(folio)
> under the protection of the hugetlb_lock lock, ensuring that
> folio_hstate(folio) does not return NULL.
> 
> Fixes: 04f13d241b8b ("mm: replace free hugepage folios after migration")
> Signed-off-by: Ge Yang
> Cc:
> ---
>  mm/hugetlb.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/mm/hugetlb.c b/mm/hugetlb.c
> index 3d3ca6b..6c2e007 100644
> --- a/mm/hugetlb.c
> +++ b/mm/hugetlb.c
> @@ -2924,12 +2924,20 @@ int replace_free_hugepage_folios(unsigned long start_pfn, unsigned long end_pfn)
>  
>  	while (start_pfn < end_pfn) {
>  		folio = pfn_folio(start_pfn);
> +
> +		/*
> +		 * The folio might have been dissolved from under our feet, so make sure
> +		 * to carefully check the state under the lock.
> +		 */
> +		spin_lock_irq(&hugetlb_lock);
>  		if (folio_test_hugetlb(folio)) {
>  			h = folio_hstate(folio);
>  		} else {
> +			spin_unlock_irq(&hugetlb_lock);
>  			start_pfn++;
>  			continue;
>  		}
> +		spin_unlock_irq(&hugetlb_lock);

As mentioned elsewhere, this will grab the hugetlb_lock for each and every
pfn in the range if there are no hugetlb folios (common case).

That should certainly *not* be done.

In case we see !folio_test_hugetlb(), we should just move on.

-- 
Cheers,

David / dhildenb
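Review bot: The hunk takes and drops hugetlb_lock for every pfn in the range, including the common case where pfn_folio() returns a folio that is not a hugetlb folio at all, so the previously lock-free skip path now costs a spin_lock_irq()/spin_unlock_irq() pair per page. Keep the existing lockless `if (folio_test_hugetlb(folio))` as the first test and take hugetlb_lock only once it succeeds, then re-check folio_test_hugetlb() under the lock before calling folio_hstate(); that still closes the dissolve race the comment describes while leaving the non-hugetlb fast path untouched. The duplicated `spin_unlock_irq(&hugetlb_lock);` in the else branch and again after the if/else would then collapse into a single unlock on the hugetlb path.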