Date: Tue, 27 May 2025 14:25:52 +0800
Subject: Re: [PATCH V3 1/2] mm/khugepaged: fix race with folio split/free using temporary reference
To: Shivank Garg, akpm@linux-foundation.org, david@redhat.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc: ziy@nvidia.com, lorenzo.stoakes@oracle.com, Liam.Howlett@oracle.com, npache@redhat.com, ryan.roberts@arm.com, dev.jain@arm.com, fengwei.yin@intel.com, bharata@amd.com, syzbot+2b99589e33edbe9475ca@syzkaller.appspotmail.com
From: Baolin Wang
References: <20250526182818.37978-1-shivankg@amd.com>
In-Reply-To: <20250526182818.37978-1-shivankg@amd.com>

On 2025/5/27 02:28, Shivank Garg wrote:
> hpage_collapse_scan_file() calls is_refcount_suitable(), which in turn
> calls folio_mapcount(). folio_mapcount() checks folio_test_large() before
> proceeding to folio_large_mapcount(), but there is a race window where the
> folio may get split/freed between these checks, triggering:
>
> VM_WARN_ON_FOLIO(!folio_test_large(folio), folio)
>
> Take a temporary reference to the folio in hpage_collapse_scan_file().
> This stabilizes the folio during refcount check and prevents incorrect
> large folio detection due to concurrent split/free. Use helper
> folio_expected_ref_count() + 1 to compare with folio_ref_count()
> instead of using is_refcount_suitable().
>
> Fixes: 05c5323b2a34 ("mm: track mapcount of large folios in single value")
> Reported-by: syzbot+2b99589e33edbe9475ca@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/6828470d.a70a0220.38f255.000c.GAE@google.com
> Suggested-by: David Hildenbrand
> Acked-by: David Hildenbrand
> Signed-off-by: Shivank Garg

LGTM.
Reviewed-by: Baolin Wang
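
A userspace model of the pattern the quoted commit message describes (take a temporary reference, then compare the count against expected + 1), added here as an example; it is not the kernel patch and not code from this thread. The names model_folio, model_try_get, model_expected_refs and model_scan are hypothetical, and the reference accounting is simplified to page-cache plus mapping references.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of a refcounted folio; every name here is hypothetical. */
struct model_folio {
    atomic_int refcount; /* 0 means the object has already been freed */
    int nr_pages;        /* the page cache holds one reference per page */
    int mapcount;        /* each page-table mapping holds one reference */
};

enum scan_result { SCAN_SUITABLE, SCAN_EXTRA_REFS, SCAN_GONE };

/* Take a reference only while the object is still live (count != 0). */
static bool model_try_get(struct model_folio *f)
{
    int old = atomic_load(&f->refcount);
    while (old != 0)
        if (atomic_compare_exchange_weak(&f->refcount, &old, old + 1))
            return true;
    return false;
}

/* References the scanner can account for: page cache plus mappings. */
static int model_expected_refs(const struct model_folio *f)
{
    return f->nr_pages + f->mapcount;
}

enum scan_result model_scan(struct model_folio *f)
{
    enum scan_result res;

    if (!model_try_get(f))
        return SCAN_GONE; /* freed before we got here: skip it */
    /* Our reference keeps the count above zero while the fields are read. */
    res = atomic_load(&f->refcount) == model_expected_refs(f) + 1
              ? SCAN_SUITABLE : SCAN_EXTRA_REFS;
    atomic_fetch_sub(&f->refcount, 1); /* drop the temporary reference */
    return res;
}

int main(void)
{
    struct model_folio f = { .nr_pages = 1, .mapcount = 2 };
    atomic_init(&f.refcount, 4); /* constructed: one unaccounted pin */
    printf("%d\n", model_scan(&f));
    return 0;
}
```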