From: SeongJae Park <sj@kernel.org>
To: sashiko-bot@kernel.org
Cc: SeongJae Park <sj@kernel.org>, damon@lists.linux.dev
Subject: Re: [RFC PATCH] mm/damon/ops-common: call folio_test_lru() after folio_get()
Date: Sat, 23 May 2026 13:26:07 -0700 [thread overview]
Message-ID: <20260523202608.99529-1-sj@kernel.org> (raw)
In-Reply-To: <20260523195707.6CB2C1F000E9@smtp.kernel.org>
On Sat, 23 May 2026 19:57:06 +0000 sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> - [High] Speculative folio flag access occurs before pointer re-validation, triggering VM_BUG_ON_PGFLAGS() on tail pages.
> --
>
> commit 119755fb3390d2b7d6c7f2278054cc95e95531c6
> Author: SeongJae Park <sj@kernel.org>
>
> mm/damon/ops-common: call folio_test_lru() after folio_get()
>
> This patch attempts to fix a potential VM_BUG_ON_PGFLAGS crash by removing
> the speculative LRU flag check before trying to get a reference in
> damon_get_folio(). It moves the LRU check after a successful try_get.
>
> Link: https://lore.kernel.org/20260517234112.89245-1-sj@kernel.org
>
> > diff --git a/mm/damon/ops-common.c b/mm/damon/ops-common.c
> > index 3a0ddc3ac7196..d3404615f9b75 100644
> > --- a/mm/damon/ops-common.c
> > +++ b/mm/damon/ops-common.c
> > @@ -32,9 +32,9 @@ struct folio *damon_get_folio(unsigned long pfn)
> > return NULL;
> >
> > folio = page_folio(page);
> > - if (!folio_test_lru(folio) || !folio_try_get(folio))
> > + if (!folio_try_get(folio))
> > return NULL;
> > - if (unlikely(page_folio(page) != folio || !folio_test_lru(folio))) {
> > + if (!folio_test_lru(folio) || unlikely(page_folio(page) != folio)) {
>
> [Severity: High]
> Does this sequence reintroduce the same bug the patch intends to fix?
>
> By placing the LRU flag check before the pointer re-validation, C
> short-circuit evaluation will evaluate the LRU flag first.
>
> If the page was concurrently freed and reallocated as a tail page,
> folio_try_get() might still succeed.
> Evaluating the LRU flag on this
> unvalidated tail page will trigger the VM_BUG_ON_PGFLAGS() in
> const_folio_flags().
>
> Should the pointer re-validation happen before accessing any folio flags in
> PFN scanners?
I was initially assume folio_try_get() will always return a valid folio. But I
find no code to avoid Sashiko's theory in folio_try_get().
So, I think Sashiko is correct. I will drop the above line change on the next
revision.
Thanks,
SJ
[...]
next prev parent reply other threads:[~2026-05-23 20:26 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-23 19:41 [RFC PATCH] mm/damon/ops-common: call folio_test_lru() after folio_get() SeongJae Park
2026-05-23 19:57 ` sashiko-bot
2026-05-23 20:26 ` SeongJae Park [this message]
2026-05-23 20:31 ` SeongJae Park
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260523202608.99529-1-sj@kernel.org \
--to=sj@kernel.org \
--cc=damon@lists.linux.dev \
--cc=sashiko-bot@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.