From: David Hildenbrand <david@redhat.com>
To: Luiz Capitulino <luizcap@redhat.com>,
willy@infradead.org, akpm@linux-foundation.org
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org,
shivankg@amd.com, sj@kernel.org, harry.yoo@oracle.com
Subject: Re: [PATCH v3 3/4] proc: kpagecount: use snapshot_page()
Date: Wed, 16 Jul 2025 20:18:28 +0200
Message-ID: <fa3ddb17-ff50-42e6-9fb3-3245deb64fda@redhat.com>
In-Reply-To: <16a6a7c6-518a-4558-a8aa-698e24f2e189@redhat.com>
On 16.07.25 19:41, Luiz Capitulino wrote:
> On 2025-07-16 06:17, David Hildenbrand wrote:
>> On 14.07.25 15:16, Luiz Capitulino wrote:
>>> Currently, the call to folio_precise_page_mapcount() from kpage_read()
>>> can race with a folio split. When the race happens we trigger a
>>> VM_BUG_ON_FOLIO() in folio_entire_mapcount() (see splat below).
>>>
>>> This commit fixes this race by using snapshot_page() so that we
>>> retrieve the folio mapcount using a folio snapshot.
>>>
>>> [ 2356.558576] page: refcount:1 mapcount:1 mapping:0000000000000000 index:0xffff85200 pfn:0x6f7c00
>>> [ 2356.558748] memcg:ffff000651775780
>>> [ 2356.558763] anon flags: 0xafffff60020838(uptodate|dirty|lru|owner_2|swapbacked|node=1|zone=2|lastcpupid=0xfffff)
>>> [ 2356.558796] raw: 00afffff60020838 fffffdffdb5d0048 fffffdffdadf7fc8 ffff00064c1629c1
>>> [ 2356.558817] raw: 0000000ffff85200 0000000000000000 0000000100000000 ffff000651775780
>>> [ 2356.558839] page dumped because: VM_BUG_ON_FOLIO(!folio_test_large(folio))
>>> [ 2356.558882] ------------[ cut here ]------------
>>> [ 2356.558897] kernel BUG at ./include/linux/mm.h:1103!
>>> [ 2356.558982] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
>>> [ 2356.564729] CPU: 8 UID: 0 PID: 1864 Comm: folio-split-rac Tainted: G S W 6.15.0+ #3 PREEMPT(voluntary)
>>> [ 2356.566196] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN
>>> [ 2356.566814] Hardware name: Red Hat KVM, BIOS edk2-20241117-3.el9 11/17/2024
>>> [ 2356.567684] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
>>> [ 2356.568563] pc : kpage_read.constprop.0+0x26c/0x290
>>> [ 2356.569605] lr : kpage_read.constprop.0+0x26c/0x290
>>> [ 2356.569992] sp : ffff80008fb739b0
>>> [ 2356.570263] x29: ffff80008fb739b0 x28: ffff00064aa69580 x27: 00000000ff000000
>>> [ 2356.570842] x26: 0000fffffffffff8 x25: ffff00064aa69580 x24: ffff80008fb73ae0
>>> [ 2356.571411] x23: 0000000000000001 x22: 0000ffff86c6e8b8 x21: 0000000000000008
>>> [ 2356.571978] x20: 00000000006f7c00 x19: 0000ffff86c6e8b8 x18: 0000000000000000
>>> [ 2356.572581] x17: 3630303066666666 x16: 0000000000000003 x15: 0000000000001000
>>> [ 2356.573217] x14: 00000000ffffffff x13: 0000000000000004 x12: 00aaaaaa00aaaaaa
>>> [ 2356.577674] x11: 0000000000000000 x10: 00aaaaaa00aaaaaa x9 : ffffbf3afca6c300
>>> [ 2356.578332] x8 : 0000000000000002 x7 : 0000000000000001 x6 : 0000000000000001
>>> [ 2356.578984] x5 : ffff000c79812408 x4 : 0000000000000000 x3 : 0000000000000000
>>> [ 2356.579635] x2 : 0000000000000000 x1 : ffff00064aa69580 x0 : 000000000000003e
>>> [ 2356.580286] Call trace:
>>> [ 2356.580524] kpage_read.constprop.0+0x26c/0x290 (P)
>>> [ 2356.580982] kpagecount_read+0x28/0x40
>>> [ 2356.581336] proc_reg_read+0x38/0x100
>>> [ 2356.581681] vfs_read+0xcc/0x320
>>> [ 2356.581992] ksys_read+0x74/0x118
>>> [ 2356.582306] __arm64_sys_read+0x24/0x38
>>> [ 2356.582668] invoke_syscall+0x70/0x100
>>> [ 2356.583022] el0_svc_common.constprop.0+0x48/0xf8
>>> [ 2356.583456] do_el0_svc+0x28/0x40
>>> [ 2356.583930] el0_svc+0x38/0x118
>>> [ 2356.584328] el0t_64_sync_handler+0x144/0x168
>>> [ 2356.584883] el0t_64_sync+0x19c/0x1a0
>>> [ 2356.585350] Code: aa0103e0 9003a541 91082021 97f813fc (d4210000)
>>> [ 2356.586130] ---[ end trace 0000000000000000 ]---
>>> [ 2356.587377] note: folio-split-rac[1864] exited with irqs disabled
>>> [ 2356.588050] note: folio-split-rac[1864] exited with preempt_count 1
>>>
>>> Reported-by: syzbot+3d7dc5eaba6b932f8535@syzkaller.appspotmail.com
>>> Closes: https://lore.kernel.org/all/67812fbd.050a0220.d0267.0030.GAE@google.com/
>>> Signed-off-by: Luiz Capitulino <luizcap@redhat.com>
>>> ---
>>> fs/proc/page.c | 21 +++++++++++++++++----
>>> 1 file changed, 17 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/fs/proc/page.c b/fs/proc/page.c
>>> index 999af26c7298..936f8bbe5a6f 100644
>>> --- a/fs/proc/page.c
>>> +++ b/fs/proc/page.c
>>> @@ -43,6 +43,22 @@ static inline unsigned long get_max_dump_pfn(void)
>>> #endif
>>> }
>>> +static u64 get_kpage_count(const struct page *page)
>>> +{
>>> + struct page_snapshot ps;
>>> + u64 ret;
>>> +
>>> + snapshot_page(&ps, page);
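Review bot: the quoted hunk stops right after the snapshot_page(&ps, page) call, so the path taken when the snapshot is not faithful (the point raised in the reply below, returning a flag versus returning 0) is not visible here; whichever value get_kpage_count() reports in that case should be stated in a comment above the function, since that value is what a /proc/kpagecount reader sees for a page caught mid-split and nothing else in the hunk documents it.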
>>
>> Curious, if the snapshot is not faithful, maybe we simply want to return 0 or sth. like that?
>
> I chose the flag because it's not exactly that the snapshot failed as it
> tries to return something. But it's not a big deal to return failure
> instead.
Yeah, for this case I would just return 0. But whatever you prefer!
--
Cheers,
David / dhildenb
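The splat in the commit message shows the racy path entered from a plain read(2) on /proc/kpagecount (kpagecount_read -> kpage_read). The program below, an added example that is not part of the patch or of this thread, is the userspace side of that path: it maps one anonymous page, decodes its /proc/self/pagemap entry to a PFN, and then pread()s the 8-byte mapcount slot for that PFN from /proc/kpagecount. The helper names (pagemap_pfn, kpage_offset, read_pagemap_entry, read_kpagecount) are this example's own; the bit layout of a pagemap entry (bits 0-54 PFN, bit 63 present) is the documented one. Both /proc/kpagecount and non-zero PFNs in pagemap require CAP_SYS_ADMIN, so without privilege the helpers fail instead of reporting a meaningless value.

```c
/* Added example, not the kernel's code: read /proc/kpagecount for one of the
 * caller's own pages. Helper names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* /proc/PID/pagemap entry layout: bits 0-54 hold the PFN when bit 63
 * (present) is set. An unprivileged reader gets a zero PFN. */
#define PAGEMAP_PFN_MASK ((UINT64_C(1) << 55) - 1)
#define PAGEMAP_PRESENT  (UINT64_C(1) << 63)

/* PFN encoded in a pagemap entry, or 0 if not present / hidden. */
static uint64_t pagemap_pfn(uint64_t entry)
{
	if (!(entry & PAGEMAP_PRESENT))
		return 0;
	return entry & PAGEMAP_PFN_MASK;
}

/* Byte offset of a PFN's 8-byte slot in /proc/kpagecount. */
static off_t kpage_offset(uint64_t pfn)
{
	return (off_t)(pfn * sizeof(uint64_t));
}

/* Fetch the pagemap entry covering vaddr in the calling process.
 * Returns 0 on success, -1 with errno set on failure. */
static int read_pagemap_entry(const void *vaddr, uint64_t *entry)
{
	long page_size = sysconf(_SC_PAGESIZE);
	int fd = open("/proc/self/pagemap", O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return -1;
	off_t off = (off_t)(((uintptr_t)vaddr / (uintptr_t)page_size) * sizeof(uint64_t));
	ssize_t n = pread(fd, entry, sizeof(*entry), off);
	int saved = errno;
	close(fd);
	if (n != (ssize_t)sizeof(*entry)) {
		errno = n < 0 ? saved : EIO;
		return -1;
	}
	return 0;
}

/* The read(2) that lands in kpage_read(): one u64 mapcount per PFN.
 * Returns 0 on success, -1 with errno set on failure (EACCES unprivileged). */
static int read_kpagecount(uint64_t pfn, uint64_t *count)
{
	int fd = open("/proc/kpagecount", O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return -1;
	ssize_t n = pread(fd, count, sizeof(*count), kpage_offset(pfn));
	int saved = errno;
	close(fd);
	if (n != (ssize_t)sizeof(*count)) {
		errno = n < 0 ? saved : EIO;
		return -1;
	}
	return 0;
}

int main(void)
{
	long page_size = sysconf(_SC_PAGESIZE);
	/* One anonymous page, written to so that it is actually present. */
	char *buf = mmap(NULL, (size_t)page_size, PROT_READ | PROT_WRITE,
			 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (buf == MAP_FAILED) {
		perror("mmap");
		return 1;
	}
	buf[0] = 1;

	uint64_t entry, pfn, count;
	if (read_pagemap_entry(buf, &entry) < 0) {
		perror("pagemap");
		return 1;
	}
	pfn = pagemap_pfn(entry);
	if (pfn == 0) {
		fprintf(stderr, "PFN hidden or page not present (CAP_SYS_ADMIN needed)\n");
		return 1;
	}
	if (read_kpagecount(pfn, &count) < 0) {
		perror("kpagecount");
		return 1;
	}
	printf("vaddr %p pfn 0x%" PRIx64 " mapcount %" PRIu64 "\n",
	       (void *)buf, pfn, count);
	munmap(buf, (size_t)page_size);
	return 0;
}
```

Run it as root to see a real PFN and mapcount; as an unprivileged user it reports the hidden PFN rather than silently reading slot 0 of /proc/kpagecount. Each pread() here is exactly one trip through kpage_read(), so a loop over the PFNs of a THP-backed range while the mapping is being split elsewhere is the shape of the race the patch addresses.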
Thread overview: 18+ messages
2025-07-14 13:16 [PATCH v3 0/4] mm: introduce snapshot_page() Luiz Capitulino
2025-07-14 13:16 ` [PATCH v3 1/4] mm/memory: introduce is_huge_zero_pfn() and use it in vm_normal_page_pmd() Luiz Capitulino
2025-07-14 14:26 ` David Hildenbrand
2025-07-14 13:16 ` [PATCH v3 2/4] mm/util: introduce snapshot_page() Luiz Capitulino
2025-07-16 10:16 ` David Hildenbrand
2025-07-16 17:36 ` Luiz Capitulino
2025-07-16 18:18 ` David Hildenbrand
2025-07-16 22:19 ` Andrew Morton
2025-07-17 1:52 ` Luiz Capitulino
2025-07-17 15:54 ` Luiz Capitulino
2025-07-14 13:16 ` [PATCH v3 3/4] proc: kpagecount: use snapshot_page() Luiz Capitulino
2025-07-16 10:17 ` David Hildenbrand
2025-07-16 17:41 ` Luiz Capitulino
2025-07-16 18:18 ` David Hildenbrand [this message]
2025-07-14 13:16 ` [PATCH v3 4/4] fs: stable_page_flags(): " Luiz Capitulino
2025-07-16 10:19 ` David Hildenbrand
2025-07-14 13:55 ` [PATCH v3 0/4] mm: introduce snapshot_page() Shivank Garg
2025-07-15 22:53 ` Harry Yoo