[PATCH] mm/migrate_device: document folio_get requirement before frozen PMD split

public inbox for linux-mm@kvack.org
 help / color / mirror / Atom feed

* [PATCH] mm/migrate_device: document folio_get requirement before frozen PMD split
@ 2026-03-06 10:44 Usama Arif
  2026-03-06 12:18 ` Zi Yan
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Usama Arif @ 2026-03-06 10:44 UTC (permalink / raw)
  To: Andrew Morton, npache, david, ziy, linux-mm, mpenttil, balbirs
  Cc: matthew.brost, joshua.hahnjy, hannes, rakie.kim, byungchul,
	gourry, ying.huang, apopple, riel, shakeel.butt, kas,
	linux-kernel, kernel-team, Usama Arif

split_huge_pmd_address() with freeze=true splits a PMD migration entry
into PTE migration entries, consuming one folio reference in the
process.  The folio_get() before it provides this reference.

Add a comment explaining this relationship and a VM_WARN_ON_ONCE to
catch an unexpected refcount != 1 entry state.

Suggested-by: Zi Yan <ziy@nvidia.com>
Signed-off-by: Usama Arif <usama.arif@linux.dev>
---
 mm/migrate_device.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/mm/migrate_device.c b/mm/migrate_device.c
index 78c7acf024615..6fa2878848a7e 100644
--- a/mm/migrate_device.c
+++ b/mm/migrate_device.c
@@ -908,6 +908,11 @@ static int migrate_vma_split_unmapped_folio(struct migrate_vma *migrate,
 	unsigned long flags;
 	int ret = 0;
 
+	VM_WARN_ON_ONCE(folio_ref_count(folio) != 1);
+	/*
+	 * take a reference, since split_huge_pmd_address() with freeze = true
+	 * drops a reference at the end.
+	 */
 	folio_get(folio);
 	split_huge_pmd_address(migrate->vma, addr, true);
 	ret = folio_split_unmapped(folio, 0);
-- 
2.47.3



^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH] mm/migrate_device: document folio_get requirement before frozen PMD split
  2026-03-06 10:44 [PATCH] mm/migrate_device: document folio_get requirement before frozen PMD split Usama Arif
@ 2026-03-06 12:18 ` Zi Yan
  2026-03-09 15:11 ` Nico Pache
  2026-03-09 15:18 ` David Hildenbrand (Arm)
  2 siblings, 0 replies; 6+ messages in thread
From: Zi Yan @ 2026-03-06 12:18 UTC (permalink / raw)
  To: Usama Arif
  Cc: Andrew Morton, npache, david, linux-mm, mpenttil, balbirs,
	matthew.brost, joshua.hahnjy, hannes, rakie.kim, byungchul,
	gourry, ying.huang, apopple, riel, shakeel.butt, kas,
	linux-kernel, kernel-team

On 6 Mar 2026, at 5:44, Usama Arif wrote:

> split_huge_pmd_address() with freeze=true splits a PMD migration entry
> into PTE migration entries, consuming one folio reference in the
> process.  The folio_get() before it provides this reference.
>
> Add a comment explaining this relationship and a VM_WARN_ON_ONCE to
> catch an unexpected refcount != 1 entry state.
>
> Suggested-by: Zi Yan <ziy@nvidia.com>
> Signed-off-by: Usama Arif <usama.arif@linux.dev>
> ---
>  mm/migrate_device.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
Thanks for fixing the logic in my suggestion,

Reviewed-by: Zi Yan <ziy@nvidia.com>

Best Regards,
Yan, Zi


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] mm/migrate_device: document folio_get requirement before frozen PMD split
  2026-03-06 10:44 [PATCH] mm/migrate_device: document folio_get requirement before frozen PMD split Usama Arif
  2026-03-06 12:18 ` Zi Yan
@ 2026-03-09 15:11 ` Nico Pache
  2026-03-09 15:18 ` David Hildenbrand (Arm)
  2 siblings, 0 replies; 6+ messages in thread
From: Nico Pache @ 2026-03-09 15:11 UTC (permalink / raw)
  To: Usama Arif
  Cc: Andrew Morton, david, ziy, linux-mm, mpenttil, balbirs,
	matthew.brost, joshua.hahnjy, hannes, rakie.kim, byungchul,
	gourry, ying.huang, apopple, riel, shakeel.butt, kas,
	linux-kernel, kernel-team

On Fri, Mar 6, 2026 at 3:44 AM Usama Arif <usama.arif@linux.dev> wrote:
>
> split_huge_pmd_address() with freeze=true splits a PMD migration entry
> into PTE migration entries, consuming one folio reference in the
> process.  The folio_get() before it provides this reference.
>
> Add a comment explaining this relationship and a VM_WARN_ON_ONCE to
> catch an unexpected refcount != 1 entry state.
>
> Suggested-by: Zi Yan <ziy@nvidia.com>
> Signed-off-by: Usama Arif <usama.arif@linux.dev>

LGTM! Thank you for investigating my concerns about this. I'm glad you
found the proper answer.

Reviewed-by: Nico Pache <npache@redhat.com>

> ---
>  mm/migrate_device.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/mm/migrate_device.c b/mm/migrate_device.c
> index 78c7acf024615..6fa2878848a7e 100644
> --- a/mm/migrate_device.c
> +++ b/mm/migrate_device.c
> @@ -908,6 +908,11 @@ static int migrate_vma_split_unmapped_folio(struct migrate_vma *migrate,
>         unsigned long flags;
>         int ret = 0;
>
> +       VM_WARN_ON_ONCE(folio_ref_count(folio) != 1);
> +       /*
> +        * take a reference, since split_huge_pmd_address() with freeze = true
> +        * drops a reference at the end.
> +        */
>         folio_get(folio);
>         split_huge_pmd_address(migrate->vma, addr, true);
>         ret = folio_split_unmapped(folio, 0);
> --
> 2.47.3
>



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] mm/migrate_device: document folio_get requirement before frozen PMD split
  2026-03-06 10:44 [PATCH] mm/migrate_device: document folio_get requirement before frozen PMD split Usama Arif
  2026-03-06 12:18 ` Zi Yan
  2026-03-09 15:11 ` Nico Pache
@ 2026-03-09 15:18 ` David Hildenbrand (Arm)
  2026-03-09 19:11   ` Usama Arif
  2 siblings, 1 reply; 6+ messages in thread
From: David Hildenbrand (Arm) @ 2026-03-09 15:18 UTC (permalink / raw)
  To: Usama Arif, Andrew Morton, npache, ziy, linux-mm, mpenttil,
	balbirs
  Cc: matthew.brost, joshua.hahnjy, hannes, rakie.kim, byungchul,
	gourry, ying.huang, apopple, riel, shakeel.butt, kas,
	linux-kernel, kernel-team

On 3/6/26 11:44, Usama Arif wrote:
> split_huge_pmd_address() with freeze=true splits a PMD migration entry
> into PTE migration entries, consuming one folio reference in the
> process.  The folio_get() before it provides this reference.
> 
> Add a comment explaining this relationship and a VM_WARN_ON_ONCE to
> catch an unexpected refcount != 1 entry state.
> 
> Suggested-by: Zi Yan <ziy@nvidia.com>
> Signed-off-by: Usama Arif <usama.arif@linux.dev>
> ---
>  mm/migrate_device.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/mm/migrate_device.c b/mm/migrate_device.c
> index 78c7acf024615..6fa2878848a7e 100644
> --- a/mm/migrate_device.c
> +++ b/mm/migrate_device.c
> @@ -908,6 +908,11 @@ static int migrate_vma_split_unmapped_folio(struct migrate_vma *migrate,
>  	unsigned long flags;
>  	int ret = 0;
>  
> +	VM_WARN_ON_ONCE(folio_ref_count(folio) != 1);

Can't we have speculative references here? In general, asserting that
the refcount has an exact value (besides 0) is often shaky.

> +	/*
> +	 * take a reference, since split_huge_pmd_address() with freeze = true
> +	 * drops a reference at the end.
> +	 */
>  	folio_get(folio);
>  	split_huge_pmd_address(migrate->vma, addr, true);
>  	ret = folio_split_unmapped(folio, 0);


-- 
Cheers,

David


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] mm/migrate_device: document folio_get requirement before frozen PMD split
  2026-03-09 15:18 ` David Hildenbrand (Arm)
@ 2026-03-09 19:11   ` Usama Arif
  2026-03-09 20:22     ` David Hildenbrand (Arm)
  0 siblings, 1 reply; 6+ messages in thread
From: Usama Arif @ 2026-03-09 19:11 UTC (permalink / raw)
  To: David Hildenbrand (Arm), Andrew Morton, npache, ziy, linux-mm,
	mpenttil, balbirs
  Cc: matthew.brost, joshua.hahnjy, hannes, rakie.kim, byungchul,
	gourry, ying.huang, apopple, riel, shakeel.butt, kas,
	linux-kernel, kernel-team



On 09/03/2026 18:18, David Hildenbrand (Arm) wrote:
> On 3/6/26 11:44, Usama Arif wrote:
>> split_huge_pmd_address() with freeze=true splits a PMD migration entry
>> into PTE migration entries, consuming one folio reference in the
>> process.  The folio_get() before it provides this reference.
>>
>> Add a comment explaining this relationship and a VM_WARN_ON_ONCE to
>> catch an unexpected refcount != 1 entry state.
>>
>> Suggested-by: Zi Yan <ziy@nvidia.com>
>> Signed-off-by: Usama Arif <usama.arif@linux.dev>
>> ---
>>  mm/migrate_device.c | 5 +++++
>>  1 file changed, 5 insertions(+)
>>
>> diff --git a/mm/migrate_device.c b/mm/migrate_device.c
>> index 78c7acf024615..6fa2878848a7e 100644
>> --- a/mm/migrate_device.c
>> +++ b/mm/migrate_device.c
>> @@ -908,6 +908,11 @@ static int migrate_vma_split_unmapped_folio(struct migrate_vma *migrate,
>>  	unsigned long flags;
>>  	int ret = 0;
>>  
>> +	VM_WARN_ON_ONCE(folio_ref_count(folio) != 1);
> 
> Can't we have speculative references here? In general, asserting that
> the refcount has an exact value (besides 0) is often shaky.


I hope not at this point in code.

At this point, the folio is locked and unmapped (both done in migrate_vma_collect_huge_pmd()),
and the present PMD was set to migration entry. It is isolated from LRU in
migrate_device_unmap(). So the folio should not be visible to GUP or reclaim/compaction.
Only anon, non-swapcache folios should reach here. So it won't run into any folio_try_get
in page cache or swap cache.

The folio_get() done in migrate_vma_split_unmapped_folio() is consumed by
split_huge_pmd_address(), and folio_split_unmapped() expects a folio_reference
of 1 after this [1].

If its not considered good to assert a non zero refcount value, I can change the
warning to a comment, but I think refcount should be 1 at this point, otherwise
folio_split_unmapped will fail.

[1] https://elixir.bootlin.com/linux/v6.19.6/source/mm/huge_memory.c#L4137

> 
>> +	/*
>> +	 * take a reference, since split_huge_pmd_address() with freeze = true
>> +	 * drops a reference at the end.
>> +	 */
>>  	folio_get(folio);
>>  	split_huge_pmd_address(migrate->vma, addr, true);
>>  	ret = folio_split_unmapped(folio, 0);
> 
> 



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] mm/migrate_device: document folio_get requirement before frozen PMD split
  2026-03-09 19:11   ` Usama Arif
@ 2026-03-09 20:22     ` David Hildenbrand (Arm)
  0 siblings, 0 replies; 6+ messages in thread
From: David Hildenbrand (Arm) @ 2026-03-09 20:22 UTC (permalink / raw)
  To: Usama Arif, Andrew Morton, npache, ziy, linux-mm, mpenttil,
	balbirs
  Cc: matthew.brost, joshua.hahnjy, hannes, rakie.kim, byungchul,
	gourry, ying.huang, apopple, riel, shakeel.butt, kas,
	linux-kernel, kernel-team

On 3/9/26 20:11, Usama Arif wrote:
> 
> 
> On 09/03/2026 18:18, David Hildenbrand (Arm) wrote:
>> On 3/6/26 11:44, Usama Arif wrote:
>>> split_huge_pmd_address() with freeze=true splits a PMD migration entry
>>> into PTE migration entries, consuming one folio reference in the
>>> process.  The folio_get() before it provides this reference.
>>>
>>> Add a comment explaining this relationship and a VM_WARN_ON_ONCE to
>>> catch an unexpected refcount != 1 entry state.
>>>
>>> Suggested-by: Zi Yan <ziy@nvidia.com>
>>> Signed-off-by: Usama Arif <usama.arif@linux.dev>
>>> ---
>>>  mm/migrate_device.c | 5 +++++
>>>  1 file changed, 5 insertions(+)
>>>
>>> diff --git a/mm/migrate_device.c b/mm/migrate_device.c
>>> index 78c7acf024615..6fa2878848a7e 100644
>>> --- a/mm/migrate_device.c
>>> +++ b/mm/migrate_device.c
>>> @@ -908,6 +908,11 @@ static int migrate_vma_split_unmapped_folio(struct migrate_vma *migrate,
>>>  	unsigned long flags;
>>>  	int ret = 0;
>>>  
>>> +	VM_WARN_ON_ONCE(folio_ref_count(folio) != 1);
>>
>> Can't we have speculative references here? In general, asserting that
>> the refcount has an exact value (besides 0) is often shaky.
> 
> 
> I hope not at this point in code.
> 
> At this point, the folio is locked and unmapped (both done in migrate_vma_collect_huge_pmd()),
> and the present PMD was set to migration entry. It is isolated from LRU in
> migrate_device_unmap(). So the folio should not be visible to GUP or reclaim/compaction.
> Only anon, non-swapcache folios should reach here. So it won't run into any folio_try_get
> in page cache or swap cache.

We have other pfn walkers that can just temporary grab a reference, to
immediately back off. So it's not very reliable to depend on that.

> 
> The folio_get() done in migrate_vma_split_unmapped_folio() is consumed by
> split_huge_pmd_address(), and folio_split_unmapped() expects a folio_reference
> of 1 after this [1].
> 
> If its not considered good to assert a non zero refcount value, I can change the
> warning to a comment, but I think refcount should be 1 at this point, otherwise
> folio_split_unmapped will fail.

Well, yes. folio_split_unmapped() will handle this gracefully (as
documented), without triggering a warning.

So best to remove the VM_WARN_ON_ONCE().

-- 
Cheers,

David


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2026-03-09 20:23 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-06 10:44 [PATCH] mm/migrate_device: document folio_get requirement before frozen PMD split Usama Arif
2026-03-06 12:18 ` Zi Yan
2026-03-09 15:11 ` Nico Pache
2026-03-09 15:18 ` David Hildenbrand (Arm)
2026-03-09 19:11   ` Usama Arif
2026-03-09 20:22     ` David Hildenbrand (Arm)

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox