Message-ID: <69fd4e00-1b13-d5f7-1c82-705c7d977ea4@huawei.com>
Date: Fri, 11 Jul 2025 16:55:45 +0800
Subject: [PATCH v4] mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list
To: David Hildenbrand
References: <20250711021734.2362044-1-tujinjiang@huawei.com> <990715ed-f660-4b88-b850-57d6aee6ee59@redhat.com>
From: Jinjiang Tu
In-Reply-To: <990715ed-f660-4b88-b850-57d6aee6ee59@redhat.com>

In shrink_folio_list(), the hwpoisoned folio may be a large folio, which can't be handled by unmap_poisoned_folio(). For THP, try_to_unmap_one() must be passed TTU_SPLIT_HUGE_PMD to split the huge PMD first and then retry. Without TTU_SPLIT_HUGE_PMD, we will trigger a null-ptr deref of pvmw.pte. Even if we passed TTU_SPLIT_HUGE_PMD, we will trigger a WARN_ON_ONCE because the page isn't in the swapcache.

Since UCE is rare in the real world, and a race with reclamation is rarer, just skipping the hwpoisoned large folio is enough. memory_failure() will handle it if the UCE is triggered again.

Fixes: 1b0449544c64 ("mm/vmscan: don't try to reclaim hwpoison folio") Reported-by: syzbot+3b220254df55d8ca8a61@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/68412d57.050a0220.2461cf.000e.GAE@google.com/ Acked-by: David Hildenbrand Reviewed-by: Miaohe Lin Signed-off-by: Jinjiang Tu ---  mm/memory-failure.c | 4 ++++  mm/vmscan.c         | 8 ++++++++  2 files changed, 12 insertions(+) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index b91a33fb6c69..225dddff091d 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -1561,6 +1561,10 @@ static int get_hwpoison_page(struct page *p, unsigned long flags)      return ret;  } +/* + * The caller must guarantee the folio isn't large folio, except hugetlb. + * try_to_unmap() can't handle it. + */  int unmap_poisoned_folio(struct folio *folio, unsigned long pfn, bool must_kill)  {      enum ttu_flags ttu = TTU_IGNORE_MLOCK | TTU_SYNC | TTU_HWPOISON; diff --git a/mm/vmscan.c b/mm/vmscan.c index f8dfd2864bbf..424412680cfc 100644 --- a/mm/vmscan.c +++ b/mm/vmscan.c @@ -1138,6 +1138,14 @@ static unsigned int shrink_folio_list(struct list_head *folio_list,              goto keep;          if (folio_contain_hwpoisoned_page(folio)) { +            /* +             * unmap_poisoned_folio() can't handle large +             * folio, just skip it. memory_failure() will +             * handle it if the UCE is triggered again. +             */ +            if (folio_test_large(folio)) +                goto keep_locked; +              unmap_poisoned_folio(folio, folio_pfn(folio), false);              folio_unlock(folio);              folio_put(folio); -- 2.43.0
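
Review bot: In the mm/memory-failure.c hunk, the new precondition on unmap_poisoned_folio() ("The caller must guarantee the folio isn't large folio, except hugetlb") is stated only in a comment and nothing in the function enforces it. Since the commit message says a violating caller ends in a null-ptr deref of pvmw.pte, consider a debug assertion at the top of the function, for example `VM_WARN_ON_ONCE_FOLIO(folio_test_large(folio) && !folio_test_hugetlb(folio), folio);`, so a future caller that breaks the contract is caught at the call boundary. Two smaller wording points: the comment should read "isn't a large folio", and it names try_to_unmap() while the commit message attributes the limitation to try_to_unmap_one(); saying which one, and that the missing piece is the huge PMD split, would make the comment self-explanatory.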
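
Review bot: In the mm/vmscan.c hunk, the `if (folio_test_large(folio))` check and its comment treat every large folio as unsupported, while the comment added to unmap_poisoned_folio() in the same patch carves out hugetlb. Either say in this comment why the hugetlb case does not need to be considered at this call site, or make the two comments use the same wording, so the contract reads the same from both ends. It would also help to state what the skip leaves behind: unlike the small-folio path just below, which calls unmap_poisoned_folio() and then `folio_unlock()` and `folio_put()`, this branch leaves the poisoned folio untouched via `goto keep_locked`, so it stays as it was until memory_failure() handles a later UCE.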