From: Lance Yang <lance.yang@linux.dev>
To: Baolin Wang <baolin.wang@linux.alibaba.com>,
Pedro Falcato <pfalcato@suse.de>
Cc: "Liam R. Howlett" <liam@infradead.org>,
Nico Pache <npache@redhat.com>,
Ryan Roberts <ryan.roberts@arm.com>, Dev Jain <dev.jain@arm.com>,
Barry Song <baohua@kernel.org>,
linux-mm@kvack.org, Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
stable@vger.kernel.org, Alexander Viro <viro@zeniv.linux.org.uk>,
Lorenzo Stoakes <ljs@kernel.org>,
Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
Matthew Wilcox <willy@infradead.org>, Song Liu <song@kernel.org>,
Eric Hagberg <ehagberg@janestreet.com>, Zi Yan <ziy@nvidia.com>,
Gregg Leventhal <gleventhal@janestreet.com>,
David Hildenbrand <david@kernel.org>
Subject: Re: [PATCH stable] mm/khugepaged: write all dirty file folios when collapsing
Date: Fri, 3 Jul 2026 16:45:34 +0800
Message-ID: <6a547571-e60e-4b36-9968-011e3d880588@linux.dev>
In-Reply-To: <110e92b2-f7a6-487a-94a2-25ef1242afb7@linux.alibaba.com>

On 2026/7/3 11:49, Baolin Wang wrote:
>
>
> On 7/3/26 12:54 AM, Pedro Falcato wrote:
>> As-is, khugepaged and writable-file opening exclude each other. A file
>> cannot be open writeable and have THPs (because the filesystem is not
>> aware of them). khugepaged will never collapse file pages for files that are
>> opened writeable. On an open(O_RDWR/O_WRONLY), the page cache for that
>> particular file is dropped. This is fine because nothing could've been
>> dirtied.
>>
>> However, there is an edge-case: collapse_file() might not be able to
>> coexist with concurrent writers, but it can coexist with dirty folios
>> (from previous writers). Therefore, the following can happen:
>>
>> open(file, O_RDWR)
>> write(file)
>> close(file)
>> madvise(file_mapping, MADV_COLLAPSE, some non-dirty range)
>> open(file, O_RDWR)
>>   nr_thps > 0
>>     truncate_inode_pages()
>>     /* THPs are cleared out, but so are the dirty folios */
>>
>> When this edge-case happens, there is data loss, as the dirty folios are
>> fully discarded.
>>
>> Fix it by fully writing back the page cache (and waiting) when collapsing
>> file THPs. Doing so provides the guarantee that no dirty folio will be
>> observed while there are active THPs. To fully ensure this is safe, the
>> invalidate_lock needs to be held while doing the writeout, so that
>> do_dentry_open()'s page cache truncation excludes this write-and-wait.
>
> Thanks for explaining the race, and it looks reasonable to me. One nit
> below.
>
>> Cc: stable@vger.kernel.org
>> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
>> Cc: Christian Brauner <brauner@kernel.org>
>> Cc: Jan Kara <jack@suse.cz>
>> Cc: Matthew Wilcox <willy@infradead.org>
>> Cc: Song Liu <song@kernel.org>
>> Cc: Eric Hagberg <ehagberg@janestreet.com>
>> Cc: Zi Yan <ziy@nvidia.com>
>> Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS")
>> Reported-by: Gregg Leventhal <gleventhal@janestreet.com>
>> Closes: https://lore.kernel.org/linux-mm/CAFN_u7H_0ECF3jixP=T=U7AH5=Q3wQNvJMo8an3VqUDMerQfUw@mail.gmail.com/
>> Tested-by: Zi Yan <ziy@nvidia.com>
>> Signed-off-by: Pedro Falcato <pfalcato@suse.de>
>> ---
>> This patch is written against 7.1.0 (because the code no longer exists
>> in mainline).
>>
>> Zi, I kept your Tested-by, but I had to move some things around and
>> use the invalidate lock. Please re-test if you can.
>>
>> mm/khugepaged.c | 39 +++++++++++++++++++++++++--------------
>> 1 file changed, 25 insertions(+), 14 deletions(-)
>>
>> diff --git a/mm/khugepaged.c b/mm/khugepaged.c
>> index b8452dbdb043..0707d719a270 100644
>> --- a/mm/khugepaged.c
>> +++ b/mm/khugepaged.c
>> @@ -2094,32 +2094,43 @@ static enum scan_result collapse_file(struct
>> mm_struct *mm, unsigned long addr,
>> goto xa_unlocked;
>> }
>> - if (!is_shmem) {
>> +xa_locked:
>> + xas_unlock_irq(&xas);
>> +xa_unlocked:
>> +
>> + /*
>> + * If collapse is successful, flush must be done now before copying.
>> + * If collapse is unsuccessful, does flush actually need to be done?
>> + * Do it anyway, to clear the state.
>> + */
>> + try_to_unmap_flush();
>> +
>> + if (result == SCAN_SUCCEED && !is_shmem) {
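
Review bot: the `if (result == SCAN_SUCCEED && !is_shmem)` check now sits below the `xa_locked:` and `xa_unlocked:` labels, so every failure path that jumps to those labels reaches it, and only the `result == SCAN_SUCCEED` test keeps them out of the writeback. A short comment above the `if` should say that the block has to run with the xarray lock dropped and under the invalidate_lock, as the commit message requires, so the ordering is not undone by a later cleanup. The quoted hunk stops at the condition, so the body also needs checking that a failed write-and-wait sets `result` to a failure code rather than letting the collapse continue.
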
>
> Actually, the operations below are only for those mappings that do not
> support large folios. For mappings with large folio support,
> filemap_nr_thps() always returns 0, so the race described in the commit
> message won't happen. We can add mapping_large_folio_support() here to
> filter them out.
>
> if (result == SCAN_SUCCEED && !is_shmem &&
>     !mapping_large_folio_support(mapping)) {
>
Right! nr_thps only gets updated when !mapping_large_folio_support(mapping).
For mappings that do support large folios, writable open won't see
nr_thps > 0, so no truncate_inode_pages() for that case :)