linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed
From: Michal Hocko <mhocko@suse.com>
To: David Hildenbrand <david@redhat.com>
Cc: Jinjiang Tu <tujinjiang@huawei.com>,
	akpm@linux-foundation.org, catalin.marinas@arm.com,
	lorenzo.stoakes@oracle.com, thiago.bauermann@linaro.org,
	superman.xpt@gmail.com, christophe.leroy@csgroup.eu,
	brahmajit.xyz@gmail.com, andrii@kernel.org, avagin@gmail.com,
	baolin.wang@linux.alibaba.com, ryan.roberts@arm.com,
	hughd@google.com, rientjes@google.com, joern@logfs.org,
	linux-mm@kvack.org, wangkefeng.wang@huawei.com
Subject: Re: [PATCH] smaps: fix BUG_ON in smaps_hugetlb_range
Date: Mon, 21 Jul 2025 11:35:22 +0200	[thread overview]
Message-ID: <aH4J2jo_uTBfqYCJ@tiehlicka> (raw)
In-Reply-To: <46a22e7c-51f0-4fd0-8583-447c5e366029@redhat.com>

On Mon 21-07-25 11:29:52, David Hildenbrand wrote:
> On 21.07.25 10:14, Jinjiang Tu wrote:
> > smaps_hugetlb_range() handles the pte without holdling ptl, and may be
> > concurrenct with migration, leaing to BUG_ON in pfn_swap_entry_to_page().
> > The race is as follows.
> > 
> > smaps_hugetlb_range              migrate_pages
> >    huge_ptep_get
> >                                     remove_migration_ptes
> > 				   folio_unlock
> >    pfn_swap_entry_folio
> >      BUG_ON
> > 
> > To fix it, hold ptl lock in smaps_hugetlb_range().
> > 
> > Fixes: 25ee01a2fca0 ("mm: hugetlb: proc: add hugetlb-related fields to /proc/PID/smaps")
> > Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>
> > ---
> >   fs/proc/task_mmu.c | 6 +++++-
> >   1 file changed, 5 insertions(+), 1 deletion(-)
> > 
> > diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
> > index 751479eb128f..0102ab3aaec1 100644
> > --- a/fs/proc/task_mmu.c
> > +++ b/fs/proc/task_mmu.c
> > @@ -1020,10 +1020,13 @@ static int smaps_hugetlb_range(pte_t *pte, unsigned long hmask,
> >   {
> >   	struct mem_size_stats *mss = walk->private;
> >   	struct vm_area_struct *vma = walk->vma;
> > -	pte_t ptent = huge_ptep_get(walk->mm, addr, pte);
> >   	struct folio *folio = NULL;
> >   	bool present = false;
> > +	spinlock_t *ptl;
> > +	pte_t ptent;
> > +	ptl = huge_pte_lock(hstate_vma(vma), walk->mm, pte);
> > +	ptent = huge_ptep_get(walk->mm, addr, pte);
> >   	if (pte_present(ptent)) {
> >   		folio = page_folio(pte_page(ptent));
> >   		present = true;
> > @@ -1042,6 +1045,7 @@ static int smaps_hugetlb_range(pte_t *pte, unsigned long hmask,
> >   		else
> >   			mss->private_hugetlb += huge_page_size(hstate_vma(vma));
> >   	}
> > +	spin_unlock(ptl);
> >   	return 0;
> >   }
> >   #else
> 
> 
> Heh, I stumbled over that code many times and wondered "why don't we need
> the PTL here -- I'm  sure it's fine because otherwise we would be getting
> reports.".
> 
> In pagewalk code we only hold the vma lock -- see walk_hugetlb_range().
> 
> So I think we should just grab the PTL in all these walkers.

I believe the reason that we try to avoid taking the lock in these paths
is that they are userspace accessible and we do not want to expose them
to users. I think it would be good to try to rework the code to not
require the lock even if we get imprecise numbers. We cannot trigger any
oops of course and that is a clear bug here. Can we achieve the fix
without taking the lock?
-- 
Michal Hocko
SUSE Labs


  reply	other threads:[~2025-07-21  9:35 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-07-21  8:14 [PATCH] smaps: fix BUG_ON in smaps_hugetlb_range Jinjiang Tu
2025-07-21  9:11 ` Dev Jain
2025-07-21 11:02   ` Jinjiang Tu
2025-07-21  9:29 ` David Hildenbrand
2025-07-21  9:35   ` Michal Hocko [this message]
2025-07-21  9:41     ` David Hildenbrand
2025-07-21  9:51       ` Michal Hocko
2025-07-21 11:00   ` Jinjiang Tu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aH4J2jo_uTBfqYCJ@tiehlicka \
    --to=mhocko@suse.com \
    --cc=akpm@linux-foundation.org \
    --cc=andrii@kernel.org \
    --cc=avagin@gmail.com \
    --cc=baolin.wang@linux.alibaba.com \
    --cc=brahmajit.xyz@gmail.com \
    --cc=catalin.marinas@arm.com \
    --cc=christophe.leroy@csgroup.eu \
    --cc=david@redhat.com \
    --cc=hughd@google.com \
    --cc=joern@logfs.org \
    --cc=linux-mm@kvack.org \
    --cc=lorenzo.stoakes@oracle.com \
    --cc=rientjes@google.com \
    --cc=ryan.roberts@arm.com \
    --cc=superman.xpt@gmail.com \
    --cc=thiago.bauermann@linaro.org \
    --cc=tujinjiang@huawei.com \
    --cc=wangkefeng.wang@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).