Re: [PATCH v7 2/6] mm/memory-failure: surface unhandlable kernel pages as -ENOTRECOVERABLE

[Lance Yang <lance.yang@linux.dev>]

On Thu, May 14, 2026 at 07:37:14AM -0700, Breno Leitao wrote:
>On Thu, May 14, 2026 at 09:28:30PM +0800, Lance Yang wrote:
>> 
>> On Wed, May 13, 2026 at 08:39:33AM -0700, Breno Leitao wrote:
>> >get_any_page() collapses three different failure modes into a single
>> >-EIO return:
>> >
>> >  * the put_page race in the !count_increased path;
>> >  * the HWPoisonHandlable() rejection that bounces out of
>> >    __get_hwpoison_page() with -EBUSY and exhausts shake_page() retries;
>> >  * the HWPoisonHandlable() rejection that goes through the
>> >    count_increased / put_page / shake_page retry loop.
>> >
>> >The first is transient (the page is racing with the allocator).  The
>> >second can be either transient (a userspace folio briefly off LRU
>> >during migration/compaction) or stable (slab/vmalloc/page-table/
>> >kernel-stack pages).  The third describes a stable kernel-owned page
>> >that the count_increased=true caller already held a reference on.
>> >
>> >Distinguish them on the return path: keep -EIO for both the put_page
>> >race and the -EBUSY-after-retries branch (shake_page() cannot drag a
>> >folio back from active migration, so we cannot prove the page is
>> >permanently kernel-owned from there), keep -EBUSY for the allocation
>> >race (unchanged), and return -ENOTRECOVERABLE only from the
>> >count_increased-true HWPoisonHandlable() rejection that exhausts its
>> >retries -- the caller's reference is structural evidence that the
>> >page is owned by the kernel.
>> >
>> >Extend the unhandlable-page pr_err() to fire for either errno and
>> >update the get_hwpoison_page() kerneldoc.
>> >
>> >memory_failure() still folds every negative return into
>> >MF_MSG_GET_HWPOISON via its existing "else if (res < 0)" branch, so
>> >this patch is a no-op for users of memory_failure() and only changes
>> >the errno that soft_offline_page() can propagate to its callers.  A
>> >follow-up wires the new return code through memory_failure() and
>> >reports MF_MSG_KERNEL for the unrecoverable cases.
>> >
>> >Suggested-by: David Hildenbrand <david@kernel.org>
>> >Signed-off-by: Breno Leitao <leitao@debian.org>
>> >---
>> > mm/memory-failure.c | 18 +++++++++++++++---
>> > 1 file changed, 15 insertions(+), 3 deletions(-)
>> >
>> >diff --git a/mm/memory-failure.c b/mm/memory-failure.c
>> >index 49bcfbd04d213..bae883df3ccb2 100644
>> >--- a/mm/memory-failure.c
>> >+++ b/mm/memory-failure.c
>> >@@ -1408,6 +1408,15 @@ static int get_any_page(struct page *p, unsigned long flags)
>> > 				shake_page(p);
>> > 				goto try_again;
>> > 			}
>> >+			/*
>> >+			 * Return -EIO rather than -ENOTRECOVERABLE: this
>> >+			 * branch is also reached for pages that are merely
>> >+			 * off-LRU transiently (e.g. a folio in the middle
>> >+			 * of migration or compaction), which shake_page()
>> >+			 * cannot drag back.  The caller cannot prove the
>> >+			 * page is permanently kernel-owned from here, so
>> >+			 * keep it on the recoverable errno.
>> >+			 */
>> > 			ret = -EIO;
>> > 			goto out;
>> > 		}
>> >@@ -1427,10 +1436,10 @@ static int get_any_page(struct page *p, unsigned long flags)
>> > 			goto try_again;
>> > 		}
>> > 		put_page(p);
>> >-		ret = -EIO;
>> >+		ret = -ENOTRECOVERABLE;
>> > 	}
>> > out:
>> >-	if (ret == -EIO)
>> >+	if (ret == -EIO || ret == -ENOTRECOVERABLE)
>> > 		pr_err("%#lx: unhandlable page.\n", page_to_pfn(p));
>> > 
>> > 	return ret;
>> >@@ -1487,7 +1496,10 @@ static int __get_unpoison_page(struct page *page)
>> >  *         -EIO for pages on which we can not handle memory errors,
>> >  *         -EBUSY when get_hwpoison_page() has raced with page lifecycle
>> >  *         operations like allocation and free,
>> >- *         -EHWPOISON when the page is hwpoisoned and taken off from buddy.
>> >+ *         -EHWPOISON when the page is hwpoisoned and taken off from buddy,
>> >+ *         -ENOTRECOVERABLE for stable kernel-owned pages the handler
>> >+ *         cannot recover (PG_reserved, slab, vmalloc, page tables,
>> >+ *         kernel stacks, and similar non-LRU/non-buddy pages).
>> 
>> Did you test this patch series? I don't see how we ever get to
>> -ENOTRECOVERABLE there ...
>
>Yes, I did. I am using the following test case:

Okay.

>https://github.com/leitao/linux/commit/cfebe84ddeab5ac34ed456331db980d57e7025dc
>
>	# RUN_DESTRUCTIVE=1 tools/testing/selftests/mm/hwpoison-panic.sh
>	# enabling /proc/sys/vm/panic_on_unrecoverable_memory_failure
>	# injecting hwpoison at phys 0x2a00000 (Kernel rodata)
>	# expecting kernel panic: 'Memory failure: <pfn>: unrecoverable page'
>	[  501.113256] Memory failure: 0x2a00: recovery action for reserved kernel page: Ignored
>	[  501.113956] Kernel panic - not syncing: Memory failure: 0x2a00: unrecoverable page
>
>
>> Even with MF_COUNT_INCREASED, the first pass does:
>> 
>> 	if (flags & MF_COUNT_INCREASED)
>> 		count_increased = true;
>> 
>> 	[...]
>> 
>> 	if (PageHuge(p) || HWPoisonHandlable(p, flags)) {
>> 		ret = 1;
>> 	} else {
>> 		if (pass++ < GET_PAGE_MAX_RETRY_NUM) { <-
>> 			put_page(p);
>> 			shake_page(p);
>> 			count_increased = false;
>> 			goto try_again; <-
>> 		}
>> 		put_page(p);
>> 		ret = -ENOTRECOVERABLE;
>> 	}
>> 
>> Then we come back with count_increased=false:
>> 
>> try_again:
>> 	if (!count_increased) {
>> 		ret = __get_hwpoison_page(p, flags); <-
>> 		if (!ret) {
>> 		[...]
>> 		} else if (ret == -EBUSY) { <-
>> 		[...]
>> 			ret = -EIO;
>> 			goto out; <-
>> 		}
>> 	}
>> 
>> For slab/vmalloc/page-table pages, __get_hwpoison_page() returns -EBUSY:
>> 
>> 	if (!HWPoisonHandlable(&folio->page, flags))
>> 		return -EBUSY;
>> 
>> so they still seem to end up as -EIO ... Am I missing something?
>
>You are not, and thanks for catching this. I traced it again and the
>-ENOTRECOVERABLE branch is unreachable for slab/vmalloc/page-table pages
>exactly as you described. The __get_hwpoison_page() → -EBUSY → shake → retry
>loop catches them first and they exit as -EIO.

Wonder if it would be simpler to just do a positive check near the top
of get_any_page() instead. Something like:

static bool hwpoison_unrecoverable_kernel_page(struct page *page,
						unsigned long flags)
{
	if ((flags & MF_SOFT_OFFLINE) && page_has_movable_ops(page))
		return false;

	return PageReserved(page) || PageSlab(page) || 
		PageTable(page) || PageLargeKmalloc(page);
}

static int get_any_page(struct page *p, unsigned long flags)
{
	int ret = 0, pass = 0;
	bool count_increased = false;

	if (flags & MF_COUNT_INCREASED)
		count_increased = true;

	if (hwpoison_unrecoverable_kernel_page(p, flags)) {
		if (count_increased)
			put_page(p);
		ret = -ENOTRECOVERABLE;
		goto out;
	}
[...]
}

Then get_any_page() could return -ENOTRECOVERABLE only for page types we
can positively identify as kernel-owned.

These types always fail HWPoisonHandlable(), so retrying does not really
buy us anything for them.

Won't cover everything (vmalloc, kernel stacks, etc. have no page_type
to key off), but that's fine - best effort, right?

Cheers, Lance

>
>The selftest I am using (link above) only validated the PageReserved
>short-circuit added in patch 3, which lives in memory_failure() and never
>reaches get_any_page().
>
>I even thought about this code path, and I was not convinced we should return
>-ENOTRECOVERABLE, thus I documented the following (as in this current patch)
>
>	@@ -1408,6 +1408,15 @@ static int get_any_page(struct page *p, unsigned long flags)
>			shake_page(p);
>			goto try_again;
>		}
>	+            /*
>	+             * Return -EIO rather than -ENOTRECOVERABLE: this
>	+             * branch is also reached for pages that are merely
>	+             * off-LRU transiently (e.g. a folio in the middle
>	+             * of migration or compaction), which shake_page()
>	+             * cannot drag back.  The caller cannot prove the
>	+             * page is permanently kernel-owned from here, so
>	+             * keep it on the recoverable errno.
>	+             */
>		ret = -EIO;
>