From: "Vlastimil Babka (SUSE)" <vbabka@kernel.org>
To: Ye Liu <ye.liu@linux.dev>, Andrew Morton <akpm@linux-foundation.org>
Cc: Suren Baghdasaryan <surenb@google.com>,
Michal Hocko <mhocko@suse.com>,
Brendan Jackman <jackmanb@google.com>,
Johannes Weiner <hannes@cmpxchg.org>, Zi Yan <ziy@nvidia.com>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5 9/9] mm/page_owner: use memcg_data snapshot instead of PageMemcgKmem() to avoid TOCTOU VM_BUG_ON
Date: Wed, 1 Jul 2026 08:49:44 +0200
Message-ID: <1fa509f8-3da7-4c01-94ad-54ea8478f718@kernel.org>
In-Reply-To: <20260701061101.344679-10-ye.liu@linux.dev>
On 7/1/26 08:10, Ye Liu wrote:
> print_page_owner_memcg() takes a snapshot of page->memcg_data via
> READ_ONCE at the top of the function and guards against tail pages
> and NULL memcg_data. However, at the end it calls PageMemcgKmem(page)
> which internally calls folio_memcg_kmem() — and that function re-reads
> folio->memcg_data and page->compound_head locklessly, wrapping both
> in VM_BUG_ON assertions:
>
> VM_BUG_ON_PGFLAGS(PageTail(&folio->page), &folio->page);
> VM_BUG_ON_FOLIO(folio->memcg_data & MEMCG_DATA_OBJEXTS, folio);
>
> If the page is concurrently freed and reallocated as a THP tail page
> or a slab page between the initial guards and this final call, the
> VM_BUG_ON assertions can fire on debug builds (CONFIG_DEBUG_VM=y),
> causing a kernel panic.
>
> Fix by reusing the memcg_data snapshot already taken at function entry
> instead of calling PageMemcgKmem(), which is semantically equivalent:
> PageMemcgKmem()->folio_memcg_kmem()->folio->memcg_data & MEMCG_DATA_KMEM.
> This avoids both the TOCTOU window and the assertions entirely.
>
> Signed-off-by: Ye Liu <ye.liu@linux.dev>
Reviewed-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>
> ---
> mm/page_owner.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/page_owner.c b/mm/page_owner.c
> index 2e3880053a34..efbf67d54ee2 100644
> --- a/mm/page_owner.c
> +++ b/mm/page_owner.c
> @@ -561,7 +561,7 @@ static inline int print_page_owner_memcg(char *kbuf, size_t count, int ret,
> cgroup_name(memcg->css.cgroup, name, sizeof(name));
> ret += scnprintf(kbuf + ret, count - ret,
> "Charged %sto %smemcg %s\n",
> - PageMemcgKmem(page) ? "(via objcg) " : "",
> + (memcg_data & MEMCG_DATA_KMEM) ? "(via objcg) " : "",
> online ? "" : "offline ",
> name);
> out_unlock:
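Review bot: the replacement `(memcg_data & MEMCG_DATA_KMEM)` relies on `memcg_data` being the READ_ONCE snapshot taken at function entry, which lies outside this hunk's context lines; worth confirming it is the same value the NULL and tail-page guards were evaluated against, so the "(via objcg)" annotation and the `cgroup_name()` printed a few lines above derive from one consistent read rather than a mix of the snapshot and a fresh `page` access. The equivalence the changelog asserts (`PageMemcgKmem()` -> `folio_memcg_kmem()` -> `memcg_data & MEMCG_DATA_KMEM`) only holds for non-tail pages, which the earlier guard rules out; a short comment at the snapshot site saying that subsequent checks must use `memcg_data` and not page-flag helpers would keep a future edit from reintroducing the lockless re-read this patch removes.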