The Linux Kernel Mailing List
From: "Vlastimil Babka (SUSE)" <vbabka@kernel.org>
To: Ye Liu <ye.liu@linux.dev>, Andrew Morton <akpm@linux-foundation.org>
Cc: Suren Baghdasaryan <surenb@google.com>,
	Michal Hocko <mhocko@suse.com>,
	Brendan Jackman <jackmanb@google.com>,
	Johannes Weiner <hannes@cmpxchg.org>, Zi Yan <ziy@nvidia.com>,
	linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5 9/9] mm/page_owner: use memcg_data snapshot instead of PageMemcgKmem() to avoid TOCTOU VM_BUG_ON
Date: Wed, 1 Jul 2026 08:49:44 +0200	[thread overview]
Message-ID: <1fa509f8-3da7-4c01-94ad-54ea8478f718@kernel.org> (raw)
In-Reply-To: <20260701061101.344679-10-ye.liu@linux.dev>

On 7/1/26 08:10, Ye Liu wrote:
> print_page_owner_memcg() takes a snapshot of page->memcg_data via
> READ_ONCE at the top of the function and guards against tail pages
> and NULL memcg_data.  However, at the end it calls PageMemcgKmem(page)
> which internally calls folio_memcg_kmem() — and that function re-reads
> folio->memcg_data and page->compound_head locklessly, wrapping both
> in VM_BUG_ON assertions:
> 
>     VM_BUG_ON_PGFLAGS(PageTail(&folio->page), &folio->page);
>     VM_BUG_ON_FOLIO(folio->memcg_data & MEMCG_DATA_OBJEXTS, folio);
> 
> If the page is concurrently freed and reallocated as a THP tail page
> or a slab page between the initial guards and this final call, the
> VM_BUG_ON assertions can fire on debug builds (CONFIG_DEBUG_VM=y),
> causing a kernel panic.
> 
> Fix by reusing the memcg_data snapshot already taken at function entry
> instead of calling PageMemcgKmem(), which is semantically equivalent:
> PageMemcgKmem()->folio_memcg_kmem()->folio->memcg_data & MEMCG_DATA_KMEM.
> This avoids both the TOCTOU window and the assertions entirely.
> 
> Signed-off-by: Ye Liu <ye.liu@linux.dev>

Reviewed-by: Vlastimil Babka (SUSE) <vbabka@kernel.org>

> ---
>  mm/page_owner.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/mm/page_owner.c b/mm/page_owner.c
> index 2e3880053a34..efbf67d54ee2 100644
> --- a/mm/page_owner.c
> +++ b/mm/page_owner.c
> @@ -561,7 +561,7 @@ static inline int print_page_owner_memcg(char *kbuf, size_t count, int ret,
>  	cgroup_name(memcg->css.cgroup, name, sizeof(name));
>  	ret += scnprintf(kbuf + ret, count - ret,
>  			"Charged %sto %smemcg %s\n",
> -			PageMemcgKmem(page) ? "(via objcg) " : "",
> +			(memcg_data & MEMCG_DATA_KMEM) ? "(via objcg) " : "",
>  			online ? "" : "offline ",
>  			name);
>  out_unlock:
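Review bot: the new test `(memcg_data & MEMCG_DATA_KMEM)` depends on the `memcg_data` snapshot local declared above this hunk's context, and after this change that READ_ONCE at function entry is the only read of the page's memcg_data word in the function; consider a one-line comment at the snapshot's declaration saying so, since a future edit that reintroduces a PageMemcgKmem()/folio_memcg_kmem() call would reopen the lockless re-read and its VM_BUG_ON path that the commit message describes. It is also worth noting in that comment that the printed "(via objcg)" reflects the page's state at function entry, which is acceptable for diagnostic output but no longer the live value.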

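A userspace model of the read-once-versus-re-read pattern the commit message describes, added here as an illustration and not kernel code: the flag bit values, the `struct page` layout and the explicit `race` hook that stands in for a concurrent free-and-reallocation are constructed assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed flag bits for the memcg_data word (values assumed for
 * illustration only; not the kernel's definitions). */
#define MEMCG_DATA_OBJEXTS 0x1UL
#define MEMCG_DATA_KMEM    0x2UL

struct page { unsigned long memcg_data; int is_tail; };

/* Stand-in for READ_ONCE(): a single volatile load of the word. */
static unsigned long read_once(struct page *page)
{
	return *(volatile unsigned long *)&page->memcg_data;
}

/* Models the page being freed and reallocated as a slab page while the
 * reporting function is still running: the word now carries OBJEXTS. */
static void racing_realloc_as_slab(struct page *page)
{
	page->memcg_data = 0xdead0000UL | MEMCG_DATA_OBJEXTS;
}

/* Return codes: 1 = "(via objcg)", 0 = charged directly, -1 = skipped by
 * the entry guards, -2 = the VM_BUG_ON-style check on the re-read fires. */
static int report_rereading(struct page *page, int race)
{
	unsigned long snap = read_once(page);
	if (page->is_tail || !snap)
		return -1;
	if (race)
		racing_realloc_as_slab(page);   /* the TOCTOU window */
	/* Like folio_memcg_kmem(): re-read locklessly and assert on it. */
	unsigned long live = read_once(page);
	if (live & MEMCG_DATA_OBJEXTS)
		return -2;
	return (live & MEMCG_DATA_KMEM) ? 1 : 0;
}

/* The fixed shape: every decision uses the one snapshot taken at entry. */
static int report_snapshot(struct page *page, int race)
{
	unsigned long snap = read_once(page);
	if (page->is_tail || !snap)
		return -1;
	if (race)
		racing_realloc_as_slab(page);   /* same window, now harmless */
	return (snap & MEMCG_DATA_KMEM) ? 1 : 0;
}

/* Helpers that build a kmem-charged page and run each variant. */
static int demo_rereading(int race)
{
	struct page p = { 0x1000UL | MEMCG_DATA_KMEM, 0 };
	return report_rereading(&p, race);
}

static int demo_snapshot(int race)
{
	struct page p = { 0x1000UL | MEMCG_DATA_KMEM, 0 };
	return report_snapshot(&p, race);
}
```

Without the race both variants report "(via objcg)"; with it, only the re-reading variant reaches the assertion, which is the failure the patch removes.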
