[PATCH v2 0/2] Fix parameter passed to page_mapcount_is_type()

[PATCH v2 0/2] Fix parameter passed to page_mapcount_is_type()

[Gavin Shan]

Found by code inspection. There are two places where the parameter
passed to page_mapcount_is_type() is (page->_mapcount), which is
incorrect since it should be one more than the value, as explained in
the comments to page_mapcount_is_type(): (a) page_has_type() in
page-flags.h (b) __dump_folio() in mm/debug.c

PATCH[1] fixes the parameter for (a)
PATCH[2] fixes the parameter for (b)

Note that the issue doesn't cause any visible impacts due to the
safety gap introduced by PGTY_mapcount_underflow limit. So the
tag 'Cc: stable@vger.kernel.org' isn't needed.

Changelog
=========
v2:
  * Improved commit log                                (Vlastimi/David)
  * Use page_type_has_type() in page_has_type()        (David)

Gavin Shan (2):
  mm: Fix parameter passed to page_mapcount_is_type()
  mm/debug: Fix parameter passed to page_mapcount_is_type()

 include/linux/page-flags.h | 2 +-
 mm/debug.c                 | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

-- 
2.48.1

[PATCH v2 1/2] mm: Fix parameter passed to page_mapcount_is_type()

[Gavin Shan]

As the comments of page_mapcount_is_type() indicate, the parameter
passed to the function should be one more than page->_mapcount.
However, page->_mapcount (equivalent to page->page_type) is passed
to the function by commit 4ffca5a96678 ("mm: support only one page_type
per page") page_type_has_type() is replaced by page_mapcount_is_type(),
but the parameter isn't adjusted.

Fix it by replacing page_mapcount_is_type() with page_type_has_type()
in page_has_type(). Note that the issue doesn't cause any visible impacts
due to the safety gap introduced by PGTY_mapcount_underflow limit.

Fixes: 4ffca5a96678 ("mm: support only one page_type per page")
Signed-off-by: Gavin Shan <gshan@redhat.com>
Acked-by: David Hildenbrand <david@redhat.com>
---
 include/linux/page-flags.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h
index 36d283552f80..e1a9f84bd5ab 100644
--- a/include/linux/page-flags.h
+++ b/include/linux/page-flags.h
@@ -950,7 +950,7 @@ static inline bool page_mapcount_is_type(unsigned int mapcount)
 
 static inline bool page_has_type(const struct page *page)
 {
-	return page_mapcount_is_type(data_race(page->page_type));
+	return page_type_has_type(data_race(page->page_type));
 }
 
 #define FOLIO_TYPE_OPS(lname, fname)					\
-- 
2.48.1

[PATCH v2 2/2] mm/debug: Fix parameter passed to page_mapcount_is_type()

[Gavin Shan]

As the comments of page_mapcount_is_type() indicate, the parameter
passed to the function should be one more than page->_mapcount.
However, page->_mapcount is passed to the function by commit 4ffca5a96678
("mm: support only one page_type per page") where page_type_has_type()
is replaced by page_mapcount_is_type(), but the parameter isn't adjusted.

Fix the parameter for page_mapcount_is_type() to be (page->__mapcount
+ 1). Note that the issue doesn't cause any visible impacts due to the
safety gap introduced by PGTY_mapcount_underflow limit.

Fixes: 4ffca5a96678 ("mm: support only one page_type per page")
Signed-off-by: Gavin Shan <gshan@redhat.com>
Acked-by: David Hildenbrand <david@redhat.com>
---
 mm/debug.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mm/debug.c b/mm/debug.c
index 8d2acf432385..b6bd9555ec7b 100644
--- a/mm/debug.c
+++ b/mm/debug.c
@@ -71,10 +71,10 @@ static void __dump_folio(struct folio *folio, struct page *page,
 		unsigned long pfn, unsigned long idx)
 {
 	struct address_space *mapping = folio_mapping(folio);
-	int mapcount = atomic_read(&page->_mapcount);
+	int mapcount = atomic_read(&page->_mapcount) + 1;
 	char *type = "";
 
-	mapcount = page_mapcount_is_type(mapcount) ? 0 : mapcount + 1;
+	mapcount = page_mapcount_is_type(mapcount) ? 0 : mapcount;
 	pr_warn("page: refcount:%d mapcount:%d mapping:%p index:%#lx pfn:%#lx\n",
 			folio_ref_count(folio), mapcount, mapping,
 			folio->index + idx, pfn);
-- 
2.48.1

Re: [PATCH v2 1/2] mm: Fix parameter passed to page_mapcount_is_type()

[Vlastimil Babka]

On 3/21/25 13:02, Gavin Shan wrote:
> As the comments of page_mapcount_is_type() indicate, the parameter
> passed to the function should be one more than page->_mapcount.
> However, page->_mapcount (equivalent to page->page_type) is passed
> to the function by commit 4ffca5a96678 ("mm: support only one page_type
> per page") page_type_has_type() is replaced by page_mapcount_is_type(),
> but the parameter isn't adjusted.
> 
> Fix it by replacing page_mapcount_is_type() with page_type_has_type()
> in page_has_type(). Note that the issue doesn't cause any visible impacts
> due to the safety gap introduced by PGTY_mapcount_underflow limit.
> 
> Fixes: 4ffca5a96678 ("mm: support only one page_type per page")
> Signed-off-by: Gavin Shan <gshan@redhat.com>
> Acked-by: David Hildenbrand <david@redhat.com>

Acked-by: Vlastimil Babka <vbabka@suse.cz>

> ---
>  include/linux/page-flags.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h
> index 36d283552f80..e1a9f84bd5ab 100644
> --- a/include/linux/page-flags.h
> +++ b/include/linux/page-flags.h
> @@ -950,7 +950,7 @@ static inline bool page_mapcount_is_type(unsigned int mapcount)
>  
>  static inline bool page_has_type(const struct page *page)
>  {
> -	return page_mapcount_is_type(data_race(page->page_type));
> +	return page_type_has_type(data_race(page->page_type));
>  }
>  
>  #define FOLIO_TYPE_OPS(lname, fname)					\

Re: [PATCH v2 2/2] mm/debug: Fix parameter passed to page_mapcount_is_type()

[Vlastimil Babka]

On 3/21/25 13:02, Gavin Shan wrote:
> As the comments of page_mapcount_is_type() indicate, the parameter
> passed to the function should be one more than page->_mapcount.
> However, page->_mapcount is passed to the function by commit 4ffca5a96678
> ("mm: support only one page_type per page") where page_type_has_type()
> is replaced by page_mapcount_is_type(), but the parameter isn't adjusted.
> 
> Fix the parameter for page_mapcount_is_type() to be (page->__mapcount
> + 1). Note that the issue doesn't cause any visible impacts due to the
> safety gap introduced by PGTY_mapcount_underflow limit.
> 
> Fixes: 4ffca5a96678 ("mm: support only one page_type per page")
> Signed-off-by: Gavin Shan <gshan@redhat.com>
> Acked-by: David Hildenbrand <david@redhat.com>

Acked-by: Vlastimil Babka <vbabka@suse.cz>

> ---
>  mm/debug.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/mm/debug.c b/mm/debug.c
> index 8d2acf432385..b6bd9555ec7b 100644
> --- a/mm/debug.c
> +++ b/mm/debug.c
> @@ -71,10 +71,10 @@ static void __dump_folio(struct folio *folio, struct page *page,
>  		unsigned long pfn, unsigned long idx)
>  {
>  	struct address_space *mapping = folio_mapping(folio);
> -	int mapcount = atomic_read(&page->_mapcount);
> +	int mapcount = atomic_read(&page->_mapcount) + 1;
>  	char *type = "";
>  
> -	mapcount = page_mapcount_is_type(mapcount) ? 0 : mapcount + 1;
> +	mapcount = page_mapcount_is_type(mapcount) ? 0 : mapcount;

At this point it would be perhaps more obvious:

if (page_mapcount_is_type(mapcount))
	mapcount = 0;

But doesn't matter much.

>  	pr_warn("page: refcount:%d mapcount:%d mapping:%p index:%#lx pfn:%#lx\n",
>  			folio_ref_count(folio), mapcount, mapping,
>  			folio->index + idx, pfn);

Re: [PATCH v2 2/2] mm/debug: Fix parameter passed to page_mapcount_is_type()

[David Hildenbrand]

On 21.03.25 16:19, Vlastimil Babka wrote:
> On 3/21/25 13:02, Gavin Shan wrote:
>> As the comments of page_mapcount_is_type() indicate, the parameter
>> passed to the function should be one more than page->_mapcount.
>> However, page->_mapcount is passed to the function by commit 4ffca5a96678
>> ("mm: support only one page_type per page") where page_type_has_type()
>> is replaced by page_mapcount_is_type(), but the parameter isn't adjusted.
>>
>> Fix the parameter for page_mapcount_is_type() to be (page->__mapcount
>> + 1). Note that the issue doesn't cause any visible impacts due to the
>> safety gap introduced by PGTY_mapcount_underflow limit.
>>
>> Fixes: 4ffca5a96678 ("mm: support only one page_type per page")
>> Signed-off-by: Gavin Shan <gshan@redhat.com>
>> Acked-by: David Hildenbrand <david@redhat.com>
> 
> Acked-by: Vlastimil Babka <vbabka@suse.cz>
> 
>> ---
>>   mm/debug.c | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/mm/debug.c b/mm/debug.c
>> index 8d2acf432385..b6bd9555ec7b 100644
>> --- a/mm/debug.c
>> +++ b/mm/debug.c
>> @@ -71,10 +71,10 @@ static void __dump_folio(struct folio *folio, struct page *page,
>>   		unsigned long pfn, unsigned long idx)
>>   {
>>   	struct address_space *mapping = folio_mapping(folio);
>> -	int mapcount = atomic_read(&page->_mapcount);
>> +	int mapcount = atomic_read(&page->_mapcount) + 1;
>>   	char *type = "";
>>   
>> -	mapcount = page_mapcount_is_type(mapcount) ? 0 : mapcount + 1;
>> +	mapcount = page_mapcount_is_type(mapcount) ? 0 : mapcount;
> 
> At this point it would be perhaps more obvious:
> 
> if (page_mapcount_is_type(mapcount))
> 	mapcount = 0;

Agreed, maybe Andrew can fix that up.

-- 
Cheers,

David / dhildenb

Re: [PATCH v2 2/2] mm/debug: Fix parameter passed to page_mapcount_is_type()

[Andrew Morton]

On Fri, 21 Mar 2025 16:38:29 +0100 David Hildenbrand <david@redhat.com> wrote:

> >> -	mapcount = page_mapcount_is_type(mapcount) ? 0 : mapcount + 1;
> >> +	mapcount = page_mapcount_is_type(mapcount) ? 0 : mapcount;
> > 
> > At this point it would be perhaps more obvious:
> > 
> > if (page_mapcount_is_type(mapcount))
> > 	mapcount = 0;
> 
> Agreed, maybe Andrew can fix that up.

Sure.  I'll be adding this series to the 6.15-rc1 pile.