From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out-172.mta0.migadu.com (out-172.mta0.migadu.com [91.218.175.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 85E1B37DEBB for ; Thu, 25 Jun 2026 01:47:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.172 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782352049; cv=none; b=t1DGRaYjdEx/2F1HMxozlRozDMsX6mn3ntMI53NHiLjQDvg4TyMsmRFj1GIec8ncv+io7b/FZNTqzxAjkriSqsiczTb4SE4LJU4AJOjdYCfEc7Pt586mJ83BmQPxDJBaGBaYjfnLUnb5keP7RZpH++MEkDIpYuBvJeMO2TZbSoA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782352049; c=relaxed/simple; bh=cm0QI58wz0yaiBL8eg3LGdxE/6fsYE0zg5p29HOEjKY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=V/dykO/M3QlzOCvgrlFLpcHFYBrr3ItOGNqp6TQW80Lp5ydltZoXdRtrNTZezXHguZNryDEfZVQkDjENZcWiownvS0/IGmpFyAvcQ4sD7VxHacZMM+YOKrRv6QBTJDlZfzT7X273tw4O27DKgvs6oDN78lYpwklw8oG4/Z3oecI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=iMw2Cr55; arc=none smtp.client-ip=91.218.175.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="iMw2Cr55" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1782352045; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=lqPDLB1YoDx0Y1fsr1fIGOh3XfpoSAyKKLhHHE2uK4g=; b=iMw2Cr55VC6ytMBY4Y3rPARgmBWgvBGrBxcTe7KYt9y/IA3JIlyh9GbjLIrqGHVJT4/eqr ziiNcOExSag80d6IHrs615JfpgQMgJWJvme7r//7tSXjbGZyeLRnc/7SdeJUOJx9zEnHST WP9pI3cs8gD6qzTruSesWmik/P1jJRg= From: Ye Liu To: Andrew Morton , Vlastimil Babka Cc: Ye Liu , Suren Baghdasaryan , Michal Hocko , Brendan Jackman , Johannes Weiner , Zi Yan , linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [PATCH 2/2] mm/page_owner: use memcg_data snapshot instead of PageMemcgKmem() to avoid TOCTOU VM_BUG_ON Date: Thu, 25 Jun 2026 09:47:05 +0800 Message-ID: <20260625014708.87386-3-ye.liu@linux.dev> In-Reply-To: <20260625014708.87386-1-ye.liu@linux.dev> References: <20260625014708.87386-1-ye.liu@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Migadu-Flow: FLOW_OUT print_page_owner_memcg() takes a snapshot of page->memcg_data via READ_ONCE at the top of the function and guards against tail pages and NULL memcg_data. However, at the end it calls PageMemcgKmem(page) which internally calls folio_memcg_kmem() — and that function re-reads folio->memcg_data and page->compound_head locklessly, wrapping both in VM_BUG_ON assertions: VM_BUG_ON_PGFLAGS(PageTail(&folio->page), &folio->page); VM_BUG_ON_FOLIO(folio->memcg_data & MEMCG_DATA_OBJEXTS, folio); If the page is concurrently freed and reallocated as a THP tail page or a slab page between the initial guards and this final call, the VM_BUG_ON assertions can fire on debug builds (CONFIG_DEBUG_VM=y), causing a kernel panic. Fix by reusing the memcg_data snapshot already taken at function entry instead of calling PageMemcgKmem(), which is semantically equivalent: PageMemcgKmem()->folio_memcg_kmem()->folio->memcg_data & MEMCG_DATA_KMEM. This avoids both the TOCTOU window and the assertions entirely. Signed-off-by: Ye Liu --- mm/page_owner.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/page_owner.c b/mm/page_owner.c index 5c403bce35ce..b3252ebc0307 100644 --- a/mm/page_owner.c +++ b/mm/page_owner.c @@ -568,7 +568,7 @@ static inline int print_page_owner_memcg(char *kbuf, size_t count, int ret, cgroup_name(memcg->css.cgroup, name, sizeof(name)); ret += scnprintf(kbuf + ret, count - ret, "Charged %sto %smemcg %s\n", - PageMemcgKmem(page) ? "(via objcg) " : "", + (memcg_data & MEMCG_DATA_KMEM) ? "(via objcg) " : "", online ? "" : "offline ", name); out_unlock: -- 2.43.0