From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out-187.mta1.migadu.com (out-187.mta1.migadu.com [95.215.58.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0E7133A4F2C for ; Wed, 1 Jul 2026 06:12:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.187 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782886333; cv=none; b=kHyqgtiyBRRaLEi6NlW9mbkCt7TVRU6kF2/SKX677NhWf7XrPsJ63zSnqt69fPcI44VTvQU8MJIsxlf1fG84z7KMRZivJHHR7okrXEIlrGJ8Ve2gow4kuy/CCjXjnUSYdGSbleYUpY1Sl3sTm+MjZz9RclVrIQTdMqwBu+jpTsU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782886333; c=relaxed/simple; bh=BXGNM1Gcc0YxBSs4k5MXUg0B3rAE+GV+ukJfPSSwYaQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=IUVRzlUgQz5sx7EOofNmhMv/4r+eO42GJqvwyVT938HHLXZKaDEILB4EtOyTQsnr6teWOekrlb9UiyTTnrqpucYyea6d0VEW60FxrPZPOeqFmgb5qymXoTEIx9p8sM9H7ORILqrKOsKZz+aBEmFDtuOHqD5ZOispsUpc0OA9Dt0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=hQYvkOCq; arc=none smtp.client-ip=95.215.58.187 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="hQYvkOCq" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1782886329; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=kPdMSwpWK7V6fRo0p2kvQ6pvML08ypL3K7qCcleN4AQ=; b=hQYvkOCqxZ+sYtTLVbwOEVJuJpQU3RHpvBv4p6VLBMnIHVSMNL6RVPfY/BeVdawllR+9RK K5Ew8NxOJgKbzvlpMixaeBVFvCf5isTx6YQt254dlm7YUh+5qcy88DQrPdHEPltAw5EMbt +W82bi1y1qwhxS/SnC/hzNuPoSuQomU= From: Ye Liu To: Andrew Morton , Vlastimil Babka Cc: Ye Liu , Suren Baghdasaryan , Michal Hocko , Brendan Jackman , Johannes Weiner , Zi Yan , linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [PATCH v5 9/9] mm/page_owner: use memcg_data snapshot instead of PageMemcgKmem() to avoid TOCTOU VM_BUG_ON Date: Wed, 1 Jul 2026 14:10:52 +0800 Message-ID: <20260701061101.344679-10-ye.liu@linux.dev> In-Reply-To: <20260701061101.344679-1-ye.liu@linux.dev> References: <20260701061101.344679-1-ye.liu@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Migadu-Flow: FLOW_OUT print_page_owner_memcg() takes a snapshot of page->memcg_data via READ_ONCE at the top of the function and guards against tail pages and NULL memcg_data. However, at the end it calls PageMemcgKmem(page) which internally calls folio_memcg_kmem() — and that function re-reads folio->memcg_data and page->compound_head locklessly, wrapping both in VM_BUG_ON assertions: VM_BUG_ON_PGFLAGS(PageTail(&folio->page), &folio->page); VM_BUG_ON_FOLIO(folio->memcg_data & MEMCG_DATA_OBJEXTS, folio); If the page is concurrently freed and reallocated as a THP tail page or a slab page between the initial guards and this final call, the VM_BUG_ON assertions can fire on debug builds (CONFIG_DEBUG_VM=y), causing a kernel panic. Fix by reusing the memcg_data snapshot already taken at function entry instead of calling PageMemcgKmem(), which is semantically equivalent: PageMemcgKmem()->folio_memcg_kmem()->folio->memcg_data & MEMCG_DATA_KMEM. This avoids both the TOCTOU window and the assertions entirely. Signed-off-by: Ye Liu --- mm/page_owner.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/page_owner.c b/mm/page_owner.c index 2e3880053a34..efbf67d54ee2 100644 --- a/mm/page_owner.c +++ b/mm/page_owner.c @@ -561,7 +561,7 @@ static inline int print_page_owner_memcg(char *kbuf, size_t count, int ret, cgroup_name(memcg->css.cgroup, name, sizeof(name)); ret += scnprintf(kbuf + ret, count - ret, "Charged %sto %smemcg %s\n", - PageMemcgKmem(page) ? "(via objcg) " : "", + (memcg_data & MEMCG_DATA_KMEM) ? "(via objcg) " : "", online ? "" : "offline ", name); out_unlock: -- 2.43.0