From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from shelob.surriel.com (shelob.surriel.com [96.67.55.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 09E1F23BD1D for ; Wed, 1 Jul 2026 13:46:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=96.67.55.147 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782913618; cv=none; b=oU2iY+hoJnowPyIl3VQb/1PQgTOMjYJsYhppJFwwbi5oYKqwF+ZDg/cjQwob16kEnhGJz3WCvWj+nlYAae5usK3KgxcRek6fzxsSMmEdnRLS2FZKMxQJY208naUnaR/kZeNU1nQEDuuC3XaiCIHZTZPBk1VtbUhvEJJCGRi9jrU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782913618; c=relaxed/simple; bh=X7j4ctpkagjDMsnCXVBbDKyOFoscdqd7Mtv1vsd0V34=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=mhN3HmmyDhJAubqXNP77qYHzMkM0lU15haqXreSootfljp2a+ZMKO+/qxAwh6fBP8Cfv/k3zniGBD2mDS5Z2lFwHibYTyZGeMDpZk549g91LUlP8Iyff7H/yU2vprMgfhiVvK3cLI2C1G9NpioHceYaDmboE3ytTRtQeQF1yFUw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=surriel.com; spf=pass smtp.mailfrom=surriel.com; dkim=pass (2048-bit key) header.d=surriel.com header.i=@surriel.com header.b=AswG+Zxp; arc=none smtp.client-ip=96.67.55.147 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=surriel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=surriel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=surriel.com header.i=@surriel.com header.b="AswG+Zxp" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=surriel.com ; s=mail; h=Content-Transfer-Encoding:MIME-Version:Message-ID:Date:Subject:Cc :To:From:Sender:Reply-To:Content-Type:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=wO7ZZiQGguH2N/obhhx4w2CpdeZ8/YXIgBvKpNRdF9w=; b=AswG+ZxpLGFSU/NE8doEBQNmU+ nt5f4hvHcVNd/0mrbWIx/i/OuSQqdxeROdlx7Zj9hdLlZuTVnHHd23uuAzr5nsSGcCSTeTnQb5fuO bRGj0evMTg/WpRAEcVLc8gz8Z7qlTYC4S65bz3K1zXl4f2PtK4Ty3gZFV6ngMUtgtD1QHOC35L33/ 0ZYF//REQgP9/P3njvGHnqPE/NI+8W4tsZrzozJgIv9aE/v/40VKFntkdChKXoE/Yv0ZMkxQHfWX9 ZC3mqGuyxhvj9XgqDuDHG4VhwM03xqf7qDNeKemsusP7CueD4CiYFabOWDnBvlgii9t3fgIkZO/tt 0Eyi0hFg==; Received: from fangorn.home.surriel.com ([10.0.13.7]) by shelob.surriel.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.97.1) (envelope-from ) id 1wevH7-000000006qJ-03pK; Wed, 01 Jul 2026 09:46:49 -0400 From: Rik van Riel To: linux-kernel@vger.kernel.org Cc: kernel-team@meta.com, linux-mm@kvack.org, akpm@linux-foundation.org, david@kernel.org, ljs@kernel.org, ziy@nvidia.com, baolin.wang@linux.alibaba.com, liam@infradead.org, npache@redhat.com, ryan.roberts@arm.com, dev.jain@arm.com, baohua@kernel.org, lance.yang@linux.dev, yang@os.amperecomputing.com, Rik van Riel Subject: [PATCH] mm/huge_memory: set PG_has_hwpoisoned only after new folio head is established Date: Wed, 1 Jul 2026 09:46:22 -0400 Message-ID: <20260701134622.3152896-1-riel@surriel.com> X-Mailer: git-send-email 2.54.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit __split_folio_to_order() copies the hwpoison state onto each new sub-folio while splitting a folio to a non-zero order. It did so via if (handle_hwpoison && page_range_has_hwpoisoned(new_head, new_nr_pages)) folio_set_has_hwpoisoned(new_folio); *before* clear_compound_head(new_head)/prep_compound_page(new_head, ...) turn @new_head from a tail page into a proper folio head. PG_has_hwpoisoned is a FOLIO_SECOND_PAGE flag, so folio_set_has_hwpoisoned() resolves to folio_flags(folio, 1). With the new compound_info-based page-flags layout, folio_flags() asserts the page is not a tail: VM_BUG_ON_PGFLAGS(page->compound_info & 1, page); VM_BUG_ON_PGFLAGS(n > 0 && !test_bit(PG_head, &page->flags.f), page); At the original call site @new_head still has the tail marker (compound_info bit 0 set, PG_head clear), so on CONFIG_DEBUG_VM kernels this hits: kernel BUG at include/linux/page-flags.h:354 folio_flags+0x82 folio_set_has_hwpoisoned __split_folio_to_order __split_unmapped_folio __folio_split truncate_inode_partial_folio (shmem hole-punch / MADV_REMOVE) Reproduced by syzkaller: hwpoison-inject a few subpages of a large shmem folio, then MADV_REMOVE (fallocate punch hole) on the same range, which splits the partial folio to a non-zero order. Move the folio_set_has_hwpoisoned() call to after clear_compound_head()/prep_compound_page(), where @new_folio is a real order-new_order head folio (handle_hwpoison implies new_order != 0, so a second page always exists). The flag still lands on the same struct page (page[1] of the new folio); only the ordering relative to compound-head setup changes, satisfying the FOLIO_SECOND_PAGE precondition. Signed-off-by: Rik van Riel Assisted-by: Claude:claude-opus-4-8 Fixes: fa5a06170036 ("mm/huge_memory: preserve PG_has_hwpoisoned if a folio is split to >0 order") --- mm/huge_memory.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 2bccb0a53a0a..ee7ecb3b45c6 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -3587,10 +3587,6 @@ static void __split_folio_to_order(struct folio *folio, int old_order, (1L << PG_dropbehind) | LRU_GEN_MASK | LRU_REFS_MASK)); - if (handle_hwpoison && - page_range_has_hwpoisoned(new_head, new_nr_pages)) - folio_set_has_hwpoisoned(new_folio); - new_folio->mapping = folio->mapping; new_folio->index = folio->index + i; @@ -3612,6 +3608,18 @@ static void __split_folio_to_order(struct folio *folio, int old_order, folio_set_large_rmappable(new_folio); } + /* + * PG_has_hwpoisoned is a FOLIO_SECOND_PAGE flag, so it can only + * be set once @new_folio is a real (head) folio. Defer setting + * it until after clear_compound_head()/prep_compound_page() have + * turned @new_head from a tail page into a proper folio head; + * otherwise folio_flags() trips on (page->compound_info & 1). + * handle_hwpoison implies new_order != 0. + */ + if (handle_hwpoison && + page_range_has_hwpoisoned(new_head, new_nr_pages)) + folio_set_has_hwpoisoned(new_folio); + if (folio_test_young(folio)) folio_set_young(new_folio); if (folio_test_idle(folio)) -- 2.53.0-Meta