From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out-173.mta1.migadu.com (out-173.mta1.migadu.com [95.215.58.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5FB153C0A1B for ; Thu, 2 Jul 2026 10:56:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.173 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782989799; cv=none; b=aZk8mlHR1Q1XtLQ0cQfQkAJK+L2pG/M0bHgELN2dIkhGzem9HZKkVWhyVti4BoLn8ULbw19iA/Fm2BNVhiyK1vqtLFv9Vo5IWj9Zlc8lqRs0YTqMRKzCmRijPqDwsbFDCHoLsBfoFvtq/Ouyapt7WjSXIGcDnUwL/1mDmHg3PFk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782989799; c=relaxed/simple; bh=aSY6CMxMuFSRtxYwX9PT01Qjyd+F7ju0HYt/vK4Xx3o=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=JT3TgjLobJwJX7Gj9HHVJxZfAThw4/2MKPmXDEy4mpNukCz2uFaN+mvB3huXEXAHpwFCMdSBZR9vAgpNencQ0AEluNv1llYLkuczpqCW/sYlWsHZ5A21Ac9vUCU+FEDv8gRUNzv0SnH5gAwGVWm+aTGwKylvaLBFowBz0z0Lv2E= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=bFoxpMKB; arc=none smtp.client-ip=95.215.58.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="bFoxpMKB" Message-ID: <87bbf335-648f-4065-abc8-3eaab5a3beeb@linux.dev> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1782989794; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=3Wju1Ea4TQfauVETqriOGkFJC2wF9cY4E9t+Aw8443I=; b=bFoxpMKBo/kueyDlMj6ApLTn+pEXOuW710nQYinifewGJTsCcEMAu+4PutHhH9v3nhk032 PldriK1L28RKqigueSQV1hFgXW3vbEjfzI9ochwG5JrIDh4mT9tTLhub1qK2ASdQ6DnXPd 2vD7QNYwgtKdesK5DqHLhcnqvjw0600= Date: Thu, 2 Jul 2026 11:56:27 +0100 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Subject: Re: [PATCH] mm/migrate_device: pin large folios before splitting To: Andrew Morton , apopple@nvidia.com, byungchul@sk.com, david@kernel.org, gourry@gourry.net, joshua.hahnjy@gmail.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, matthew.brost@intel.com, rakie.kim@sk.com, ying.huang@linux.alibaba.com, ziy@nvidia.com Cc: shakeel.butt@linux.dev, hannes@cmpxchg.org, kernel-team@meta.com, sashiko-bot References: <20260701140638.840773-1-usama.arif@linux.dev> Content-Language: en-US X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Usama Arif In-Reply-To: <20260701140638.840773-1-usama.arif@linux.dev> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Migadu-Flow: FLOW_OUT On 01/07/2026 15:06, Usama Arif wrote: > migrate_vma_collect_pmd() can detect a large folio while holding the PTE > lock, then drop the PTE lock before calling migrate_vma_split_folio(). The > split helper took its own reference, but only after the lock had already > been dropped. > > One way to hit this is device migration over a range that contains a large > folio. The walker reads the PTE while holding the PTE lock and derives the > folio either from a present PTE via vm_normal_page(), or from a non-present > PTE that encodes a device-private softleaf entry. It then has to drop the > PTE lock because split_folio() can block. Before migrate_vma_split_folio() > gets a folio reference, concurrent reclaim, migration, or truncation can > replace or clear the entry and drop the last reference to the folio. The > split helper would then take a reference and lock on a stale folio pointer. > > Take a temporary reference before dropping the PTE lock and pass that > reference into migrate_vma_split_folio(). The helper consumes the > reference, so split_folio() still sees only the expected caller pin instead > of an extra pin that could make the split fail. > > Reported-by: sashiko-bot > Link: https://sashiko.dev/#/patchset/20260630164143.1595669-1-usama.arif%40linux.dev > Fixes: 022a12deda53 ("mm/migrate_device: handle partially mapped folios during collection") > Signed-off-by: Usama Arif > --- > mm/migrate_device.c | 21 ++++++++++++++++++--- > 1 file changed, 18 insertions(+), 3 deletions(-) > Hi Andrew! Could you apply the below fixlet to condense the comment as per Davids', Alistairs' and Zis' suggestion? I can send a v2 if its easier as well. Thanks! >From 022bfeb9573f745cc1d93468d1cc123cf6507581 Mon Sep 17 00:00:00 2001 From: Usama Arif Date: Wed, 1 Jul 2026 11:12:54 -0700 Subject: [fixup] condense comment about folio reference Signed-off-by: Usama Arif --- mm/migrate_device.c | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/mm/migrate_device.c b/mm/migrate_device.c index f5a5f699e98e..052167f9ad54 100644 --- a/mm/migrate_device.c +++ b/mm/migrate_device.c @@ -311,11 +311,7 @@ static int migrate_vma_collect_pmd(pmd_t *pmdp, if (folio_test_large(folio)) { int ret; - /* - * Keep the folio stable after dropping the PTE - * lock. migrate_vma_split_folio() consumes this - * reference. - */ + /* migrate_vma_split_folio() consumes this reference */ if (folio != fault_folio) folio_get(folio); lazy_mmu_mode_disable(); @@ -361,11 +357,7 @@ static int migrate_vma_collect_pmd(pmd_t *pmdp, if (folio && folio_test_large(folio)) { int ret; - /* - * Keep the folio stable after dropping the - * PTE lock. migrate_vma_split_folio() consumes - * this reference. - */ + /* migrate_vma_split_folio() consumes this reference */ if (folio != fault_folio) folio_get(folio); lazy_mmu_mode_disable(); -- 2.53.0-Meta