From: Lance Yang
Date: Wed, 1 Apr 2026 00:29:17 +0800
Subject: Re: [PATCH mm-unstable v4 5/5] mm/khugepaged: unify khugepaged and madv_collapse with collapse_single_pmd()
To: "Lorenzo Stoakes (Oracle)", Nico Pache
In-Reply-To: <7760c811-e100-4d40-9217-0813c28314be@lucifer.local>

On 2026/3/31 22:01, Lorenzo Stoakes (Oracle) wrote:
> OK we need a fairly urgent fix for this as this has triggered a syzbot. See [0]
> for an analysis.
>
> I show inline where the issue is, and attach a fix-patch for the bug.
>
> [0]: https://lore.kernel.org/all/e1cb33b8-c1f7-4972-8628-3a2169077d6e@lucifer.local/
>
> See below for details.
>
> Cheers, Lorenzo
> [...]
>
> Fix patch follows:
>
> ----8<----
> From a4dfc7718a15035449f344a0bc7f58e449366405 Mon Sep 17 00:00:00 2001
> From: "Lorenzo Stoakes (Oracle)"
> Date: Tue, 31 Mar 2026 13:11:18 +0100
> Subject: [PATCH] mm/khugepaged: fix issue with tracking lock
>
> We are incorrectly treating lock_dropped to track both whether the lock is
> currently held and whether or not the lock was ever dropped.

Good catch!

Right, lock_dropped is not supposed to mean "is the mmap lock currently
unlocked?", it should mean "was the mmap lock dropped at any point during
MADV_COLLAPSE?"

>
> Update this change to account for this.
>
> Signed-off-by: Lorenzo Stoakes (Oracle)
> ---

Thanks for the fix!

Reviewed-by: Lance Yang

> mm/khugepaged.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/mm/khugepaged.c b/mm/khugepaged.c > index d21348b85a59..b8452dbdb043 100644 > --- a/mm/khugepaged.c > +++ b/mm/khugepaged.c > @@ -2828,6 +2828,7 @@ int madvise_collapse(struct vm_area_struct *vma, unsigned long start, > unsigned long hstart, hend, addr; > enum scan_result last_fail = SCAN_FAIL; > int thps = 0; > + bool mmap_unlocked = false; > > BUG_ON(vma->vm_start > start); > BUG_ON(vma->vm_end < end);
> @@ -2850,10 +2851,11 @@ int madvise_collapse(struct vm_area_struct *vma, unsigned long start, > for (addr = hstart; addr < hend; addr += HPAGE_PMD_SIZE) { > enum scan_result result = SCAN_FAIL; > > - if (*lock_dropped) { > + if (mmap_unlocked) { > cond_resched(); > mmap_read_lock(mm); > - *lock_dropped = false; > + mmap_unlocked = false; > + *lock_dropped = true; > result = hugepage_vma_revalidate(mm, addr, false, &vma, > cc); > if (result != SCAN_SUCCEED) { > @@ -2864,7 +2866,7 @@ int madvise_collapse(struct vm_area_struct *vma, unsigned long start, > hend = min(hend, vma->vm_end & HPAGE_PMD_MASK); > } > > - result = collapse_single_pmd(addr, vma, lock_dropped, cc); > + result = collapse_single_pmd(addr, vma, &mmap_unlocked, cc); > > switch (result) { > case SCAN_SUCCEED: > @@ -2893,8 +2895,10 @@ int madvise_collapse(struct vm_area_struct *vma, unsigned long start, > > out_maybelock: > /* Caller expects us to hold mmap_lock on return */ > - if (*lock_dropped) > + if (mmap_unlocked) { > + *lock_dropped = true; > mmap_read_lock(mm); > + } > out_nolock: > mmap_assert_locked(mm); > mmdrop(mm); > -- > 2.53.0
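
Review bot: in the first hunk (@@ -2828) the new local `bool mmap_unlocked = false;` is declared without a comment, although the whole fix rests on it meaning something different from `*lock_dropped`. A one-line comment at the declaration, saying that mmap_unlocked is the current state (the lock is not held right now) while *lock_dropped is the sticky result for the caller (the lock was released at least once), would keep the two from being merged again.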
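
Review bot: in the loop hunk (@@ -2850) the removed `*lock_dropped = false;` was the only write in the visible code that cleared the out-parameter; after this change every visible write to it is `true`. The function therefore depends on the caller passing in a flag that starts out false. That is worth stating in the function's comment, or the flag could be cleared once at entry if no caller relies on a value set beforehand.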
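
Review bot: in the last hunk (@@ -2893) `*lock_dropped = true;` is latched a second time at out_maybelock, in addition to the `if (mmap_unlocked)` block at the top of the loop. Both sites are reached only on the way to re-taking the lock, so an exit path added later that skips the relock would skip the latch as well. Setting it once, directly after the `collapse_single_pmd(addr, vma, &mmap_unlocked, cc)` call whenever mmap_unlocked is set, would leave these two sites doing only the relock.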
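
The difference between "unlocked right now" and "dropped at any point", as a user-space model added here for illustration; it is not kernel code or part of the patch. `step()`, `run_single_flag()` and `run_two_flags()` are hypothetical names, and the model assumes the per-PMD step only ever sets its flag when it drops the lock.

```c
#include <stdbool.h>

/* Constructed stand-in for collapse_single_pmd(): may drop the modelled lock. */
static void step(bool drops, bool *held, bool *unlocked)
{
	if (drops) { *held = false; *unlocked = true; }
}

/* Before the fix: one flag means both "unlocked now" and "ever dropped". */
static bool run_single_flag(const bool *drops, int n, bool *held)
{
	bool lock_dropped = false;
	*held = true;
	for (int i = 0; i < n; i++) {
		if (lock_dropped) {
			*held = true;          /* models mmap_read_lock() */
			lock_dropped = false;  /* history erased on relock */
		}
		step(drops[i], held, &lock_dropped);
	}
	if (lock_dropped) *held = true;    /* out_maybelock */
	return lock_dropped;
}

/* After the fix: transient state and sticky history are separate flags. */
static bool run_two_flags(const bool *drops, int n, bool *held)
{
	bool lock_dropped = false, mmap_unlocked = false;
	*held = true;
	for (int i = 0; i < n; i++) {
		if (mmap_unlocked) {
			*held = true;
			mmap_unlocked = false;
			lock_dropped = true;
		}
		step(drops[i], held, &mmap_unlocked);
	}
	if (mmap_unlocked) {
		lock_dropped = true;
		*held = true;
	}
	return lock_dropped;
}

int main(void)
{
	const bool early[] = { true, false }; /* constructed: drop on step 0 only */
	bool held;
	return run_two_flags(early, 2, &held) && !run_single_flag(early, 2, &held) ? 0 : 1;
}
```

Both variants return with the modelled lock held; they differ only in what they report when the drop happened on an earlier step than the last one.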