+ DavidH
On 08/03/2024 16:03, Matthew Wilcox wrote:
> On Fri, Mar 08, 2024 at 03:11:35PM +0000, Matthew Wilcox wrote:
>> Actually, I have a clue! The third and fourth word have the same value.
>> That's indicative of an empty list_head. And if this were LRU, that would
>> be the second and third word. And the PFN is congruent to 2 modulo 4.
>> So this is the second tail page, and that's an empty deferred_list.
>> So how do we init a list_head after a folio gets freed?
>
> We should probably add this patch anyway, because why wouldn't we want
> to check this. Maybe it'll catch your offender?
>
> diff --git a/mm/page_alloc.c b/mm/page_alloc.c
> index 025ad1a7df7b..fc9c7ca24c4c 100644
> --- a/mm/page_alloc.c
> +++ b/mm/page_alloc.c
> @@ -1007,9 +1007,12 @@ static int free_tail_page_prepare(struct page *head_page, struct page *page)
> break;
> case 2:
> /*
> - * the second tail page: ->mapping is
> - * deferred_list.next -- ignore value.
> + * the second tail page: ->mapping is deferred_list.next
> */
> + if (unlikely(!list_empty(&folio->_deferred_list))) {
> + bad_page(page, "still on deferred list");
> + goto out;
> + }
> break;
> default:
> if (page->mapping != TAIL_MAPPING) {
>
> (thinking about it, this may not be right for all tail pages; will Slab
> stumble over this? It doesn't seem to stumble on _entire_mapcount, but
> then we always initialise _entire_mapcount for all compound pages
> and we don't initialise _deferred_list for slab ... gah)
Yeah I'm getting a huge number of hits for this check. Most either have kfree() or free_slab() or page_to_skb() (networking code?) in the stack. Ideally need to filter on anon pages only, but presumably we have already ditched that info? Actually looks like the head page hasn't been nuked yet so should be able to test the low bit of mapping... let me have a play.
