On Wed, Mar 06, 2024 at 05:31:19PM +0800, Miaohe Lin wrote:
> > -void shake_page(struct page *p)
> > +void shake_folio(struct folio *folio)
>
> It might not be a good idea to convert shake_page() into shake_folio(). shake_page() can
> be called without holding page refcnt. So the below race could happen:
>
> hwpoison_inject
> folio = page_folio(p); --> assume p is 4k page [1]
> shake_folio(folio)
> folio_test_slab(folio)
> test_bit(PG_slab, folio_flags(folio, FOLIO_PF_NO_TAIL) [2]
> VM_BUG_ON_PGFLAGS(PageTail(page), page) in folio_flags
>
> Between [1] and [2], page can become PageTail of a THP. So the VM_BUG_ON_PGFLAGS will trigger.
> Or am I miss something?
No, you're not missing anything. This race can happen. However, I've
removed the VM_BUG_ON for folio_test_slab() with "mm: free up PG_slab".
Now it goes through:
static inline bool PageSlab(const struct page *page)
{
return folio_test_slab(page_folio(page));
}
static __always_inline bool folio_test_##fname(const struct folio *folio)\
{ \
return folio_test_type(folio, PG_##lname); \
} \
#define folio_test_type(folio, flag) \
((folio->page.page_type & (PAGE_TYPE_BASE | flag)) == PAGE_TYPE_BASE)
which has no assertion that the folio is not a tail page. Maybe it
should, but until then we'll silently get the wrong result ;-)
