On 3/21/25 13:02, Gavin Shan wrote:
> As the comments of page_mapcount_is_type() indicate, the parameter
> passed to the function should be one more than page->_mapcount.
> However, page->_mapcount is passed to the function by commit 4ffca5a96678
> ("mm: support only one page_type per page") where page_type_has_type()
> is replaced by page_mapcount_is_type(), but the parameter isn't adjusted.
>
> Fix the parameter for page_mapcount_is_type() to be (page->__mapcount
> + 1). Note that the issue doesn't cause any visible impacts due to the
> safety gap introduced by PGTY_mapcount_underflow limit.
>
> Fixes: 4ffca5a96678 ("mm: support only one page_type per page")
> Signed-off-by: Gavin Shan <gshan@xxxxxxxxxx>
> Acked-by: David Hildenbrand <david@xxxxxxxxxx>
Acked-by: Vlastimil Babka <vbabka@xxxxxxx>
> ---
> mm/debug.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/mm/debug.c b/mm/debug.c
> index 8d2acf432385..b6bd9555ec7b 100644
> --- a/mm/debug.c
> +++ b/mm/debug.c
> @@ -71,10 +71,10 @@ static void __dump_folio(struct folio *folio, struct page *page,
> unsigned long pfn, unsigned long idx)
> {
> struct address_space *mapping = folio_mapping(folio);
> - int mapcount = atomic_read(&page->_mapcount);
> + int mapcount = atomic_read(&page->_mapcount) + 1;
> char *type = "";
>
> - mapcount = page_mapcount_is_type(mapcount) ? 0 : mapcount + 1;
> + mapcount = page_mapcount_is_type(mapcount) ? 0 : mapcount;
At this point it would be perhaps more obvious:
if (page_mapcount_is_type(mapcount))
mapcount = 0;
But doesn't matter much.
> pr_warn("page: refcount:%d mapcount:%d mapping:%p index:%#lx pfn:%#lx\n",
> folio_ref_count(folio), mapcount, mapping,
> folio->index + idx, pfn);
