Use is_zero_pfn on pteval only after pte_present check on pteval
(It might be better idea to introduce is_zero_pte where checks
pte_present first). Otherwise, it could work with swap or
migration entry and if pte_pfn's result is equal to zero_pfn
by chance, we lose user's data in __collapse_huge_page_copy.
So if you're luck, the application is segfaulted and finally you
could see below message when the application is exit.
BUG: Bad rss-counter state mm:ffff88007f099300 idx:2 val:3
Signed-off-by: Minchan Kim <minchan@xxxxxxxxxx>
---
I found this bug with MADV_FREE hard test. Sometime, I saw
"Bad rss-counter" message with MM_SWAPENTS but it's really
rare, once a day if I was luck or once in five days if I was
unlucky so I am doing test still and just pass a few days but
I hope it will fix the issue.
mm/huge_memory.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index 4b06b8db9df2..349590aa4533 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -2665,15 +2665,25 @@ static int khugepaged_scan_pmd(struct mm_struct *mm,
for (_address = address, _pte = pte; _pte < pte+HPAGE_PMD_NR;
_pte++, _address += PAGE_SIZE) {
pte_t pteval = *_pte;
- if (pte_none(pteval) || is_zero_pfn(pte_pfn(pteval))) {
+ if (pte_none(pteval)) {
if (!userfaultfd_armed(vma) &&
++none_or_zero <= khugepaged_max_ptes_none)
continue;
else
goto out_unmap;
}
+
if (!pte_present(pteval))
goto out_unmap;
+
+ if (is_zero_pfn(pte_pfn(pteval))) {
+ if (!userfaultfd_armed(vma) &&
+ ++none_or_zero <= khugepaged_max_ptes_none)
+ continue;
+ else
+ goto out_unmap;
+ }
+
if (pte_write(pteval))
writable = true;
--
1.9.1
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>