On Mon, Apr 29, 2024 at 01:55:19PM +0100, Matthew Wilcox (Oracle) wrote:
> The current folio_test_hugetlb() can be fooled by a concurrent folio split
> into returning true for a folio which has never belonged to hugetlbfs.
> This can't happen if the caller holds a refcount on it, but we have a few
> places (memory-failure, compaction, procfs) which do not and should not
> take a speculative reference.
>
> Since hugetlb pages do not use individual page mapcounts (they are always
> fully mapped and use the entire_mapcount field to record the number of
> mappings), the PageType field is available now that page_mapcount()
> ignores the value in this field.
>
> In compaction and with CONFIG_DEBUG_VM enabled, the current implementation
> can result in an oops, as reported by Luis. This happens since 9c5ccf2db04b
> ("mm: remove HUGETLB_PAGE_DTOR") effectively added some VM_BUG_ON() checks
> in the PageHuge() testing path.
>
> [willy@xxxxxxxxxxxxx: update vmcoreinfo]
> Link: https://lkml.kernel.org/r/ZgGZUvsdhaT1Va-T@xxxxxxxxxxxxxxxxxxxx
> Link: https://lkml.kernel.org/r/20240321142448.1645400-6-willy@xxxxxxxxxxxxx
> Fixes: 9c5ccf2db04b ("mm: remove HUGETLB_PAGE_DTOR")
> Signed-off-by: Matthew Wilcox (Oracle) <willy@xxxxxxxxxxxxx>
> Reviewed-by: David Hildenbrand <david@xxxxxxxxxx>
> Acked-by: Vlastimil Babka <vbabka@xxxxxxx>
> Reported-by: Luis Chamberlain <mcgrof@xxxxxxxxxx>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218227
> Cc: Miaohe Lin <linmiaohe@xxxxxxxxxx>
> Cc: Muchun Song <muchun.song@xxxxxxxxx>
> Cc: Oscar Salvador <osalvador@xxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> (cherry picked from commit d99e3140a4d33e26066183ff727d8f02f56bec64)

Both backports now queued up, thanks.

greg k-h