From: Michal Hocko <mhocko@suse.com>
To: Muchun Song <songmuchun@bytedance.com>
Cc: mike.kravetz@oracle.com, akpm@linux-foundation.org, n-horiguchi@ah.jp.nec.com, ak@linux.intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v4 3/6] mm: hugetlb: fix a race between freeing and dissolving the page
Date: Wed, 13 Jan 2021 10:31:34 +0100
Message-ID: <20210113093134.GU22493@dhcp22.suse.cz>
In-Reply-To: <20210113052209.75531-4-songmuchun@bytedance.com>

On Wed 13-01-21 13:22:06, Muchun Song wrote:
> There is a race condition between __free_huge_page()
> and dissolve_free_huge_page().
>
> CPU0:                                 CPU1:
>
>                                       // page_count(page) == 1
>                                       put_page(page)
>                                         __free_huge_page(page)
> dissolve_free_huge_page(page)
>   spin_lock(&hugetlb_lock)
>   // PageHuge(page) && !page_count(page)
>   update_and_free_page(page)
>   // page is freed to the buddy
>   spin_unlock(&hugetlb_lock)
>                                           spin_lock(&hugetlb_lock)
>                                           clear_page_huge_active(page)
>                                           enqueue_huge_page(page)
>                                           // It is wrong, the page is already freed
>                                           spin_unlock(&hugetlb_lock)
>
> The race window is between put_page() and dissolve_free_huge_page().
>
> We should make sure that the page is already on the free list
> when it is dissolved.

Please describe the effect of the bug.
"
As a result __free_huge_page would corrupt page(s) already in the buddy
allocator.
"

>
> Fixes: c8721bbbdd36 ("mm: memory-hotplug: enable memory hotplug to handle hugepage")
> Signed-off-by: Muchun Song <songmuchun@bytedance.com>
> Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
> Cc: stable@vger.kernel.org

[...]
> @@ -1770,6 +1788,14 @@ int dissolve_free_huge_page(struct page *page) > int nid = page_to_nid(head); > if (h->free_huge_pages - h->resv_huge_pages == 0) > goto out; > + > + /* > + * We should make sure that the page is already on the free list > + * when it is dissolved. > + */ > + if (unlikely(!PageHugeFreed(head))) > + goto out; I believe we have agreed to retry for this temporary state. > + > /* > * Move PageHWPoison flag from head page to the raw error page, > * which makes any subpages rather than the error page reusable. > -- > 2.11.0 -- Michal Hocko SUSE Labs
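
Review bot: the comment above the new !PageHugeFreed(head) check only restates the condition; it should say why a huge page with a zero refcount can be off the free list (put_page() has dropped the last reference but __free_huge_page() has not yet taken hugetlb_lock and enqueued the page) and that this state is transient. As written, the check takes the same goto out exit as the h->free_huge_pages - h->resv_huge_pages == 0 test just above it, so within this hunk a caller cannot tell a temporary state from a genuine failure. The reply above notes that a retry was agreed for this case, which needs either a distinct return value on this path or a comment pointing to where the retry happens.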