From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D78BEC38145
	for <linux-mm@archiver.kernel.org>; Thu,  8 Sep 2022 12:23:13 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 752F16B0072; Thu,  8 Sep 2022 08:23:13 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 6DB046B0073; Thu,  8 Sep 2022 08:23:13 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 5570C6B0074; Thu,  8 Sep 2022 08:23:13 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13])
	by kanga.kvack.org (Postfix) with ESMTP id 3A3D46B0072
	for <linux-mm@kvack.org>; Thu,  8 Sep 2022 08:23:13 -0400 (EDT)
Received: from smtpin29.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay02.hostedemail.com (Postfix) with ESMTP id EDF5E12016B
	for <linux-mm@kvack.org>; Thu,  8 Sep 2022 12:23:12 +0000 (UTC)
X-FDA: 79888833024.29.E500828
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28])
	by imf28.hostedemail.com (Postfix) with ESMTP id 8C6ECC009E
	for <linux-mm@kvack.org>; Thu,  8 Sep 2022 12:23:11 +0000 (UTC)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
	by mailout.nyi.internal (Postfix) with ESMTP id 097005C010B;
	Thu,  8 Sep 2022 08:23:08 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
  by compute3.internal (MEProxy); Thu, 08 Sep 2022 08:23:08 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shutemov.name;
	 h=cc:cc:content-type:date:date:from:from:in-reply-to
	:in-reply-to:message-id:mime-version:references:reply-to:sender
	:subject:subject:to:to; s=fm3; t=1662639788; x=1662726188; bh=Qr
	nUHhscABFVHd45MeVYCEuM6pGZuhTaWiCVqnUwT08=; b=wBxCVchf8VL3cCwNnW
	PctMZ+6b1KjGX3Qf6ZDgWKKoCyl2ptw1UF8tHaM6mS4D9N4Rhfqyu0IjQ+AOxKav
	D3kqVGhg3Qmh+KNx3xbiQRVsMCEkpUphY5Vm3XJHTNAZRyrSXHRzYVI4UKQzM+kn
	VktRwMD63mwWJu2G4QY2GV1KOVvgQxDQrx/mICky2eA0RLZGUvDYSdqU3VkvRr9T
	cLPbEq/HmtBi49ukvLokNnZtu1l5R015inT0WHrD3TGaHsGMBippDo6/XoUpfV+K
	YGYuDeBLs84+Qxf/xYbNBKyf9zKh4mUPEWpCYsU0H21cJUf0Gwq4pioxVf2rPqUW
	OWLA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:cc:content-type:date:date:feedback-id
	:feedback-id:from:from:in-reply-to:in-reply-to:message-id
	:mime-version:references:reply-to:sender:subject:subject:to:to
	:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=
	fm2; t=1662639788; x=1662726188; bh=QrnUHhscABFVHd45MeVYCEuM6pGZ
	uhTaWiCVqnUwT08=; b=Xz4bvcfjuguIoJU4t05mV2Qpx+VXlR4YOO0qd0mkADaV
	Bp0hdZGnLOMeKu6jy+l2neyXRHf/VY5cpor3qxJ9NxNjeAJz9WBbvCIVNK/vV29i
	fp1la3Wsf8DTV8AxxkonJ/iQXdjVWWI6YPmGJJ1hIdSBFoLMFdNbwTjHdqGPaRaY
	pVVQG9D8xxohhQwqswQPbZYpNUqyQfqQdwE+l3+RQlEcV+VAdBbcl8K7jCfm5hl8
	K9v4CfwldX7Bt2vASmT5JXa3Hv6gML7F2fKYrF5lIYG9wK27PV3Rn5A9HAOVWNaI
	be0ABiT59N2PMcyZbS0v39WRVKtiu86M/XvxhqRITg==
X-ME-Sender: <xms:q94ZY28WjE6U-xekQoJ3iGNsUsNHG15jDdmZ_tGdgZtKTuB3MOwsFQ>
    <xme:q94ZY2tjF4a92v0tRflSQxsGWOrRMegQT6aZ8LV0S_5edN97Ld_QIz62SqdT4Ne_l
    R1ZDWVs2OZ87Rz_I6A>
X-ME-Received: <xmr:q94ZY8DOS4Pp8DwWd3IckOpRrRz5ew25XkwfLE6rJuQFH6_r7dFYLbyCC9pCN8Q1AT0n4g>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrfedtvddghedvucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne
    cujfgurhepfffhvfevuffkfhggtggujgesthdttddttddtvdenucfhrhhomhepfdfmihhr
    ihhllhcutedrucfuhhhuthgvmhhovhdfuceokhhirhhilhhlsehshhhuthgvmhhovhdrnh
    grmhgvqeenucggtffrrghtthgvrhhnpefhieeghfdtfeehtdeftdehgfehuddtvdeuheet
    tddtheejueekjeegueeivdektdenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmh
    epmhgrihhlfhhrohhmpehkihhrihhllhesshhhuhhtvghmohhvrdhnrghmvg
X-ME-Proxy: <xmx:q94ZY-fz6mBlSXZX3Vq_cxSoQtAf2k45uXKX5eobkGbVk_Kk3oE3_w>
    <xmx:q94ZY7MnY8Ii34B8RDEFlTxXv-SozsYduUB9qe3Ca9ms-fhqAQOFGA>
    <xmx:q94ZY4lVzS1i77pf9NKr_KQwqU0D47TtJu9mMAZc7A05UyGHaFWlrA>
    <xmx:rN4ZY2rcULO-yw7z0XJaibjjz_P04LvNPNLgi23r1pkWuAiVaLk73w>
Feedback-ID: ie3994620:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu,
 8 Sep 2022 08:23:07 -0400 (EDT)
Received: by box.shutemov.name (Postfix, from userid 1000)
	id A1DE71037A1; Thu,  8 Sep 2022 15:23:03 +0300 (+03)
Date: Thu, 8 Sep 2022 15:23:03 +0300
From: "Kirill A. Shutemov" <kirill@shutemov.name>
To: Naoya Horiguchi <naoya.horiguchi@linux.dev>
Cc: linux-mm@kvack.org, Andrew Morton <akpm@linux-foundation.org>,
	David Hildenbrand <david@redhat.com>,
	Muchun Song <songmuchun@bytedance.com>,
	Miaohe Lin <linmiaohe@huawei.com>,
	Matthew Wilcox <willy@infradead.org>,
	Michal Hocko <mhocko@suse.com>, Yang Shi <shy828301@gmail.com>,
	Naoya Horiguchi <naoya.horiguchi@nec.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] mm/huge_memory: use pfn_to_online_page() in
 split_huge_pages_all()
Message-ID: <20220908122303.7pofcdcmbuq4ou6u@box.shutemov.name>
References: <20220908041150.3430269-1-naoya.horiguchi@linux.dev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20220908041150.3430269-1-naoya.horiguchi@linux.dev>
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1662639791; a=rsa-sha256;
	cv=none;
	b=fVK3UbfH3copOXN9XXtw0Ly4FosfVT23qX94uZKrdMElH1k656dNn75l5r1r96cIKuVZjm
	r3F9w9FYsc9YV85NADL8KRR4Kz62tVgNd2K1a73Fqy8Z/1568cJs3uBT9N6Ac0VUNY+qI0
	yGRCMAocjp9KgBREf4t8Ek3o4satN+w=
ARC-Authentication-Results: i=1;
	imf28.hostedemail.com;
	dkim=pass header.d=shutemov.name header.s=fm3 header.b=wBxCVchf;
	dkim=pass header.d=messagingengine.com header.s=fm2 header.b=Xz4bvcfj;
	spf=pass (imf28.hostedemail.com: domain of kirill@shutemov.name designates 66.111.4.28 as permitted sender) smtp.mailfrom=kirill@shutemov.name;
	dmarc=none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1662639791;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=QrnUHhscABFVHd45MeVYCEuM6pGZuhTaWiCVqnUwT08=;
	b=aDs9MngDGLUtjWanAdSsCSFcmW6NKV4lKKQjgas5XrwKUqJOZNybdutkKo7tFEV1GXXWMt
	09BBQzPWiswUO2l4YTV3l5/PqMJoLfg6/NUAAVYTULmvCThHV4b8apzhraKi/uPfs5DSNA
	iBzZxB9H0uQatTHAWhCF+ABAALfKjNk=
Authentication-Results: imf28.hostedemail.com;
	dkim=pass header.d=shutemov.name header.s=fm3 header.b=wBxCVchf;
	dkim=pass header.d=messagingengine.com header.s=fm2 header.b=Xz4bvcfj;
	spf=pass (imf28.hostedemail.com: domain of kirill@shutemov.name designates 66.111.4.28 as permitted sender) smtp.mailfrom=kirill@shutemov.name;
	dmarc=none
X-Stat-Signature: 565uj6rgzihktsc369nkwfswmek1zrfw
X-Rspam-User: 
X-Rspamd-Server: rspam10
X-Rspamd-Queue-Id: 8C6ECC009E
X-HE-Tag: 1662639791-524981
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Thu, Sep 08, 2022 at 01:11:50PM +0900, Naoya Horiguchi wrote:
> From: Naoya Horiguchi <naoya.horiguchi@nec.com>
> 
> NULL pointer dereference is triggered when calling thp split via debugfs
> on the system with offlined memory blocks.  With debug option enabled,
> the following kernel messages are printed out:
> 
>   page:00000000467f4890 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x121c000
>   flags: 0x17fffc00000000(node=0|zone=2|lastcpupid=0x1ffff)
>   raw: 0017fffc00000000 0000000000000000 dead000000000122 0000000000000000
>   raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
>   page dumped because: unmovable page
>   page:000000007d7ab72e is uninitialized and poisoned
>   page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
>   ------------[ cut here ]------------
>   kernel BUG at include/linux/mm.h:1248!
>   invalid opcode: 0000 [#1] PREEMPT SMP PTI
>   CPU: 16 PID: 20964 Comm: bash Tainted: G          I        6.0.0-rc3-foll-numa+ #41
>   ...
>   RIP: 0010:split_huge_pages_write+0xcf4/0xe30
> 
> This shows that page_to_nid() in page_zone() is unexpectedly called for an
> offlined memmap.
> 
> Use pfn_to_online_page() to get struct page in PFN walker.
> 
> Fixes: 49071d436b51 ("thp: add debugfs handle to split all huge pages")
> Signed-off-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
> Co-developed-by: David Hildenbrand <david@redhat.com>
> Signed-off-by: David Hildenbrand <david@redhat.com>
> Reviewed-by: Yang Shi <shy828301@gmail.com>
> Acked-by: Michal Hocko <mhocko@suse.com>
> Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>
> Reviewed-by: Oscar Salvador <osalvador@suse.de>
> Cc: <stable@vger.kernel.org> # 5.10+

Looks good:

Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>

But it makes me think if there's other similar cases. "page is offline" is
rather obscure case that rarely covered by routine testing. Otherwise the
bug would not survive for 6 years.

After quick look, kvm_pfn_to_refcounted_page() looks suspicious.
kdb_getphys() too.

Maybe we should make pfn_valid() false for offline pages and introduce
other check that allows offline pages which can be used in codepaths that
deal with offline pages explicitly.

-- 
  Kiryl Shutsemau / Kirill A. Shutemov