From nobody Fri Apr 10 23:24:03 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DF1FBC00140 for ; Thu, 18 Aug 2022 13:00:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244853AbiHRNAq (ORCPT ); Thu, 18 Aug 2022 09:00:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51130 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242589AbiHRNAo (ORCPT ); Thu, 18 Aug 2022 09:00:44 -0400 Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4514A647D8 for ; Thu, 18 Aug 2022 06:00:43 -0700 (PDT) Received: from canpemm500002.china.huawei.com (unknown [172.30.72.56]) by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4M7lKC2kMdz1N7Hm; Thu, 18 Aug 2022 20:57:19 +0800 (CST) Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Thu, 18 Aug 2022 21:00:41 +0800 From: Miaohe Lin To: , CC: , , Subject: [PATCH 1/6] mm, hwpoison: fix page refcnt leaking in try_memory_failure_hugetlb() Date: Thu, 18 Aug 2022 21:00:11 +0800 Message-ID: <20220818130016.45313-2-linmiaohe@huawei.com> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20220818130016.45313-1-linmiaohe@huawei.com> References: <20220818130016.45313-1-linmiaohe@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [10.175.124.27] X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To canpemm500002.china.huawei.com (7.192.104.244) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" When hwpoison_filter() refuses to hwpoison a hugetlb page, the refcnt of the page would have been incremented if res =3D=3D 1. Using put_page() to f= ix the refcnt leaking in this case. Fixes: 405ce051236c ("mm/hwpoison: fix race between hugetlb free/demotion a= nd memory_failure_hugetlb()") Signed-off-by: Miaohe Lin Acked-by: Naoya Horiguchi --- mm/memory-failure.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index e48f6f6a259d..22840cd5fe59 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -1860,8 +1860,10 @@ static int try_memory_failure_hugetlb(unsigned long = pfn, int flags, int *hugetlb =20 if (hwpoison_filter(p)) { hugetlb_clear_page_hwpoison(head); - res =3D -EOPNOTSUPP; - goto out; + unlock_page(head); + if (res =3D=3D 1) + put_page(head); + return -EOPNOTSUPP; } =20 /* --=20 2.23.0 From nobody Fri Apr 10 23:24:03 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7243AC3F6B0 for ; Thu, 18 Aug 2022 13:00:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244858AbiHRNAy (ORCPT ); Thu, 18 Aug 2022 09:00:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51132 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244132AbiHRNAo (ORCPT ); Thu, 18 Aug 2022 09:00:44 -0400 Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A1303659C2 for ; Thu, 18 Aug 2022 06:00:43 -0700 (PDT) Received: from canpemm500002.china.huawei.com (unknown [172.30.72.56]) by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4M7lKC5p4Zz1N7NB; Thu, 18 Aug 2022 20:57:19 +0800 (CST) Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Thu, 18 Aug 2022 21:00:41 +0800 From: Miaohe Lin To: , CC: , , Subject: [PATCH 2/6] mm, hwpoison: fix page refcnt leaking in unpoison_memory() Date: Thu, 18 Aug 2022 21:00:12 +0800 Message-ID: <20220818130016.45313-3-linmiaohe@huawei.com> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20220818130016.45313-1-linmiaohe@huawei.com> References: <20220818130016.45313-1-linmiaohe@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [10.175.124.27] X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To canpemm500002.china.huawei.com (7.192.104.244) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" When free_raw_hwp_pages() fails its work, the refcnt of the hugetlb page would have been incremented if ret > 0. Using put_page() to fix refcnt leaking in this case. Fixes: debb6b9c3fdd ("mm, hwpoison: make unpoison aware of raw error info i= n hwpoisoned hugepage") Signed-off-by: Miaohe Lin Acked-by: Naoya Horiguchi --- mm/memory-failure.c | 1 + 1 file changed, 1 insertion(+) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index 22840cd5fe59..0c5ad7505b99 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -2378,6 +2378,7 @@ int unpoison_memory(unsigned long pfn) count =3D free_raw_hwp_pages(page, false); if (count =3D=3D 0) { ret =3D -EBUSY; + put_page(page); goto unlock_mutex; } } --=20 2.23.0 From nobody Fri Apr 10 23:24:03 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id F1CC2C32772 for ; Thu, 18 Aug 2022 13:01:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244879AbiHRNBC (ORCPT ); Thu, 18 Aug 2022 09:01:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51152 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244604AbiHRNAp (ORCPT ); Thu, 18 Aug 2022 09:00:45 -0400 Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [45.249.212.189]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 02BA3659C2 for ; Thu, 18 Aug 2022 06:00:45 -0700 (PDT) Received: from canpemm500002.china.huawei.com (unknown [172.30.72.57]) by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4M7lMJ62f5zGpcF; Thu, 18 Aug 2022 20:59:08 +0800 (CST) Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Thu, 18 Aug 2022 21:00:42 +0800 From: Miaohe Lin To: , CC: , , Subject: [PATCH 3/6] mm, hwpoison: fix extra put_page() in soft_offline_page() Date: Thu, 18 Aug 2022 21:00:13 +0800 Message-ID: <20220818130016.45313-4-linmiaohe@huawei.com> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20220818130016.45313-1-linmiaohe@huawei.com> References: <20220818130016.45313-1-linmiaohe@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [10.175.124.27] X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To canpemm500002.china.huawei.com (7.192.104.244) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" When hwpoison_filter() refuses to soft offline a page, the page refcnt incremented previously by MF_COUNT_INCREASED would have been consumed via get_hwpoison_page() if ret <=3D 0. So the put_ref_page() here will put the extra one. Remove it to fix the issue. Fixes: 9113eaf331bf ("mm/memory-failure.c: add hwpoison_filter for soft off= line") Signed-off-by: Miaohe Lin Acked-by: Naoya Horiguchi --- mm/memory-failure.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index 0c5ad7505b99..7023c3d81273 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -2591,8 +2591,6 @@ int soft_offline_page(unsigned long pfn, int flags) if (hwpoison_filter(page)) { if (ret > 0) put_page(page); - else - put_ref_page(ref_page); =20 mutex_unlock(&mf_mutex); return -EOPNOTSUPP; --=20 2.23.0 From nobody Fri Apr 10 23:24:03 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 37AC6C32773 for ; Thu, 18 Aug 2022 13:01:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244471AbiHRNA5 (ORCPT ); Thu, 18 Aug 2022 09:00:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51138 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244407AbiHRNAp (ORCPT ); Thu, 18 Aug 2022 09:00:45 -0400 Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 95B3461DA7 for ; Thu, 18 Aug 2022 06:00:44 -0700 (PDT) Received: from canpemm500002.china.huawei.com (unknown [172.30.72.57]) by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4M7lKD4xMjz1N7Mc; Thu, 18 Aug 2022 20:57:20 +0800 (CST) Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Thu, 18 Aug 2022 21:00:42 +0800 From: Miaohe Lin To: , CC: , , Subject: [PATCH 4/6] mm, hwpoison: fix possible use-after-free in mf_dax_kill_procs() Date: Thu, 18 Aug 2022 21:00:14 +0800 Message-ID: <20220818130016.45313-5-linmiaohe@huawei.com> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20220818130016.45313-1-linmiaohe@huawei.com> References: <20220818130016.45313-1-linmiaohe@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [10.175.124.27] X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To canpemm500002.china.huawei.com (7.192.104.244) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" After kill_procs(), tk will be freed without being removed from the to_kill list. In the next iteration, the freed list entry in the to_kill list will be accessed, thus leading to use-after-free issue. Fix it by reinitializing the to_kill list after unmap_and_kill(). Fixes: c36e20249571 ("mm: introduce mf_dax_kill_procs() for fsdax case") Signed-off-by: Miaohe Lin --- mm/memory-failure.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index 7023c3d81273..a2f4e8b00a26 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -1658,6 +1658,8 @@ int mf_dax_kill_procs(struct address_space *mapping, = pgoff_t index, collect_procs_fsdax(page, mapping, index, &to_kill); unmap_and_kill(&to_kill, page_to_pfn(page), mapping, index, mf_flags); + /* Reinitialize to_kill list for later resuing. */ + INIT_LIST_HEAD(&to_kill); unlock: dax_unlock_mapping_entry(mapping, index, cookie); } --=20 2.23.0 From nobody Fri Apr 10 23:24:03 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7FB09C00140 for ; Thu, 18 Aug 2022 13:01:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244441AbiHRNBH (ORCPT ); Thu, 18 Aug 2022 09:01:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51154 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244842AbiHRNAq (ORCPT ); Thu, 18 Aug 2022 09:00:46 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3FCC766A57 for ; Thu, 18 Aug 2022 06:00:45 -0700 (PDT) Received: from canpemm500002.china.huawei.com (unknown [172.30.72.56]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4M7lKY569pzlWJd; Thu, 18 Aug 2022 20:57:37 +0800 (CST) Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Thu, 18 Aug 2022 21:00:42 +0800 From: Miaohe Lin To: , CC: , , Subject: [PATCH 5/6] mm, hwpoison: kill procs if unmap fails Date: Thu, 18 Aug 2022 21:00:15 +0800 Message-ID: <20220818130016.45313-6-linmiaohe@huawei.com> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20220818130016.45313-1-linmiaohe@huawei.com> References: <20220818130016.45313-1-linmiaohe@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [10.175.124.27] X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To canpemm500002.china.huawei.com (7.192.104.244) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" If try_to_unmap() fails, the hwpoisoned page still resides in the address space of some processes. We should kill these processes or the hwpoisoned page might be consumed later. collect_procs() is always called to collect relevant processes now so they can be killed later if unmap fails. Signed-off-by: Miaohe Lin Acked-by: Naoya Horiguchi --- mm/memory-failure.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index a2f4e8b00a26..5f9615a86296 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -1396,7 +1396,7 @@ static bool hwpoison_user_mappings(struct page *p, un= signed long pfn, struct address_space *mapping; LIST_HEAD(tokill); bool unmap_success; - int kill =3D 1, forcekill; + int forcekill; bool mlocked =3D PageMlocked(hpage); =20 /* @@ -1437,7 +1437,6 @@ static bool hwpoison_user_mappings(struct page *p, un= signed long pfn, if (page_mkclean(hpage)) { SetPageDirty(hpage); } else { - kill =3D 0; ttu |=3D TTU_IGNORE_HWPOISON; pr_info("%#lx: corrupted page was clean: dropped without side effects\n= ", pfn); @@ -1452,8 +1451,7 @@ static bool hwpoison_user_mappings(struct page *p, un= signed long pfn, * Error handling: We ignore errors here because * there's nothing that can be done. */ - if (kill) - collect_procs(hpage, &tokill, flags & MF_ACTION_REQUIRED); + collect_procs(hpage, &tokill, flags & MF_ACTION_REQUIRED); =20 if (PageHuge(hpage) && !PageAnon(hpage)) { /* @@ -1495,7 +1493,8 @@ static bool hwpoison_user_mappings(struct page *p, un= signed long pfn, * use a more force-full uncatchable kill to prevent * any accesses to the poisoned memory. */ - forcekill =3D PageDirty(hpage) || (flags & MF_MUST_KILL); + forcekill =3D PageDirty(hpage) || (flags & MF_MUST_KILL) || + !unmap_success; kill_procs(&tokill, forcekill, !unmap_success, pfn, flags); =20 return unmap_success; --=20 2.23.0 From nobody Fri Apr 10 23:24:03 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 984A4C32772 for ; Thu, 18 Aug 2022 13:01:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244407AbiHRNBM (ORCPT ); Thu, 18 Aug 2022 09:01:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51194 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244860AbiHRNAt (ORCPT ); Thu, 18 Aug 2022 09:00:49 -0400 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2F17F6B16B for ; Thu, 18 Aug 2022 06:00:48 -0700 (PDT) Received: from canpemm500002.china.huawei.com (unknown [172.30.72.56]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4M7lLZ5N68znTYd; Thu, 18 Aug 2022 20:58:30 +0800 (CST) Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Thu, 18 Aug 2022 21:00:43 +0800 From: Miaohe Lin To: , CC: , , Subject: [PATCH 6/6] mm, hwpoison: avoid trying to unpoison reserved page Date: Thu, 18 Aug 2022 21:00:16 +0800 Message-ID: <20220818130016.45313-7-linmiaohe@huawei.com> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20220818130016.45313-1-linmiaohe@huawei.com> References: <20220818130016.45313-1-linmiaohe@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [10.175.124.27] X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To canpemm500002.china.huawei.com (7.192.104.244) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" For reserved pages, HWPoison flag will be set without increasing the page refcnt. So we shouldn't even try to unpoison these pages and thus decrease the page refcnt unexpectly. Add a PageReserved() check to filter this case out and remove the below unneeded zero page (zero page is reserved) check. Signed-off-by: Miaohe Lin Acked-by: Naoya Horiguchi --- mm/memory-failure.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index 5f9615a86296..c831c41bb092 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -2355,7 +2355,7 @@ int unpoison_memory(unsigned long pfn) goto unlock_mutex; } =20 - if (PageSlab(page) || PageTable(page)) + if (PageSlab(page) || PageTable(page) || PageReserved(page)) goto unlock_mutex; =20 ret =3D get_hwpoison_page(p, MF_UNPOISON); @@ -2386,7 +2386,7 @@ int unpoison_memory(unsigned long pfn) freeit =3D !!TestClearPageHWPoison(p); =20 put_page(page); - if (freeit && !(pfn =3D=3D my_zero_pfn(0) && page_count(p) =3D=3D 1)) { + if (freeit) { put_page(page); ret =3D 0; } --=20 2.23.0