From nobody Wed Apr 8 06:24:33 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D055AC32774 for ; Tue, 23 Aug 2022 03:24:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239595AbiHWDY1 (ORCPT ); Mon, 22 Aug 2022 23:24:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51898 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233113AbiHWDYW (ORCPT ); Mon, 22 Aug 2022 23:24:22 -0400 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 51A1252092 for ; Mon, 22 Aug 2022 20:24:21 -0700 (PDT) Received: from canpemm500002.china.huawei.com (unknown [172.30.72.55]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4MBZHl13FYzgYpg; Tue, 23 Aug 2022 11:20:51 +0800 (CST) Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Tue, 23 Aug 2022 11:24:19 +0800 From: Miaohe Lin To: , CC: , , Subject: [PATCH v2 1/6] mm, hwpoison: fix page refcnt leaking in try_memory_failure_hugetlb() Date: Tue, 23 Aug 2022 11:23:41 +0800 Message-ID: <20220823032346.4260-2-linmiaohe@huawei.com> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20220823032346.4260-1-linmiaohe@huawei.com> References: <20220823032346.4260-1-linmiaohe@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [10.175.124.27] X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To canpemm500002.china.huawei.com (7.192.104.244) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" When hwpoison_filter() refuses to hwpoison a hugetlb page, the refcnt of the page would have been incremented if res =3D=3D 1. Using put_page() to f= ix the refcnt leaking in this case. Fixes: 405ce051236c ("mm/hwpoison: fix race between hugetlb free/demotion a= nd memory_failure_hugetlb()") Signed-off-by: Miaohe Lin Acked-by: Naoya Horiguchi --- mm/memory-failure.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index 5b368124956d..9d1ebfef04ee 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -1860,8 +1860,10 @@ static int try_memory_failure_hugetlb(unsigned long = pfn, int flags, int *hugetlb =20 if (hwpoison_filter(p)) { hugetlb_clear_page_hwpoison(head); - res =3D -EOPNOTSUPP; - goto out; + unlock_page(head); + if (res =3D=3D 1) + put_page(head); + return -EOPNOTSUPP; } =20 /* --=20 2.23.0 From nobody Wed Apr 8 06:24:33 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 585AEC28D13 for ; Tue, 23 Aug 2022 03:24:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240043AbiHWDYg (ORCPT ); Mon, 22 Aug 2022 23:24:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51900 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239205AbiHWDYW (ORCPT ); Mon, 22 Aug 2022 23:24:22 -0400 Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F3CDE520A6 for ; Mon, 22 Aug 2022 20:24:21 -0700 (PDT) Received: from canpemm500002.china.huawei.com (unknown [172.30.72.53]) by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4MBZHl73ZJz1N7YB; Tue, 23 Aug 2022 11:20:51 +0800 (CST) Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Tue, 23 Aug 2022 11:24:19 +0800 From: Miaohe Lin To: , CC: , , Subject: [PATCH v2 2/6] mm, hwpoison: fix page refcnt leaking in unpoison_memory() Date: Tue, 23 Aug 2022 11:23:42 +0800 Message-ID: <20220823032346.4260-3-linmiaohe@huawei.com> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20220823032346.4260-1-linmiaohe@huawei.com> References: <20220823032346.4260-1-linmiaohe@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [10.175.124.27] X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To canpemm500002.china.huawei.com (7.192.104.244) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" When free_raw_hwp_pages() fails its work, the refcnt of the hugetlb page would have been incremented if ret > 0. Using put_page() to fix refcnt leaking in this case. Fixes: debb6b9c3fdd ("mm, hwpoison: make unpoison aware of raw error info i= n hwpoisoned hugepage") Signed-off-by: Miaohe Lin Acked-by: Naoya Horiguchi --- mm/memory-failure.c | 1 + 1 file changed, 1 insertion(+) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index 9d1ebfef04ee..ecd42d717c6f 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -2378,6 +2378,7 @@ int unpoison_memory(unsigned long pfn) count =3D free_raw_hwp_pages(page, false); if (count =3D=3D 0) { ret =3D -EBUSY; + put_page(page); goto unlock_mutex; } } --=20 2.23.0 From nobody Wed Apr 8 06:24:33 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BB09BC28D13 for ; Tue, 23 Aug 2022 03:24:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240077AbiHWDYp (ORCPT ); Mon, 22 Aug 2022 23:24:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51920 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239405AbiHWDYX (ORCPT ); Mon, 22 Aug 2022 23:24:23 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E0A6F52FEE for ; Mon, 22 Aug 2022 20:24:22 -0700 (PDT) Received: from canpemm500002.china.huawei.com (unknown [172.30.72.53]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4MBZGq6CvdzXf27; Tue, 23 Aug 2022 11:20:03 +0800 (CST) Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Tue, 23 Aug 2022 11:24:20 +0800 From: Miaohe Lin To: , CC: , , Subject: [PATCH v2 3/6] mm, hwpoison: fix extra put_page() in soft_offline_page() Date: Tue, 23 Aug 2022 11:23:43 +0800 Message-ID: <20220823032346.4260-4-linmiaohe@huawei.com> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20220823032346.4260-1-linmiaohe@huawei.com> References: <20220823032346.4260-1-linmiaohe@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [10.175.124.27] X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To canpemm500002.china.huawei.com (7.192.104.244) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" When hwpoison_filter() refuses to soft offline a page, the page refcnt incremented previously by MF_COUNT_INCREASED would have been consumed via get_hwpoison_page() if ret <=3D 0. So the put_ref_page() here will put the extra one. Remove it to fix the issue. Fixes: 9113eaf331bf ("mm/memory-failure.c: add hwpoison_filter for soft off= line") Signed-off-by: Miaohe Lin Acked-by: Naoya Horiguchi --- mm/memory-failure.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index ecd42d717c6f..1d79e693f1b9 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -2575,8 +2575,6 @@ int soft_offline_page(unsigned long pfn, int flags) if (hwpoison_filter(page)) { if (ret > 0) put_page(page); - else - put_ref_page(ref_page); =20 mutex_unlock(&mf_mutex); return -EOPNOTSUPP; --=20 2.23.0 From nobody Wed Apr 8 06:24:33 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 38543C28D13 for ; Tue, 23 Aug 2022 03:24:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240050AbiHWDYl (ORCPT ); Mon, 22 Aug 2022 23:24:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51914 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239310AbiHWDYX (ORCPT ); Mon, 22 Aug 2022 23:24:23 -0400 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E06B752E4B for ; Mon, 22 Aug 2022 20:24:22 -0700 (PDT) Received: from canpemm500002.china.huawei.com (unknown [172.30.72.56]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4MBZHm3PTVzgYpk; Tue, 23 Aug 2022 11:20:52 +0800 (CST) Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Tue, 23 Aug 2022 11:24:20 +0800 From: Miaohe Lin To: , CC: , , Subject: [PATCH v2 4/6] mm, hwpoison: fix possible use-after-free in mf_dax_kill_procs() Date: Tue, 23 Aug 2022 11:23:44 +0800 Message-ID: <20220823032346.4260-5-linmiaohe@huawei.com> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20220823032346.4260-1-linmiaohe@huawei.com> References: <20220823032346.4260-1-linmiaohe@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [10.175.124.27] X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To canpemm500002.china.huawei.com (7.192.104.244) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" After kill_procs(), tk will be freed without being removed from the to_kill list. In the next iteration, the freed list entry in the to_kill list will be accessed, thus leading to use-after-free issue. Adding list_del() in kill_procs() to fix the issue. Fixes: c36e20249571 ("mm: introduce mf_dax_kill_procs() for fsdax case") Signed-off-by: Miaohe Lin --- mm/memory-failure.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index 1d79e693f1b9..f8262f577baf 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -413,7 +413,7 @@ static void kill_procs(struct list_head *to_kill, int f= orcekill, bool fail, { struct to_kill *tk, *next; =20 - list_for_each_entry_safe (tk, next, to_kill, nd) { + list_for_each_entry_safe(tk, next, to_kill, nd) { if (forcekill) { /* * In case something went wrong with munmapping @@ -437,6 +437,7 @@ static void kill_procs(struct list_head *to_kill, int f= orcekill, bool fail, pr_err("%#lx: Cannot send advisory machine check signal to %s:%d\n", pfn, tk->tsk->comm, tk->tsk->pid); } + list_del(&tk->nd); put_task_struct(tk->tsk); kfree(tk); } --=20 2.23.0 From nobody Wed Apr 8 06:24:33 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1C4EAC28D13 for ; Tue, 23 Aug 2022 03:24:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240094AbiHWDYu (ORCPT ); Mon, 22 Aug 2022 23:24:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51922 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239420AbiHWDYX (ORCPT ); Mon, 22 Aug 2022 23:24:23 -0400 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3C7F358535 for ; Mon, 22 Aug 2022 20:24:23 -0700 (PDT) Received: from canpemm500002.china.huawei.com (unknown [172.30.72.54]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4MBZK75H1hzhYcQ; Tue, 23 Aug 2022 11:22:03 +0800 (CST) Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Tue, 23 Aug 2022 11:24:21 +0800 From: Miaohe Lin To: , CC: , , Subject: [PATCH v2 5/6] mm, hwpoison: kill procs if unmap fails Date: Tue, 23 Aug 2022 11:23:45 +0800 Message-ID: <20220823032346.4260-6-linmiaohe@huawei.com> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20220823032346.4260-1-linmiaohe@huawei.com> References: <20220823032346.4260-1-linmiaohe@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [10.175.124.27] X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To canpemm500002.china.huawei.com (7.192.104.244) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" If try_to_unmap() fails, the hwpoisoned page still resides in the address space of some processes. We should kill these processes or the hwpoisoned page might be consumed later. collect_procs() is always called to collect relevant processes now so they can be killed later if unmap fails. Signed-off-by: Miaohe Lin Acked-by: Naoya Horiguchi --- mm/memory-failure.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index f8262f577baf..c2910f9af1d4 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -1397,7 +1397,7 @@ static bool hwpoison_user_mappings(struct page *p, un= signed long pfn, struct address_space *mapping; LIST_HEAD(tokill); bool unmap_success; - int kill =3D 1, forcekill; + int forcekill; bool mlocked =3D PageMlocked(hpage); =20 /* @@ -1438,7 +1438,6 @@ static bool hwpoison_user_mappings(struct page *p, un= signed long pfn, if (page_mkclean(hpage)) { SetPageDirty(hpage); } else { - kill =3D 0; ttu |=3D TTU_IGNORE_HWPOISON; pr_info("%#lx: corrupted page was clean: dropped without side effects\n= ", pfn); @@ -1449,12 +1448,8 @@ static bool hwpoison_user_mappings(struct page *p, u= nsigned long pfn, * First collect all the processes that have the page * mapped in dirty form. This has to be done before try_to_unmap, * because ttu takes the rmap data structures down. - * - * Error handling: We ignore errors here because - * there's nothing that can be done. */ - if (kill) - collect_procs(hpage, &tokill, flags & MF_ACTION_REQUIRED); + collect_procs(hpage, &tokill, flags & MF_ACTION_REQUIRED); =20 if (PageHuge(hpage) && !PageAnon(hpage)) { /* @@ -1496,7 +1491,8 @@ static bool hwpoison_user_mappings(struct page *p, un= signed long pfn, * use a more force-full uncatchable kill to prevent * any accesses to the poisoned memory. */ - forcekill =3D PageDirty(hpage) || (flags & MF_MUST_KILL); + forcekill =3D PageDirty(hpage) || (flags & MF_MUST_KILL) || + !unmap_success; kill_procs(&tokill, forcekill, !unmap_success, pfn, flags); =20 return unmap_success; --=20 2.23.0 From nobody Wed Apr 8 06:24:33 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 58CABC28D13 for ; Tue, 23 Aug 2022 03:24:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240084AbiHWDYs (ORCPT ); Mon, 22 Aug 2022 23:24:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51924 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239502AbiHWDYY (ORCPT ); Mon, 22 Aug 2022 23:24:24 -0400 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 807AE51A2F for ; Mon, 22 Aug 2022 20:24:23 -0700 (PDT) Received: from canpemm500002.china.huawei.com (unknown [172.30.72.55]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4MBZHn2SrszgYpq; Tue, 23 Aug 2022 11:20:53 +0800 (CST) Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Tue, 23 Aug 2022 11:24:21 +0800 From: Miaohe Lin To: , CC: , , Subject: [PATCH v2 6/6] mm, hwpoison: avoid trying to unpoison reserved page Date: Tue, 23 Aug 2022 11:23:46 +0800 Message-ID: <20220823032346.4260-7-linmiaohe@huawei.com> X-Mailer: git-send-email 2.23.0 In-Reply-To: <20220823032346.4260-1-linmiaohe@huawei.com> References: <20220823032346.4260-1-linmiaohe@huawei.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [10.175.124.27] X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To canpemm500002.china.huawei.com (7.192.104.244) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" For reserved pages, HWPoison flag will be set without increasing the page refcnt. So we shouldn't even try to unpoison these pages and thus decrease the page refcnt unexpectly. Add a PageReserved() check to filter this case out and remove the below unneeded zero page (zero page is reserved) check. Signed-off-by: Miaohe Lin Acked-by: Naoya Horiguchi --- mm/memory-failure.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index c2910f9af1d4..f3ff2515ccc6 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -2351,7 +2351,7 @@ int unpoison_memory(unsigned long pfn) goto unlock_mutex; } =20 - if (PageSlab(page) || PageTable(page)) + if (PageSlab(page) || PageTable(page) || PageReserved(page)) goto unlock_mutex; =20 ret =3D get_hwpoison_page(p, MF_UNPOISON); @@ -2382,7 +2382,7 @@ int unpoison_memory(unsigned long pfn) freeit =3D !!TestClearPageHWPoison(p); =20 put_page(page); - if (freeit && !(pfn =3D=3D my_zero_pfn(0) && page_count(p) =3D=3D 1)) { + if (freeit) { put_page(page); ret =3D 0; } --=20 2.23.0