From: David Stevens
To: linux-mm@kvack.org, Peter Xu, Matthew Wilcox
Cc: Andrew Morton, "Kirill A . Shutemov", Yang Shi, David Hildenbrand, Hugh Dickins, linux-kernel@vger.kernel.org, David Stevens
Subject: [PATCH v4 1/3] mm/khugepaged: refactor collapse_file control flow
Date: Fri, 17 Feb 2023 17:54:37 +0900
Message-Id: <20230217085439.2826375-2-stevensd@google.com>
In-Reply-To: <20230217085439.2826375-1-stevensd@google.com>

Add a rollback label to deal with failure, instead of continuously checking for RESULT_SUCCESS, to make it easier to add more failure cases. The refactoring also allows the collapse_file tracepoint to include hpage on success (instead of NULL).

Signed-off-by: David Stevens
Acked-by: Peter Xu
---
 mm/khugepaged.c | 223 ++++++++++++++++++++++++------------------------
 1 file changed, 110 insertions(+), 113 deletions(-)

diff --git a/mm/khugepaged.c b/mm/khugepaged.c index 8dbc39896811..6a3d6d2e25e0 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -1885,6 +1885,12 @@ static int collapse_file(struct mm_struct *mm, unsig= ned long addr, if (result !=3D SCAN_SUCCEED) goto out; =20 + __SetPageLocked(hpage); + if (is_shmem) + __SetPageSwapBacked(hpage); + hpage->index =3D start; + hpage->mapping =3D mapping; + /* * Ensure we have slots for all the pages in the range. This is * almost certainly a no-op because most of the pages must be present @@ -1897,16 +1903,10 @@ static int collapse_file(struct mm_struct *mm, unsi= gned long addr, xas_unlock_irq(&xas); if (!xas_nomem(&xas, GFP_KERNEL)) { result =3D SCAN_FAIL; - goto out; + goto rollback; } } while (1); =20 - __SetPageLocked(hpage); - if (is_shmem) - __SetPageSwapBacked(hpage); - hpage->index =3D start; - hpage->mapping =3D mapping; - /* * At this point the hpage is locked and not up-to-date. * It's safe to insert it into the page cache, because nobody would 
@@ -2123,131 +2123,128 @@ static int collapse_file(struct mm_struct *mm, un= signed long addr, */ try_to_unmap_flush(); =20 - if (result =3D=3D SCAN_SUCCEED) { - /* - * Replacing old pages with new one has succeeded, now we - * attempt to copy the contents. - */ - index =3D start; - list_for_each_entry(page, &pagelist, lru) { - while (index < page->index) { - clear_highpage(hpage + (index % HPAGE_PMD_NR)); - index++; - } - if (copy_mc_page(hpage + (page->index % HPAGE_PMD_NR), - page) > 0) { - result =3D SCAN_COPY_MC; - break; - } - index++; - } - while (result =3D=3D SCAN_SUCCEED && index < end) { + if (result !=3D SCAN_SUCCEED) + goto rollback; + + /* + * Replacing old pages with new one has succeeded, now we + * attempt to copy the contents. + */ + index =3D start; + list_for_each_entry(page, &pagelist, lru) { + while (index < page->index) { clear_highpage(hpage + (index % HPAGE_PMD_NR)); index++; } + if (copy_mc_page(hpage + (page->index % HPAGE_PMD_NR), + page) > 0) { + result =3D SCAN_COPY_MC; + goto rollback; + } + index++; + } + while (index < end) { + clear_highpage(hpage + (index % HPAGE_PMD_NR)); + index++; } =20 - if (result =3D=3D SCAN_SUCCEED) { - /* - * Copying old pages to huge one has succeeded, now we - * need to free the old pages. - */ - list_for_each_entry_safe(page, tmp, &pagelist, lru) { - list_del(&page->lru); - page->mapping =3D NULL; - page_ref_unfreeze(page, 1); - ClearPageActive(page); - ClearPageUnevictable(page); - unlock_page(page); - put_page(page); - } + /* + * Copying old pages to huge one has succeeded, now we + * need to free the old pages. 
+ */ + list_for_each_entry_safe(page, tmp, &pagelist, lru) { + list_del(&page->lru); + page->mapping =3D NULL; + page_ref_unfreeze(page, 1); + ClearPageActive(page); + ClearPageUnevictable(page); + unlock_page(page); + put_page(page); + } =20 - xas_lock_irq(&xas); - if (is_shmem) - __mod_lruvec_page_state(hpage, NR_SHMEM_THPS, nr); - else - __mod_lruvec_page_state(hpage, NR_FILE_THPS, nr); + xas_lock_irq(&xas); + if (is_shmem) + __mod_lruvec_page_state(hpage, NR_SHMEM_THPS, nr); + else + __mod_lruvec_page_state(hpage, NR_FILE_THPS, nr); + + if (nr_none) { + __mod_lruvec_page_state(hpage, NR_FILE_PAGES, nr_none); + /* nr_none is always 0 for non-shmem. */ + __mod_lruvec_page_state(hpage, NR_SHMEM, nr_none); + } + /* Join all the small entries into a single multi-index entry. */ + xas_set_order(&xas, start, HPAGE_PMD_ORDER); + xas_store(&xas, hpage); + xas_unlock_irq(&xas); =20 - if (nr_none) { - __mod_lruvec_page_state(hpage, NR_FILE_PAGES, nr_none); - /* nr_none is always 0 for non-shmem. */ - __mod_lruvec_page_state(hpage, NR_SHMEM, nr_none); - } - /* Join all the small entries into a single multi-index entry. */ - xas_set_order(&xas, start, HPAGE_PMD_ORDER); - xas_store(&xas, hpage); - xas_unlock_irq(&xas); + folio =3D page_folio(hpage); + folio_mark_uptodate(folio); + folio_ref_add(folio, HPAGE_PMD_NR - 1); =20 - folio =3D page_folio(hpage); - folio_mark_uptodate(folio); - folio_ref_add(folio, HPAGE_PMD_NR - 1); + if (is_shmem) + folio_mark_dirty(folio); + folio_add_lru(folio); =20 - if (is_shmem) - folio_mark_dirty(folio); - folio_add_lru(folio); + /* + * Remove pte page tables, so we can re-fault the page as huge. 
+ */ + result =3D retract_page_tables(mapping, start, mm, addr, hpage, + cc); + unlock_page(hpage); + goto out; + +rollback: + /* Something went wrong: roll back page cache changes */ + xas_lock_irq(&xas); + if (nr_none) { + mapping->nrpages -=3D nr_none; + shmem_uncharge(mapping->host, nr_none); + } =20 - /* - * Remove pte page tables, so we can re-fault the page as huge. - */ - result =3D retract_page_tables(mapping, start, mm, addr, hpage, - cc); - unlock_page(hpage); - hpage =3D NULL; - } else { - /* Something went wrong: roll back page cache changes */ - xas_lock_irq(&xas); - if (nr_none) { - mapping->nrpages -=3D nr_none; - shmem_uncharge(mapping->host, nr_none); + xas_set(&xas, start); + xas_for_each(&xas, page, end - 1) { + page =3D list_first_entry_or_null(&pagelist, + struct page, lru); + if (!page || xas.xa_index < page->index) { + if (!nr_none) + break; + nr_none--; + /* Put holes back where they were */ + xas_store(&xas, NULL); + continue; } =20 - xas_set(&xas, start); - xas_for_each(&xas, page, end - 1) { - page =3D list_first_entry_or_null(&pagelist, - struct page, lru); - if (!page || xas.xa_index < page->index) { - if (!nr_none) - break; - nr_none--; - /* Put holes back where they were */ - xas_store(&xas, NULL); - continue; - } + VM_BUG_ON_PAGE(page->index !=3D xas.xa_index, page); =20 - VM_BUG_ON_PAGE(page->index !=3D xas.xa_index, page); + /* Unfreeze the page. */ + list_del(&page->lru); + page_ref_unfreeze(page, 2); + xas_store(&xas, page); + xas_pause(&xas); + xas_unlock_irq(&xas); + unlock_page(page); + putback_lru_page(page); + xas_lock_irq(&xas); + } + VM_BUG_ON(nr_none); + /* + * Undo the updates of filemap_nr_thps_inc for non-SHMEM file only. + * This undo is not needed unless failure is due to SCAN_COPY_MC. + */ + if (!is_shmem && result =3D=3D SCAN_COPY_MC) + filemap_nr_thps_dec(mapping); =20 - /* Unfreeze the page. 
 */ - list_del(&page->lru); - page_ref_unfreeze(page, 2); - xas_store(&xas, page); - xas_pause(&xas); - xas_unlock_irq(&xas); - unlock_page(page); - putback_lru_page(page); - xas_lock_irq(&xas); - } - VM_BUG_ON(nr_none); - /* - * Undo the updates of filemap_nr_thps_inc for non-SHMEM file only. - * This undo is not needed unless failure is due to SCAN_COPY_MC. - */ - if (!is_shmem && result =3D=3D SCAN_COPY_MC) - filemap_nr_thps_dec(mapping); + xas_unlock_irq(&xas); =20 - xas_unlock_irq(&xas); + hpage->mapping =3D NULL; =20 - hpage->mapping =3D NULL; - } + unlock_page(hpage); + mem_cgroup_uncharge(page_folio(hpage)); + put_page(hpage); =20 - if (hpage) - unlock_page(hpage); out: VM_BUG_ON(!list_empty(&pagelist)); - if (hpage) { - mem_cgroup_uncharge(page_folio(hpage)); - put_page(hpage); - } - trace_mm_khugepaged_collapse_file(mm, hpage, index, is_shmem, addr, file,= nr, result); return result; } --=20 2.39.2.637.g21b0678d19-goog
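
Review bot: In the last hunk of patch 1/3, the rollback path calls put_page(hpage) and then falls through to out:, where trace_mm_khugepaged_collapse_file() is still handed hpage, so on failure the tracepoint receives a pointer whose reference has already been dropped. If the tracepoint only derives a page frame number from it this is harmless, but a one-line comment at out: saying so would stop a later change from dereferencing it there. With the `if (hpage)` guards removed from out:, the early `if (result != SCAN_SUCCEED) goto out;` that sits before __SetPageLocked(hpage) also relies on no page being owned at that point; a comment stating that assumption would help whoever adds the next failure case. Nit: the commit message says RESULT_SUCCESS while the code checks SCAN_SUCCEED.
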
From: David Stevens
To: linux-mm@kvack.org, Peter Xu, Matthew Wilcox
Cc: Andrew Morton, "Kirill A . Shutemov", Yang Shi, David Hildenbrand, Hugh Dickins, linux-kernel@vger.kernel.org, David Stevens
Subject: [PATCH v4 2/3] mm/khugepaged: skip shmem with userfaultfd
Date: Fri, 17 Feb 2023 17:54:38 +0900
Message-Id: <20230217085439.2826375-3-stevensd@google.com>
In-Reply-To: <20230217085439.2826375-1-stevensd@google.com>

Make sure that collapse_file respects any userfaultfds registered with MODE_MISSING. If userspace has any such userfaultfds registered, then for any page which it knows to be missing, it may expect a UFFD_EVENT_PAGEFAULT. This means collapse_file needs to be careful when collapsing a shmem range would result in replacing an empty page with a THP, to avoid breaking userfaultfd.

Synchronization when checking for userfaultfds in collapse_file is tricky because the mmap locks can't be used to prevent races with the registration of new userfaultfds. Instead, we provide synchronization by ensuring that userspace cannot observe the fact that pages are missing before we check for userfaultfds. Although this allows registration of a userfaultfd to race with collapse_file, it ensures that userspace cannot observe any pages transition from missing to present after such a race occurs. This makes such a race indistinguishable from the collapse occurring immediately before the userfaultfd registration.

The first step to provide this synchronization is to stop filling gaps during the loop iterating over the target range, since the page cache lock can be dropped during that loop. The second step is to fill the gaps with XA_RETRY_ENTRY after the page cache lock is acquired the final time, to avoid races with accesses to the page cache that only take the RCU read lock.

The fact that we don't fill holes during the initial iteration means that collapse_file now has to handle faults occurring during the collapse. This is done by re-validating the number of missing pages after acquiring the page cache lock for the final time.

This fix is targeted at khugepaged, but the change also applies to MADV_COLLAPSE. MADV_COLLAPSE on a range with a userfaultfd will now return EBUSY if there are any missing pages (instead of succeeding on shmem and returning EINVAL on anonymous memory).
There is also now a window during MADV_COLLAPSE where a fault on a missing page will cause the syscall to fail with EAGAIN. The fact that intermediate page cache state can no longer be observed before the rollback of a failed collapse is also technically a userspace-visible change (via at least SEEK_DATA and SEEK_END), but it is exceedingly unlikely that anything relies on being able to observe that transient state. Signed-off-by: David Stevens Acked-by: Peter Xu --- include/trace/events/huge_memory.h | 3 +- mm/khugepaged.c | 92 +++++++++++++++++++++++------- 2 files changed, 73 insertions(+), 22 deletions(-) diff --git a/include/trace/events/huge_memory.h b/include/trace/events/huge= _memory.h index 46cce509957b..7ee85fff89a3 100644 --- a/include/trace/events/huge_memory.h +++ b/include/trace/events/huge_memory.h @@ -37,7 +37,8 @@ EM( SCAN_CGROUP_CHARGE_FAIL, "ccgroup_charge_failed") \ EM( SCAN_TRUNCATED, "truncated") \ EM( SCAN_PAGE_HAS_PRIVATE, "page_has_private") \ - EMe(SCAN_COPY_MC, "copy_poisoned_page") \ + EM( SCAN_COPY_MC, "copy_poisoned_page") \ + EMe(SCAN_PAGE_FILLED, "page_filled") \ =20 #undef EM #undef EMe diff --git a/mm/khugepaged.c b/mm/khugepaged.c index 6a3d6d2e25e0..1c37f9151345 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -57,6 +57,7 @@ enum scan_result { SCAN_TRUNCATED, SCAN_PAGE_HAS_PRIVATE, SCAN_COPY_MC, + SCAN_PAGE_FILLED, }; =20 #define CREATE_TRACE_POINTS @@ -1851,8 +1852,8 @@ static int retract_page_tables(struct address_space *= mapping, pgoff_t pgoff, * - allocate and lock a new huge page; * - scan page cache replacing old pages with the new one * + swap/gup in pages if necessary; - * + fill in gaps; * + keep old pages around in case rollback is required; + * - finalize updates to the page cache; * - if replacing succeeds: * + copy data over; * + free old pages; 
@@ -1930,13 +1931,12 @@ static int collapse_file(struct mm_struct *mm, unsi= gned long addr, result =3D SCAN_TRUNCATED; goto xa_locked; } - xas_set(&xas, index); + xas_set(&xas, index + 1); } if (!shmem_charge(mapping->host, 1)) { result =3D SCAN_FAIL; goto xa_locked; } - xas_store(&xas, hpage); nr_none++; continue; } 
@@ -2148,21 +2148,57 @@ static int collapse_file(struct mm_struct *mm, unsi= gned long addr, index++; } =20 - /* - * Copying old pages to huge one has succeeded, now we - * need to free the old pages. - */ - list_for_each_entry_safe(page, tmp, &pagelist, lru) { - list_del(&page->lru); - page->mapping =3D NULL; - page_ref_unfreeze(page, 1); - ClearPageActive(page); - ClearPageUnevictable(page); - unlock_page(page); - put_page(page); + if (nr_none) { + struct vm_area_struct *vma; + int nr_none_check =3D 0; + + i_mmap_lock_read(mapping); + xas_lock_irq(&xas); + + xas_set(&xas, start); + for (index =3D start; index < end; index++) { + if (!xas_next(&xas)) { + xas_store(&xas, XA_RETRY_ENTRY); + nr_none_check++; + } + } + + if (nr_none !=3D nr_none_check) { + result =3D SCAN_PAGE_FILLED; + goto immap_locked; + } + + /* + * If userspace observed a missing page in a VMA with an armed + * userfaultfd, then it might expect a UFFD_EVENT_PAGEFAULT for + * that page, so we need to roll back to avoid suppressing such + * an event. Any userfaultfds armed after this point will not be + * able to observe any missing pages due to the previously + * inserted retry entries. + */ + vma_interval_tree_foreach(vma, &mapping->i_mmap, start, start) { + if (userfaultfd_missing(vma)) { + result =3D SCAN_EXCEED_NONE_PTE; + goto immap_locked; + } + } + +immap_locked: + i_mmap_unlock_read(mapping); + if (result !=3D SCAN_SUCCEED) { + xas_set(&xas, start); + for (index =3D start; index < end; index++) { + if (xas_next(&xas) =3D=3D XA_RETRY_ENTRY) + xas_store(&xas, NULL); + } + + xas_unlock_irq(&xas); + goto rollback; + } + } else { + xas_lock_irq(&xas); } =20 - xas_lock_irq(&xas); if (is_shmem) __mod_lruvec_page_state(hpage, NR_SHMEM_THPS, nr); else 
@@ -2192,6 +2228,20 @@ static int collapse_file(struct mm_struct *mm, unsig= ned long addr, result =3D retract_page_tables(mapping, start, mm, addr, hpage, cc); unlock_page(hpage); + + /* + * The collapse has succeeded, so free the old pages. + */ + list_for_each_entry_safe(page, tmp, &pagelist, lru) { + list_del(&page->lru); + page->mapping =3D NULL; + page_ref_unfreeze(page, 1); + ClearPageActive(page); + ClearPageUnevictable(page); + unlock_page(page); + put_page(page); + } + goto out; =20 rollback: @@ -2203,15 +2253,13 @@ static int collapse_file(struct mm_struct *mm, unsi= gned long addr, } =20 xas_set(&xas, start); - xas_for_each(&xas, page, end - 1) { + end =3D index; + for (index =3D start; index < end; index++) { + xas_next(&xas); page =3D list_first_entry_or_null(&pagelist, struct page, lru); if (!page || xas.xa_index < page->index) { - if (!nr_none) - break; nr_none--; - /* Put holes back where they were */ - xas_store(&xas, NULL); continue; } =20 
@@ -2730,12 +2778,14 @@ static int madvise_collapse_errno(enum scan_result = r) case SCAN_ALLOC_HUGE_PAGE_FAIL: return -ENOMEM; case SCAN_CGROUP_CHARGE_FAIL: + case SCAN_EXCEED_NONE_PTE: return -EBUSY; /* Resource temporary unavailable - trying again might succeed */ case SCAN_PAGE_COUNT: case SCAN_PAGE_LOCK: case SCAN_PAGE_LRU: case SCAN_DEL_PAGE_LRU: + case SCAN_PAGE_FILLED: return -EAGAIN; /* * Other: Trying again likely not to succeed / error intrinsic to --=20 2.39.2.637.g21b0678d19-goog
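
Review bot: In the rollback hunk of patch 2/3, `end = index;` treats index as the point where the scan loop stopped, but the copy loop introduced as straight-line code in patch 1/3 resets `index = start` and jumps to rollback from the copy_mc_page() failure with index at the failing page. On that SCAN_COPY_MC path the new `for (index = start; index < end; index++)` loop looks like it stops short of the pages still queued on pagelist and of any later holes, which would trip VM_BUG_ON(nr_none) or the list_empty() check at out:. Recording the scan extent in its own variable before the copy loop reuses index would remove the dependency on which goto was taken.
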
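
Review bot: In the new `if (nr_none)` block of patch 2/3, vma_interval_tree_foreach() is called with `start, start`, so userfaultfd_missing() is only evaluated for VMAs that map the first page offset of the range, while the retry entries are inserted across all of `start..end`. A VMA with a MODE_MISSING userfaultfd that maps only a later part of the range would not be visited; should the interval extend through the last page being collapsed? Reusing SCAN_EXCEED_NONE_PTE for this case also makes the userfaultfd rollback indistinguishable from the existing none-PTE limit in the tracepoint, and the -EBUSY mapping added in madvise_collapse_errno() applies to both; a dedicated scan_result next to SCAN_PAGE_FILLED would keep the two apart.
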
From: David Stevens
To: linux-mm@kvack.org, Peter Xu, Matthew Wilcox
Cc: Andrew Morton, "Kirill A . Shutemov", Yang Shi, David Hildenbrand, Hugh Dickins, linux-kernel@vger.kernel.org, David Stevens
Subject: [PATCH v4 3/3] mm/khugepaged: maintain page cache uptodate flag
Date: Fri, 17 Feb 2023 17:54:39 +0900
Message-Id: <20230217085439.2826375-4-stevensd@google.com>
In-Reply-To: <20230217085439.2826375-1-stevensd@google.com>

Make sure that collapse_file doesn't interfere with checking the uptodate flag in the page cache by only inserting hpage into the page cache after it has been updated and marked uptodate. This is achieved by simply not replacing present pages with hpage when iterating over the target range. The present pages are already locked, so replacing them with the locked hpage before the collapse is finalized is unnecessary.

This fixes a race where folio_seek_hole_data would mistake hpage for an fallocated but unwritten page. This race is visible to userspace via data temporarily disappearing from SEEK_DATA/SEEK_HOLE.

Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages")
Signed-off-by: David Stevens
Acked-by: Peter Xu
---
 mm/khugepaged.c | 50 ++++++++++++-------------------------------------
 1 file changed, 12 insertions(+), 38 deletions(-)

diff --git a/mm/khugepaged.c b/mm/khugepaged.c index 1c37f9151345..e08cf7c5ebdf 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c
@@ -1908,12 +1908,6 @@ static int collapse_file(struct mm_struct *mm, unsig= ned long addr, } } while (1); =20 - /* - * At this point the hpage is locked and not up-to-date. - * It's safe to insert it into the page cache, because nobody would - * be able to map it or use it in another way until we unlock it. - */ - xas_set(&xas, start); for (index =3D start; index < end; index++) { page =3D xas_next(&xas); @@ -2082,13 +2076,9 @@ static int collapse_file(struct mm_struct *mm, unsig= ned long addr, } =20 /* - * Add the page to the list to be able to undo the collapse if - * something go wrong. + * Accumulate the pages that are being collapsed. */ list_add_tail(&page->lru, &pagelist); - - /* Finally, replace with the new page. */ - xas_store(&xas, hpage); continue; out_unlock: unlock_page(page); @@ -2127,8 +2117,7 @@ static int collapse_file(struct mm_struct *mm, unsign= ed long addr, goto rollback; =20 /* - * Replacing old pages with new one has succeeded, now we - * attempt to copy the contents. + * The old pages are locked, so they won't change anymore. */ index =3D start; list_for_each_entry(page, &pagelist, lru) { @@ -2209,11 +2198,11 @@ static int collapse_file(struct mm_struct *mm, unsi= gned long addr, /* nr_none is always 0 for non-shmem. */ __mod_lruvec_page_state(hpage, NR_SHMEM, nr_none); } - /* Join all the small entries into a single multi-index entry. */ - xas_set_order(&xas, start, HPAGE_PMD_ORDER); - xas_store(&xas, hpage); - xas_unlock_irq(&xas); =20 + /* + * Mark hpage as uptodate before inserting it into the page cache so + * that it isn't mistaken for an fallocated but unwritten page. + */ folio =3D page_folio(hpage); folio_mark_uptodate(folio); folio_ref_add(folio, HPAGE_PMD_NR - 1); 
@@ -2222,6 +2211,11 @@ static int collapse_file(struct mm_struct *mm, unsig= ned long addr, folio_mark_dirty(folio); folio_add_lru(folio); =20 + /* Join all the small entries into a single multi-index entry. */ + xas_set_order(&xas, start, HPAGE_PMD_ORDER); + xas_store(&xas, hpage); + xas_unlock_irq(&xas); + /* * Remove pte page tables, so we can re-fault the page as huge. */ @@ -2246,36 +2240,18 @@ static int collapse_file(struct mm_struct *mm, unsi= gned long addr, =20 rollback: /* Something went wrong: roll back page cache changes */ - xas_lock_irq(&xas); if (nr_none) { mapping->nrpages -=3D nr_none; shmem_uncharge(mapping->host, nr_none); } =20 - xas_set(&xas, start); - end =3D index; - for (index =3D start; index < end; index++) { - xas_next(&xas); - page =3D list_first_entry_or_null(&pagelist, - struct page, lru); - if (!page || xas.xa_index < page->index) { - nr_none--; - continue; - } - - VM_BUG_ON_PAGE(page->index !=3D xas.xa_index, page); - + list_for_each_entry_safe(page, tmp, &pagelist, lru) { /* Unfreeze the page. */ list_del(&page->lru); page_ref_unfreeze(page, 2); - xas_store(&xas, page); - xas_pause(&xas); - xas_unlock_irq(&xas); unlock_page(page); putback_lru_page(page); - xas_lock_irq(&xas); } - VM_BUG_ON(nr_none); /* * Undo the updates of filemap_nr_thps_inc for non-SHMEM file only. * This undo is not needed unless failure is due to SCAN_COPY_MC. @@ -2283,8 +2259,6 @@ static int collapse_file(struct mm_struct *mm, unsign= ed long addr, if (!is_shmem && result =3D=3D SCAN_COPY_MC) filemap_nr_thps_dec(mapping); =20 - xas_unlock_irq(&xas); - hpage->mapping =3D NULL; =20 unlock_page(hpage); --=20 2.39.2.637.g21b0678d19-goog
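
Review bot: In the rollback hunk of patch 3/3, dropping `xas_lock_irq(&xas)` leaves `mapping->nrpages -= nr_none;` running with no xarray lock held, where the previous code performed it under that lock. If other nrpages updates are serialized by the same lock, keep a short lock/unlock pair around the `if (nr_none)` block; if it is safe unlocked, say why in the comment above it. The function's header comment, visible as context in patch 2/3, still describes the scan as "replacing old pages with the new one", which this patch stops doing, so it should be updated in the same change.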