As the comments of page_mapcount_is_type() indicate, the parameter
passed to the function should be one more than page->_mapcount.
However, page->_mapcount is passed to the function by commit 4ffca5a96678
("mm: support only one page_type per page") where page_type_has_type()
is replaced by page_mapcount_is_type(), but the parameter isn't adjusted.
Fix the parameter for page_mapcount_is_type() to be (page->__mapcount
+ 1). Note that the issue doesn't cause any visible impacts due to the
safety gap introduced by PGTY_mapcount_underflow limit.
Fixes: 4ffca5a96678 ("mm: support only one page_type per page")
Signed-off-by: Gavin Shan <gshan@redhat.com>
Acked-by: David Hildenbrand <david@redhat.com>
---
mm/debug.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mm/debug.c b/mm/debug.c
index 8d2acf432385..b6bd9555ec7b 100644
--- a/mm/debug.c
+++ b/mm/debug.c
@@ -71,10 +71,10 @@ static void __dump_folio(struct folio *folio, struct page *page,
unsigned long pfn, unsigned long idx)
{
struct address_space *mapping = folio_mapping(folio);
- int mapcount = atomic_read(&page->_mapcount);
+ int mapcount = atomic_read(&page->_mapcount) + 1;
char *type = "";
- mapcount = page_mapcount_is_type(mapcount) ? 0 : mapcount + 1;
+ mapcount = page_mapcount_is_type(mapcount) ? 0 : mapcount;
pr_warn("page: refcount:%d mapcount:%d mapping:%p index:%#lx pfn:%#lx\n",
folio_ref_count(folio), mapcount, mapping,
folio->index + idx, pfn);
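Review bot: the `+ 1` on the `int mapcount = atomic_read(&page->_mapcount) + 1;` line carries the whole fix, yet nothing at that line says why the adjustment is there. A one-line comment stating that page_mapcount_is_type() expects a value one more than page->_mapcount, as the changelog explains, would keep a later cleanup from dropping it again. The changelog also spells the field page->__mapcount with two underscores while the code reads page->_mapcount; worth correcting before the patch is applied.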
--
2.48.1
On 3/21/25 13:02, Gavin Shan wrote:
> As the comments of page_mapcount_is_type() indicate, the parameter
> passed to the function should be one more than page->_mapcount.
> However, page->_mapcount is passed to the function by commit 4ffca5a96678
> ("mm: support only one page_type per page") where page_type_has_type()
> is replaced by page_mapcount_is_type(), but the parameter isn't adjusted.
>
> Fix the parameter for page_mapcount_is_type() to be (page->__mapcount
> + 1). Note that the issue doesn't cause any visible impacts due to the
> safety gap introduced by PGTY_mapcount_underflow limit.
>
> Fixes: 4ffca5a96678 ("mm: support only one page_type per page")
> Signed-off-by: Gavin Shan <gshan@redhat.com>
> Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
> ---
> mm/debug.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/mm/debug.c b/mm/debug.c
> index 8d2acf432385..b6bd9555ec7b 100644
> --- a/mm/debug.c
> +++ b/mm/debug.c
> @@ -71,10 +71,10 @@ static void __dump_folio(struct folio *folio, struct page *page,
> unsigned long pfn, unsigned long idx)
> {
> struct address_space *mapping = folio_mapping(folio);
> - int mapcount = atomic_read(&page->_mapcount);
> + int mapcount = atomic_read(&page->_mapcount) + 1;
> char *type = "";
>
> - mapcount = page_mapcount_is_type(mapcount) ? 0 : mapcount + 1;
> + mapcount = page_mapcount_is_type(mapcount) ? 0 : mapcount;
At this point it would be perhaps more obvious:
if (page_mapcount_is_type(mapcount))
mapcount = 0;
But doesn't matter much.
> pr_warn("page: refcount:%d mapcount:%d mapping:%p index:%#lx pfn:%#lx\n",
> folio_ref_count(folio), mapcount, mapping,
> folio->index + idx, pfn);
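Review bot: the page_mapcount_is_type(mapcount) call corrected in this hunk went wrong, per the changelog, when page_type_has_type() was replaced by page_mapcount_is_type() without adjusting the argument, and the changelog does not say whether any other call sites touched by that replacement were checked. A sentence confirming that __dump_folio() is the only affected caller, or listing the others, would make the Fixes: tag easier to rely on.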
On 21.03.25 16:19, Vlastimil Babka wrote:
> On 3/21/25 13:02, Gavin Shan wrote:
>> As the comments of page_mapcount_is_type() indicate, the parameter
>> passed to the function should be one more than page->_mapcount.
>> However, page->_mapcount is passed to the function by commit 4ffca5a96678
>> ("mm: support only one page_type per page") where page_type_has_type()
>> is replaced by page_mapcount_is_type(), but the parameter isn't adjusted.
>>
>> Fix the parameter for page_mapcount_is_type() to be (page->__mapcount
>> + 1). Note that the issue doesn't cause any visible impacts due to the
>> safety gap introduced by PGTY_mapcount_underflow limit.
>>
>> Fixes: 4ffca5a96678 ("mm: support only one page_type per page")
>> Signed-off-by: Gavin Shan <gshan@redhat.com>
>> Acked-by: David Hildenbrand <david@redhat.com>
>
> Acked-by: Vlastimil Babka <vbabka@suse.cz>
>
>> ---
>> mm/debug.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/mm/debug.c b/mm/debug.c
>> index 8d2acf432385..b6bd9555ec7b 100644
>> --- a/mm/debug.c
>> +++ b/mm/debug.c
>> @@ -71,10 +71,10 @@ static void __dump_folio(struct folio *folio, struct page *page,
>> unsigned long pfn, unsigned long idx)
>> {
>> struct address_space *mapping = folio_mapping(folio);
>> - int mapcount = atomic_read(&page->_mapcount);
>> + int mapcount = atomic_read(&page->_mapcount) + 1;
>> char *type = "";
>>
>> - mapcount = page_mapcount_is_type(mapcount) ? 0 : mapcount + 1;
>> + mapcount = page_mapcount_is_type(mapcount) ? 0 : mapcount;
>
> At this point it would be perhaps more obvious:
>
> if (page_mapcount_is_type(mapcount))
> mapcount = 0;
Agreed, maybe Andrew can fix that up.
--
Cheers,
David / dhildenb
On Fri, 21 Mar 2025 16:38:29 +0100 David Hildenbrand <david@redhat.com> wrote:
> >> - mapcount = page_mapcount_is_type(mapcount) ? 0 : mapcount + 1;
> >> + mapcount = page_mapcount_is_type(mapcount) ? 0 : mapcount;
> >
> > At this point it would be perhaps more obvious:
> >
> > if (page_mapcount_is_type(mapcount))
> > mapcount = 0;
>
> Agreed, maybe Andrew can fix that up.

Sure. I'll be adding this series to the 6.15-rc1 pile.