From nobody Mon Feb  9 11:04:49 2026
Received: from mail-pl1-f201.google.com (mail-pl1-f201.google.com
 [209.85.214.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 48EFE20010A
	for <linux-kernel@vger.kernel.org>; Mon, 12 Jan 2026 00:49:31 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.214.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1768178972; cv=none;
 b=GNSImOGwJ54VbIStfiascvEvzMQq3KvYHa4mIGadURrtrToWRsS4OLSLNMb811NzpBTyZgvvwyfYGrncuN+0nExqNBjrocYNihW6gQ82k65FOCpx+HortMO4fze+K1wpvPKs5igcHW6M3SA/oCWs7+so+yitd3Dz/Etg6mCZQzs=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1768178972; c=relaxed/simple;
	bh=BeycCS36b/oT9UtTuqLnX3mpVbKss9EYi+BomrbRUvM=;
	h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From:
	 To:Cc:Content-Type;
 b=d0dL5dRXtNXMNmjWFFz0fA2HLSlJxKmPFwhNiOxRLEYr6OfqE3YST2/VeWW2bfE3rlkv+BgnVrhuk0uS9SGFd6/umjDld12ga8Ca3Go/CnGVMGFrgTvE8HB6/5pZ7JWrXp6ObPADxIwpx+9Z0hTn/ZylzqrgkGqA7tYqdAOtQVI=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com;
 spf=pass smtp.mailfrom=flex--jiaqiyan.bounces.google.com;
 dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b=VzZAA9Av; arc=none smtp.client-ip=209.85.214.201
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=google.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=flex--jiaqiyan.bounces.google.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=google.com header.i=@google.com
 header.b="VzZAA9Av"
Received: by mail-pl1-f201.google.com with SMTP id
 d9443c01a7336-29f1f79d6afso73993085ad.0
        for <linux-kernel@vger.kernel.org>;
 Sun, 11 Jan 2026 16:49:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20230601; t=1768178970; x=1768783770;
 darn=vger.kernel.org;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:from:to:cc:subject:date:message-id:reply-to;
        bh=uwmWF2Bg3a4xbvi54Ji/t7adbofzJTtZzLagbDRk3qs=;
        b=VzZAA9AvgJyAVFsWgCngzw7TvWzj3HYX0jTUTvFvFO/uxVgTcbT9IcZAGeE7KtETlA
         YOCijkVMsjBd+rNDEYR8yLxuPTMdPSCkE9c6hc+YcWM/w5d+vcs59yuKrpaJLZLvaqjr
         mAsclPb0Uo36Eyk/rTS7WT1avgvW0MNGe7B6cb8nndzhOL46x6jECs4bh+pSP82ql0RV
         D5GTkr1LTm+cNDqxLtwBEcvYxWpWuglsYMzlL222tzOt++mYbiebVfeLSrUuXNjqFqTf
         NbKutteM2GGW3KOhtvqY8JHceReFn5yAbxdaifeC+C5KXeEyWY78sBe+1ljRD/8xbb4r
         rDHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1768178970; x=1768783770;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=uwmWF2Bg3a4xbvi54Ji/t7adbofzJTtZzLagbDRk3qs=;
        b=vqE2+4S0Da1OEgCKcS8fNcOE6ubsse4fCTfejj+w+tIlESspEDrsv/T9Ku+Bs9nJni
         1rrOeXYbVSF3liZ4lRrJQvHTeTkZ1I6ziGrN5NXundeerHEXfElosYHXsUN5NZzJq5cs
         UiA9x8tQC96vgCjxqQRAIEFm24Uvf2VtLVI6qUw9JKUbzrOV78bXYLnkCFvAehU4x0fe
         iyJLYJur7RYaRKjpv+7c0u6XJ9CJfZFtR7SZw4bdDxL02vxDw84DO/5A0iarX8O12Zlu
         Z3xvh9iCDINo0xB3jNg7cT6M4mjBacAAZobxkT1c7+zs6BgKjxNmK/xHNic5T1rriVZ0
         gMOA==
X-Forwarded-Encrypted: i=1;
 AJvYcCXfhShUOk9SbNQ0y6V1WjiIjm1wfld9LhPG4ZxBr7AbEXLpIDqLFnVLJLN+u+gZ9Xo+o8EpK7PN0uPNYM0=@vger.kernel.org
X-Gm-Message-State: AOJu0YziI20KL5A/7PttjBsskbpRpmz/QLPL8lIp5UPPQj6U2mlEb94z
	+ORom3p/sPS4eUtRJvpaQI3tXitJI4JcbLgxQlDHgJc8T80uWbRIwKI2/j4jfjYxkPma9L8rgCr
	OzxxFzaf8Ip6vVA==
X-Google-Smtp-Source: 
 AGHT+IFL3OjBX45+6Y4kyGYmIkZajwGcoQAeVv1gmRs2jlg58e65eo6WLqHWTKXBSZfAGu8Fskh2r/bvzC2oFA==
X-Received: from plde19.prod.google.com ([2002:a17:902:d393:b0:29e:fb92:99f6])
 (user=jiaqiyan job=prod-delivery.src-stubby-dispatcher) by
 2002:a17:902:ef49:b0:2a0:c1f5:c695 with SMTP id
 d9443c01a7336-2a3ee434048mr164800025ad.16.1768178970528;
 Sun, 11 Jan 2026 16:49:30 -0800 (PST)
Date: Mon, 12 Jan 2026 00:49:22 +0000
In-Reply-To: <20260112004923.888429-1-jiaqiyan@google.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
References: <20260112004923.888429-1-jiaqiyan@google.com>
X-Mailer: git-send-email 2.52.0.457.g6b5491de43-goog
Message-ID: <20260112004923.888429-3-jiaqiyan@google.com>
Subject: [PATCH v3 2/3] mm/page_alloc: only free healthy pages in high-order
 has_hwpoisoned folio
From: Jiaqi Yan <jiaqiyan@google.com>
To: jackmanb@google.com, hannes@cmpxchg.org, linmiaohe@huawei.com,
	ziy@nvidia.com, harry.yoo@oracle.com, willy@infradead.org
Cc: nao.horiguchi@gmail.com, david@redhat.com, lorenzo.stoakes@oracle.com,
	william.roche@oracle.com, tony.luck@intel.com, wangkefeng.wang@huawei.com,
	jane.chu@oracle.com, akpm@linux-foundation.org, osalvador@suse.de,
	muchun.song@linux.dev, rientjes@google.com, duenwen@google.com,
	jthoughton@google.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org,
	Liam.Howlett@oracle.com, vbabka@suse.cz, rppt@kernel.org, surenb@google.com,
	mhocko@suse.com, Jiaqi Yan <jiaqiyan@google.com>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

At the end of dissolve_free_hugetlb_folio(), a free HugeTLB folio
becomes non-HugeTLB, and it is released to buddy allocator
as a high-order folio, e.g. a folio that contains 262144 pages
if the folio was a 1G HugeTLB hugepage.

This is problematic if the HugeTLB hugepage contained HWPoison
subpages. In that case, since buddy allocator does not check
HWPoison for non-zero-order folio, the raw HWPoison page can
be given out with its buddy page and be re-used by either
kernel or userspace.

Memory failure recovery (MFR) in kernel does attempt to take
raw HWPoison page off buddy allocator after
dissolve_free_hugetlb_folio(). However, there is always a time
window between dissolve_free_hugetlb_folio() frees a HWPoison
high-order folio to buddy allocator and MFR takes HWPoison
raw page off buddy allocator.

One obvious way to avoid this problem is to add page sanity
checks in page allocate or free path. However, it is against
the past efforts to reduce sanity check overhead [1,2,3].

Introduce free_has_hwpoisoned() to only free the healthy pages
and to exclude the HWPoison ones in the high-order folio.
The idea is to iterate through the sub-pages of the folio to
identify contiguous ranges of healthy pages. Instead of freeing
pages one by one, decompose healthy ranges into the largest
possible blocks having different orders. Every block meets the
requirements to be freed via __free_one_page().

free_has_hwpoisoned() has linear time complexity wrt the number
of pages in the folio. While the power-of-two decomposition
ensures that the number of calls to the buddy allocator is
logarithmic for each contiguous healthy range, the mandatory
linear scan of pages to identify PageHWPoison() defines the
overall time complexity. For a 1G hugepage having several
HWPoison pages, free_has_hwpoisoned() takes around 2ms on
average.

Since free_has_hwpoisoned() has nontrivial overhead, it is
wrapped inside free_pages_prepare_has_hwpoisoned() and done
only PG_has_hwpoisoned indicates HWPoison page exists and
after free_pages_prepare() succeeded.

[1] https://lore.kernel.org/linux-mm/1460711275-1130-15-git-send-email-mgor=
man@techsingularity.net
[2] https://lore.kernel.org/linux-mm/1460711275-1130-16-git-send-email-mgor=
man@techsingularity.net
[3] https://lore.kernel.org/all/20230216095131.17336-1-vbabka@suse.cz

Signed-off-by: Jiaqi Yan <jiaqiyan@google.com>
---
 mm/page_alloc.c | 157 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 154 insertions(+), 3 deletions(-)

diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 822e05f1a9646..9393589118604 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -215,6 +215,9 @@ gfp_t gfp_allowed_mask __read_mostly =3D GFP_BOOT_MASK;
 unsigned int pageblock_order __read_mostly;
 #endif
=20
+static bool free_pages_prepare_has_hwpoisoned(struct page *page,
+					      unsigned int order,
+					      fpi_t fpi_flags);
 static void __free_pages_ok(struct page *page, unsigned int order,
 			    fpi_t fpi_flags);
=20
@@ -1568,8 +1571,10 @@ static void __free_pages_ok(struct page *page, unsig=
ned int order,
 	unsigned long pfn =3D page_to_pfn(page);
 	struct zone *zone =3D page_zone(page);
=20
-	if (free_pages_prepare(page, order))
-		free_one_page(zone, page, pfn, order, fpi_flags);
+	if (!free_pages_prepare_has_hwpoisoned(page, order, fpi_flags))
+		return;
+
+	free_one_page(zone, page, pfn, order, fpi_flags);
 }
=20
 void __meminit __free_pages_core(struct page *page, unsigned int order,
@@ -2923,6 +2928,152 @@ static bool free_frozen_page_commit(struct zone *zo=
ne,
 	return ret;
 }
=20
+/*
+ * Given a range of physically contiguous pages, efficiently free them
+ * block by block. Block order is chosen to meet the PFN alignment
+ * requirement in __free_one_page().
+ */
+static void free_contiguous_pages(struct page *curr, unsigned long nr_page=
s,
+				  fpi_t fpi_flags)
+{
+	unsigned int order;
+	unsigned int align_order;
+	unsigned int size_order;
+	unsigned long remaining;
+	unsigned long pfn =3D page_to_pfn(curr);
+	const unsigned long end_pfn =3D pfn + nr_pages;
+	struct zone *zone =3D page_zone(curr);
+
+	/*
+	 * This decomposition algorithm at every iteration chooses the
+	 * order to be the minimum of two constraints:
+	 * - Alignment: the largest power-of-two that divides current pfn.
+	 * - Size: the largest power-of-two that fits in the current
+	 *   remaining number of pages.
+	 */
+	while (pfn < end_pfn) {
+		remaining =3D end_pfn - pfn;
+		align_order =3D ffs(pfn) - 1;
+		size_order =3D fls_long(remaining) - 1;
+		order =3D min(align_order, size_order);
+
+		free_one_page(zone, curr, pfn, order, fpi_flags);
+		curr +=3D (1UL << order);
+		pfn +=3D (1UL << order);
+	}
+
+	VM_WARN_ON(pfn !=3D end_pfn);
+}
+
+/*
+ * Given a high-order compound page containing certain number of HWPoison
+ * pages, free only the healthy ones to buddy allocator.
+ *
+ * Pages must have passed free_pages_prepare(). Even if having HWPoison
+ * pages, breaking down compound page and updating metadata (e.g. page
+ * owner, alloc tag) can be done together during free_pages_prepare(),
+ * which simplifies the splitting here: unlike __split_unmapped_folio(),
+ * there is no need to turn split pages into a compound page or to carry
+ * metadata.
+ *
+ * It calls free_one_page O(2^order) times and cause nontrivial overhead.
+ * So only use this when the compound page really contains HWPoison.
+ *
+ * This implementation doesn't work in memdesc world.
+ */
+static void free_has_hwpoisoned(struct page *page, unsigned int order,
+				fpi_t fpi_flags)
+{
+	struct page *curr =3D page;
+	struct page *next;
+	unsigned long nr_pages;
+	/*
+	 * Don't assume end points to a valid page. It is only used
+	 * here for pointer arithmetic.
+	 */
+	struct page *end =3D page + (1 << order);
+	unsigned long total_freed =3D 0;
+	unsigned long total_hwp =3D 0;
+
+	VM_WARN_ON(order =3D=3D 0);
+	VM_WARN_ON(page->flags.f & PAGE_FLAGS_CHECK_AT_PREP);
+
+	while (curr < end) {
+		next =3D curr;
+		nr_pages =3D 0;
+
+		while (next < end && !PageHWPoison(next)) {
+			++next;
+			++nr_pages;
+		}
+
+		if (next !=3D end && PageHWPoison(next)) {
+			clear_page_tag_ref(next);
+			++total_hwp;
+		}
+
+		free_contiguous_pages(curr, nr_pages, fpi_flags);
+		total_freed +=3D nr_pages;
+		if (next =3D=3D end)
+			break;
+
+		curr =3D PageHWPoison(next) ? next + 1 : next;
+	}
+
+	VM_WARN_ON(total_freed + total_hwp !=3D (1 << order));
+	pr_info("Freed %#lx pages, excluded %lu hwpoison pages\n",
+		total_freed, total_hwp);
+}
+
+static bool compound_has_hwpoisoned(struct page *page, unsigned int order)
+{
+	if (order =3D=3D 0 || !PageCompound(page))
+		return false;
+
+	return folio_test_has_hwpoisoned(page_folio(page));
+}
+
+/*
+ * Do free_has_hwpoisoned() when needed after free_pages_prepare().
+ * Returns
+ * - true: free_pages_prepare() is good and caller can proceed freeing.
+ * - false: caller should not free pages for one of the two reasons:
+ *   1. free_pages_prepare() failed so it is not safe to proceed freeing.
+ *   2. this is a compound page having some HWPoison pages, and healthy
+ *      pages are already safely freed.
+ */
+static bool free_pages_prepare_has_hwpoisoned(struct page *page,
+					      unsigned int order,
+					      fpi_t fpi_flags)
+{
+	/*
+	 * free_pages_prepare() clears PAGE_FLAGS_SECOND flags on the
+	 * first tail page of a compound page, which clears PG_has_hwpoisoned.
+	 * So this call must be before free_pages_prepare().
+	 *
+	 * Note we can't exclude PG_has_hwpoisoned from PAGE_FLAGS_SECOND.
+	 * Because PG_has_hwpoisoned =3D=3D PG_active, free_page_is_bad() will
+	 * confuse and complaint that the first tail page is still active.
+	 */
+	bool should_fhh =3D compound_has_hwpoisoned(page, order);
+
+	if (!free_pages_prepare(page, order))
+		return false;
+
+	/*
+	 * After free_pages_prepare() breaks down compound page and deals
+	 * with page metadata (e.g. page owner and page alloc tags),
+	 * free_has_hwpoisoned() can directly use free_one_page() whenever
+	 * it knows the appropriate orders of page blocks to free.
+	 */
+	if (should_fhh) {
+		free_has_hwpoisoned(page, order, fpi_flags);
+		return false;
+	}
+
+	return true;
+}
+
 /*
  * Free a pcp page
  */
@@ -2940,7 +3091,7 @@ static void __free_frozen_pages(struct page *page, un=
signed int order,
 		return;
 	}
=20
-	if (!free_pages_prepare(page, order))
+	if (!free_pages_prepare_has_hwpoisoned(page, order, fpi_flags))
 		return;
=20
 	/*
--=20
2.52.0.457.g6b5491de43-goog