From nobody Wed Feb 11 03:42:09 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 388ED1FC0EB for ; Mon, 24 Feb 2025 21:59:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740434370; cv=none; b=fg7XTFg+8P7cjQ0J5bfydTo844ZkSRZH+3plzplvuffyJqF5I8T40XpOnx0eX0LylNhPi8DlP2B/QM4ZsHl+Gy/o4Pj7noqUM+L/jRtSLd5rCfWQ2pp+QzucvrVzqJ181OdFIcQg226QMD/Y5RHMRiMYZbJoELxaZiNZ5IVIM5Q= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740434370; c=relaxed/simple; bh=rTjLKS6zi3fibnlja9uhJe1I0xGmSZ8izGxln042tOM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=OU3hZxJTFjn3YBlWbRyMxXUL9+C9C5MkYtTQby5wG3BZBVgtlCh6JDhu81QGlfZvl6sR7BB/56zxRBvFYrByozQtlpYq5VcbZNzSIUJhMcRcSgZAUq5jss22c4QTpNWv783II9PuUqw5c0fHue6cKXZMiJ0t15/lX29QB3jY5WA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=XmxRY1Uj; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="XmxRY1Uj" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1740434368; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=FtYeaQb9yjWDAqIxpFJ3I+Fkvf55cMTzB8yThSJBOoQ=; b=XmxRY1Ujax7TBC72QJcTKPD9O/V4SbeF2a25WfA2jhlE4bty1uInFV8TscR1oADSlj8I7O s7Y1lBdPU/f1HpilGS/vgk73gzi7xR6Uvvl5XFNaQXe7X0vqZBxyuf/RKeN/FbmmYM1Yf0 egnEdvAGaTYi8st4MDMspFERbbNsRug= Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-462-JUYoEci3NZm2AUhf6yksEw-1; Mon, 24 Feb 2025 16:59:22 -0500 X-MC-Unique: JUYoEci3NZm2AUhf6yksEw-1 X-Mimecast-MFC-AGG-ID: JUYoEci3NZm2AUhf6yksEw_1740434361 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id C20701800373; Mon, 24 Feb 2025 21:59:20 +0000 (UTC) Received: from fedora.redhat.com (unknown [10.22.65.50]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 6746D1800359; Mon, 24 Feb 2025 21:59:18 +0000 (UTC) From: Luiz Capitulino To: linux-kernel@vger.kernel.org, linux-mm@kvack.org, david@redhat.com, yuzhao@google.com, pasha.tatashin@soleen.com Cc: akpm@linux-foundation.org, hannes@cmpxchg.org, muchun.song@linux.dev, luizcap@redhat.com Subject: [PATCH v2 1/4] mm: page_ext: make lookup_page_ext() public Date: Mon, 24 Feb 2025 16:59:05 -0500 Message-ID: In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Content-Type: text/plain; charset="utf-8" The next commit will use it. Signed-off-by: Luiz Capitulino --- include/linux/page_ext.h | 1 + mm/page_ext.c | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/include/linux/page_ext.h b/include/linux/page_ext.h index e4b48a0dda244..d6fb891c51d1d 100644 --- a/include/linux/page_ext.h +++ b/include/linux/page_ext.h @@ -79,6 +79,7 @@ static inline void page_ext_init(void) =20 extern struct page_ext *page_ext_get(const struct page *page); extern void page_ext_put(struct page_ext *page_ext); +extern struct page_ext *lookup_page_ext(const struct page *page); =20 static inline void *page_ext_data(struct page_ext *page_ext, struct page_ext_operations *ops) diff --git a/mm/page_ext.c b/mm/page_ext.c index 641d93f6af4c1..23ad30597c05c 100644 --- a/mm/page_ext.c +++ b/mm/page_ext.c @@ -165,7 +165,7 @@ void __meminit pgdat_page_ext_init(struct pglist_data *= pgdat) pgdat->node_page_ext =3D NULL; } =20 -static struct page_ext *lookup_page_ext(const struct page *page) +struct page_ext *lookup_page_ext(const struct page *page) { unsigned long pfn =3D page_to_pfn(page); unsigned long index; @@ -245,7 +245,7 @@ static bool page_ext_invalid(struct page_ext *page_ext) return !page_ext || (((unsigned long)page_ext & PAGE_EXT_INVALID) =3D=3D = PAGE_EXT_INVALID); } =20 -static struct page_ext *lookup_page_ext(const struct page *page) +struct page_ext *lookup_page_ext(const struct page *page) { unsigned long pfn =3D page_to_pfn(page); struct mem_section *section =3D __pfn_to_section(pfn); --=20 2.48.1 From nobody Wed Feb 11 03:42:09 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 034601FBEBF for ; Mon, 24 Feb 2025 21:59:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740434370; cv=none; b=tgko3a/83hSxdNt9IP97MPI99TzYZUPvtYgZWfGolb6XCAPnBhmduFO1j5Sj4H0fl5d/ANDsMlK6e6oQpCWdGEdyfxc2kvMdOSek+ssnvvcLgYz6m0l9CrFniudQEPGVITLMuLfn64SX2UsRkTl7l4JXfZIpOO/ZGh0PcQSSY6k= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740434370; c=relaxed/simple; bh=MudvCWmh9PIiNzqnJSdpldhHb94nb5lunASWCZYRtPo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=TSfcmpAMulVZ2gdqBbJ0o87dEPo2rcU/GVCXGQP3/sQBjBKSTfKjLw/skoKGHrGP5E+7OXsjXZCMq/flET4MHsXRnLvZvpGFzswcbibslipQHf+46QOq+Yq2a42ni3qyBDBVeHSwQGtRA3y4GGOveKQtLX3at48A+mAdzfIjJLM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=BaU5FruA; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="BaU5FruA" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1740434367; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=jIuVuZi/rT8xS75r5ZQPMK2tcpRyNkRr1DXyoirL1iM=; b=BaU5FruA/iWT1ha2Jhwz7hWXqnemBW3jNso4gsvtOzXkre71JrUKDoOneWaxjsfXdBNiz5 zvBaeB1xG5WgEtoMjszFe2EFTg0oLBxwLis2fr4QAAJyBd9pqEnnY419S2/qf/YYk8coGt aWOmqxtpobrHr6eqD75qBgqZDoQ0onk= Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-323-eAx3mHagOqq5Asig4w3e0Q-1; Mon, 24 Feb 2025 16:59:24 -0500 X-MC-Unique: eAx3mHagOqq5Asig4w3e0Q-1 X-Mimecast-MFC-AGG-ID: eAx3mHagOqq5Asig4w3e0Q_1740434363 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 3982F1800872; Mon, 24 Feb 2025 21:59:23 +0000 (UTC) Received: from fedora.redhat.com (unknown [10.22.65.50]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 18C811800368; Mon, 24 Feb 2025 21:59:20 +0000 (UTC) From: Luiz Capitulino To: linux-kernel@vger.kernel.org, linux-mm@kvack.org, david@redhat.com, yuzhao@google.com, pasha.tatashin@soleen.com Cc: akpm@linux-foundation.org, hannes@cmpxchg.org, muchun.song@linux.dev, luizcap@redhat.com Subject: [PATCH v2 2/4] mm: page_ext: add an iteration API for page extensions Date: Mon, 24 Feb 2025 16:59:06 -0500 Message-ID: <08aea5d87f5419f4c7033c81d97645f940f87f7e.1740434344.git.luizcap@redhat.com> In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Content-Type: text/plain; charset="utf-8" The page extension implementation assumes that all page extensions of a given page order are stored in the same memory section. The function page_ext_next() relies on this assumption by adding an offset to the current object to return the next adjacent page extension. This behavior works as expected for flatmem but fails for sparsemem when using 1G pages. The commit cf54f310d0d3 ("mm/hugetlb: use __GFP_COMP for gigantic folios") exposes this issue, making it possible for a crash when using page_owner or page_table_check page extensions. The problem is that for 1G pages, the page extensions may span memory section boundaries and be stored in different memory sections. This issue was not visible before commit cf54f310d0d3 ("mm/hugetlb: use __GFP_COMP for gigantic folios") because alloc_contig_pages() never passed more than MAX_PAGE_ORDER to post_alloc_hook(). However, the series introducing mentioned commit changed this behavior allowing the full 1G page order to be passed. Reproducer: 1. Build the kernel with CONFIG_SPARSEMEM=3Dy and table extensions support 2. Pass 'default_hugepagesz=3D1 page_owner=3Don' in the kernel command-line 3. Reserve one 1G page at run-time, this should crash (backtrace below) To address this issue, this commit introduces a new API for iterating through page extensions. The main iteration macro is for_each_page_ext() and it must be called with the RCU read lock taken. Here's an usage example: """ struct page_ext_iter iter; struct page_ext *page_ext; ... rcu_read_lock(); for_each_page_ext(page, 1 << order, page_ext, iter) { struct my_page_ext *obj =3D get_my_page_ext_obj(page_ext); ... } rcu_read_unlock(); """ The loop construct uses page_ext_iter_next() which checks to see if we have crossed sections in the iteration. In this case, page_ext_iter_next() retrieves the next page_ext object from another section. Thanks to David Hildenbrand for helping identify the root cause and providing suggestions on how to fix and optmize the solution (final implementation and bugs are all mine through). Lastly, here's the backtrace, without kasan you can get random crashes: [ 76.052526] BUG: KASAN: slab-out-of-bounds in __update_page_owner_handle= +0x238/0x298 [ 76.060283] Write of size 4 at addr ffff07ff96240038 by task tee/3598 [ 76.066714] [ 76.068203] CPU: 88 UID: 0 PID: 3598 Comm: tee Kdump: loaded Not tainted= 6.13.0-rep1 #3 [ 76.076202] Hardware name: WIWYNN Mt.Jade Server System B81.030Z1.0007/M= t.Jade Motherboard, BIOS 2.10.20220810 (SCP: 2.10.20220810) 2022/08/10 [ 76.088972] Call trace: [ 76.091411] show_stack+0x20/0x38 (C) [ 76.095073] dump_stack_lvl+0x80/0xf8 [ 76.098733] print_address_description.constprop.0+0x88/0x398 [ 76.104476] print_report+0xa8/0x278 [ 76.108041] kasan_report+0xa8/0xf8 [ 76.111520] __asan_report_store4_noabort+0x20/0x30 [ 76.116391] __update_page_owner_handle+0x238/0x298 [ 76.121259] __set_page_owner+0xdc/0x140 [ 76.125173] post_alloc_hook+0x190/0x1d8 [ 76.129090] alloc_contig_range_noprof+0x54c/0x890 [ 76.133874] alloc_contig_pages_noprof+0x35c/0x4a8 [ 76.138656] alloc_gigantic_folio.isra.0+0x2c0/0x368 [ 76.143616] only_alloc_fresh_hugetlb_folio.isra.0+0x24/0x150 [ 76.149353] alloc_pool_huge_folio+0x11c/0x1f8 [ 76.153787] set_max_huge_pages+0x364/0xca8 [ 76.157961] __nr_hugepages_store_common+0xb0/0x1a0 [ 76.162829] nr_hugepages_store+0x108/0x118 [ 76.167003] kobj_attr_store+0x3c/0x70 [ 76.170745] sysfs_kf_write+0xfc/0x188 [ 76.174492] kernfs_fop_write_iter+0x274/0x3e0 [ 76.178927] vfs_write+0x64c/0x8e0 [ 76.182323] ksys_write+0xf8/0x1f0 [ 76.185716] __arm64_sys_write+0x74/0xb0 [ 76.189630] invoke_syscall.constprop.0+0xd8/0x1e0 [ 76.194412] do_el0_svc+0x164/0x1e0 [ 76.197891] el0_svc+0x40/0xe0 [ 76.200939] el0t_64_sync_handler+0x144/0x168 [ 76.205287] el0t_64_sync+0x1ac/0x1b0 Fixes: cf54f310d0d3 ("mm/hugetlb: use __GFP_COMP for gigantic folios") Signed-off-by: Luiz Capitulino Acked-by: David Hildenbrand --- include/linux/page_ext.h | 92 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 92 insertions(+) diff --git a/include/linux/page_ext.h b/include/linux/page_ext.h index d6fb891c51d1d..33a118b31a222 100644 --- a/include/linux/page_ext.h +++ b/include/linux/page_ext.h @@ -2,7 +2,9 @@ #ifndef __LINUX_PAGE_EXT_H #define __LINUX_PAGE_EXT_H =20 +#include #include +#include #include =20 struct pglist_data; @@ -69,12 +71,26 @@ extern void page_ext_init(void); static inline void page_ext_init_flatmem_late(void) { } + +static inline bool page_ext_iter_next_fast_possible(unsigned long next_pfn) +{ + /* + * page_ext is allocated per memory section. Once we cross a + * memory section, we have to fetch the new pointer. + */ + return next_pfn % PAGES_PER_SECTION; +} #else extern void page_ext_init_flatmem(void); extern void page_ext_init_flatmem_late(void); static inline void page_ext_init(void) { } + +static inline bool page_ext_iter_next_fast_possible(unsigned long next_pfn) +{ + return true; +} #endif =20 extern struct page_ext *page_ext_get(const struct page *page); @@ -94,6 +110,82 @@ static inline struct page_ext *page_ext_next(struct pag= e_ext *curr) return next; } =20 +struct page_ext_iter { + unsigned long index; + unsigned long start_pfn; + struct page_ext *page_ext; +}; + +/** + * page_ext_iter_begin() - Prepare for iterating through page extensions. + * @iter: page extension iterator. + * @page: The page we're interested in. + * + * Must be called with RCU read lock taken. + * + * Return: NULL if no page_ext exists for this page. + */ +static inline struct page_ext *page_ext_iter_begin(struct page_ext_iter *i= ter, struct page *page) +{ + iter->index =3D 0; + iter->start_pfn =3D page_to_pfn(page); + iter->page_ext =3D lookup_page_ext(page); + + return iter->page_ext; +} + +/** + * page_ext_iter_next() - Get next page extension + * @iter: page extension iterator. + * + * Must be called with RCU read lock taken. + * + * Return: NULL if no next page_ext exists. + */ +static inline struct page_ext *page_ext_iter_next(struct page_ext_iter *it= er) +{ + unsigned long pfn; + + if (WARN_ON_ONCE(!iter->page_ext)) + return NULL; + + iter->index++; + pfn =3D iter->start_pfn + iter->index; + + if (page_ext_iter_next_fast_possible(pfn)) + iter->page_ext =3D page_ext_next(iter->page_ext); + else + iter->page_ext =3D lookup_page_ext(pfn_to_page(pfn)); + + return iter->page_ext; +} + +/** + * page_ext_iter_get() - Get current page extension + * @iter: page extension iterator. + * + * Return: NULL if no page_ext exists for this iterator. + */ +static inline struct page_ext *page_ext_iter_get(const struct page_ext_ite= r *iter) +{ + return iter->page_ext; +} + +/** + * for_each_page_ext(): iterate through page_ext objects. + * @__page: the page we're interested in + * @__pgcount: how many pages to iterate through + * @__page_ext: struct page_ext pointer where the current page_ext + * object is returned + * @__iter: struct page_ext_iter object (defined in the stack) + * + * IMPORTANT: must be called with RCU read lock taken. + */ +#define for_each_page_ext(__page, __pgcount, __page_ext, __iter) \ + for (__page_ext =3D page_ext_iter_begin(&__iter, __page); \ + __page_ext && __iter.index < __pgcount; \ + __page_ext =3D page_ext_iter_next(&__iter)) + #else /* !CONFIG_PAGE_EXTENSION */ struct page_ext; =20 --=20 2.48.1 From nobody Wed Feb 11 03:42:09 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D8E8F1FDE0B for ; Mon, 24 Feb 2025 21:59:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740434374; cv=none; b=oJXhamHTsQhtzcNPy2w9rqVo4XU3od7EEKpfidy0/01ytLobWoWb7NZUGxHmWt67gQRz8kgcALrqPb0Bg7X+vsM3ENB0827kFb8Fd9ZcgsgwyM+BDdjeh48mPDFoKWspS7KYn5qgz+2TI3/QC62RY2z39+Lod9AdG9tdN+jb66I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740434374; c=relaxed/simple; bh=gfapPMQxsUeWZIyMMjCbJZLY9wGtMaY+RaHj6lbqACQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=t4qOiirfI1AfMc/5ZI9NYRR5h6bl++bdksu9nUYwxLnrb1vVOEH+gTpu8G1iiqklqcGm6KpmG0JGMZV2g1CK095y0c74s3BGaKoEdJI9wmSRQdnLmnXvWqPzK4l5jAWcpuuOvHGIQGmJEAv8UYyJbMVXIUmHjVDwJdMyZ4FiLL8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=WjEEr0LO; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="WjEEr0LO" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1740434370; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1ZnmS/k+dHYbcrS2T4gnKYBLuSvALIoKj3mKYh0gqWc=; b=WjEEr0LOLIoqFQ/gakrj4kJKmgUHn/HMXKmNZCmiOWNm8uezWir/EKgKZN81bJmhAOrdMZ oYMTYJFw26gPApMqffnozXPv+0/NM/RJxgBgokcSHZdcq8QcPlNzTpDYXZyEzL8hDg29IT coO57BVSd4FLqHBjFUZab+vx3uHrTxM= Received: from mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-93-d9MzX_ROPZSFbvEmazSggQ-1; Mon, 24 Feb 2025 16:59:26 -0500 X-MC-Unique: d9MzX_ROPZSFbvEmazSggQ-1 X-Mimecast-MFC-AGG-ID: d9MzX_ROPZSFbvEmazSggQ_1740434365 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 76ACE18EB2C3; Mon, 24 Feb 2025 21:59:25 +0000 (UTC) Received: from fedora.redhat.com (unknown [10.22.65.50]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 7E206180035F; Mon, 24 Feb 2025 21:59:23 +0000 (UTC) From: Luiz Capitulino To: linux-kernel@vger.kernel.org, linux-mm@kvack.org, david@redhat.com, yuzhao@google.com, pasha.tatashin@soleen.com Cc: akpm@linux-foundation.org, hannes@cmpxchg.org, muchun.song@linux.dev, luizcap@redhat.com Subject: [PATCH v2 3/4] mm: page_table_check: use new iteration API Date: Mon, 24 Feb 2025 16:59:07 -0500 Message-ID: <30d246e83e73073451dc3d5fe189b733afbefd07.1740434344.git.luizcap@redhat.com> In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Content-Type: text/plain; charset="utf-8" The page_ext_next() function assumes that page extension objects for a page order allocation always reside in the same memory section, which may not be true and could lead to crashes. Use the new page_ext iteration API instead. Fixes: cf54f310d0d3 ("mm/hugetlb: use __GFP_COMP for gigantic folios") Signed-off-by: Luiz Capitulino Acked-by: David Hildenbrand --- mm/page_table_check.c | 39 ++++++++++++--------------------------- 1 file changed, 12 insertions(+), 27 deletions(-) diff --git a/mm/page_table_check.c b/mm/page_table_check.c index 509c6ef8de400..e11bebf23e36f 100644 --- a/mm/page_table_check.c +++ b/mm/page_table_check.c @@ -62,24 +62,20 @@ static struct page_table_check *get_page_table_check(st= ruct page_ext *page_ext) */ static void page_table_check_clear(unsigned long pfn, unsigned long pgcnt) { + struct page_ext_iter iter; struct page_ext *page_ext; struct page *page; - unsigned long i; bool anon; =20 if (!pfn_valid(pfn)) return; =20 page =3D pfn_to_page(pfn); - page_ext =3D page_ext_get(page); - - if (!page_ext) - return; - BUG_ON(PageSlab(page)); anon =3D PageAnon(page); =20 - for (i =3D 0; i < pgcnt; i++) { + rcu_read_lock(); + for_each_page_ext(page, pgcnt, page_ext, iter) { struct page_table_check *ptc =3D get_page_table_check(page_ext); =20 if (anon) { @@ -89,9 +85,8 @@ static void page_table_check_clear(unsigned long pfn, uns= igned long pgcnt) BUG_ON(atomic_read(&ptc->anon_map_count)); BUG_ON(atomic_dec_return(&ptc->file_map_count) < 0); } - page_ext =3D page_ext_next(page_ext); } - page_ext_put(page_ext); + rcu_read_unlock(); } =20 /* @@ -102,24 +97,20 @@ static void page_table_check_clear(unsigned long pfn, = unsigned long pgcnt) static void page_table_check_set(unsigned long pfn, unsigned long pgcnt, bool rw) { + struct page_ext_iter iter; struct page_ext *page_ext; struct page *page; - unsigned long i; bool anon; =20 if (!pfn_valid(pfn)) return; =20 page =3D pfn_to_page(pfn); - page_ext =3D page_ext_get(page); - - if (!page_ext) - return; - BUG_ON(PageSlab(page)); anon =3D PageAnon(page); =20 - for (i =3D 0; i < pgcnt; i++) { + rcu_read_lock(); + for_each_page_ext(page, pgcnt, page_ext, iter) { struct page_table_check *ptc =3D get_page_table_check(page_ext); =20 if (anon) { @@ -129,9 +120,8 @@ static void page_table_check_set(unsigned long pfn, uns= igned long pgcnt, BUG_ON(atomic_read(&ptc->anon_map_count)); BUG_ON(atomic_inc_return(&ptc->file_map_count) < 0); } - page_ext =3D page_ext_next(page_ext); } - page_ext_put(page_ext); + rcu_read_unlock(); } =20 /* @@ -140,24 +130,19 @@ static void page_table_check_set(unsigned long pfn, u= nsigned long pgcnt, */ void __page_table_check_zero(struct page *page, unsigned int order) { + struct page_ext_iter iter; struct page_ext *page_ext; - unsigned long i; =20 BUG_ON(PageSlab(page)); =20 - page_ext =3D page_ext_get(page); - - if (!page_ext) - return; - - for (i =3D 0; i < (1ul << order); i++) { + rcu_read_lock(); + for_each_page_ext(page, 1 << order, page_ext, iter) { struct page_table_check *ptc =3D get_page_table_check(page_ext); =20 BUG_ON(atomic_read(&ptc->anon_map_count)); BUG_ON(atomic_read(&ptc->file_map_count)); - page_ext =3D page_ext_next(page_ext); } - page_ext_put(page_ext); + rcu_read_unlock(); } =20 void __page_table_check_pte_clear(struct mm_struct *mm, pte_t pte) --=20 2.48.1 From nobody Wed Feb 11 03:42:09 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 334481FBEBF for ; Mon, 24 Feb 2025 21:59:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740434377; cv=none; b=YapS/yUzRfcUIY0sKz4Vy6NsgupC8xueVk6sTLXFAh0XzuTQRcZAmMN4uAK23VhGB70ELdLhPyNJud4mBeWgmJ0KVa3FMJdDfiMn03HWT0DO/xJxPCFxvNlHmnGBFwX3XlR3CnotVU7Rw4hNdlBzGn/j8nojaVqvjMjQM/PVPyU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740434377; c=relaxed/simple; bh=tYAQ3aSW354yzsYqD4JxVDZTKN8sBGftkdhW2t84PpQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=tjSEihzjcZ+k8pg5TsrZZPc5ztrXjLvi7vwpou3jtxklb2tYsZ1F9FfPo5Zyop6iYceGLNMlAu9L52XQgnA2BqSpaiS3Ecu2gQU8+k5lVVqFXsI0lCcEdjQOg6MOJ+WM004ukUpWZAClpyvmnADZ8FELDRjLWiWKfmitGjD4iEg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=MlIThKYl; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="MlIThKYl" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1740434374; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=6w7eedefm4DE2XJ3Yn/BDysgoHUEY0apu1z5eddMX8Y=; b=MlIThKYlqRQXAUODBzZWDgWm+tnsJ3U9iqxIgqpqaO3l0mEQ2/HoNy/uWv0r22bqK25FcS ilWQyLKSzCCI916rr0XeWM4iWsW+HfuayG//3i1pmO2yByc8ij2q6bYhTtLTm/p2uK8B2s 0S5SlvpIE0IAgiy2qNeqr4I5VZZT4o0= Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-350-JQXE_8nIOY-3y1mHgNHfUw-1; Mon, 24 Feb 2025 16:59:29 -0500 X-MC-Unique: JQXE_8nIOY-3y1mHgNHfUw-1 X-Mimecast-MFC-AGG-ID: JQXE_8nIOY-3y1mHgNHfUw_1740434368 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id AC91419560B9; Mon, 24 Feb 2025 21:59:27 +0000 (UTC) Received: from fedora.redhat.com (unknown [10.22.65.50]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id C092D180035F; Mon, 24 Feb 2025 21:59:25 +0000 (UTC) From: Luiz Capitulino To: linux-kernel@vger.kernel.org, linux-mm@kvack.org, david@redhat.com, yuzhao@google.com, pasha.tatashin@soleen.com Cc: akpm@linux-foundation.org, hannes@cmpxchg.org, muchun.song@linux.dev, luizcap@redhat.com Subject: [PATCH v2 4/4] mm: page_owner: use new iteration API Date: Mon, 24 Feb 2025 16:59:08 -0500 Message-ID: In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Content-Type: text/plain; charset="utf-8" The page_ext_next() function assumes that page extension objects for a page order allocation always reside in the same memory section, which may not be true and could lead to crashes. Use the new page_ext iteration API instead. Fixes: cf54f310d0d3 ("mm/hugetlb: use __GFP_COMP for gigantic folios") Signed-off-by: Luiz Capitulino --- mm/page_owner.c | 61 +++++++++++++++++++++++-------------------------- 1 file changed, 29 insertions(+), 32 deletions(-) diff --git a/mm/page_owner.c b/mm/page_owner.c index 2d6360eaccbb6..c9d2c688eb981 100644 --- a/mm/page_owner.c +++ b/mm/page_owner.c @@ -229,17 +229,19 @@ static void dec_stack_record_count(depot_stack_handle= _t handle, handle); } =20 -static inline void __update_page_owner_handle(struct page_ext *page_ext, +static inline void __update_page_owner_handle(struct page *page, depot_stack_handle_t handle, unsigned short order, gfp_t gfp_mask, short last_migrate_reason, u64 ts_nsec, pid_t pid, pid_t tgid, char *comm) { - int i; + struct page_ext_iter iter; + struct page_ext *page_ext; struct page_owner *page_owner; =20 - for (i =3D 0; i < (1 << order); i++) { + rcu_read_lock(); + for_each_page_ext(page, 1 << order, page_ext, iter) { page_owner =3D get_page_owner(page_ext); page_owner->handle =3D handle; page_owner->order =3D order; @@ -252,20 +254,22 @@ static inline void __update_page_owner_handle(struct = page_ext *page_ext, sizeof(page_owner->comm)); __set_bit(PAGE_EXT_OWNER, &page_ext->flags); __set_bit(PAGE_EXT_OWNER_ALLOCATED, &page_ext->flags); - page_ext =3D page_ext_next(page_ext); } + rcu_read_unlock(); } =20 -static inline void __update_page_owner_free_handle(struct page_ext *page_e= xt, +static inline void __update_page_owner_free_handle(struct page *page, depot_stack_handle_t handle, unsigned short order, pid_t pid, pid_t tgid, u64 free_ts_nsec) { - int i; + struct page_ext_iter iter; + struct page_ext *page_ext; struct page_owner *page_owner; =20 - for (i =3D 0; i < (1 << order); i++) { + rcu_read_lock(); + for_each_page_ext(page, 1 << order, page_ext, iter) { page_owner =3D get_page_owner(page_ext); /* Only __reset_page_owner() wants to clear the bit */ if (handle) { @@ -275,8 +279,8 @@ static inline void __update_page_owner_free_handle(stru= ct page_ext *page_ext, page_owner->free_ts_nsec =3D free_ts_nsec; page_owner->free_pid =3D current->pid; page_owner->free_tgid =3D current->tgid; - page_ext =3D page_ext_next(page_ext); } + rcu_read_unlock(); } =20 void __reset_page_owner(struct page *page, unsigned short order) @@ -293,11 +297,11 @@ void __reset_page_owner(struct page *page, unsigned s= hort order) =20 page_owner =3D get_page_owner(page_ext); alloc_handle =3D page_owner->handle; + page_ext_put(page_ext); =20 handle =3D save_stack(GFP_NOWAIT | __GFP_NOWARN); - __update_page_owner_free_handle(page_ext, handle, order, current->pid, + __update_page_owner_free_handle(page, handle, order, current->pid, current->tgid, free_ts_nsec); - page_ext_put(page_ext); =20 if (alloc_handle !=3D early_handle) /* @@ -313,19 +317,13 @@ void __reset_page_owner(struct page *page, unsigned s= hort order) noinline void __set_page_owner(struct page *page, unsigned short order, gfp_t gfp_mask) { - struct page_ext *page_ext; u64 ts_nsec =3D local_clock(); depot_stack_handle_t handle; =20 handle =3D save_stack(gfp_mask); - - page_ext =3D page_ext_get(page); - if (unlikely(!page_ext)) - return; - __update_page_owner_handle(page_ext, handle, order, gfp_mask, -1, + __update_page_owner_handle(page, handle, order, gfp_mask, -1, ts_nsec, current->pid, current->tgid, current->comm); - page_ext_put(page_ext); inc_stack_record_count(handle, gfp_mask, 1 << order); } =20 @@ -344,26 +342,24 @@ void __set_page_owner_migrate_reason(struct page *pag= e, int reason) =20 void __split_page_owner(struct page *page, int old_order, int new_order) { - int i; - struct page_ext *page_ext =3D page_ext_get(page); + struct page_ext_iter iter; + struct page_ext *page_ext; struct page_owner *page_owner; =20 - if (unlikely(!page_ext)) - return; - - for (i =3D 0; i < (1 << old_order); i++) { + rcu_read_lock(); + for_each_page_ext(page, 1 << old_order, page_ext, iter) { page_owner =3D get_page_owner(page_ext); page_owner->order =3D new_order; - page_ext =3D page_ext_next(page_ext); } - page_ext_put(page_ext); + rcu_read_unlock(); } =20 void __folio_copy_owner(struct folio *newfolio, struct folio *old) { - int i; struct page_ext *old_ext; struct page_ext *new_ext; + struct page_ext *page_ext; + struct page_ext_iter iter; struct page_owner *old_page_owner; struct page_owner *new_page_owner; depot_stack_handle_t migrate_handle; @@ -381,7 +377,7 @@ void __folio_copy_owner(struct folio *newfolio, struct = folio *old) old_page_owner =3D get_page_owner(old_ext); new_page_owner =3D get_page_owner(new_ext); migrate_handle =3D new_page_owner->handle; - __update_page_owner_handle(new_ext, old_page_owner->handle, + __update_page_owner_handle(&newfolio->page, old_page_owner->handle, old_page_owner->order, old_page_owner->gfp_mask, old_page_owner->last_migrate_reason, old_page_owner->ts_nsec, old_page_owner->pid, @@ -391,7 +387,7 @@ void __folio_copy_owner(struct folio *newfolio, struct = folio *old) * will be freed after migration. Keep them until then as they may be * useful. */ - __update_page_owner_free_handle(new_ext, 0, old_page_owner->order, + __update_page_owner_free_handle(&newfolio->page, 0, old_page_owner->order, old_page_owner->free_pid, old_page_owner->free_tgid, old_page_owner->free_ts_nsec); @@ -400,11 +396,12 @@ void __folio_copy_owner(struct folio *newfolio, struc= t folio *old) * for the new one and the old folio otherwise there will be an imbalance * when subtracting those pages from the stack. */ - for (i =3D 0; i < (1 << new_page_owner->order); i++) { + rcu_read_lock(); + for_each_page_ext(&old->page, 1 << new_page_owner->order, page_ext, iter)= { + old_page_owner =3D get_page_owner(page_ext); old_page_owner->handle =3D migrate_handle; - old_ext =3D page_ext_next(old_ext); - old_page_owner =3D get_page_owner(old_ext); } + rcu_read_unlock(); =20 page_ext_put(new_ext); page_ext_put(old_ext); @@ -813,7 +810,7 @@ static void init_pages_in_zone(pg_data_t *pgdat, struct= zone *zone) goto ext_put_continue; =20 /* Found early allocated page */ - __update_page_owner_handle(page_ext, early_handle, 0, 0, + __update_page_owner_handle(page, early_handle, 0, 0, -1, local_clock(), current->pid, current->tgid, current->comm); count++; --=20 2.48.1