Re: [PATCH V2 2/2] mm/khugepaged: fix race with folio split/free using temporary reference

From: David Hildenbrand
Date: Sat May 24 2025 - 17:48:18 EST

Next message: kernel test robot: "Re: [PATCH 2/2] PCI: Rename host_bridge::reset_slot() to host_bridge::reset_root_port()"
Previous message: David Hildenbrand: "Re: [PATCH V2 1/2] mm/khugepaged: clean up refcount check using folio_expected_ref_count()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 23.05.25 11:14, Shivank Garg wrote:

hpage_collapse_scan_file() calls folio_expected_ref_count(), which in turn
calls folio_mapcount(). folio_mapcount() checks folio_test_large() before
proceeding to folio_large_mapcount(), but there is a race window where the
folio may get split/freed between these checks, triggering:

VM_WARN_ON_FOLIO(!folio_test_large(folio), folio)

Take a temporary reference to the folio in hpage_collapse_scan_file().
This stabilizes the folio during refcount check and prevents incorrect
large folio detection due to concurrent split/free.

Fixes: 05c5323b2a34 ("mm: track mapcount of large folios in single value")
Reported-by: syzbot+2b99589e33edbe9475ca@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://lore.kernel.org/all/6828470d.a70a0220.38f255.000c.GAE@xxxxxxxxxx
Suggested-by: David Hildenbrand <david@xxxxxxxxxx>
Signed-off-by: Shivank Garg <shivankg@xxxxxxx>
---
V1: https://lore.kernel.org/linux-mm/20250522093452.6379-1-shivankg@xxxxxxx
---

Assuming we have this as patch #1:

Acked-by: David Hildenbrand <david@xxxxxxxxxx>

--
Cheers,

David / dhildenb

Next message: kernel test robot: "Re: [PATCH 2/2] PCI: Rename host_bridge::reset_slot() to host_bridge::reset_root_port()"
Previous message: David Hildenbrand: "Re: [PATCH V2 1/2] mm/khugepaged: clean up refcount check using folio_expected_ref_count()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]