Re: mm: Regression with v7.0-rc1 on RISC-V

[Zi Yan]

On 24 Feb 2026, at 12:17, Zi Yan wrote:

> On 24 Feb 2026, at 12:14, Zi Yan wrote:
>
>> On 24 Feb 2026, at 12:07, David Hildenbrand wrote:
>>
>>>> David Hildenbrand (Arm) <david@xxxxxxxxxx> hat am 24.02.2026 12:00 CET geschrieben:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 2/24/26 09:37, Ron Economos wrote:
>>>>
>>>>> I'm getting a BUG dump during shutdown with Linux v7.0-rc1 on RISC-V.
>>>>>
>>>>>
>>>>>
>>>>> [  OK  ] Reached target shutdown.target - System Shutdown.
>>>>>
>>>>> [  OK  ] Reached target final.target - Late Shutdown Services.
>>>>>
>>>>> [  OK  ] Finished systemd-reboot.service - System Reboot.
>>>>>
>>>>> [  OK  ] Reached target reboot.target - System Reboot.
>>>>>
>>>>> [  173.985249] BUG: Bad page state in process shutdown  pfn:f8850
>>>>>
>>>>> [  173.985311] page: refcount:1 mapcount:0 mapping:0000000000000000
>>>>>
>>>>> index:0x0 pfn:0xf8850
>>>>>
>>>>> [  173.985336] flags: 0xffff80000000000(node=0|zone=0|
>>>>>
>>>>> lastcpupid=0x1ffff) CMA
>>>>>
>>>>> [  173.985365] raw: 0ffff80000000000 ffffffc501e21448 ffffffc600f2ae88
>>>>>
>>>>> 0000000000000000
>>>>>
>>>>> [  173.985386] raw: 0000000000000000 0000000000000000 00000001ffffffff
>>>>>
>>>>> 0000000000000000
>>>>>
>>>>> [  173.985403] page dumped because: nonzero _refcount
>>>>
>>>> So, we're freeing something from CMA in cma_release().
>>>>
>>>>
>>>>
>>>> In cma_release() we iterate all pages to decrement their refcount
>>>>
>>>>
>>>>
>>>> VM_WARN_ON(!put_page_testzero(pfn_to_page(pfn)));
>>>>
>>>>
>>>>
>>>> I would expect that this would fire already if there is still a page
>>>>
>>>> referenced.
>>>>
>>>>
>>>>
>>>> Are you running with CONFIG_DEBUG_VM=y ?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Cheers,
>>>>
>>>>
>>>>
>>>> David
>>>
>>> Thinking again without my computer at hand … isn‘t the call completely optimized out without CONFIG_DEBUG_VM?
>>>
>>>
>>>
>>> At least that’s what I remember.
>>
>> Right. Without CONFIG_DEBUG_VM=y, VM_WARN_ON(!put_page_testzero(pfn_to_page(pfn)))
>> and is_check_pages_enabled(), which leads to free_page_is_bad()’s
>> “page dumped because: nonzero _refcount”, are disabled.
>>
>> It seems to me that someone else bump the page refcount between
>> VM_WARN_ON(!put_page_testzero(pfn_to_page(pfn))) and free_page_is_bad().
>>
>
> Merging Ron’s reply from another thread[1]:
>
> “Something strange is going on. I enabled CONFIG_DEBUG_VM by itself and
> the issue went away. Let me try CONFIG_DEBUG_PAGE_REF.”
>
> Looks like something is racy, since it is reproducible reliably.
>
> [1] https://lore.kernel.org/all/30dd1efc-9bd9-4664-999e-610d181600f9@xxxxxxxx/

VM_WARN_ON() is BUILD_BUG_ON_INVALID() when CONFIG_DEBUG_VM is off. Only
the validity of the expression is checked and no code is generated.
So that put_page_testzero() becomes a NOP.

Hi Ron,

Can you check if the patch below fix the issue without CONFIG_DEBUG_VM?

diff --git a/mm/cma.c b/mm/cma.c
index 94b5da468a7d..96be62eb3713 100644
--- a/mm/cma.c
+++ b/mm/cma.c
@@ -1020,8 +1020,11 @@ bool cma_release(struct cma *cma, const struct page *pages,
 		return false;

 	pfn = page_to_pfn(pages);
-	for (i = 0; i < count; i++, pfn++)
-		VM_WARN_ON(!put_page_testzero(pfn_to_page(pfn)));
+	for (i = 0; i < count; i++, pfn++) {
+		int __maybe_unused ret = put_page_testzero(pfn_to_page(pfn));
+
+		VM_WARN_ON(!ret);
+	}

 	__cma_release_frozen(cma, cmr, pages, count);



Best Regards,
Yan, Zi