Re: "alloc_tag was not set" when running mm/ksft_hmm.sh
From: David Hildenbrand (Arm)
Date: Mon May 11 2026 - 08:57:50 EST
On 5/11/26 14:19, Zenghui Yu wrote:
> On 2026/5/8 19:53, David Hildenbrand (Arm) wrote:
>> On 5/6/26 17:42, Zenghui Yu wrote:
>>> Hi all,
>>>
>>> Running mm/ksft_hmm.sh triggers the following splat:
>>>
>>> ------------[ cut here ]------------
>>> alloc_tag was not set
>>> WARNING: ./include/linux/alloc_tag.h:164 at ___free_pages+0x2a0/0x2d0,
>>> CPU#5: hmm-tests/2020
>>> Modules linked in: test_hmm rfkill drm backlight fuse
>>> CPU: 5 UID: 0 PID: 2020 Comm: hmm-tests Kdump: loaded Not tainted
>>> 7.1.0-rc2-00099-gadc1e5c6203c-dirty #285 PREEMPT
>>> Hardware name: QEMU QEMU Virtual Machine, BIOS
>>> edk2-stable202408-prebuilt.qemu.org 08/13/2024
>>> pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
>>> pc : ___free_pages+0x2a0/0x2d0
>>> lr : ___free_pages+0x2a0/0x2d0
>>> sp : ffff80008345b530
>>> x29: ffff80008345b530 x28: ffff80008345b700 x27: ffffffffbfff8040
>>> x26: ffff0000c41cb360 x25: ffff0000c0c64008 x24: ffff800081aae400
>>> x23: 05ffff0000000200 x22: 0000000000000000 x21: 0000000000000000
>>> x20: fffffdffc5f20040 x19: 0000000000000000 x18: fffffffffffe7c78
>>> x17: 0000000000000000 x16: 0000000000000000 x15: fffffffffffe7c98
>>> x14: 00000000000001d1 x13: ffff8000818f3d58 x12: 0000000000000573
>>> x11: fffffffffffe7c98 x10: ffff80008194bd58 x9 : 3ffffffffffff000
>>> x8 : ffff8000818f3d58 x7 : ffff80008194bd58 x6 : 0000000000000000
>>> x5 : ffff0001fedb1088 x4 : 0000000000000001 x3 : 0000000000000000
>>> x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c7f58000
>>> Call trace:
>>> ___free_pages+0x2a0/0x2d0 (P)
>>> __free_pages+0x14/0x20
>>> dmirror_devmem_free+0x13c/0x158 [test_hmm]
>>> free_zone_device_folio+0x144/0x1e4
>>> __folio_put+0x124/0x130
>>> free_folio_and_swap_cache+0xa8/0xcc
>>> __folio_split+0x664/0x7fc
>>> split_folio_to_list+0x50/0x5c
>>> migrate_vma_split_folio+0x13c/0x25c
>>> migrate_vma_collect_pmd+0xed4/0xf68
>>> walk_pgd_range+0x598/0x9a0
>>> __walk_page_range+0x90/0x1a0
>>> walk_page_range_mm_unsafe+0x194/0x20c
>>> walk_page_range+0x20/0x2c
>>> migrate_vma_setup+0x18c/0x224
>>> dmirror_devmem_fault+0x188/0x2b8 [test_hmm]
>>> do_swap_page+0x1458/0x185c
>>> __handle_mm_fault+0x85c/0x1ba0
>>> handle_mm_fault+0xb0/0x290
>>> do_page_fault+0x1f8/0x6f8
>>> do_translation_fault+0x60/0x6c
>>> do_mem_abort+0x44/0x94
>>> el0_da+0x30/0xdc
>>> el0t_64_sync_handler+0xd0/0xe4
>>> el0t_64_sync+0x198/0x19c
>>> ---[ end trace 0000000000000000 ]---
>>> lib/test_hmm.c:705 module test_hmm func:dmirror_devmem_alloc_page has
>>> 16744448 allocated at module unload
>>>
>>>
>>> It was tested on kernel built with arm64's virt.config and
>>>
>>> +CONFIG_ZONE_DEVICE=y
>>> +CONFIG_DEVICE_PRIVATE=y
>>> +CONFIG_TEST_HMM=m
>>> +CONFIG_MEM_ALLOC_PROFILING=y
>>> +CONFIG_MEM_ALLOC_PROFILING_DEBUG=y
>>
>> I assume there is a weird interaction between alloc tags and simulated
>> ZONE_DEVICE memory in test_hmm.c
>
> FYI this can be reproduced by running the migrate_partial_unmap_fault
> test case.
>
> TEST_F(hmm, migrate_partial_unmap_fault)
> {
> buffer->mirror = malloc(TWOMEG);
> buffer->ptr = map; // points to a THP
>
> /* Initialize buffer in system memory. */
> for (i = 0, ptr = buffer->ptr; i < TWOMEG / sizeof(*ptr); ++i)
> ptr[i] = i;
>
> ret = hmm_migrate_sys_to_dev(self->fd, buffer, npages);
>
> munmap(buffer->ptr, ONEMEG);
>
> /* Fault pages back to system memory and check them. */
> for (i = 0, ptr = buffer->ptr; i < TWOMEG / sizeof(*ptr); ++i)
> if (i * sizeof(int) < 0 ||
> i * sizeof(int) >= ONEMEG)
> ASSERT_EQ(ptr[i], i); // triggers a fault ->
>
>
> dmirror_devmem_fault()
> migrate_vma_setup()
> migrate_vma_collect_pmd()
> // !pte_present(pte) && folio_test_large(folio)
> migrate_vma_split_folio()
> split_folio()
> [...]
>
> __folio_split() {
> unmap_folio();
>
> __folio_freeze_and_split_unmapped() {
> __split_unmapped_folio();
>
> for (...) {
> zone_device_private_split_cb(.., new_folio);
> // -> dmirror_devmem_folio_split() which doesn't
> // set alloc tag for the backing system memory
> // page being split, i.e., rpage_tail
> }
>
> zone_device_private_split_cb(.., NULL);
> }
>
> remap_page();
>
> for (...)
> free_folio_and_swap_cache(new_folio);
> // -> dmirror_devmem_free()/__free_page() which warns if
> // the page being freed doesn't have alloc tag set, in
> // alloc_tag_sub_check().
> }
>
> The WARN disappears with the following diff. But I'm not sure if I've
> missed more important points (which is likely to happen ;-) ).
>
> diff --git a/lib/alloc_tag.c b/lib/alloc_tag.c
> index ed1bdcf1f8ab..eefa2a739917 100644
> --- a/lib/alloc_tag.c
> +++ b/lib/alloc_tag.c
> @@ -191,6 +191,7 @@ void pgalloc_tag_split(struct folio *folio, int
> old_order, int new_order)
> }
> }
> }
> +EXPORT_SYMBOL(pgalloc_tag_split);
>
> void pgalloc_tag_swap(struct folio *new, struct folio *old)
> {
> diff --git a/lib/test_hmm.c b/lib/test_hmm.c
> index 213504915737..3bec51828916 100644
> --- a/lib/test_hmm.c
> +++ b/lib/test_hmm.c
> @@ -1713,6 +1713,7 @@ static void dmirror_devmem_folio_split(struct
> folio *head, struct folio *tail)
> rfolio = page_folio(rpage);
>
> if (tail == NULL) {
> + pgalloc_tag_split(rfolio, folio_order(rfolio), 0);
> folio_reset_order(rfolio);
> rfolio->mapping = NULL;
> folio_set_count(rfolio, 1);
>
> Thanks,
> Zenghui
zone_device_private_split_cb(), that ends up calling ->folio_split().
We do have a call to pgalloc_tag_split() in __split_unmapped_folio(), invoked in
__folio_freeze_and_split_unmapped() before calling
zone_device_private_split_cb() when iterating the folios.
The zone_device_private_split_cb(folio, NULL); is then called on the first folio
after looping over the other (new) folios.
I would assume that __folio_freeze_and_split_unmapped() would already do the
right thing?
Maybe the issue is the hard-coded folio_reset_order() in
dmirror_devmem_folio_split(), where we seem to assume that we split to an
order-0 folio?
--
Cheers,
David