Re: [PATCH 0/2] mm: memory-failure: fix HWPoison flag race with non-atomic page flag ops
From: David Hildenbrand (Arm)
Date: Mon Jun 29 2026 - 09:14:08 EST
On 6/29/26 09:34, Michael S. Tsirkin wrote:
> On Mon, Jun 29, 2026 at 08:49:37AM +0200, David Hildenbrand (Arm) wrote:
>> On 6/28/26 23:45, Michael S. Tsirkin wrote:
>>> I don't like it that we are adding overhead to the good path for
>>> the benefit of memory failure, which never triggers on many systems,
>>> but I don't have a better idea. Pls take a look.
>>
>> As I said on Friday.
>>
>> "It also doesn't address the mf_mutex implications and the x86 thingies I
>> mentioned."
>
> Well I did attempt addressing this. These would be these two:
>
> (a) We don't hold the mf_mutex on all call paths, but we really need it so a
> page_test_set_hwpoison() cannot race in weird ways with the other primitives I think.
>
> page_test_set_hwpoison was this code you wrote:
>
> +static void page_set_hwpoison(struct page *page)
> +{
> + lockdep_assert_held(&mf_mutex);
> +
> + while (!PageHWPoison(page)) {
> + SetPageHWPoison(page);
> +
> + /* Make sure concurrent non-atomic writers completed. */
> + synchronize_rcu();
> + }
> +}
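Review bot: the lockdep_assert_held(&mf_mutex) makes the helper depend on every caller already holding mf_mutex, and the comment "Make sure concurrent non-atomic writers completed" silently assumes that every non-atomic page->flags writer runs inside an RCU read-side critical section, otherwise synchronize_rcu() does not wait for it; both assumptions belong in a comment above the function. It should also note that synchronize_rcu() sleeps, so the helper is unusable from the MCE handler paths discussed later in this thread.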
>
> and indeed the test+set combination seems racy. But consider the version I posted, for example:
>
> +/*
> + * Drain any in-flight non-atomic page flag operations that could
> + * clobber a concurrently set HWPoison bit. Retries until the bit sticks.
> + */
> +static void set_hwpoison_drain_rcu(struct page *p)
> +{
> + do {
> + synchronize_rcu();
> + } while (!TestSetPageHWPoison(p));
> +}
> +
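Review bot: the do/while always pays one synchronize_rcu() before the first TestSetPageHWPoison(), so a caller that has not set the bit beforehand waits a full grace period on a flag that is still clear and then a second one after setting it; either document that the helper expects the bit to have been set already (as test_and_set_hwpoison_drain_rcu() below arranges) or test first and drain only after a set. The comment "Retries until the bit sticks" should also state that it relies on the non-atomic writers running under RCU protection, since that is the only reason a completed grace period implies the clobbering write is finished.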
>
> ...
>
> +static bool test_and_set_hwpoison_drain_rcu(struct page *p)
> +{
> + bool was_set = TestSetPageHWPoison(p);
> +
> + set_hwpoison_drain_rcu(p);
> + return was_set;
> +}
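Review bot: the return value is only meaningful if callers are serialized: was_set is sampled by a single TestSetPageHWPoison() before the drain, so if a non-atomic writer clears the bit between this caller's TestSetPageHWPoison() and a second caller's, both observe was_set == false and both report that they set the flag (the interleaving spelled out below). Add lockdep_assert_held(&mf_mutex) as page_set_hwpoison() has, or drop the "first setter" meaning from the return value.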
>
>
>
> does not seem racy without a lock. But maybe I don't get it.
Staring at your implementation, just think about two concurrent invocations of
test_and_set_hwpoison_drain() in your code:
Assume HWPoison flag is not set.
Thread 1: test_and_set_hwpoison_drain_rcu() -> TestSetPageHWPoison()
-> was_set = false
Thread 2: update that overwrites page->flags. HWPoison accidentally cleared.
Thread 3: test_and_set_hwpoison_drain_rcu() -> TestSetPageHWPoison()
-> was_set = false
Thread 1: does RCU sync and returns "!was_set"
Thread 2: does RCU sync and returns "!was_set"
So you could end up with two threads believing that they atomically cleared the
flag, and you really need to lock.
We really have to document and enforce that the mutex is involved.
And I fear there are more nasty details to be uncovered while we rework some of
this properly, mandating a detailed look.
For example, TestClearPageHWPoison() in put_page_back_buddy() likely needs a
proper treatment as well. Likely that code should be reworked entirely to not
have arbitrary hwpoison page flag modifications throughout the codebase.
>
>
>
> (b) There are some leftover SetPageHWPoison etc. instances. The ones in
> arch/x86/kernel/cpu/mce/core.c likely cannot grab the mutex, but maybe they are
> corner cases either way and we can document the situation.
>
> Well, I did try to document the situation - it's in the commit log for
> patch 1:
>
> Note: the MCE handler in arch/x86/kernel/cpu/mce/core.c also calls
> SetPageHWPoison() and is subject to the same race. It cannot use
> the drain helpers (MCE context cannot call synchronize_rcu()).
> For recoverable MCE errors, memory_failure() is queued via work
> items (kill_me_maybe/kill_me_never) and will re-set the bit via
> test_and_set_hwpoison_drain_rcu() if it was clobbered. The
> mce_panic() path sets HWPoison for kdump right before panic() so
> the race is irrelevant there. The MCG_STATUS_SEAM_NR path does
> not queue memory_failure(), but the affected page belongs to a
> TDX guest whose CPU core has already been marked dead - the page
> is not subject to concurrent non-atomic flag operations in the
> buddy allocator, so the race does not apply.
>
We should have a central mechanism in place to document this and avoid future
mistakes.
I am not even sure if we should clearly document for SetPageHWPoison() when and
how they can be used, or if we need a completely new set of helpers.
And that's something to figure out (e.g., interaction with the mutex) by looking
into all of the details, so I expect this to take a lot more time.
[...]
>> This is nothing to vibe-code. This needs a real expert.
>
> Well I had this sitting on the disk anyway, so I thought I'd post.
It would be good to coordinate here.
Like a reply to my mail, asking whether you should post a new version that you
have already in place.
>
> I wouldn't call this vibe-code - a bunch of manual work went into this,
> LLMs mostly as a grep/sed replacement.
The version you posted earlier had real AI vibes to it, so I can only speculate.
I know that you did some manual work on this, but the details are really ugly in
this code.
> But hey. I don't object to
> someone taking over, for sure. Was fun, and maybe these patches will be
> helpful as a starting point.
>
> In particular, maybe I should have been more explicit about how your
> points from Friday are addressed.
Yes.
>
> If you want to add a bit more to explain the exact concerns here, for
> whoever works on this next, feel free to do so.
I raised some above. I'll try to find someone to take a closer look and see to
which degree we could optimize this.
Or if there are actually more performant alternatives that we could use. (I
still doubt that using atomics is ok in general)
--
Cheers,
David
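To make the interleaving above concrete, here is a small user-space C model, added as an illustration and not code from this thread or from the kernel. It replays the three-thread schedule: one non-atomic read-modify-write of page->flags (load, then a stale store) straddling the atomic test-and-set of two poisoning callers. All names here are modelling assumptions: PG_HWPOISON_BIT and PG_OTHER_BIT stand in for PG_hwpoison and some unrelated flag, test_set_hwpoison() for TestSetPageHWPoison(), drain_until_sticks() for set_hwpoison_drain_rcu(), and synchronize_rcu() is replaced by a comment because the clobbering writer has already completed at that point in the schedule. run_unlocked() returns how many callers believed they were the first setter without mf_mutex, run_locked() the same count when the second caller is serialized behind the first.

```c
#include <stdbool.h>
#include <stdio.h>

/* Modelling assumptions (not kernel definitions): a bit standing in for
 * PG_hwpoison and one for an unrelated flag a non-atomic writer sets. */
#define PG_HWPOISON_BIT 22u
#define PG_OTHER_BIT     5u

struct page { unsigned long flags; };

/* Model of TestSetPageHWPoison(): an atomic read-modify-write on flags. */
static bool test_set_hwpoison(struct page *p)
{
	unsigned long old = __atomic_fetch_or(&p->flags,
					      1UL << PG_HWPOISON_BIT,
					      __ATOMIC_SEQ_CST);
	return (old >> PG_HWPOISON_BIT) & 1UL;
}

/* Model of a non-atomic flag update (flags = flags | bit), split into its
 * load and its store so another thread can run in between the two halves. */
static unsigned long nonatomic_load(const struct page *p)
{
	return p->flags;
}

static void nonatomic_store(struct page *p, unsigned long snapshot)
{
	/* Writes back a stale snapshot: any bit set since the load is lost. */
	p->flags = snapshot | (1UL << PG_OTHER_BIT);
}

/* Model of set_hwpoison_drain_rcu(). In this schedule the non-atomic writer
 * has already stored by the time anyone drains, so the grace period is a
 * comment; the retry is what makes the bit stick after a clobber. */
static void drain_until_sticks(struct page *p)
{
	do {
		/* synchronize_rcu(); -- non-atomic writers are done here */
	} while (!test_set_hwpoison(p));
}

/* Model of test_and_set_hwpoison_drain_rcu(). */
static bool test_and_set_drain(struct page *p)
{
	bool was_set = test_set_hwpoison(p);

	drain_until_sticks(p);
	return was_set;
}

/* No mf_mutex: returns how many callers believed they set the flag first. */
static int run_unlocked(void)
{
	struct page pg = { 0 };
	unsigned long snap = nonatomic_load(&pg);	/* writer loads flags == 0 */
	bool t1_was_set = test_set_hwpoison(&pg);	/* T1: was_set = false */
	bool t3_was_set;

	nonatomic_store(&pg, snap);			/* writer: HWPoison cleared */
	t3_was_set = test_set_hwpoison(&pg);		/* T3: was_set = false too */
	drain_until_sticks(&pg);			/* T1 finishes its helper */
	drain_until_sticks(&pg);			/* T3 finishes its helper */
	return !t1_was_set + !t3_was_set;		/* two "first setters" */
}

/* With mf_mutex held by T1 across its whole helper; T3 waits for it. */
static int run_locked(void)
{
	struct page pg = { 0 };
	unsigned long snap = nonatomic_load(&pg);	/* writer loads flags == 0 */
	bool t1_was_set, t3_was_set;

	/* mutex_lock(&mf_mutex) by T1 */
	t1_was_set = test_set_hwpoison(&pg);		/* T1: was_set = false */
	nonatomic_store(&pg, snap);			/* writer: HWPoison cleared */
	drain_until_sticks(&pg);			/* T1 re-sets until it sticks */
	/* mutex_unlock(&mf_mutex); T3 acquires it */
	t3_was_set = test_and_set_drain(&pg);		/* T3: was_set = true */
	return !t1_was_set + !t3_was_set;		/* exactly one setter */
}

int main(void)
{
	printf("unlocked: %d callers saw was_set == false\n", run_unlocked());
	printf("locked:   %d caller saw was_set == false\n", run_locked());
	return 0;
}
```

Only the ordering of the three actors differs between the two runs; the drain loop is the same in both, which is the point: retrying until the bit sticks repairs the clobbered flag, but it cannot tell two racing callers apart, so the "was I first" answer is only trustworthy under the mutex.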