Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1757217AbcC2MZK (ORCPT <rfc822;w@1wt.eu>);
	Tue, 29 Mar 2016 08:25:10 -0400
Received: from mx2.suse.de ([195.135.220.15]:57144 "EHLO mx2.suse.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1756877AbcC2MZI (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Tue, 29 Mar 2016 08:25:08 -0400
Subject: Re: [PATCH] mm: fix invalid node in alloc_migrate_target()
To: Xishi Qiu <qiuxishi@huawei.com>, Andrew Morton <akpm@linux-foundation.org>,
        Joonsoo Kim <js1304@gmail.com>, David Rientjes <rientjes@google.com>,
        Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>,
        Laura Abbott <lauraa@codeaurora.org>, zhuhui@xiaomi.com,
        wangxq10@lzu.edu.cn
References: <56F4E104.9090505@huawei.com>
Cc: Linux MM <linux-mm@kvack.org>, LKML <linux-kernel@vger.kernel.org>
From: Vlastimil Babka <vbabka@suse.cz>
Message-ID: <56FA741F.7010705@suse.cz>
Date: Tue, 29 Mar 2016 14:25:03 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.7.0
MIME-Version: 1.0
In-Reply-To: <56F4E104.9090505@huawei.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1405
Lines: 42

On 03/25/2016 07:56 AM, Xishi Qiu wrote:
> It is incorrect to use next_node to find a target node, it will
> return MAX_NUMNODES or invalid node. This will lead to crash in
> buddy system allocation.

One possible place of crash is:
alloc_huge_page_node()
     dequeue_huge_page_node()
         [accesses h->hugepage_freelists[nid] with size MAX_NUMANODES]

> Signed-off-by: Xishi Qiu <qiuxishi@huawei.com>

Fixes: c8721bbbdd36 ("mm: memory-hotplug: enable memory hotplug to 
handle hugepage")
Cc: stable
Acked-by: Vlastimil Babka <vbabka@suse.cz>

> ---
>   mm/page_isolation.c | 8 ++++----
>   1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/mm/page_isolation.c b/mm/page_isolation.c
> index 92c4c36..31555b6 100644
> --- a/mm/page_isolation.c
> +++ b/mm/page_isolation.c
> @@ -289,11 +289,11 @@ struct page *alloc_migrate_target(struct page *page, unsigned long private,
>   	 * now as a simple work-around, we use the next node for destination.
>   	 */
>   	if (PageHuge(page)) {
> -		nodemask_t src = nodemask_of_node(page_to_nid(page));
> -		nodemask_t dst;
> -		nodes_complement(dst, src);
> +		int node = next_online_node(page_to_nid(page));
> +		if (node == MAX_NUMNODES)
> +			node = first_online_node;
>   		return alloc_huge_page_node(page_hstate(compound_head(page)),
> -					    next_node(page_to_nid(page), dst));
> +					    node);
>   	}
>
>   	if (PageHighMem(page))
>