Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1756836AbcC3BQL (ORCPT <rfc822;w@1wt.eu>);
	Tue, 29 Mar 2016 21:16:11 -0400
Received: from TYO202.gate.nec.co.jp ([210.143.35.52]:64766 "EHLO
	tyo202.gate.nec.co.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752995AbcC3BQJ convert rfc822-to-8bit (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 29 Mar 2016 21:16:09 -0400
From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
To: Vlastimil Babka <vbabka@suse.cz>
CC: Xishi Qiu <qiuxishi@huawei.com>, Andrew Morton <akpm@linux-foundation.org>,
        Joonsoo Kim <js1304@gmail.com>, David Rientjes <rientjes@google.com>,
        Laura Abbott <lauraa@codeaurora.org>,
        "zhuhui@xiaomi.com" <zhuhui@xiaomi.com>,
        "wangxq10@lzu.edu.cn" <wangxq10@lzu.edu.cn>,
        Linux MM <linux-mm@kvack.org>, LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] mm: fix invalid node in alloc_migrate_target()
Thread-Topic: [PATCH] mm: fix invalid node in alloc_migrate_target()
Thread-Index: AQHRhmRmxMjy3bsjcUaWfDzFOuj9KJ9vyGGAgADWmQA=
Date: Wed, 30 Mar 2016 01:13:10 +0000
Message-ID: <20160330011308.GA12660@hori1.linux.bs1.fc.nec.co.jp>
References: <56F4E104.9090505@huawei.com> <56FA741F.7010705@suse.cz>
In-Reply-To: <56FA741F.7010705@suse.cz>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.128.101.22]
Content-Type: text/plain; charset="iso-2022-jp"
Content-ID: <185D8B5B5B21FB4A83CD4929F0346AFA@gisp.nec.co.jp>
Content-Transfer-Encoding: 8BIT
MIME-Version: 1.0
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1626
Lines: 48

On Tue, Mar 29, 2016 at 02:25:03PM +0200, Vlastimil Babka wrote:
> On 03/25/2016 07:56 AM, Xishi Qiu wrote:
> >It is incorrect to use next_node to find a target node, it will
> >return MAX_NUMNODES or invalid node. This will lead to crash in
> >buddy system allocation.
> 
> One possible place of crash is:
> alloc_huge_page_node()
>     dequeue_huge_page_node()
>         [accesses h->hugepage_freelists[nid] with size MAX_NUMANODES]
> 
> >Signed-off-by: Xishi Qiu <qiuxishi@huawei.com>
> 
> Fixes: c8721bbbdd36 ("mm: memory-hotplug: enable memory hotplug to handle
> hugepage")
> Cc: stable
> Acked-by: Vlastimil Babka <vbabka@suse.cz>

Thanks everyone for finding/fixing the bug!

Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>

> >---
> >  mm/page_isolation.c | 8 ++++----
> >  1 file changed, 4 insertions(+), 4 deletions(-)
> >
> >diff --git a/mm/page_isolation.c b/mm/page_isolation.c
> >index 92c4c36..31555b6 100644
> >--- a/mm/page_isolation.c
> >+++ b/mm/page_isolation.c
> >@@ -289,11 +289,11 @@ struct page *alloc_migrate_target(struct page *page, unsigned long private,
> >  	 * now as a simple work-around, we use the next node for destination.
> >  	 */
> >  	if (PageHuge(page)) {
> >-		nodemask_t src = nodemask_of_node(page_to_nid(page));
> >-		nodemask_t dst;
> >-		nodes_complement(dst, src);
> >+		int node = next_online_node(page_to_nid(page));
> >+		if (node == MAX_NUMNODES)
> >+			node = first_online_node;
> >  		return alloc_huge_page_node(page_hstate(compound_head(page)),
> >-					    next_node(page_to_nid(page), dst));
> >+					    node);
> >  	}
> >
> >  	if (PageHighMem(page))
> >
>