Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S948397AbcKAAxD (ORCPT <rfc822;w@1wt.eu>);
        Mon, 31 Oct 2016 20:53:03 -0400
Received: from mail-pf0-f193.google.com ([209.85.192.193]:33529 "EHLO
        mail-pf0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S948334AbcKAAxC (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 31 Oct 2016 20:53:02 -0400
From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
        Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>,
        Naoya Horiguchi <nao.horiguchi@gmail.com>
Subject: [PATCH v1] mm: hwpoison: fix thp split handling in memory_failure()
Date: Tue,  1 Nov 2016 09:52:57 +0900
Message-Id: <1477961577-7183-1-git-send-email-n-horiguchi@ah.jp.nec.com>
X-Mailer: git-send-email 2.7.0
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1874
Lines: 51

When memory_failure() runs on a thp tail page after pmd is split, we trigger
the following VM_BUG_ON_PAGE():

  [  619.550520] page:ffffd7cd819b0040 count:0 mapcount:0 mapping:         (null) index:0x1
  [  619.555486] flags: 0x1fffc000400000(hwpoison)
  [  619.556408] page dumped because: VM_BUG_ON_PAGE(!page_count(p))
  [  619.558998] ------------[ cut here ]------------
  [  619.561388] kernel BUG at /src/linux-dev/mm/memory-failure.c:1132!

memory_failure() passed refcount and page lock from tail page to head page,
which is not needed because we can pass any subpage to split_huge_page().

Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Fixes: 61f5d698cc97 ("mm: re-enable THP")
Cc: stable@vger.kernel.org # 4.5+
---
 mm/memory-failure.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git v4.8-rc8-mmotm-2016-09-27-16-08/mm/memory-failure.c v4.8-rc8-mmotm-2016-09-27-16-08_patched/mm/memory-failure.c
index de88f33..19e796d 100644
--- v4.8-rc8-mmotm-2016-09-27-16-08/mm/memory-failure.c
+++ v4.8-rc8-mmotm-2016-09-27-16-08_patched/mm/memory-failure.c
@@ -1112,10 +1112,10 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
 	}
 
 	if (!PageHuge(p) && PageTransHuge(hpage)) {
-		lock_page(hpage);
-		if (!PageAnon(hpage) || unlikely(split_huge_page(hpage))) {
-			unlock_page(hpage);
-			if (!PageAnon(hpage))
+		lock_page(p);
+		if (!PageAnon(p) || unlikely(split_huge_page(p))) {
+			unlock_page(p);
+			if (!PageAnon(p))
 				pr_err("Memory failure: %#lx: non anonymous thp\n",
 					pfn);
 			else
@@ -1126,9 +1126,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
 			put_hwpoison_page(p);
 			return -EBUSY;
 		}
-		unlock_page(hpage);
-		get_hwpoison_page(p);
-		put_hwpoison_page(hpage);
+		unlock_page(p);
 		VM_BUG_ON_PAGE(!page_count(p), p);
 		hpage = compound_head(p);
 	}
-- 
2.7.0