From patchwork Tue Aug 23 03:23:41 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Miaohe Lin <linmiaohe@huawei.com>
X-Patchwork-Id: 12951675
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E0418C32789
	for <linux-mm@archiver.kernel.org>; Tue, 23 Aug 2022 03:24:24 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id C4A188D0003; Mon, 22 Aug 2022 23:24:23 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id BFA258D0001; Mon, 22 Aug 2022 23:24:23 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id AC8768D0003; Mon, 22 Aug 2022 23:24:23 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com
 [216.40.44.16])
	by kanga.kvack.org (Postfix) with ESMTP id A325E8D0001
	for <linux-mm@kvack.org>; Mon, 22 Aug 2022 23:24:23 -0400 (EDT)
Received: from smtpin10.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay02.hostedemail.com (Postfix) with ESMTP id 7BBAC121364
	for <linux-mm@kvack.org>; Tue, 23 Aug 2022 03:24:23 +0000 (UTC)
X-FDA: 79829414406.10.AA04DCF
Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187])
	by imf23.hostedemail.com (Postfix) with ESMTP id 075D4140029
	for <linux-mm@kvack.org>; Tue, 23 Aug 2022 03:24:22 +0000 (UTC)
Received: from canpemm500002.china.huawei.com (unknown [172.30.72.55])
	by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4MBZHl13FYzgYpg;
	Tue, 23 Aug 2022 11:20:51 +0800 (CST)
Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com
 (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Tue, 23 Aug
 2022 11:24:19 +0800
From: Miaohe Lin <linmiaohe@huawei.com>
To: <akpm@linux-foundation.org>, <naoya.horiguchi@nec.com>
CC: <linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>,
	<linmiaohe@huawei.com>
Subject: [PATCH v2 1/6] mm,
 hwpoison: fix page refcnt leaking in try_memory_failure_hugetlb()
Date: Tue, 23 Aug 2022 11:23:41 +0800
Message-ID: <20220823032346.4260-2-linmiaohe@huawei.com>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20220823032346.4260-1-linmiaohe@huawei.com>
References: <20220823032346.4260-1-linmiaohe@huawei.com>
MIME-Version: 1.0
X-Originating-IP: [10.175.124.27]
X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To
 canpemm500002.china.huawei.com (7.192.104.244)
X-CFilter-Loop: Reflected
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1661225063; a=rsa-sha256;
	cv=none;
	b=SlgpeFV+PIyUnfM0d7P9eAth0OOZI3uZi8d6dtDud+zOfEapmAIolrWegT8qNTOyGpIso7
	NrWTRXV7BYJzdbF1xDGGuWBx4gVVgwMz8iaWWf7ZOiGPyoMNd0N4Ee1/NnvsWnz4fQbHen
	zotc3NkFlwt3lGqKN2dEQg/uji01YtA=
ARC-Authentication-Results: i=1;
	imf23.hostedemail.com;
	dkim=none;
	spf=pass (imf23.hostedemail.com: domain of linmiaohe@huawei.com designates
 45.249.212.187 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com;
	dmarc=pass (policy=quarantine) header.from=huawei.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1661225063;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=Oh2/RQVPb2yPdIcXlpkFYi8DjgX39Qn6ZDFEyN9n/F4=;
	b=E2HvrJ6JWRp/Fj2SP0gn9YjtRUuRCwouU50fbAlJ2byUasfDL1cKecutKSL9qRD4uzk4ac
	BA1lvxmyfvnjA+2L3kMnpOGfin17NhhlDz4H44x4UDtOOp4PY8bYV/50e1OrDDYmlx4CHA
	rGogwSwfuTJ1lj2Kr4YdNpcLG9gJTb8=
X-Rspamd-Queue-Id: 075D4140029
X-Rspam-User: 
Authentication-Results: imf23.hostedemail.com;
	dkim=none;
	spf=pass (imf23.hostedemail.com: domain of linmiaohe@huawei.com designates
 45.249.212.187 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com;
	dmarc=pass (policy=quarantine) header.from=huawei.com
X-Rspamd-Server: rspam01
X-Stat-Signature: 7khstsjfe444p3dba99b3rcnrpd1ck4h
X-HE-Tag: 1661225062-901154
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

When hwpoison_filter() refuses to hwpoison a hugetlb page, the refcnt of
the page would have been incremented if res == 1. Using put_page() to fix
the refcnt leaking in this case.

Fixes: 405ce051236c ("mm/hwpoison: fix race between hugetlb free/demotion and memory_failure_hugetlb()")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
---
 mm/memory-failure.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/mm/memory-failure.c b/mm/memory-failure.c
index 5b368124956d..9d1ebfef04ee 100644
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -1860,8 +1860,10 @@ static int try_memory_failure_hugetlb(unsigned long pfn, int flags, int *hugetlb
 
 	if (hwpoison_filter(p)) {
 		hugetlb_clear_page_hwpoison(head);
-		res = -EOPNOTSUPP;
-		goto out;
+		unlock_page(head);
+		if (res == 1)
+			put_page(head);
+		return -EOPNOTSUPP;
 	}
 
 	/*

From patchwork Tue Aug 23 03:23:42 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Miaohe Lin <linmiaohe@huawei.com>
X-Patchwork-Id: 12951676
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 5E99FC32774
	for <linux-mm@archiver.kernel.org>; Tue, 23 Aug 2022 03:24:26 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 2FCAE8D0005; Mon, 22 Aug 2022 23:24:24 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 1E94A8D0001; Mon, 22 Aug 2022 23:24:24 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 0D7AC8D0005; Mon, 22 Aug 2022 23:24:24 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com
 [216.40.44.13])
	by kanga.kvack.org (Postfix) with ESMTP id F34828D0001
	for <linux-mm@kvack.org>; Mon, 22 Aug 2022 23:24:23 -0400 (EDT)
Received: from smtpin08.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay06.hostedemail.com (Postfix) with ESMTP id CA383AADED
	for <linux-mm@kvack.org>; Tue, 23 Aug 2022 03:24:23 +0000 (UTC)
X-FDA: 79829414406.08.4E2D637
Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255])
	by imf08.hostedemail.com (Postfix) with ESMTP id 1890F160029
	for <linux-mm@kvack.org>; Tue, 23 Aug 2022 03:24:22 +0000 (UTC)
Received: from canpemm500002.china.huawei.com (unknown [172.30.72.53])
	by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4MBZHl73ZJz1N7YB;
	Tue, 23 Aug 2022 11:20:51 +0800 (CST)
Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com
 (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Tue, 23 Aug
 2022 11:24:19 +0800
From: Miaohe Lin <linmiaohe@huawei.com>
To: <akpm@linux-foundation.org>, <naoya.horiguchi@nec.com>
CC: <linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>,
	<linmiaohe@huawei.com>
Subject: [PATCH v2 2/6] mm,
 hwpoison: fix page refcnt leaking in unpoison_memory()
Date: Tue, 23 Aug 2022 11:23:42 +0800
Message-ID: <20220823032346.4260-3-linmiaohe@huawei.com>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20220823032346.4260-1-linmiaohe@huawei.com>
References: <20220823032346.4260-1-linmiaohe@huawei.com>
MIME-Version: 1.0
X-Originating-IP: [10.175.124.27]
X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To
 canpemm500002.china.huawei.com (7.192.104.244)
X-CFilter-Loop: Reflected
ARC-Authentication-Results: i=1;
	imf08.hostedemail.com;
	dkim=none;
	spf=pass (imf08.hostedemail.com: domain of linmiaohe@huawei.com designates
 45.249.212.255 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com;
	dmarc=pass (policy=quarantine) header.from=huawei.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1661225063; a=rsa-sha256;
	cv=none;
	b=dwj25915FPi9jm3ECoTF2n3xu877jyCbnsiEmLQylip1MmzCPjwyzff9w/1oL+AGS5LbBY
	wuFR/7MbSW6hl9ubRbvKaAIbo2hbiM/jM+YIIu2jkklRkz7WBF0QuuYGK7y16MVLNY1gPw
	/ClgVHraBshL84kCnR14VZnAheYLu4Q=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1661225063;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=L1lcdRVJ1SWMdbTh7JgkPh7FjxW1ZLFo7OVrfcYt3wc=;
	b=Y1Y/cin4kaKWgNdZlH9WZO2RVjHoxaDbwZHO6EbAG5g4efK5zGPwx+0zALyWomdNkfVjhW
	c01Ku+XJ6FZi61Kq6U3+cuEl636Mc8D2w5nVOXkTTbvbr0jtFCa8QvH9qNlFLeKp0G6xFE
	+u/fSdVaId+GdHMScqBKqHT1IiQEv+4=
Authentication-Results: imf08.hostedemail.com;
	dkim=none;
	spf=pass (imf08.hostedemail.com: domain of linmiaohe@huawei.com designates
 45.249.212.255 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com;
	dmarc=pass (policy=quarantine) header.from=huawei.com
X-Stat-Signature: csia9qquzffe1d9i5ya8miow61mo8zb7
X-Rspamd-Queue-Id: 1890F160029
X-Rspam-User: 
X-Rspamd-Server: rspam12
X-HE-Tag: 1661225062-492006
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

When free_raw_hwp_pages() fails its work, the refcnt of the hugetlb page
would have been incremented if ret > 0. Using put_page() to fix refcnt
leaking in this case.

Fixes: debb6b9c3fdd ("mm, hwpoison: make unpoison aware of raw error info in hwpoisoned hugepage")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
---
 mm/memory-failure.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/memory-failure.c b/mm/memory-failure.c
index 9d1ebfef04ee..ecd42d717c6f 100644
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -2378,6 +2378,7 @@ int unpoison_memory(unsigned long pfn)
 			count = free_raw_hwp_pages(page, false);
 			if (count == 0) {
 				ret = -EBUSY;
+				put_page(page);
 				goto unlock_mutex;
 			}
 		}

From patchwork Tue Aug 23 03:23:43 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Miaohe Lin <linmiaohe@huawei.com>
X-Patchwork-Id: 12951677
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id EAE67C28D13
	for <linux-mm@archiver.kernel.org>; Tue, 23 Aug 2022 03:24:27 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 745158D0001; Mon, 22 Aug 2022 23:24:24 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 67BE18D0006; Mon, 22 Aug 2022 23:24:24 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 56CCD8D0001; Mon, 22 Aug 2022 23:24:24 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com
 [216.40.44.16])
	by kanga.kvack.org (Postfix) with ESMTP id 3AF308D0006
	for <linux-mm@kvack.org>; Mon, 22 Aug 2022 23:24:24 -0400 (EDT)
Received: from smtpin21.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay10.hostedemail.com (Postfix) with ESMTP id F1845C136D
	for <linux-mm@kvack.org>; Tue, 23 Aug 2022 03:24:23 +0000 (UTC)
X-FDA: 79829414406.21.7727815
Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188])
	by imf20.hostedemail.com (Postfix) with ESMTP id 3000F1C000E
	for <linux-mm@kvack.org>; Tue, 23 Aug 2022 03:24:23 +0000 (UTC)
Received: from canpemm500002.china.huawei.com (unknown [172.30.72.53])
	by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4MBZGq6CvdzXf27;
	Tue, 23 Aug 2022 11:20:03 +0800 (CST)
Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com
 (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Tue, 23 Aug
 2022 11:24:20 +0800
From: Miaohe Lin <linmiaohe@huawei.com>
To: <akpm@linux-foundation.org>, <naoya.horiguchi@nec.com>
CC: <linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>,
	<linmiaohe@huawei.com>
Subject: [PATCH v2 3/6] mm,
 hwpoison: fix extra put_page() in soft_offline_page()
Date: Tue, 23 Aug 2022 11:23:43 +0800
Message-ID: <20220823032346.4260-4-linmiaohe@huawei.com>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20220823032346.4260-1-linmiaohe@huawei.com>
References: <20220823032346.4260-1-linmiaohe@huawei.com>
MIME-Version: 1.0
X-Originating-IP: [10.175.124.27]
X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To
 canpemm500002.china.huawei.com (7.192.104.244)
X-CFilter-Loop: Reflected
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1661225063;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=+qc79B2BTc+cSDbQrxL+vXMqMVxtgZRkbCViFq3ka/8=;
	b=LfLPiyBG7rRDQKInfhM8YTdh/dpjnfIB7tULIfle3nxFe7/9jn6s5ChKq17NmHkjbMlG0a
	6kUk3XjkToEQU7II7KV0FTpAHmLiV8ty2hulnB+iGgyQ6klJ0XuiUFQw4oSDdALN4yESpb
	zChMNgrtvKx1X5aAEQiFPnqjxDqfYQQ=
ARC-Authentication-Results: i=1;
	imf20.hostedemail.com;
	dkim=none;
	spf=pass (imf20.hostedemail.com: domain of linmiaohe@huawei.com designates
 45.249.212.188 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com;
	dmarc=pass (policy=quarantine) header.from=huawei.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1661225063; a=rsa-sha256;
	cv=none;
	b=Oa+jQpvVTcar/4KvPhFNm0PSe3esRTo1d4RXaBgEpTfILO82oXDujrknIqo9GyCbpoiKHD
	6uTqZqAOGtRiKFkj+oPvMb8ETJZIDBkWhYb3Wa3E5lZ26J5OoYXzeC1T77ZXkzhqW4HoZZ
	NdclNi0I8nVZju0gXoix1lUWUPDZWbw=
X-Rspamd-Queue-Id: 3000F1C000E
X-Rspam-User: 
Authentication-Results: imf20.hostedemail.com;
	dkim=none;
	spf=pass (imf20.hostedemail.com: domain of linmiaohe@huawei.com designates
 45.249.212.188 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com;
	dmarc=pass (policy=quarantine) header.from=huawei.com
X-Rspamd-Server: rspam05
X-Stat-Signature: f1mxq6dfzzwotxsfy5q9uat9m6m5f7fy
X-HE-Tag: 1661225063-618569
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

When hwpoison_filter() refuses to soft offline a page, the page refcnt
incremented previously by MF_COUNT_INCREASED would have been consumed
via get_hwpoison_page() if ret <= 0. So the put_ref_page() here will
put the extra one. Remove it to fix the issue.

Fixes: 9113eaf331bf ("mm/memory-failure.c: add hwpoison_filter for soft offline")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
---
 mm/memory-failure.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/mm/memory-failure.c b/mm/memory-failure.c
index ecd42d717c6f..1d79e693f1b9 100644
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -2575,8 +2575,6 @@ int soft_offline_page(unsigned long pfn, int flags)
 	if (hwpoison_filter(page)) {
 		if (ret > 0)
 			put_page(page);
-		else
-			put_ref_page(ref_page);
 
 		mutex_unlock(&mf_mutex);
 		return -EOPNOTSUPP;

From patchwork Tue Aug 23 03:23:44 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Miaohe Lin <linmiaohe@huawei.com>
X-Patchwork-Id: 12951678
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 2F695C32789
	for <linux-mm@archiver.kernel.org>; Tue, 23 Aug 2022 03:24:29 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 1ED398D0007; Mon, 22 Aug 2022 23:24:25 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 12A788D0006; Mon, 22 Aug 2022 23:24:25 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id E96E98D0007; Mon, 22 Aug 2022 23:24:24 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com
 [216.40.44.10])
	by kanga.kvack.org (Postfix) with ESMTP id D66A98D0006
	for <linux-mm@kvack.org>; Mon, 22 Aug 2022 23:24:24 -0400 (EDT)
Received: from smtpin28.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay07.hostedemail.com (Postfix) with ESMTP id B0EC0160677
	for <linux-mm@kvack.org>; Tue, 23 Aug 2022 03:24:24 +0000 (UTC)
X-FDA: 79829414448.28.7D3DA75
Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187])
	by imf09.hostedemail.com (Postfix) with ESMTP id 8039E14003C
	for <linux-mm@kvack.org>; Tue, 23 Aug 2022 03:24:23 +0000 (UTC)
Received: from canpemm500002.china.huawei.com (unknown [172.30.72.56])
	by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4MBZHm3PTVzgYpk;
	Tue, 23 Aug 2022 11:20:52 +0800 (CST)
Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com
 (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Tue, 23 Aug
 2022 11:24:20 +0800
From: Miaohe Lin <linmiaohe@huawei.com>
To: <akpm@linux-foundation.org>, <naoya.horiguchi@nec.com>
CC: <linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>,
	<linmiaohe@huawei.com>
Subject: [PATCH v2 4/6] mm,
 hwpoison: fix possible use-after-free in mf_dax_kill_procs()
Date: Tue, 23 Aug 2022 11:23:44 +0800
Message-ID: <20220823032346.4260-5-linmiaohe@huawei.com>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20220823032346.4260-1-linmiaohe@huawei.com>
References: <20220823032346.4260-1-linmiaohe@huawei.com>
MIME-Version: 1.0
X-Originating-IP: [10.175.124.27]
X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To
 canpemm500002.china.huawei.com (7.192.104.244)
X-CFilter-Loop: Reflected
ARC-Authentication-Results: i=1;
	imf09.hostedemail.com;
	dkim=none;
	dmarc=pass (policy=quarantine) header.from=huawei.com;
	spf=pass (imf09.hostedemail.com: domain of linmiaohe@huawei.com designates
 45.249.212.187 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1661225063; a=rsa-sha256;
	cv=none;
	b=5FGsLXz4VA7vdbm8KacnDk2CdekQkkcsDORfI817K7oi1g3OxLmNN/yIqEf1cXZT7LVJsG
	WjAAhCnhrs0nLwDdSFC3v2PhQXhzOedk503EeNHo8kR6wpcgx9pwqLZMnAHVSnOmKz2z05
	3g3VmJhrzxvWqrnYcAVvtLgY3d6NE+0=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1661225063;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=pFYEpTsXJmHfW6I1oKg6c4BgDdCtGcow54ssxC/v4Go=;
	b=sLO1GH2V1v4baROFWLdtSXAREJjn43H3fGSxOKO5QRZl6ub4xIOg6GQE/DFLovxgLFf+8g
	v+mMWlwlEWcWXeJYmO5eAYBXma10gZDDhBUL+biHTTGs9Ua6lF2mbCYNZ51CimLLeucWPn
	tZHItZFpGqmblzzVlXdaw/QF/NLktGA=
X-Rspam-User: 
Authentication-Results: imf09.hostedemail.com;
	dkim=none;
	dmarc=pass (policy=quarantine) header.from=huawei.com;
	spf=pass (imf09.hostedemail.com: domain of linmiaohe@huawei.com designates
 45.249.212.187 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com
X-Stat-Signature: 953b7b6y18uef9zga77fju773da6689y
X-Rspamd-Server: rspam02
X-Rspamd-Queue-Id: 8039E14003C
X-HE-Tag: 1661225063-303702
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

After kill_procs(), tk will be freed without being removed from the to_kill
list. In the next iteration, the freed list entry in the to_kill list will
be accessed, thus leading to use-after-free issue. Adding list_del() in
kill_procs() to fix the issue.

Fixes: c36e20249571 ("mm: introduce mf_dax_kill_procs() for fsdax case")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
---
 mm/memory-failure.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mm/memory-failure.c b/mm/memory-failure.c
index 1d79e693f1b9..f8262f577baf 100644
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -413,7 +413,7 @@ static void kill_procs(struct list_head *to_kill, int forcekill, bool fail,
 {
 	struct to_kill *tk, *next;
 
-	list_for_each_entry_safe (tk, next, to_kill, nd) {
+	list_for_each_entry_safe(tk, next, to_kill, nd) {
 		if (forcekill) {
 			/*
 			 * In case something went wrong with munmapping
@@ -437,6 +437,7 @@ static void kill_procs(struct list_head *to_kill, int forcekill, bool fail,
 				pr_err("%#lx: Cannot send advisory machine check signal to %s:%d\n",
 				       pfn, tk->tsk->comm, tk->tsk->pid);
 		}
+		list_del(&tk->nd);
 		put_task_struct(tk->tsk);
 		kfree(tk);
 	}

From patchwork Tue Aug 23 03:23:45 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Miaohe Lin <linmiaohe@huawei.com>
X-Patchwork-Id: 12951680
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 04FC4C32774
	for <linux-mm@archiver.kernel.org>; Tue, 23 Aug 2022 03:24:32 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 213808D0009; Mon, 22 Aug 2022 23:24:27 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 19AFB8D0006; Mon, 22 Aug 2022 23:24:27 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id F09CC8D0009; Mon, 22 Aug 2022 23:24:26 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com
 [216.40.44.14])
	by kanga.kvack.org (Postfix) with ESMTP id D75318D0006
	for <linux-mm@kvack.org>; Mon, 22 Aug 2022 23:24:26 -0400 (EDT)
Received: from smtpin10.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay03.hostedemail.com (Postfix) with ESMTP id B0F24A0A1F
	for <linux-mm@kvack.org>; Tue, 23 Aug 2022 03:24:26 +0000 (UTC)
X-FDA: 79829414532.10.8683CCB
Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187])
	by imf03.hostedemail.com (Postfix) with ESMTP id 2FA5B20033
	for <linux-mm@kvack.org>; Tue, 23 Aug 2022 03:24:25 +0000 (UTC)
Received: from canpemm500002.china.huawei.com (unknown [172.30.72.54])
	by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4MBZK75H1hzhYcQ;
	Tue, 23 Aug 2022 11:22:03 +0800 (CST)
Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com
 (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Tue, 23 Aug
 2022 11:24:21 +0800
From: Miaohe Lin <linmiaohe@huawei.com>
To: <akpm@linux-foundation.org>, <naoya.horiguchi@nec.com>
CC: <linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>,
	<linmiaohe@huawei.com>
Subject: [PATCH v2 5/6] mm, hwpoison: kill procs if unmap fails
Date: Tue, 23 Aug 2022 11:23:45 +0800
Message-ID: <20220823032346.4260-6-linmiaohe@huawei.com>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20220823032346.4260-1-linmiaohe@huawei.com>
References: <20220823032346.4260-1-linmiaohe@huawei.com>
MIME-Version: 1.0
X-Originating-IP: [10.175.124.27]
X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To
 canpemm500002.china.huawei.com (7.192.104.244)
X-CFilter-Loop: Reflected
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1661225066; a=rsa-sha256;
	cv=none;
	b=Ile99wvUeY700Z0KnX5rzFrHK8AzIToVnChMBEzfZTtV7yKKMIRXHFuln9ImWK8pUdures
	sj9IDoaUsAGb5H/+aNtz4WGe+QRtyWVrzkAe6WdGU5VVeP9q4yEE92Aj7kzAzlg89rcqGA
	WIaioCEaX3nZSKJiKqWjG3adlkqK8xw=
ARC-Authentication-Results: i=1;
	imf03.hostedemail.com;
	dkim=none;
	spf=pass (imf03.hostedemail.com: domain of linmiaohe@huawei.com designates
 45.249.212.187 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com;
	dmarc=pass (policy=quarantine) header.from=huawei.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1661225066;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=GhP5UJAWUh30rSH0rNEdcRuDZSze7TBlX5vGw7AxMqk=;
	b=zbdqYAFqD2dDkPp6mEPwPxRpAjMTz2wuvGd5SzK3N/Xv3fEH3AnfZ/zRyY8GKWnJwJZ0EO
	EkjKk9rGj3Mo/8OA5QQNm8NFlRrZ8HjQpe7ojUA5BrBUpB0cwjiP6Wdo2y1uB5iHmKj8hU
	QnHQspe6ervc6xwXQk3s62tmucenIiI=
X-Rspamd-Queue-Id: 2FA5B20033
X-Rspam-User: 
Authentication-Results: imf03.hostedemail.com;
	dkim=none;
	spf=pass (imf03.hostedemail.com: domain of linmiaohe@huawei.com designates
 45.249.212.187 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com;
	dmarc=pass (policy=quarantine) header.from=huawei.com
X-Rspamd-Server: rspam01
X-Stat-Signature: dxnf3mooexai5oj9tq7apqg4xaogkhwz
X-HE-Tag: 1661225065-284186
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

If try_to_unmap() fails, the hwpoisoned page still resides in the address
space of some processes. We should kill these processes or the hwpoisoned
page might be consumed later. collect_procs() is always called to collect
relevant processes now so they can be killed later if unmap fails.

Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
---
 mm/memory-failure.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/mm/memory-failure.c b/mm/memory-failure.c
index f8262f577baf..c2910f9af1d4 100644
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -1397,7 +1397,7 @@ static bool hwpoison_user_mappings(struct page *p, unsigned long pfn,
 	struct address_space *mapping;
 	LIST_HEAD(tokill);
 	bool unmap_success;
-	int kill = 1, forcekill;
+	int forcekill;
 	bool mlocked = PageMlocked(hpage);
 
 	/*
@@ -1438,7 +1438,6 @@ static bool hwpoison_user_mappings(struct page *p, unsigned long pfn,
 		if (page_mkclean(hpage)) {
 			SetPageDirty(hpage);
 		} else {
-			kill = 0;
 			ttu |= TTU_IGNORE_HWPOISON;
 			pr_info("%#lx: corrupted page was clean: dropped without side effects\n",
 				pfn);
@@ -1449,12 +1448,8 @@ static bool hwpoison_user_mappings(struct page *p, unsigned long pfn,
 	 * First collect all the processes that have the page
 	 * mapped in dirty form.  This has to be done before try_to_unmap,
 	 * because ttu takes the rmap data structures down.
-	 *
-	 * Error handling: We ignore errors here because
-	 * there's nothing that can be done.
 	 */
-	if (kill)
-		collect_procs(hpage, &tokill, flags & MF_ACTION_REQUIRED);
+	collect_procs(hpage, &tokill, flags & MF_ACTION_REQUIRED);
 
 	if (PageHuge(hpage) && !PageAnon(hpage)) {
 		/*
@@ -1496,7 +1491,8 @@ static bool hwpoison_user_mappings(struct page *p, unsigned long pfn,
 	 * use a more force-full uncatchable kill to prevent
 	 * any accesses to the poisoned memory.
 	 */
-	forcekill = PageDirty(hpage) || (flags & MF_MUST_KILL);
+	forcekill = PageDirty(hpage) || (flags & MF_MUST_KILL) ||
+		    !unmap_success;
 	kill_procs(&tokill, forcekill, !unmap_success, pfn, flags);
 
 	return unmap_success;

From patchwork Tue Aug 23 03:23:46 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Miaohe Lin <linmiaohe@huawei.com>
X-Patchwork-Id: 12951679
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 9B7B1C28D13
	for <linux-mm@archiver.kernel.org>; Tue, 23 Aug 2022 03:24:30 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 2B47B8D0008; Mon, 22 Aug 2022 23:24:26 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 1EB5E8D0006; Mon, 22 Aug 2022 23:24:26 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 062488D0008; Mon, 22 Aug 2022 23:24:26 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com
 [216.40.44.15])
	by kanga.kvack.org (Postfix) with ESMTP id E58278D0006
	for <linux-mm@kvack.org>; Mon, 22 Aug 2022 23:24:25 -0400 (EDT)
Received: from smtpin08.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay07.hostedemail.com (Postfix) with ESMTP id C1B6B160677
	for <linux-mm@kvack.org>; Tue, 23 Aug 2022 03:24:25 +0000 (UTC)
X-FDA: 79829414490.08.B93C0FC
Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187])
	by imf28.hostedemail.com (Postfix) with ESMTP id 4129AC0050
	for <linux-mm@kvack.org>; Tue, 23 Aug 2022 03:24:24 +0000 (UTC)
Received: from canpemm500002.china.huawei.com (unknown [172.30.72.55])
	by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4MBZHn2SrszgYpq;
	Tue, 23 Aug 2022 11:20:53 +0800 (CST)
Received: from huawei.com (10.175.124.27) by canpemm500002.china.huawei.com
 (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Tue, 23 Aug
 2022 11:24:21 +0800
From: Miaohe Lin <linmiaohe@huawei.com>
To: <akpm@linux-foundation.org>, <naoya.horiguchi@nec.com>
CC: <linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>,
	<linmiaohe@huawei.com>
Subject: [PATCH v2 6/6] mm, hwpoison: avoid trying to unpoison reserved page
Date: Tue, 23 Aug 2022 11:23:46 +0800
Message-ID: <20220823032346.4260-7-linmiaohe@huawei.com>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20220823032346.4260-1-linmiaohe@huawei.com>
References: <20220823032346.4260-1-linmiaohe@huawei.com>
MIME-Version: 1.0
X-Originating-IP: [10.175.124.27]
X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To
 canpemm500002.china.huawei.com (7.192.104.244)
X-CFilter-Loop: Reflected
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1661225065; a=rsa-sha256;
	cv=none;
	b=szrHMfcDPkTKwEq6a2cP0y3zSygvNt+bmDCZHXYxH3XJlFHbRLodqYN6H9OpW+kI6EXA7Y
	lTEMH+lkFT2ipRFeQ4Jj8CIf7vIhbVPc47XwMqyRYLERYlNJWTMHtHGFGXnI5nYkRXd/SZ
	vWsWmrjD/2BHyWA1J+maZNAblQw1AjU=
ARC-Authentication-Results: i=1;
	imf28.hostedemail.com;
	dkim=none;
	dmarc=pass (policy=quarantine) header.from=huawei.com;
	spf=pass (imf28.hostedemail.com: domain of linmiaohe@huawei.com designates
 45.249.212.187 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1661225065;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=NVkGst6K526LP6oQ59e++PJ5St0Zj5qkPKrR+BZ33DI=;
	b=L9GcFoEaKiAz9JQ2o3YnWJtV9ZPkU5GMDqH+gPomHJQikj9AR0hYhH7D015KpU0KhArRJa
	hSkFZUPc9UXvCquokvCr/gXlwln8r0u2j+EqGwuELhdkVyFfZHtva6b0IG75iJSB47Cq2C
	+sprauMFvN1zisyWKAZuYo2lQB4jN6I=
X-Rspam-User: 
Authentication-Results: imf28.hostedemail.com;
	dkim=none;
	dmarc=pass (policy=quarantine) header.from=huawei.com;
	spf=pass (imf28.hostedemail.com: domain of linmiaohe@huawei.com designates
 45.249.212.187 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com
X-Rspamd-Server: rspam10
X-Rspamd-Queue-Id: 4129AC0050
X-Stat-Signature: gzwacjp57cmm4yuupezmmfyoh96u4qox
X-HE-Tag: 1661225064-954575
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

For reserved pages, HWPoison flag will be set without increasing the page
refcnt. So we shouldn't even try to unpoison these pages and thus decrease
the page refcnt unexpectly. Add a PageReserved() check to filter this case
out and remove the below unneeded zero page (zero page is reserved) check.

Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
---
 mm/memory-failure.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mm/memory-failure.c b/mm/memory-failure.c
index c2910f9af1d4..f3ff2515ccc6 100644
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -2351,7 +2351,7 @@ int unpoison_memory(unsigned long pfn)
 		goto unlock_mutex;
 	}
 
-	if (PageSlab(page) || PageTable(page))
+	if (PageSlab(page) || PageTable(page) || PageReserved(page))
 		goto unlock_mutex;
 
 	ret = get_hwpoison_page(p, MF_UNPOISON);
@@ -2382,7 +2382,7 @@ int unpoison_memory(unsigned long pfn)
 		freeit = !!TestClearPageHWPoison(p);
 
 		put_page(page);
-		if (freeit && !(pfn == my_zero_pfn(0) && page_count(p) == 1)) {
+		if (freeit) {
 			put_page(page);
 			ret = 0;
 		}