Commit 16d07443 authored by Hugh Dickins's avatar Hugh Dickins Committed by Greg Kroah-Hartman

mm/huge_memory: splitting set mapping+index before unfreeze

commit 173d9d9f upstream.

Huge tmpfs stress testing has occasionally hit shmem_undo_range()'s
VM_BUG_ON_PAGE(page_to_pgoff(page) != index, page).

Move the setting of mapping and index up before the page_ref_unfreeze()
in __split_huge_page_tail() to fix this: so that a page cache lookup
cannot get a reference while the tail's mapping and index are unstable.

In fact, might as well move them up before the smp_wmb(): I don't see an
actual need for that, but if I'm missing something, this way round is
safer than the other, and no less efficient.

You might argue that VM_BUG_ON_PAGE(page_to_pgoff(page) != index, page) is
misplaced, and should be left until after the trylock_page(); but left as
is has not crashed since, and gives more stringent assurance.

Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1811261516380.2275@eggly.anvils
Fixes: e9b61f19 ("thp: reintroduce split_huge_page()")
Requires: 605ca5ed ("mm/huge_memory.c: reorder operations in __split_huge_page_tail()")
Signed-off-by: default avatarHugh Dickins <hughd@google.com>
Acked-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Cc: Jerome Glisse <jglisse@redhat.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: <stable@vger.kernel.org>	[4.8+]
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 30241d72
...@@ -2331,6 +2331,12 @@ static void __split_huge_page_tail(struct page *head, int tail, ...@@ -2331,6 +2331,12 @@ static void __split_huge_page_tail(struct page *head, int tail,
(1L << PG_unevictable) | (1L << PG_unevictable) |
(1L << PG_dirty))); (1L << PG_dirty)));
/* ->mapping in first tail page is compound_mapcount */
VM_BUG_ON_PAGE(tail > 2 && page_tail->mapping != TAIL_MAPPING,
page_tail);
page_tail->mapping = head->mapping;
page_tail->index = head->index + tail;
/* Page flags must be visible before we make the page non-compound. */ /* Page flags must be visible before we make the page non-compound. */
smp_wmb(); smp_wmb();
...@@ -2351,12 +2357,6 @@ static void __split_huge_page_tail(struct page *head, int tail, ...@@ -2351,12 +2357,6 @@ static void __split_huge_page_tail(struct page *head, int tail,
if (page_is_idle(head)) if (page_is_idle(head))
set_page_idle(page_tail); set_page_idle(page_tail);
/* ->mapping in first tail page is compound_mapcount */
VM_BUG_ON_PAGE(tail > 2 && page_tail->mapping != TAIL_MAPPING,
page_tail);
page_tail->mapping = head->mapping;
page_tail->index = head->index + tail;
page_cpupid_xchg_last(page_tail, page_cpupid_last(head)); page_cpupid_xchg_last(page_tail, page_cpupid_last(head));
lru_add_page_tail(head, page_tail, lruvec, list); lru_add_page_tail(head, page_tail, lruvec, list);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment