Commit 98f1ae16 authored by Hugh Dickins's avatar Hugh Dickins Committed by Greg Kroah-Hartman

mm/khugepaged: fix crashes due to misaccounted holes

commit aaa52e34 upstream.

Huge tmpfs testing on a shortish file mapped into a pmd-rounded extent
hit shmem_evict_inode()'s WARN_ON(inode->i_blocks) followed by
clear_inode()'s BUG_ON(inode->i_data.nrpages) when the file was later
closed and unlinked.

khugepaged's collapse_shmem() was forgetting to update mapping->nrpages
on the rollback path, after it had added but then needs to undo some
holes.

There is indeed an irritating asymmetry between shmem_charge(), whose
callers want it to increment nrpages after successfully accounting
blocks, and shmem_uncharge(), when __delete_from_page_cache() already
decremented nrpages itself: oh well, just add a comment on that to them
both.

And shmem_recalc_inode() is supposed to be called when the accounting is
expected to be in balance (so it can deduce from imbalance that reclaim
discarded some pages): so change shmem_charge() to update nrpages
earlier (though it's rare for the difference to matter at all).

Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1811261523450.2275@eggly.anvils
Fixes: 800d8c63 ("shmem: add huge pages support")
Fixes: f3f0e1d2 ("khugepaged: add support of collapse for tmpfs/shmem pages")
Signed-off-by: default avatarHugh Dickins <hughd@google.com>
Acked-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Jerome Glisse <jglisse@redhat.com>
Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: <stable@vger.kernel.org>	[4.8+]
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 81d2848c
...@@ -1539,8 +1539,10 @@ static void collapse_shmem(struct mm_struct *mm, ...@@ -1539,8 +1539,10 @@ static void collapse_shmem(struct mm_struct *mm,
*hpage = NULL; *hpage = NULL;
} else { } else {
/* Something went wrong: rollback changes to the radix-tree */ /* Something went wrong: rollback changes to the radix-tree */
shmem_uncharge(mapping->host, nr_none);
spin_lock_irq(&mapping->tree_lock); spin_lock_irq(&mapping->tree_lock);
mapping->nrpages -= nr_none;
shmem_uncharge(mapping->host, nr_none);
radix_tree_for_each_slot(slot, &mapping->page_tree, &iter, radix_tree_for_each_slot(slot, &mapping->page_tree, &iter,
start) { start) {
if (iter.index >= end) if (iter.index >= end)
......
...@@ -296,12 +296,14 @@ bool shmem_charge(struct inode *inode, long pages) ...@@ -296,12 +296,14 @@ bool shmem_charge(struct inode *inode, long pages)
if (!shmem_inode_acct_block(inode, pages)) if (!shmem_inode_acct_block(inode, pages))
return false; return false;
/* nrpages adjustment first, then shmem_recalc_inode() when balanced */
inode->i_mapping->nrpages += pages;
spin_lock_irqsave(&info->lock, flags); spin_lock_irqsave(&info->lock, flags);
info->alloced += pages; info->alloced += pages;
inode->i_blocks += pages * BLOCKS_PER_PAGE; inode->i_blocks += pages * BLOCKS_PER_PAGE;
shmem_recalc_inode(inode); shmem_recalc_inode(inode);
spin_unlock_irqrestore(&info->lock, flags); spin_unlock_irqrestore(&info->lock, flags);
inode->i_mapping->nrpages += pages;
return true; return true;
} }
...@@ -311,6 +313,8 @@ void shmem_uncharge(struct inode *inode, long pages) ...@@ -311,6 +313,8 @@ void shmem_uncharge(struct inode *inode, long pages)
struct shmem_inode_info *info = SHMEM_I(inode); struct shmem_inode_info *info = SHMEM_I(inode);
unsigned long flags; unsigned long flags;
/* nrpages adjustment done by __delete_from_page_cache() or caller */
spin_lock_irqsave(&info->lock, flags); spin_lock_irqsave(&info->lock, flags);
info->alloced -= pages; info->alloced -= pages;
inode->i_blocks -= pages * BLOCKS_PER_PAGE; inode->i_blocks -= pages * BLOCKS_PER_PAGE;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment