From: Greg Kroah-Hartman Date: Tue, 8 Apr 2025 10:23:37 +0000 (+0200) Subject: drop mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch from everywhere X-Git-Tag: v5.4.292~29 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=06b5acdca046b3e5947a0acf57d527188e2c8c68;p=thirdparty%2Fkernel%2Fstable-queue.git drop mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch from everywhere --- diff --git a/queue-6.1/mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch b/queue-6.1/mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch deleted file mode 100644 index dea207d94e..0000000000 --- a/queue-6.1/mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From 1b0449544c6482179ac84530b61fc192a6527bfd Mon Sep 17 00:00:00 2001 -From: Jinjiang Tu -Date: Tue, 18 Mar 2025 16:39:39 +0800 -Subject: mm/vmscan: don't try to reclaim hwpoison folio - -From: Jinjiang Tu - -commit 1b0449544c6482179ac84530b61fc192a6527bfd upstream. - -Syzkaller reports a bug as follows: - -Injecting memory failure for pfn 0x18b00e at process virtual address 0x20ffd000 -Memory failure: 0x18b00e: dirty swapcache page still referenced by 2 users -Memory failure: 0x18b00e: recovery action for dirty swapcache page: Failed -page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x20ffd pfn:0x18b00e -memcg:ffff0000dd6d9000 -anon flags: 0x5ffffe00482011(locked|dirty|arch_1|swapbacked|hwpoison|node=0|zone=2|lastcpupid=0xfffff) -raw: 005ffffe00482011 dead000000000100 dead000000000122 ffff0000e232a7c9 -raw: 0000000000020ffd 0000000000000000 00000002ffffffff ffff0000dd6d9000 -page dumped because: VM_BUG_ON_FOLIO(!folio_test_uptodate(folio)) -------------[ cut here ]------------ -kernel BUG at mm/swap_state.c:184! 
-Internal error: Oops - BUG: 00000000f2000800 [#1] SMP -Modules linked in: -CPU: 0 PID: 60 Comm: kswapd0 Not tainted 6.6.0-gcb097e7de84e #3 -Hardware name: linux,dummy-virt (DT) -pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) -pc : add_to_swap+0xbc/0x158 -lr : add_to_swap+0xbc/0x158 -sp : ffff800087f37340 -x29: ffff800087f37340 x28: fffffc00052c0380 x27: ffff800087f37780 -x26: ffff800087f37490 x25: ffff800087f37c78 x24: ffff800087f377a0 -x23: ffff800087f37c50 x22: 0000000000000000 x21: fffffc00052c03b4 -x20: 0000000000000000 x19: fffffc00052c0380 x18: 0000000000000000 -x17: 296f696c6f662865 x16: 7461646f7470755f x15: 747365745f6f696c -x14: 6f6621284f494c4f x13: 0000000000000001 x12: ffff600036d8b97b -x11: 1fffe00036d8b97a x10: ffff600036d8b97a x9 : dfff800000000000 -x8 : 00009fffc9274686 x7 : ffff0001b6c5cbd3 x6 : 0000000000000001 -x5 : ffff0000c25896c0 x4 : 0000000000000000 x3 : 0000000000000000 -x2 : 0000000000000000 x1 : ffff0000c25896c0 x0 : 0000000000000000 -Call trace: - add_to_swap+0xbc/0x158 - shrink_folio_list+0x12ac/0x2648 - shrink_inactive_list+0x318/0x948 - shrink_lruvec+0x450/0x720 - shrink_node_memcgs+0x280/0x4a8 - shrink_node+0x128/0x978 - balance_pgdat+0x4f0/0xb20 - kswapd+0x228/0x438 - kthread+0x214/0x230 - ret_from_fork+0x10/0x20 - -I can reproduce this issue with the following steps: - -1) When a dirty swapcache page is isolated by reclaim process and the - page isn't locked, inject memory failure for the page. - me_swapcache_dirty() clears uptodate flag and tries to delete from lru, - but fails. Reclaim process will put the hwpoisoned page back to lru. - -2) The process that maps the hwpoisoned page exits, the page is deleted - the page will never be freed and will be in the lru forever. - -3) If we trigger a reclaim again and tries to reclaim the page, - add_to_swap() will trigger VM_BUG_ON_FOLIO due to the uptodate flag is - cleared. - -To fix it, skip the hwpoisoned page in shrink_folio_list(). 
Besides, the -hwpoison folio may not be unmapped by hwpoison_user_mappings() yet, unmap -it in shrink_folio_list(), otherwise the folio will fail to be unmaped by -hwpoison_user_mappings() since the folio isn't in lru list. - -Link: https://lkml.kernel.org/r/20250318083939.987651-3-tujinjiang@huawei.com -Signed-off-by: Jinjiang Tu -Acked-by: Miaohe Lin -Cc: David Hildenbrand -Cc: Kefeng Wang -Cc: Nanyong Sun -Cc: Naoya Horiguchi -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - mm/vmscan.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/mm/vmscan.c -+++ b/mm/vmscan.c -@@ -1669,6 +1669,13 @@ retry: - if (!folio_trylock(folio)) - goto keep; - -+ if (folio_contain_hwpoisoned_page(folio)) { -+ unmap_poisoned_folio(folio, folio_pfn(folio), false); -+ folio_unlock(folio); -+ folio_put(folio); -+ continue; -+ } -+ - VM_BUG_ON_FOLIO(folio_test_active(folio), folio); - - nr_pages = folio_nr_pages(folio); diff --git a/queue-6.1/series b/queue-6.1/series index c6e0ca5f52..e860754565 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -194,7 +194,6 @@ tracing-fix-use-after-free-in-print_graph_function_flags-during-tracer-switching tracing-ensure-module-defining-synth-event-cannot-be-unloaded-while-tracing.patch tracing-fix-synth-event-printk-format-for-str-fields.patch tracing-osnoise-fix-possible-recursive-locking-for-cpus_read_lock.patch -mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch arm64-don-t-call-null-in-do_compat_alignment_fixup.patch ext4-don-t-over-report-free-space-or-inodes-in-statvfs.patch ext4-fix-oob-read-when-checking-dotdot-dir.patch diff --git a/queue-6.12/mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch b/queue-6.12/mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch deleted file mode 100644 index 96f37edfb1..0000000000 --- a/queue-6.12/mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From 1b0449544c6482179ac84530b61fc192a6527bfd Mon Sep 17 00:00:00 2001 -From: Jinjiang Tu -Date: Tue, 18 Mar 2025 16:39:39 +0800 -Subject: mm/vmscan: don't try to reclaim hwpoison folio - -From: Jinjiang Tu - -commit 1b0449544c6482179ac84530b61fc192a6527bfd upstream. - -Syzkaller reports a bug as follows: - -Injecting memory failure for pfn 0x18b00e at process virtual address 0x20ffd000 -Memory failure: 0x18b00e: dirty swapcache page still referenced by 2 users -Memory failure: 0x18b00e: recovery action for dirty swapcache page: Failed -page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x20ffd pfn:0x18b00e -memcg:ffff0000dd6d9000 -anon flags: 0x5ffffe00482011(locked|dirty|arch_1|swapbacked|hwpoison|node=0|zone=2|lastcpupid=0xfffff) -raw: 005ffffe00482011 dead000000000100 dead000000000122 ffff0000e232a7c9 -raw: 0000000000020ffd 0000000000000000 00000002ffffffff ffff0000dd6d9000 -page dumped because: VM_BUG_ON_FOLIO(!folio_test_uptodate(folio)) -------------[ cut here ]------------ -kernel BUG at mm/swap_state.c:184! 
-Internal error: Oops - BUG: 00000000f2000800 [#1] SMP -Modules linked in: -CPU: 0 PID: 60 Comm: kswapd0 Not tainted 6.6.0-gcb097e7de84e #3 -Hardware name: linux,dummy-virt (DT) -pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) -pc : add_to_swap+0xbc/0x158 -lr : add_to_swap+0xbc/0x158 -sp : ffff800087f37340 -x29: ffff800087f37340 x28: fffffc00052c0380 x27: ffff800087f37780 -x26: ffff800087f37490 x25: ffff800087f37c78 x24: ffff800087f377a0 -x23: ffff800087f37c50 x22: 0000000000000000 x21: fffffc00052c03b4 -x20: 0000000000000000 x19: fffffc00052c0380 x18: 0000000000000000 -x17: 296f696c6f662865 x16: 7461646f7470755f x15: 747365745f6f696c -x14: 6f6621284f494c4f x13: 0000000000000001 x12: ffff600036d8b97b -x11: 1fffe00036d8b97a x10: ffff600036d8b97a x9 : dfff800000000000 -x8 : 00009fffc9274686 x7 : ffff0001b6c5cbd3 x6 : 0000000000000001 -x5 : ffff0000c25896c0 x4 : 0000000000000000 x3 : 0000000000000000 -x2 : 0000000000000000 x1 : ffff0000c25896c0 x0 : 0000000000000000 -Call trace: - add_to_swap+0xbc/0x158 - shrink_folio_list+0x12ac/0x2648 - shrink_inactive_list+0x318/0x948 - shrink_lruvec+0x450/0x720 - shrink_node_memcgs+0x280/0x4a8 - shrink_node+0x128/0x978 - balance_pgdat+0x4f0/0xb20 - kswapd+0x228/0x438 - kthread+0x214/0x230 - ret_from_fork+0x10/0x20 - -I can reproduce this issue with the following steps: - -1) When a dirty swapcache page is isolated by reclaim process and the - page isn't locked, inject memory failure for the page. - me_swapcache_dirty() clears uptodate flag and tries to delete from lru, - but fails. Reclaim process will put the hwpoisoned page back to lru. - -2) The process that maps the hwpoisoned page exits, the page is deleted - the page will never be freed and will be in the lru forever. - -3) If we trigger a reclaim again and tries to reclaim the page, - add_to_swap() will trigger VM_BUG_ON_FOLIO due to the uptodate flag is - cleared. - -To fix it, skip the hwpoisoned page in shrink_folio_list(). 
Besides, the -hwpoison folio may not be unmapped by hwpoison_user_mappings() yet, unmap -it in shrink_folio_list(), otherwise the folio will fail to be unmaped by -hwpoison_user_mappings() since the folio isn't in lru list. - -Link: https://lkml.kernel.org/r/20250318083939.987651-3-tujinjiang@huawei.com -Signed-off-by: Jinjiang Tu -Acked-by: Miaohe Lin -Cc: David Hildenbrand -Cc: Kefeng Wang -Cc: Nanyong Sun -Cc: Naoya Horiguchi -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - mm/vmscan.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/mm/vmscan.c -+++ b/mm/vmscan.c -@@ -1079,6 +1079,13 @@ retry: - if (!folio_trylock(folio)) - goto keep; - -+ if (folio_contain_hwpoisoned_page(folio)) { -+ unmap_poisoned_folio(folio, folio_pfn(folio), false); -+ folio_unlock(folio); -+ folio_put(folio); -+ continue; -+ } -+ - VM_BUG_ON_FOLIO(folio_test_active(folio), folio); - - nr_pages = folio_nr_pages(folio); diff --git a/queue-6.12/series b/queue-6.12/series index ef718f0230..07beceae0e 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -405,7 +405,6 @@ tracing-fix-use-after-free-in-print_graph_function_flags-during-tracer-switching tracing-ensure-module-defining-synth-event-cannot-be-unloaded-while-tracing.patch tracing-fix-synth-event-printk-format-for-str-fields.patch tracing-osnoise-fix-possible-recursive-locking-for-cpus_read_lock.patch -mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch mm-gup-reject-foll_split_pmd-with-hugetlb-vmas.patch arm64-don-t-call-null-in-do_compat_alignment_fixup.patch wifi-mt76-mt7921-fix-kernel-panic-due-to-null-pointer-dereference.patch diff --git a/queue-6.13/mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch b/queue-6.13/mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch deleted file mode 100644 index 96f37edfb1..0000000000 --- a/queue-6.13/mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From 1b0449544c6482179ac84530b61fc192a6527bfd Mon Sep 17 00:00:00 2001 -From: Jinjiang Tu -Date: Tue, 18 Mar 2025 16:39:39 +0800 -Subject: mm/vmscan: don't try to reclaim hwpoison folio - -From: Jinjiang Tu - -commit 1b0449544c6482179ac84530b61fc192a6527bfd upstream. - -Syzkaller reports a bug as follows: - -Injecting memory failure for pfn 0x18b00e at process virtual address 0x20ffd000 -Memory failure: 0x18b00e: dirty swapcache page still referenced by 2 users -Memory failure: 0x18b00e: recovery action for dirty swapcache page: Failed -page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x20ffd pfn:0x18b00e -memcg:ffff0000dd6d9000 -anon flags: 0x5ffffe00482011(locked|dirty|arch_1|swapbacked|hwpoison|node=0|zone=2|lastcpupid=0xfffff) -raw: 005ffffe00482011 dead000000000100 dead000000000122 ffff0000e232a7c9 -raw: 0000000000020ffd 0000000000000000 00000002ffffffff ffff0000dd6d9000 -page dumped because: VM_BUG_ON_FOLIO(!folio_test_uptodate(folio)) -------------[ cut here ]------------ -kernel BUG at mm/swap_state.c:184! 
-Internal error: Oops - BUG: 00000000f2000800 [#1] SMP -Modules linked in: -CPU: 0 PID: 60 Comm: kswapd0 Not tainted 6.6.0-gcb097e7de84e #3 -Hardware name: linux,dummy-virt (DT) -pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) -pc : add_to_swap+0xbc/0x158 -lr : add_to_swap+0xbc/0x158 -sp : ffff800087f37340 -x29: ffff800087f37340 x28: fffffc00052c0380 x27: ffff800087f37780 -x26: ffff800087f37490 x25: ffff800087f37c78 x24: ffff800087f377a0 -x23: ffff800087f37c50 x22: 0000000000000000 x21: fffffc00052c03b4 -x20: 0000000000000000 x19: fffffc00052c0380 x18: 0000000000000000 -x17: 296f696c6f662865 x16: 7461646f7470755f x15: 747365745f6f696c -x14: 6f6621284f494c4f x13: 0000000000000001 x12: ffff600036d8b97b -x11: 1fffe00036d8b97a x10: ffff600036d8b97a x9 : dfff800000000000 -x8 : 00009fffc9274686 x7 : ffff0001b6c5cbd3 x6 : 0000000000000001 -x5 : ffff0000c25896c0 x4 : 0000000000000000 x3 : 0000000000000000 -x2 : 0000000000000000 x1 : ffff0000c25896c0 x0 : 0000000000000000 -Call trace: - add_to_swap+0xbc/0x158 - shrink_folio_list+0x12ac/0x2648 - shrink_inactive_list+0x318/0x948 - shrink_lruvec+0x450/0x720 - shrink_node_memcgs+0x280/0x4a8 - shrink_node+0x128/0x978 - balance_pgdat+0x4f0/0xb20 - kswapd+0x228/0x438 - kthread+0x214/0x230 - ret_from_fork+0x10/0x20 - -I can reproduce this issue with the following steps: - -1) When a dirty swapcache page is isolated by reclaim process and the - page isn't locked, inject memory failure for the page. - me_swapcache_dirty() clears uptodate flag and tries to delete from lru, - but fails. Reclaim process will put the hwpoisoned page back to lru. - -2) The process that maps the hwpoisoned page exits, the page is deleted - the page will never be freed and will be in the lru forever. - -3) If we trigger a reclaim again and tries to reclaim the page, - add_to_swap() will trigger VM_BUG_ON_FOLIO due to the uptodate flag is - cleared. - -To fix it, skip the hwpoisoned page in shrink_folio_list(). 
Besides, the -hwpoison folio may not be unmapped by hwpoison_user_mappings() yet, unmap -it in shrink_folio_list(), otherwise the folio will fail to be unmaped by -hwpoison_user_mappings() since the folio isn't in lru list. - -Link: https://lkml.kernel.org/r/20250318083939.987651-3-tujinjiang@huawei.com -Signed-off-by: Jinjiang Tu -Acked-by: Miaohe Lin -Cc: David Hildenbrand -Cc: Kefeng Wang -Cc: Nanyong Sun -Cc: Naoya Horiguchi -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - mm/vmscan.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/mm/vmscan.c -+++ b/mm/vmscan.c -@@ -1079,6 +1079,13 @@ retry: - if (!folio_trylock(folio)) - goto keep; - -+ if (folio_contain_hwpoisoned_page(folio)) { -+ unmap_poisoned_folio(folio, folio_pfn(folio), false); -+ folio_unlock(folio); -+ folio_put(folio); -+ continue; -+ } -+ - VM_BUG_ON_FOLIO(folio_test_active(folio), folio); - - nr_pages = folio_nr_pages(folio); diff --git a/queue-6.13/series b/queue-6.13/series index 9f267d05eb..9f9359c35d 100644 --- a/queue-6.13/series +++ b/queue-6.13/series @@ -478,7 +478,6 @@ tracing-ensure-module-defining-synth-event-cannot-be-unloaded-while-tracing.patc tracing-fix-synth-event-printk-format-for-str-fields.patch tracing-osnoise-fix-possible-recursive-locking-for-cpus_read_lock.patch tracing-verify-event-formats-that-have-p.patch -mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch mm-gup-reject-foll_split_pmd-with-hugetlb-vmas.patch arm64-don-t-call-null-in-do_compat_alignment_fixup.patch wifi-mt76-mt7921-fix-kernel-panic-due-to-null-pointer-dereference.patch diff --git a/queue-6.14/mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch b/queue-6.14/mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch deleted file mode 100644 index df9096820d..0000000000 --- a/queue-6.14/mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From 1b0449544c6482179ac84530b61fc192a6527bfd Mon Sep 17 00:00:00 2001 -From: Jinjiang Tu -Date: Tue, 18 Mar 2025 16:39:39 +0800 -Subject: mm/vmscan: don't try to reclaim hwpoison folio - -From: Jinjiang Tu - -commit 1b0449544c6482179ac84530b61fc192a6527bfd upstream. - -Syzkaller reports a bug as follows: - -Injecting memory failure for pfn 0x18b00e at process virtual address 0x20ffd000 -Memory failure: 0x18b00e: dirty swapcache page still referenced by 2 users -Memory failure: 0x18b00e: recovery action for dirty swapcache page: Failed -page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x20ffd pfn:0x18b00e -memcg:ffff0000dd6d9000 -anon flags: 0x5ffffe00482011(locked|dirty|arch_1|swapbacked|hwpoison|node=0|zone=2|lastcpupid=0xfffff) -raw: 005ffffe00482011 dead000000000100 dead000000000122 ffff0000e232a7c9 -raw: 0000000000020ffd 0000000000000000 00000002ffffffff ffff0000dd6d9000 -page dumped because: VM_BUG_ON_FOLIO(!folio_test_uptodate(folio)) -------------[ cut here ]------------ -kernel BUG at mm/swap_state.c:184! 
-Internal error: Oops - BUG: 00000000f2000800 [#1] SMP -Modules linked in: -CPU: 0 PID: 60 Comm: kswapd0 Not tainted 6.6.0-gcb097e7de84e #3 -Hardware name: linux,dummy-virt (DT) -pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) -pc : add_to_swap+0xbc/0x158 -lr : add_to_swap+0xbc/0x158 -sp : ffff800087f37340 -x29: ffff800087f37340 x28: fffffc00052c0380 x27: ffff800087f37780 -x26: ffff800087f37490 x25: ffff800087f37c78 x24: ffff800087f377a0 -x23: ffff800087f37c50 x22: 0000000000000000 x21: fffffc00052c03b4 -x20: 0000000000000000 x19: fffffc00052c0380 x18: 0000000000000000 -x17: 296f696c6f662865 x16: 7461646f7470755f x15: 747365745f6f696c -x14: 6f6621284f494c4f x13: 0000000000000001 x12: ffff600036d8b97b -x11: 1fffe00036d8b97a x10: ffff600036d8b97a x9 : dfff800000000000 -x8 : 00009fffc9274686 x7 : ffff0001b6c5cbd3 x6 : 0000000000000001 -x5 : ffff0000c25896c0 x4 : 0000000000000000 x3 : 0000000000000000 -x2 : 0000000000000000 x1 : ffff0000c25896c0 x0 : 0000000000000000 -Call trace: - add_to_swap+0xbc/0x158 - shrink_folio_list+0x12ac/0x2648 - shrink_inactive_list+0x318/0x948 - shrink_lruvec+0x450/0x720 - shrink_node_memcgs+0x280/0x4a8 - shrink_node+0x128/0x978 - balance_pgdat+0x4f0/0xb20 - kswapd+0x228/0x438 - kthread+0x214/0x230 - ret_from_fork+0x10/0x20 - -I can reproduce this issue with the following steps: - -1) When a dirty swapcache page is isolated by reclaim process and the - page isn't locked, inject memory failure for the page. - me_swapcache_dirty() clears uptodate flag and tries to delete from lru, - but fails. Reclaim process will put the hwpoisoned page back to lru. - -2) The process that maps the hwpoisoned page exits, the page is deleted - the page will never be freed and will be in the lru forever. - -3) If we trigger a reclaim again and tries to reclaim the page, - add_to_swap() will trigger VM_BUG_ON_FOLIO due to the uptodate flag is - cleared. - -To fix it, skip the hwpoisoned page in shrink_folio_list(). 
Besides, the -hwpoison folio may not be unmapped by hwpoison_user_mappings() yet, unmap -it in shrink_folio_list(), otherwise the folio will fail to be unmaped by -hwpoison_user_mappings() since the folio isn't in lru list. - -Link: https://lkml.kernel.org/r/20250318083939.987651-3-tujinjiang@huawei.com -Signed-off-by: Jinjiang Tu -Acked-by: Miaohe Lin -Cc: David Hildenbrand -Cc: Kefeng Wang -Cc: Nanyong Sun -Cc: Naoya Horiguchi -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - mm/vmscan.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/mm/vmscan.c -+++ b/mm/vmscan.c -@@ -1112,6 +1112,13 @@ retry: - if (!folio_trylock(folio)) - goto keep; - -+ if (folio_contain_hwpoisoned_page(folio)) { -+ unmap_poisoned_folio(folio, folio_pfn(folio), false); -+ folio_unlock(folio); -+ folio_put(folio); -+ continue; -+ } -+ - VM_BUG_ON_FOLIO(folio_test_active(folio), folio); - - nr_pages = folio_nr_pages(folio); diff --git a/queue-6.14/series b/queue-6.14/series index 15dd472b8f..27ad12ab3f 100644 --- a/queue-6.14/series +++ b/queue-6.14/series @@ -710,7 +710,6 @@ tracing-ensure-module-defining-synth-event-cannot-be-unloaded-while-tracing.patc tracing-fix-synth-event-printk-format-for-str-fields.patch tracing-osnoise-fix-possible-recursive-locking-for-cpus_read_lock.patch tracing-verify-event-formats-that-have-p.patch -mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch mm-gup-reject-foll_split_pmd-with-hugetlb-vmas.patch arm64-don-t-call-null-in-do_compat_alignment_fixup.patch wifi-mt76-mt7921-fix-kernel-panic-due-to-null-pointer-dereference.patch diff --git a/queue-6.6/mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch b/queue-6.6/mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch deleted file mode 100644 index 8c9e574c19..0000000000 --- a/queue-6.6/mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From 1b0449544c6482179ac84530b61fc192a6527bfd Mon Sep 17 00:00:00 2001 -From: Jinjiang Tu -Date: Tue, 18 Mar 2025 16:39:39 +0800 -Subject: mm/vmscan: don't try to reclaim hwpoison folio - -From: Jinjiang Tu - -commit 1b0449544c6482179ac84530b61fc192a6527bfd upstream. - -Syzkaller reports a bug as follows: - -Injecting memory failure for pfn 0x18b00e at process virtual address 0x20ffd000 -Memory failure: 0x18b00e: dirty swapcache page still referenced by 2 users -Memory failure: 0x18b00e: recovery action for dirty swapcache page: Failed -page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x20ffd pfn:0x18b00e -memcg:ffff0000dd6d9000 -anon flags: 0x5ffffe00482011(locked|dirty|arch_1|swapbacked|hwpoison|node=0|zone=2|lastcpupid=0xfffff) -raw: 005ffffe00482011 dead000000000100 dead000000000122 ffff0000e232a7c9 -raw: 0000000000020ffd 0000000000000000 00000002ffffffff ffff0000dd6d9000 -page dumped because: VM_BUG_ON_FOLIO(!folio_test_uptodate(folio)) -------------[ cut here ]------------ -kernel BUG at mm/swap_state.c:184! 
-Internal error: Oops - BUG: 00000000f2000800 [#1] SMP -Modules linked in: -CPU: 0 PID: 60 Comm: kswapd0 Not tainted 6.6.0-gcb097e7de84e #3 -Hardware name: linux,dummy-virt (DT) -pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) -pc : add_to_swap+0xbc/0x158 -lr : add_to_swap+0xbc/0x158 -sp : ffff800087f37340 -x29: ffff800087f37340 x28: fffffc00052c0380 x27: ffff800087f37780 -x26: ffff800087f37490 x25: ffff800087f37c78 x24: ffff800087f377a0 -x23: ffff800087f37c50 x22: 0000000000000000 x21: fffffc00052c03b4 -x20: 0000000000000000 x19: fffffc00052c0380 x18: 0000000000000000 -x17: 296f696c6f662865 x16: 7461646f7470755f x15: 747365745f6f696c -x14: 6f6621284f494c4f x13: 0000000000000001 x12: ffff600036d8b97b -x11: 1fffe00036d8b97a x10: ffff600036d8b97a x9 : dfff800000000000 -x8 : 00009fffc9274686 x7 : ffff0001b6c5cbd3 x6 : 0000000000000001 -x5 : ffff0000c25896c0 x4 : 0000000000000000 x3 : 0000000000000000 -x2 : 0000000000000000 x1 : ffff0000c25896c0 x0 : 0000000000000000 -Call trace: - add_to_swap+0xbc/0x158 - shrink_folio_list+0x12ac/0x2648 - shrink_inactive_list+0x318/0x948 - shrink_lruvec+0x450/0x720 - shrink_node_memcgs+0x280/0x4a8 - shrink_node+0x128/0x978 - balance_pgdat+0x4f0/0xb20 - kswapd+0x228/0x438 - kthread+0x214/0x230 - ret_from_fork+0x10/0x20 - -I can reproduce this issue with the following steps: - -1) When a dirty swapcache page is isolated by reclaim process and the - page isn't locked, inject memory failure for the page. - me_swapcache_dirty() clears uptodate flag and tries to delete from lru, - but fails. Reclaim process will put the hwpoisoned page back to lru. - -2) The process that maps the hwpoisoned page exits, the page is deleted - the page will never be freed and will be in the lru forever. - -3) If we trigger a reclaim again and tries to reclaim the page, - add_to_swap() will trigger VM_BUG_ON_FOLIO due to the uptodate flag is - cleared. - -To fix it, skip the hwpoisoned page in shrink_folio_list(). 
Besides, the -hwpoison folio may not be unmapped by hwpoison_user_mappings() yet, unmap -it in shrink_folio_list(), otherwise the folio will fail to be unmaped by -hwpoison_user_mappings() since the folio isn't in lru list. - -Link: https://lkml.kernel.org/r/20250318083939.987651-3-tujinjiang@huawei.com -Signed-off-by: Jinjiang Tu -Acked-by: Miaohe Lin -Cc: David Hildenbrand -Cc: Kefeng Wang -Cc: Nanyong Sun -Cc: Naoya Horiguchi -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - mm/vmscan.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/mm/vmscan.c -+++ b/mm/vmscan.c -@@ -1741,6 +1741,13 @@ retry: - if (!folio_trylock(folio)) - goto keep; - -+ if (folio_contain_hwpoisoned_page(folio)) { -+ unmap_poisoned_folio(folio, folio_pfn(folio), false); -+ folio_unlock(folio); -+ folio_put(folio); -+ continue; -+ } -+ - VM_BUG_ON_FOLIO(folio_test_active(folio), folio); - - nr_pages = folio_nr_pages(folio); diff --git a/queue-6.6/series b/queue-6.6/series index 2c647f593b..f249e8b8ac 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -257,7 +257,6 @@ tracing-fix-use-after-free-in-print_graph_function_flags-during-tracer-switching tracing-ensure-module-defining-synth-event-cannot-be-unloaded-while-tracing.patch tracing-fix-synth-event-printk-format-for-str-fields.patch tracing-osnoise-fix-possible-recursive-locking-for-cpus_read_lock.patch -mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch arm64-don-t-call-null-in-do_compat_alignment_fixup.patch ext4-don-t-over-report-free-space-or-inodes-in-statvfs.patch ext4-fix-oob-read-when-checking-dotdot-dir.patch
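Review bot: The commit message at the top says only that the patch is dropped "from everywhere" and gives no reason, which is a gap for a change that removes a crash fix. The deleted file is the stable backport of upstream commit 1b0449544c6482179ac84530b61fc192a6527bfd, whose description shows a kernel BUG at mm/swap_state.c:184 reached from kswapd through shrink_folio_list() and add_to_swap(). After this change queue-6.1, queue-6.6, queue-6.12, queue-6.13 and queue-6.14 all lose that fix, and the quoted oops was taken on a 6.6.0 kernel. Please record why it is being dropped and whether a reworked backport is expected, so the gap can be tracked per tree. For the series hunks, also confirm that no later entry touching mm/vmscan.c relied on the seven added lines as context in order to apply.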
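Review bot: In the mm/vmscan.c hunk of the deleted patch (the same seven added lines in all five queues, differing only in the @@ offset), the new block depends on folio_contain_hwpoisoned_page() and unmap_poisoned_folio(folio, folio_pfn(folio), false), while the patch itself touches only mm/vmscan.c and nothing visible here provides either helper for these trees. If the backport is requeued, check per tree that both helpers exist with that three-argument form before adding it to the series. The result of the unmap is also not checked before the folio is released with folio_unlock(), folio_put() and continue, and the reason a hwpoisoned folio is skipped rather than sent to keep is explained only in the commit message; a short comment above the block stating that reasoning, and why skipping is safe even if the unmap does not succeed, would help later readers of shrink_folio_list().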