Commit bd12e033 authored May 22, 2024 by Matthew Wilcox (Oracle) Committed by Liu Shixin May 22, 2024

mm: remove folio from deferred split list before uncharging it

mainline inclusion
from mainline-v6.9-rc1
commit 47932e7048df9156e96133ee90fb3e9df68dbd15
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I9R3AY
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=47932e7048df9156e96133ee90fb3e9df68dbd15

--------------------------------

When freeing a large folio, we must remove it from the deferred split list
before we uncharge it as each memcg has its own deferred split list (with
associated lock) and removing a folio from the deferred split list while
holding the wrong lock will corrupt that list and cause various related
problems.

Link: https://lore.kernel.org/linux-mm/367a14f7-340e-4b29-90ae-bc3fcefdd5f4@arm.com/
Link: https://lkml.kernel.org/r/20240311191835.312162-1-willy@infradead.org


Fixes: f77171d241e3 (mm: allow non-hugetlb large folios to be batch processed)
Fixes: 29f3843026cf (mm: free folios directly in move_folios_to_lru())
Fixes: bc2ff4cbc329 (mm: free folios in a batch in shrink_folio_list())
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Debugged-by: Ryan Roberts <ryan.roberts@arm.com>
Tested-by: Ryan Roberts <ryan.roberts@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Liu Shixin <liushixin2@huawei.com>

parent 6a7ecc2a

mm/swap.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -1012,6 +1012,9 @@ void folios_put_refs(struct folio_batch folios, unsigned int refs)
		free_huge_folio(folio);
		continue;
		}
		if (folio_test_large(folio) &&
		folio_test_large_rmappable(folio))
		folio_undo_large_rmappable(folio);

		__page_cache_release(folio, &lruvec, &flags);

mm/vmscan.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -2135,6 +2135,9 @@ static unsigned int shrink_folio_list(struct list_head *folio_list,
		*/
		nr_reclaimed += nr_pages;

		if (folio_test_large(folio) &&
		folio_test_large_rmappable(folio))
		folio_undo_large_rmappable(folio);
		if (folio_batch_add(&free_folios, folio) == 0) {
		mem_cgroup_uncharge_folios(&free_folios);
		try_to_unmap_flush();
		@@ -2542,6 +2545,9 @@ static unsigned int move_folios_to_lru(struct lruvec *lruvec,
		if (unlikely(folio_put_testzero(folio))) {
		__folio_clear_lru_flags(folio);

		if (folio_test_large(folio) &&
		folio_test_large_rmappable(folio))
		folio_undo_large_rmappable(folio);
		if (folio_batch_add(&free_folios, folio) == 0) {
		spin_unlock_irq(&lruvec->lru_lock);
		mem_cgroup_uncharge_folios(&free_folios);