path: root/mm/page_vma_mapped.c
diff options
authorHugh Dickins <>2021-06-15 18:23:53 -0700
committerLinus Torvalds <>2021-06-16 09:24:42 -0700
commit732ed55823fc3ad998d43b86bf771887bcc5ec67 (patch)
treea1df9c1b8e346b6c861d8c6b2d5ec08ebc1e3aaf /mm/page_vma_mapped.c
parent3b77e8c8cde581dadab9a0f1543a347e24315f11 (diff)
mm/thp: try_to_unmap() use TTU_SYNC for safe splitting
Stressing huge tmpfs often crashed on unmap_page()'s VM_BUG_ON_PAGE (!unmap_success): with dump_page() showing mapcount:1, but then its raw struct page output showing _mapcount ffffffff i.e. mapcount 0. And even if that particular VM_BUG_ON_PAGE(!unmap_success) is removed, it is immediately followed by a VM_BUG_ON_PAGE(compound_mapcount(head)), and further down an IS_ENABLED(CONFIG_DEBUG_VM) total_mapcount BUG(): all indicative of some mapcount difficulty in development here perhaps. But the !CONFIG_DEBUG_VM path handles the failures correctly and silently. I believe the problem is that once a racing unmap has cleared pte or pmd, try_to_unmap_one() may skip taking the page table lock, and emerge from try_to_unmap() before the racing task has reached decrementing mapcount. Instead of abandoning the unsafe VM_BUG_ON_PAGE(), and the ones that follow, use PVMW_SYNC in try_to_unmap_one() in this case: adding TTU_SYNC to the options, and passing that from unmap_page(). When CONFIG_DEBUG_VM, or for non-debug too? Consensus is to do the same for both: the slight overhead added should rarely matter, except perhaps if splitting sparsely-populated multiply-mapped shmem. Once confident that bugs are fixed, TTU_SYNC here can be removed, and the race tolerated. Link: Fixes: fec89c109f3a ("thp: rewrite freeze_page()/unfreeze_page() with generic rmap walkers") Signed-off-by: Hugh Dickins <> Cc: Alistair Popple <> Cc: Jan Kara <> Cc: Jue Wang <> Cc: Kirill A. Shutemov <> Cc: "Matthew Wilcox (Oracle)" <> Cc: Miaohe Lin <> Cc: Minchan Kim <> Cc: Naoya Horiguchi <> Cc: Oscar Salvador <> Cc: Peter Xu <> Cc: Ralph Campbell <> Cc: Shakeel Butt <> Cc: Wang Yugui <> Cc: Yang Shi <> Cc: Zi Yan <> Cc: <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
Diffstat (limited to 'mm/page_vma_mapped.c')
1 files changed, 11 insertions, 0 deletions
diff --git a/mm/page_vma_mapped.c b/mm/page_vma_mapped.c
index 2cf01d933f13..5b559967410e 100644
--- a/mm/page_vma_mapped.c
+++ b/mm/page_vma_mapped.c
@@ -212,6 +212,17 @@ restart:
pvmw->ptl = NULL;
} else if (!pmd_present(pmde)) {
+ /*
+ * If PVMW_SYNC, take and drop THP pmd lock so that we
+ * cannot return prematurely, while zap_huge_pmd() has
+ * cleared *pmd but not decremented compound_mapcount().
+ */
+ if ((pvmw->flags & PVMW_SYNC) &&
+ PageTransCompound(pvmw->page)) {
+ spinlock_t *ptl = pmd_lock(mm, pvmw->pmd);
+ spin_unlock(ptl);
+ }
return false;
if (!map_pte(pvmw))