hulk inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/8775 ---------------------------------------- When a file hugetlb folio triggers UCE, me_huge_page() will keep the hugetlb folio in pagcahe with refcount increased and PG_hwpoison set. Even after the hugetlb file is deleted, the hugetlb folio is still leaked. If we want to offline the memory block that the hwpoisoned hugetlb folio belongs to, it fails in dissolve_free_hugetlb_folios() due to the hwpoisoned hugetlb folio isn't free. I can reproduce this issue with the following steps in qemu: 1) echo offline >/sys/devices/system/memory/auto_online_blocks 2) in qemu monitor: object_add memory-backend-ram,id=mem10,size=1G device_add pc-dimm,id=dimm1,memdev=mem10,node=2 3) echo online_movable > /sys/devices/system/node/node2/memory136/state 4) echo 5 > /sys/devices/system/node/node2/hugepages/hugepages-2048kB/nr_hugepages 5) run ./hugetlb_file. This process will receive SIGBUS. 6) remove the hugetlbfs file. 7) echo offline > /sys/devices/system/node/node2/memory136/state hugetlb_file.c: fd = open("/dev/hugepages/my_hugepage_file", O_CREAT | O_RDWR, 0755); fallocate(fd, 0, 0, HUGEPAGE_SIZE * 2); addr = mmap(NULL, HUGEPAGE_SIZE * 2, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_HUGETLB, fd, 0); memset(addr, 0xaa, HUGEPAGE_SIZE * 2); madvise(addr, HUGEPAGE_SIZE, MADV_HWPOISON); To fix it, force to put ref of hwpoisoned hugetlb in memory offline, the hwpoisoned hugetlb will be freed and succeeds to be dissolved. We couldn't avoid races here, just like commit b023f46813cd ("memory-hotplug: skip HWPoisoned page when offlining pages"), which force to skip hwpoisoned page regardless of refcount. Fixes: 8625147cafaa ("hugetlbfs: don't delete error page from pagecache") Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com> --- mm/hugetlb.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/mm/hugetlb.c b/mm/hugetlb.c index d8fe41a77cd2..33dd9dcb186b 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -2480,6 +2480,7 @@ int dissolve_free_huge_page(struct page *page) */ int dissolve_free_huge_pages(unsigned long start_pfn, unsigned long end_pfn) { + struct folio *folio; unsigned long pfn; struct page *page; int rc = 0; @@ -2495,6 +2496,16 @@ int dissolve_free_huge_pages(unsigned long start_pfn, unsigned long end_pfn) for (pfn = start_pfn; pfn < end_pfn; pfn += 1 << order) { page = pfn_to_page(pfn); + folio = page_folio(page); + + /* + * For hwpoisoned hugetlb, put the refcount increaed by + * memory-failure, make it succeed to dissolve. + */ + if (unlikely(folio_test_hwpoison(folio) && folio_test_hugetlb(folio) + && !READ_ONCE(folio->mapping) && (folio_ref_count(folio) == 1))) + folio_put(folio); + rc = dissolve_free_huge_page(page); if (rc) break; -- 2.43.0