mm: thp: check total_mapcount instead of page_mapcount

When debugging the bug reported by Wang Yugui [1], try_to_unmap() may return false positive for PTE-mapped THP since page_mapcount() is used to check if the THP is unmapped, but it just checks compound mapcount and head page's mapcount. If the THP is PTE-mapped and head page is not mapped, it may return a false positive. Use total_mapcount() instead of page_mapcount() for try_to_unmap() and do so for the VM_BUG_ON_PAGE in split_huge_page_to_list as well. This changes the semantics of try_to_unmap(), but I don't see there is any use case that expects try_to_unmap() to just unmap one subpage of a huge page. So using page_mapcount() seems like a bug. [1] https://lore.kernel.org/linux-mm/[email protected]/ Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Yang Shi <[email protected]> Cc: Zi Yan <[email protected]> Cc: Kirill A. Shutemov <[email protected]> Cc: Wang Yugui <[email protected]> Cc: Hugh Dickins <[email protected]> Cc: Mike Kravetz <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Stephen Rothwell <[email protected]>
grate-driver · May 14, 2021 · 69cc525 · 69cc525
1 parent 248470b
commit 69cc525
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 14 deletions.
diff --git a/mm/huge_memory.c b/mm/huge_memory.c
@@ -2350,7 +2350,6 @@ static void unmap_page(struct page *page)
 		ttu_flags |= TTU_SPLIT_FREEZE;
 
 	unmap_success = try_to_unmap(page, ttu_flags);
-	VM_BUG_ON_PAGE(!unmap_success, page);
 }
 
 static void remap_page(struct page *page, unsigned int nr)
@@ -2720,7 +2719,7 @@ int split_huge_page_to_list(struct page *page, struct list_head *list)
 	}
 
 	unmap_page(head);
-	VM_BUG_ON_PAGE(compound_mapcount(head), head);
+	VM_BUG_ON_PAGE(total_mapcount(head), head);
 
 	/* block interrupt reentry in xa_lock and spinlock */
 	local_irq_disable();
@@ -2760,14 +2759,6 @@ int split_huge_page_to_list(struct page *page, struct list_head *list)
 		__split_huge_page(page, list, end);
 		ret = 0;
 	} else {
-		if (IS_ENABLED(CONFIG_DEBUG_VM) && mapcount) {
-			pr_alert("total_mapcount: %u, page_count(): %u\n",
-					mapcount, count);
-			if (PageTail(page))
-				dump_page(head, NULL);
-			dump_page(page, "total_mapcount(head) > 0");
-			BUG();
-		}
 		spin_unlock(&ds_queue->split_queue_lock);
 fail:		if (mapping)
 			xa_unlock(&mapping->i_pages);

diff --git a/mm/rmap.c b/mm/rmap.c
@@ -1742,12 +1742,14 @@ static int page_not_mapped(struct page *page)
 }
 
 /**
- * try_to_unmap - try to remove all page table mappings to a page
- * @page: the page to get unmapped
+ * try_to_unmap - try to remove all page table mappings to a page and the
+ *                compound page it belongs to
+ * @page: the page or the subpages of compound page to get unmapped
  * @flags: action and flags
  *
  * Tries to remove all the page table entries which are mapping this
- * page, used in the pageout path.  Caller must hold the page lock.
+ * page and the compound page it belongs to, used in the pageout path.
+ * Caller must hold the page lock.
  *
  * If unmap is successful, return true. Otherwise, false.
  */
@@ -1777,7 +1779,7 @@ bool try_to_unmap(struct page *page, enum ttu_flags flags)
 	else
 		rmap_walk(page, &rwc);
 
-	return !page_mapcount(page) ? true : false;
+	return !total_mapcount(page) ? true : false;
 }
 
 /**