HWPOISON: avoid grabbing the page count multiple times during madvise injection

If page is double referenced in madvise_hwpoison() and __memory_failure(), remove_mapping() will fail because it expects page_count=2. Fix it by not grabbing extra page count in __memory_failure(). Signed-off-by: Wu Fengguang <fengguang.wu@intel.com> Signed-off-by: Andi Kleen <ak@linux.intel.com>

HWPOISON: avoid grabbing the page count multiple times during madvise injection
If page is double referenced in madvise_hwpoison() and __memory_failure(), remove_mapping() will fail because it expects page_count=2. Fix it by not grabbing extra page count in __memory_failure(). Signed-off-by: Wu Fengguang <fengguang.wu@intel.com> Signed-off-by: Andi Kleen <ak@linux.intel.com>
Wu Fengguang · Andi Kleen
1 parent a7560fc80f
Showing 2 changed files with 4 additions and 5 deletions Side-by-side Diff
mm/madvise.c
mm/memory-failure.c
@@ -238,7 +238,6 @@
 		       page_to_pfn(p), start);
 		/* Ignore return value for now */
 		__memory_failure(page_to_pfn(p), 0, 1);
-		put_page(p);
 	}
 	return ret;
 }
@@ -627,7 +627,7 @@
 }
  
 static int page_action(struct page_state *ps, struct page *p,
-			unsigned long pfn, int ref)
+			unsigned long pfn)
 {
 	int result;
 	int count;
@@ -635,7 +635,7 @@
 	result = ps->action(p, pfn);
 	action_result(pfn, ps->msg, result);
  
-	count = page_count(p) - 1 - ref;
+	count = page_count(p) - 1;
 	if (count != 0)
 		printk(KERN_ERR
 		       "MCE %#lx: %s page still referenced by %d users\n",
@@ -773,7 +773,7 @@
 	 * In fact it's dangerous to directly bump up page count from 0,
 	 * that may make page_freeze_refs()/page_unfreeze_refs() mismatch.
 	 */
-	if (!get_page_unless_zero(compound_head(p))) {
+	if (!ref && !get_page_unless_zero(compound_head(p))) {
 		action_result(pfn, "free or high order kernel", IGNORED);
 		return PageBuddy(compound_head(p)) ? 0 : -EBUSY;
 	}
@@ -821,7 +821,7 @@
 	res = -EBUSY;
 	for (ps = error_states;; ps++) {
 		if (((p->flags | lru_flag)& ps->mask) == ps->res) {
-			res = page_action(ps, p, pfn, ref);
+			res = page_action(ps, p, pfn);
 			break;
 		}
 	}
...	...	@@ -238,7 +238,6 @@
238	238	page_to_pfn(p), start);
239	239	/* Ignore return value for now */
240	240	__memory_failure(page_to_pfn(p), 0, 1);
241		- put_page(p);
242	241	}
243	242	return ret;
244	243	}
...	...	@@ -627,7 +627,7 @@
627	627	}
628	628
629	629	static int page_action(struct page_state ps, struct page p,
630		- unsigned long pfn, int ref)
	630	+ unsigned long pfn)
631	631	{
632	632	int result;
633	633	int count;
...	...	@@ -635,7 +635,7 @@
635	635	result = ps->action(p, pfn);
636	636	action_result(pfn, ps->msg, result);
637	637
638		- count = page_count(p) - 1 - ref;
	638	+ count = page_count(p) - 1;
639	639	if (count != 0)
640	640	printk(KERN_ERR
641	641	"MCE %#lx: %s page still referenced by %d users\n",
...	...	@@ -773,7 +773,7 @@
773	773	* In fact it's dangerous to directly bump up page count from 0,
774	774	* that may make page_freeze_refs()/page_unfreeze_refs() mismatch.
775	775	*/
776		- if (!get_page_unless_zero(compound_head(p))) {
	776	+ if (!ref && !get_page_unless_zero(compound_head(p))) {
777	777	action_result(pfn, "free or high order kernel", IGNORED);
778	778	return PageBuddy(compound_head(p)) ? 0 : -EBUSY;
779	779	}
...	...	@@ -821,7 +821,7 @@
821	821	res = -EBUSY;
822	822	for (ps = error_states;; ps++) {
823	823	if (((p->flags \| lru_flag)& ps->mask) == ps->res) {
824		- res = page_action(ps, p, pfn, ref);
	824	+ res = page_action(ps, p, pfn);
825	825	break;
826	826	}
827	827	}