mm/zone_device: reinitialize large zone device private folios

Reinitialize metadata for large zone device private folios in
zone_device_page_init prior to creating a higher-order zone device private
folio. This step is necessary when the folio's order changes dynamically
between zone_device_page_init calls to avoid building a corrupt folio. As
part of the metadata reinitialization, the dev_pagemap must be passed in
from the caller because the pgmap stored in the folio page may have been
overwritten with a compound head.

Without this fix, individual pages could have invalid pgmap fields and
flags (with PG_locked being notably problematic) due to prior different
order allocations, which can, and will, result in kernel crashes.

Link: https://lkml.kernel.org/r/20260116111325.1736137-2-francois.dugast@intel.com
Fixes: d245f9b4ab80 ("mm/zone_device: support large zone device private folios")
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Francois Dugast <francois.dugast@intel.com>
Acked-by: Felix Kuehling <felix.kuehling@amd.com>
Reviewed-by: Balbir Singh <balbirs@nvidia.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Zi Yan <ziy@nvidia.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: "Christophe Leroy (CS GROUP)" <chleroy@kernel.org>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: "Christian König" <christian.koenig@amd.com>
Cc: David Airlie <airlied@gmail.com>
Cc: Simona Vetter <simona@ffwll.ch>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Lyude Paul <lyude@redhat.com>
Cc: Danilo Krummrich <dakr@kernel.org>
Cc: David Hildenbrand <david@kernel.org>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Leon Romanovsky <leon@kernel.org>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Liam R. Howlett <Liam.Howlett@oracle.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Michal Hocko <mhocko@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

authored by Matthew Brost and committed by Andrew Morton 12b2285b cbbbf779

+47 -9
+1 -1
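--- a/arch/powerpc/kvm/book3s_hv_uvmem.c
+++ b/arch/powerpc/kvm/book3s_hv_uvmem.c
@@ -723,7 +723,7 @@
 
 dpage = pfn_to_page(uvmem_pfn);
 dpage->zone_device_data = pvt;
-zone_device_page_init(dpage, 0);
+zone_device_page_init(dpage, &kvmppc_uvmem_pgmap, 0);
 return dpage;
 out_clear:
 spin_lock(&kvmppc_uvmem_bitmap_lock);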
+1 -1
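--- a/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_migrate.c
@@ -217,7 +217,7 @@
 page = pfn_to_page(pfn);
 svm_range_bo_ref(prange->svm_bo);
 page->zone_device_data = prange->svm_bo;
-zone_device_page_init(page, 0);
+zone_device_page_init(page, page_pgmap(page), 0);
 }
 
 static void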
+1 -1
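--- a/drivers/gpu/drm/drm_pagemap.c
+++ b/drivers/gpu/drm/drm_pagemap.c
@@ -197,7 +197,7 @@
 struct drm_pagemap_zdd *zdd)
 {
 page->zone_device_data = drm_pagemap_zdd_get(zdd);
-zone_device_page_init(page, 0);
+zone_device_page_init(page, page_pgmap(page), 0);
 }
 
 /**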
+1 -1
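--- a/drivers/gpu/drm/nouveau/nouveau_dmem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_dmem.c
@@ -425,7 +425,7 @@
 order = ilog2(DMEM_CHUNK_NPAGES);
 }
 
-zone_device_folio_init(folio, order);
+zone_device_folio_init(folio, page_pgmap(folio_page(folio, 0)), order);
 return page;
 }
 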
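Review bot: The pgmap passed here is read back from the folio's first page with `page_pgmap(folio_page(folio, 0))`, while the commit message says the pgmap has to come from the caller because the value stored in the page may have been overwritten with a compound head. If that page was last used as a tail of a differently sized folio, this lookup presumably depends on the stale state the new reinitialization is meant to discard (page_pgmap() is defined outside this page, so confirm how it resolves). Passing the driver's own dev_pagemap pointer, as the powerpc caller does with `&kvmppc_uvmem_pgmap`, would remove that dependency. The same pattern appears in lib/test_hmm.c, which also passes a caller-chosen order, and in kfd_migrate.c and drm_pagemap.c with order 0; the enclosing function here starts outside the hunk.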
+6 -3
include/linux/memremap.h
··· 224 } 225 226 #ifdef CONFIG_ZONE_DEVICE 227 - void zone_device_page_init(struct page *page, unsigned int order); 228 void *memremap_pages(struct dev_pagemap *pgmap, int nid); 229 void memunmap_pages(struct dev_pagemap *pgmap); 230 void *devm_memremap_pages(struct device *dev, struct dev_pagemap *pgmap); ··· 235 236 unsigned long memremap_compat_align(void); 237 238 - static inline void zone_device_folio_init(struct folio *folio, unsigned int order) 239 { 240 - zone_device_page_init(&folio->page, order); 241 if (order) 242 folio_set_large_rmappable(folio); 243 }
··· 224 } 225 226 #ifdef CONFIG_ZONE_DEVICE 227 + void zone_device_page_init(struct page *page, struct dev_pagemap *pgmap, 228 + unsigned int order); 229 void *memremap_pages(struct dev_pagemap *pgmap, int nid); 230 void memunmap_pages(struct dev_pagemap *pgmap); 231 void *devm_memremap_pages(struct device *dev, struct dev_pagemap *pgmap); ··· 234 235 unsigned long memremap_compat_align(void); 236 237 + static inline void zone_device_folio_init(struct folio *folio, 238 + struct dev_pagemap *pgmap, 239 + unsigned int order) 240 { 241 + zone_device_page_init(&folio->page, pgmap, order); 242 if (order) 243 folio_set_large_rmappable(folio); 244 }
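Review bot: Neither the `zone_device_page_init()` prototype nor the `zone_device_folio_init()` wrapper documents the new `pgmap` argument, and the callers in this commit disagree on where it comes from. A short comment above the prototype would settle it, for example `/* @pgmap: the dev_pagemap that owns @page; pass the driver's own pointer, the pgmap stored in the page may be stale after a previous higher-order use. */`. That wording follows the commit message; adjust it if page-derived lookups are meant to be acceptable.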
+3 -1
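--- a/lib/test_hmm.c
+++ b/lib/test_hmm.c
@@ -662,7 +662,9 @@
 goto error;
 }
 
-zone_device_folio_init(page_folio(dpage), order);
+zone_device_folio_init(page_folio(dpage),
+page_pgmap(folio_page(page_folio(dpage), 0)),
+order);
 dpage->zone_device_data = rpage;
 return dpage;
 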
+34 -1
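--- a/mm/memremap.c
+++ b/mm/memremap.c
@@ -477,9 +477,42 @@
 }
 }
 
-void zone_device_page_init(struct page *page, unsigned int order)
+void zone_device_page_init(struct page *page, struct dev_pagemap *pgmap,
+unsigned int order)
 {
+struct page *new_page = page;
+unsigned int i;
+
 VM_WARN_ON_ONCE(order > MAX_ORDER_NR_PAGES);
+
+for (i = 0; i < (1UL << order); ++i, ++new_page) {
+struct folio *new_folio = (struct folio *)new_page;
+
+/*
+* new_page could have been part of previous higher order folio
+* which encodes the order, in page + 1, in the flags bits. We
+* blindly clear bits which could have set my order field here,
+* including page head.
+*/
+new_page->flags.f &= ~0xffUL; /* Clear possible order, page head */
+
+#ifdef NR_PAGES_IN_LARGE_FOLIO
+/*
+* This pointer math looks odd, but new_page could have been
+* part of a previous higher order folio, which sets _nr_pages
+* in page + 1 (new_page). Therefore, we use pointer casting to
+* correctly locate the _nr_pages bits within new_page which
+* could have modified by previous higher order folio.
+*/
+((struct folio *)(new_page - 1))->_nr_pages = 0;
+#endif
+
+new_folio->mapping = NULL;
+new_folio->pgmap = pgmap; /* Also clear compound head */
+new_folio->share = 0; /* fsdax only, unused for device private */
+VM_WARN_ON_FOLIO(folio_ref_count(new_folio), new_folio);
+VM_WARN_ON_FOLIO(!folio_is_zone_device(new_folio), new_folio);
+}
 
 /*
 * Drivers shouldn't be allocating pages after calling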
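Review bot: The new loop in zone_device_page_init() rewrites `1UL << order` struct pages, but the only bound on `order` is the existing `VM_WARN_ON_ONCE(order > MAX_ORDER_NR_PAGES)`, which by its name compares an order against a page count and, being a VM_WARN, presumably compiles away without CONFIG_DEBUG_VM. An oversized order from a driver would then clear flags, mapping and pgmap on struct pages beyond the intended folio, and the two VM_WARN_ON_FOLIO checks run only after those writes. Consider comparing against the maximum order and returning early, e.g. `if (WARN_ON_ONCE(order > MAX_PAGE_ORDER)) return;`, after confirming the right constant for this tree. The function body continues past the end of the hunk.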