From: Miaohe Lin
Date: Tue, 11 Jul 2023 05:50:15 +0000 (+0800)
Subject: mm: memory-failure: fetch compound head after extra page refcnt is held
X-Git-Tag: v6.6.7~1970^2~409
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a363d1224b5add67a7cafab9fdb9f19d569fbe98;p=platform%2Fkernel%2Flinux-starfive.git

mm: memory-failure: fetch compound head after extra page refcnt is held

Page might become thp, huge page or be split after compound head is
fetched but before page refcnt is bumped. So hpage might be a tail page
leading to VM_BUG_ON_PAGE(PageTail(page)) in PageTransHuge().

Link: https://lkml.kernel.org/r/20230711055016.2286677-8-linmiaohe@huawei.com
Fixes: 415c64c1453a ("mm/memory-failure: split thp earlier in memory error handling")
Signed-off-by: Miaohe Lin
Acked-by: Naoya Horiguchi
Signed-off-by: Andrew Morton
---
diff --git a/mm/memory-failure.c b/mm/memory-failure.c index 36529f3..1337375 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -2175,8 +2175,6 @@ try_again: goto unlock_mutex; } - hpage = compound_head(p); - /* * We need/can do nothing about count=0 pages. * 1) it's a free page, and therefore in safe hand: @@ -2215,6 +2213,7 @@ try_again: } }   + hpage = compound_head(p); if (PageTransHuge(hpage)) { /* * The flag must be set after the refcount is bumped
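Review bot: In the first hunk (@@ -2175,8 +2175,6 @@), dropping `hpage = compound_head(p);` ahead of the "count=0 pages" block leaves hpage unassigned for everything between this point and the new assignment near line 2215, and the diff context does not show that stretch. Please confirm that nothing in it reads hpage. Because both hunks sit under the `try_again:` label, a read there on a retry pass would silently pick up the head computed on the previous pass rather than fail visibly, which is the same stale-head condition the commit message describes.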
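Review bot: In the second hunk (@@ -2215,6 +2213,7 @@), the added `hpage = compound_head(p);` carries no comment, although its position after the refcount is taken is the entire fix. The neighbouring block already documents its own ordering constraint ("The flag must be set after the refcount is bumped"); a matching one-line comment above the new assignment, for example `/* fetch the head only once the extra refcount is held; p may have changed compound state before that */`, would keep a later cleanup from hoisting the lookup back above the refcount logic and reintroducing the VM_BUG_ON_PAGE(PageTail(page)) named in the commit message.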