4.14-stable review patch. If anyone has any objections, please let me know.
------------------
commit 701270fa193aadf00bdcf607738f64997275d4c7 upstream.
Huge tmpfs testing showed that although collapse_shmem() recognizes a concurrently truncated or hole-punched page correctly, its handling of holes was liable to refill an emptied extent. Add check to stop that.
Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1811261522040.2275@eggly.anvils Fixes: f3f0e1d2150b2 ("khugepaged: add support of collapse for tmpfs/shmem pages") Signed-off-by: Hugh Dickins hughd@google.com Reviewed-by: Matthew Wilcox willy@infradead.org Cc: Kirill A. Shutemov kirill.shutemov@linux.intel.com Cc: Jerome Glisse jglisse@redhat.com Cc: Konstantin Khlebnikov khlebnikov@yandex-team.ru Cc: stable@vger.kernel.org [4.8+] Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Sasha Levin sashal@kernel.org --- mm/khugepaged.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
diff --git a/mm/khugepaged.c b/mm/khugepaged.c index 0a5bb3e8a8a3..d4a06afbeda4 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -1352,6 +1352,16 @@ static void collapse_shmem(struct mm_struct *mm, radix_tree_for_each_slot(slot, &mapping->page_tree, &iter, start) { int n = min(iter.index, end) - index;
+ /* + * Stop if extent has been hole-punched, and is now completely + * empty (the more obvious i_size_read() check would take an + * irq-unsafe seqlock on 32-bit). + */ + if (n >= HPAGE_PMD_NR) { + result = SCAN_TRUNCATED; + goto tree_locked; + } + /* * Handle holes in the radix tree: charge it from shmem and * insert relevant subpage of new_page into the radix-tree. @@ -1463,6 +1473,11 @@ static void collapse_shmem(struct mm_struct *mm, if (result == SCAN_SUCCEED && index < end) { int n = end - index;
+ /* Stop if extent has been truncated, and is now empty */ + if (n >= HPAGE_PMD_NR) { + result = SCAN_TRUNCATED; + goto tree_locked; + } if (!shmem_charge(mapping->host, n)) { result = SCAN_FAIL; goto tree_locked;