[PATCH 3/8] mm: page_alloc: fix highatomic landing on the wrong buddy list

From: Johannes Weiner
Date: Mon Aug 21 2023 - 14:38:00 EST

The following triggers from a custom debug check:

[ 89.401754] page type is 3, passed migratetype is 1 (nr=8)
[ 89.407930] WARNING: CPU: 2 PID: 75 at mm/page_alloc.c:706 __free_one_page+0x5ea/0x6b0
[ 89.415847] Modules linked in:
[ 89.418902] CPU: 2 PID: 75 Comm: kswapd0 Not tainted 6.5.0-rc1-00013-g42be896e9f77-dirty #233
[ 89.427415] Hardware name: Micro-Star International Co., Ltd. MS-7B98/Z390-A PRO (MS-7B98), BIOS 1.80 12/25/2019
[ 89.437572] RIP: 0010:__free_one_page+0x5ea/0x6b0
[ 89.442271] Code: <snip>
[ 89.461003] RSP: 0000:ffffc900001acea8 EFLAGS: 00010092
[ 89.466221] RAX: 0000000000000036 RBX: 0000000000000003 RCX: 0000000000000000
[ 89.473349] RDX: 0000000000000106 RSI: 0000000000000027 RDI: 00000000ffffffff
[ 89.480478] RBP: ffffffff82ca4780 R08: 0000000000000001 R09: 0000000000000000
[ 89.487601] R10: ffffffff8285d1e0 R11: ffffffff8285d1e0 R12: 0000000000000000
[ 89.494725] R13: 0000000000063448 R14: ffffea00018d1200 R15: 0000000000063401
[ 89.501853] FS: 0000000000000000(0000) GS:ffff88806e680000(0000) knlGS:0000000000000000
[ 89.509930] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 89.515671] CR2: 00007fc66488b006 CR3: 00000000190b5001 CR4: 00000000003706e0
[ 89.522798] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 89.529924] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 89.537048] Call Trace:
[ 89.539498] <IRQ>
[ 89.541517] ? __free_one_page+0x5ea/0x6b0
[ 89.545619] ? __warn+0x7d/0x130
[ 89.548852] ? __free_one_page+0x5ea/0x6b0
[ 89.552946] ? report_bug+0x18d/0x1c0
[ 89.556607] ? handle_bug+0x3a/0x70
[ 89.560097] ? exc_invalid_op+0x13/0x60
[ 89.563933] ? asm_exc_invalid_op+0x16/0x20
[ 89.568113] ? __free_one_page+0x5ea/0x6b0
[ 89.572210] ? __free_one_page+0x5ea/0x6b0
[ 89.576306] ? refill_obj_stock+0xf5/0x1c0
[ 89.580399] free_one_page.constprop.0+0x5c/0xe0

This is a HIGHATOMIC page being freed to the MOVABLE buddy list.

Highatomic pages have their own buddy freelists, but not their own
pcplist. free_one_page() adjusts the migratetype so they can hitchhike
on the MOVABLE pcplist. However, when the pcp trylock then fails,
they're fed directly to the buddy list - with the incorrect type.

Use MIGRATE_MOVABLE only for the pcp, not for the buddy bypass.

Signed-off-by: Johannes Weiner <hannes@xxxxxxxxxxx>
---
mm/page_alloc.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 20973887999b..a5e36d186893 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -2403,7 +2403,7 @@ void free_unref_page(struct page *page, unsigned int order)
struct per_cpu_pages *pcp;
struct zone *zone;
unsigned long pfn = page_to_pfn(page);
- int migratetype;
+ int migratetype, pcpmigratetype;

if (!free_pages_prepare(page, order, FPI_NONE))
return;
@@ -2415,20 +2415,20 @@ void free_unref_page(struct page *page, unsigned int order)
* areas back if necessary. Otherwise, we may have to free
* excessively into the page allocator
*/
- migratetype = get_pfnblock_migratetype(page, pfn);
+ migratetype = pcpmigratetype = get_pfnblock_migratetype(page, pfn);
if (unlikely(migratetype >= MIGRATE_PCPTYPES)) {
if (unlikely(is_migrate_isolate(migratetype))) {
free_one_page(page_zone(page), page, pfn, order, migratetype, FPI_NONE);
return;
}
- migratetype = MIGRATE_MOVABLE;
+ pcpmigratetype = MIGRATE_MOVABLE;
}

zone = page_zone(page);
pcp_trylock_prepare(UP_flags);
pcp = pcp_spin_trylock(zone->per_cpu_pageset);
if (pcp) {
- free_unref_page_commit(zone, pcp, page, migratetype, order);
+ free_unref_page_commit(zone, pcp, page, pcpmigratetype, order);
pcp_spin_unlock(pcp);
} else {
free_one_page(zone, page, pfn, order, migratetype, FPI_NONE);
--
2.41.0