mm: fix crashes from deferred split racing folio migration

Even on 6.10-rc6, I've been seeing elusive "Bad page state"s (often on flags when freeing, yet the flags shown are not bad: PG_locked had been set and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s from deferred_split_scan()'s folio_put(), and a variety of other BUG and WARN symptoms implying double free by deferred split and large folio migration. 6.7 commit 9bcef59 ("mm: memcg: fix split queue list crash when large folio migration") was right to fix the memcg-dependent locking broken in 85ce2c5 ("memcontrol: only transfer the memcg data for migration"), but missed a subtlety of deferred_split_scan(): it moves folios to its own local list to work on them without split_queue_lock, during which time folio->_deferred_list is not empty, but even the "right" lock does nothing to secure the folio and the list it is on. Fortunately, deferred_split_scan() is careful to use folio_try_get(): so folio_migrate_mapping() can avoid the race by folio_undo_large_rmappable() while the old folio's reference count is temporarily frozen to 0 - adding such a freeze in the !mapping case too (originally, folio lock and unmapping and no swap cache left an anon folio unreachable, so no freezing was needed there: but the deferred split queue offers a way to reach it). Link: https://lkml.kernel.org/r/29c83d1a-11ca-b6c9-f92e-6ccb322af510@google.com Fixes: 9bcef59 ("mm: memcg: fix split queue list crash when large folio migration") Signed-off-by: Hugh Dickins <hughd@google.com> Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com> Cc: Barry Song <baohua@kernel.org> Cc: David Hildenbrand <david@redhat.com> Cc: Hugh Dickins <hughd@google.com> Cc: Kefeng Wang <wangkefeng.wang@huawei.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: Nhat Pham <nphamcs@gmail.com> Cc: Yang Shi <shy828301@gmail.com> Cc: Zi Yan <ziy@nvidia.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

Author: Hugh Dickins

mm/memcontrol.c

@@ -7823,17 +7823,6 @@ void mem_cgroup_migrate(struct folio *old, struct folio *new)
 
 /* Transfer the charge and the css ref */
 commit_charge(new, memcg);
-/*
- * If the old folio is a large folio and is in the split queue, it needs
- * to be removed from the split queue now, in case getting an incorrect
- * split queue in destroy_large_folio() after the memcg of the old folio
- * is cleared.
- *
- * In addition, the old folio is about to be freed after migration, so
- * removing from the split queue a bit earlier seems reasonable.
- */
-if (folio_test_large(old) && folio_test_large_rmappable(old))
-folio_undo_large_rmappable(old);
 old->memcg_data = 0;
 }
 

mm/migrate.c

@@ -415,6 +415,15 @@ int folio_migrate_mapping(struct address_space *mapping,
 if (folio_ref_count(folio) != expected_count)
 return -EAGAIN;
 
+/* Take off deferred split queue while frozen and memcg set */
+if (folio_test_large(folio) &&
+ folio_test_large_rmappable(folio)) {
+if (!folio_ref_freeze(folio, expected_count))
+return -EAGAIN;
+folio_undo_large_rmappable(folio);
+folio_ref_unfreeze(folio, expected_count);
+}
+
 /* No turning back from here */
 newfolio->index = folio->index;
 newfolio->mapping = folio->mapping;
@@ -433,6 +442,10 @@ int folio_migrate_mapping(struct address_space *mapping,
 return -EAGAIN;
 }
 
+/* Take off deferred split queue while frozen and memcg set */
+if (folio_test_large(folio) && folio_test_large_rmappable(folio))
+folio_undo_large_rmappable(folio);
+
 /*
  * Now we know that no one else is looking at the folio:
  * no turning back from here.