Commit 40a899ed, authored by Zi Yan, committed by Linus Torvalds

mm: migrate: fix an incorrect call of prep_transhuge_page()

In, Andrea reported that during
memory hotplug/hot remove prep_transhuge_page() is called incorrectly on
non-THP pages for migration, when THP is on but THP migration is not
enabled.  This leads to a bad state of target pages for migration.

By inspecting the code, if called on a non-THP, prep_transhuge_page() will

 1) change the value of the mapping of (page + 2), since it is used for
    THP deferred list;

 2) change the lru value of (page + 1), since it is used for THP's dtor.

Both can lead to data corruption of these two pages.

Andrea said:
 "Pragmatically and from the point of view of the memory_hotplug subsys,
  the effect is a kernel crash when pages are being migrated during a
  memory hot remove offline and migration target pages are found in a
  bad state"

This patch fixes it by only calling prep_transhuge_page() when we are
certain that the target page is THP.

Fixes: 8135d892 ("mm: memory_hotplug: memory hotremove supports thp migration")
Signed-off-by: Zi Yan <>
Reported-by: Andrea Reale <>
Cc: Naoya Horiguchi <>
Cc: Michal Hocko <>
Cc: "Jérôme Glisse" <>
Cc: <>	[4.14]
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
parent bde5f6bc
......@@ -54,7 +54,7 @@ static inline struct page *new_page_nodemask(struct page *page,
new_page = __alloc_pages_nodemask(gfp_mask, order,
preferred_nid, nodemask);
if (new_page && PageTransHuge(page))
if (new_page && PageTransHuge(new_page))
return new_page;
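Review bot: The corrected test `if (new_page && PageTransHuge(new_page))` carries no comment saying why it checks the allocated page rather than the source `page`, and a one-word difference like this is easy to revert by accident in a later cleanup. Consider a short comment above the check noting that, per the commit message, the source can be a THP while the target is not (THP on, THP migration not enabled), so only the target's own state says whether prep_transhuge_page() is safe to call on it.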
