mm: memory-failure: fetch compound head after extra page refcnt is held

Page might become thp, huge page or being splited after compound head is
fetched but before page refcnt is bumped.  So hpage might be a tail page
leading to VM_BUG_ON_PAGE(PageTail(page)) in PageTransHuge().

Link: https://lkml.kernel.org/r/20230711055016.2286677-8-linmiaohe@huawei.com
Fixes: 415c64c1453a ("mm/memory-failure: split thp earlier in memory error handling")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

diff --git a/mm/memory-failure.c b/mm/memory-failure.c
index 36529f3c6554a24768b90291b07da7d0594ea5c0..133737580a7ecd76d3da7a881d2c0c6a33078834 100644 (file)
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -2175,8 +2175,6 @@ try_again:
                goto unlock_mutex;
        }
 
-       hpage = compound_head(p);
-
        /*
         * We need/can do nothing about count=0 pages.
         * 1) it's a free page, and therefore in safe hand:
@@ -2215,6 +2213,7 @@ try_again:
                }
        }
 
+       hpage = compound_head(p);
        if (PageTransHuge(hpage)) {
                /*
                 * The flag must be set after the refcount is bumped