mm/hugetlb: fix getting refcount 0 page in hugetlb_fault()
author Naoya Horiguchi <>
Wed, 11 Feb 2015 23:25:25 +0000 (15:25 -0800)
committer Linus Torvalds <>
Thu, 12 Feb 2015 01:06:01 +0000 (17:06 -0800)

When running the test which causes the race as shown in the previous patch,
we can hit the BUG "get_page() on refcount 0 page" in hugetlb_fault().

This race happens when the pte turns into a migration entry just after the first
check of is_hugetlb_entry_migration() in hugetlb_fault() returned false.
To fix this, we need to check pte_present() again after huge_ptep_get().

This patch also reorders taking ptl and doing pte_page(), because
pte_page() should be done under ptl.  Due to this reordering, we need to use
trylock_page() in the page != pagecache_page case to respect locking order.

Fixes: 66aebce747ea ("hugetlb: fix race condition in hugetlb_fault()")
Signed-off-by: Naoya Horiguchi <>
Cc: Hugh Dickins <>
Cc: James Hogan <>
Cc: David Rientjes <>
Cc: Mel Gorman <>
Cc: Johannes Weiner <>
Cc: Michal Hocko <>
Cc: Rik van Riel <>
Cc: Andrea Arcangeli <>
Cc: Luiz Capitulino <>
Cc: Nishanth Aravamudan <>
Cc: Lee Schermerhorn <>
Cc: Steve Capper <>
Cc: <> [3.2+]
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>