mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory

jira KERNEL-249
cve CVE-2025-39883
Rebuild_History Non-Buildable kernel-4.18.0-553.87.1.el8_10
commit-author Miaohe Lin <linmiaohe@huawei.com>
commit d613f53
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-4.18.0-553.87.1.el8_10/d613f53c.failed

When I did memory failure tests, below panic occurs:

page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))
kernel BUG at include/linux/page-flags.h:616!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40
RIP: 0010:unpoison_memory+0x2f3/0x590
RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
FS:  00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 unpoison_memory+0x2f3/0x590
 simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110
 debugfs_attr_write+0x42/0x60
 full_proxy_write+0x5b/0x80
 vfs_write+0xd5/0x540
 ksys_write+0x64/0xe0
 do_syscall_64+0xb9/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f08f0314887
RSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887
RDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001
RBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009
R13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00
 </TASK>
Modules linked in: hwpoison_inject
---[ end trace 0000000000000000 ]---
RIP: 0010:unpoison_memory+0x2f3/0x590
RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
FS:  00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
Kernel panic - not syncing: Fatal exception
Kernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception ]---

The root cause is that unpoison_memory() tries to check the PG_HWPoison
flags of an uninitialized page.  So VM_BUG_ON_PAGE(PagePoisoned(page)) is
triggered.  This can be reproduced by below steps:

1.Offline memory block:

 echo offline > /sys/devices/system/memory/memory12/state

2.Get offlined memory pfn:

 page-types -b n -rlN

3.Write pfn to unpoison-pfn

 echo <pfn> > /sys/kernel/debug/hwpoison/unpoison-pfn

This scenario can be identified by pfn_to_online_page() returning NULL.
And ZONE_DEVICE pages are never expected, so we can simply fail if
pfn_to_online_page() == NULL to fix the bug.

Link: https://lkml.kernel.org/r/20250828024618.1744895-1-linmiaohe@huawei.com
Fixes: f1dd2cd ("mm, memory_hotplug: do not associate hotadded memory to zones until online")
	Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
	Suggested-by: David Hildenbrand <david@redhat.com>
	Acked-by: David Hildenbrand <david@redhat.com>
	Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
	Cc: <stable@vger.kernel.org>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit d613f53)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	mm/memory-failure.c

Author: PlaidCat

ciq/ciq_backports/kernel-4.18.0-553.87.1.el8_10/d613f53c.failed

@@ -0,0 +1,252 @@
+mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory
+
+jira KERNEL-249
+cve CVE-2025-39883
+Rebuild_History Non-Buildable kernel-4.18.0-553.87.1.el8_10
+commit-author Miaohe Lin <linmiaohe@huawei.com>
+commit d613f53c83ec47089c4e25859d5e8e0359f6f8da
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.87.1.el8_10/d613f53c.failed
+
+When I did memory failure tests, below panic occurs:
+
+page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))
+kernel BUG at include/linux/page-flags.h:616!
+Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+CPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40
+RIP: 0010:unpoison_memory+0x2f3/0x590
+RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
+RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
+RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
+RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
+R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
+R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
+FS:  00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ unpoison_memory+0x2f3/0x590
+ simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110
+ debugfs_attr_write+0x42/0x60
+ full_proxy_write+0x5b/0x80
+ vfs_write+0xd5/0x540
+ ksys_write+0x64/0xe0
+ do_syscall_64+0xb9/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f08f0314887
+RSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887
+RDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001
+RBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009
+R13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00
+ </TASK>
+Modules linked in: hwpoison_inject
+---[ end trace 0000000000000000 ]---
+RIP: 0010:unpoison_memory+0x2f3/0x590
+RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
+RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
+RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
+RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
+R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
+R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
+FS:  00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
+Kernel panic - not syncing: Fatal exception
+Kernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+---[ end Kernel panic - not syncing: Fatal exception ]---
+
+The root cause is that unpoison_memory() tries to check the PG_HWPoison
+flags of an uninitialized page.  So VM_BUG_ON_PAGE(PagePoisoned(page)) is
+triggered.  This can be reproduced by below steps:
+
+1.Offline memory block:
+
+ echo offline > /sys/devices/system/memory/memory12/state
+
+2.Get offlined memory pfn:
+
+ page-types -b n -rlN
+
+3.Write pfn to unpoison-pfn
+
+ echo <pfn> > /sys/kernel/debug/hwpoison/unpoison-pfn
+
+This scenario can be identified by pfn_to_online_page() returning NULL. 
+And ZONE_DEVICE pages are never expected, so we can simply fail if
+pfn_to_online_page() == NULL to fix the bug.
+
+Link: https://lkml.kernel.org/r/20250828024618.1744895-1-linmiaohe@huawei.com
+Fixes: f1dd2cd13c4b ("mm, memory_hotplug: do not associate hotadded memory to zones until online")
+	Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+	Suggested-by: David Hildenbrand <david@redhat.com>
+	Acked-by: David Hildenbrand <david@redhat.com>
+	Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
+	Cc: <stable@vger.kernel.org>
+	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+(cherry picked from commit d613f53c83ec47089c4e25859d5e8e0359f6f8da)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	mm/memory-failure.c
+diff --cc mm/memory-failure.c
+index 5f584fb174dc,df6ee59527dd..000000000000
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@@ -1776,75 -2568,98 +1776,98 @@@ int unpoison_memory(unsigned long pfn
+  	static DEFINE_RATELIMIT_STATE(unpoison_rs, DEFAULT_RATELIMIT_INTERVAL,
+  					DEFAULT_RATELIMIT_BURST);
+  
+++<<<<<<< HEAD
+ +	if (!pfn_valid(pfn))
+ +		return -ENXIO;
+ +
+ +	p = pfn_to_page(pfn);
+ +	page = compound_head(p);
+++=======
++ 	p = pfn_to_online_page(pfn);
++ 	if (!p)
++ 		return -EIO;
++ 	folio = page_folio(p);
++ 
++ 	mutex_lock(&mf_mutex);
++ 
++ 	if (hw_memory_failure) {
++ 		unpoison_pr_info("%#lx: disabled after HW memory failure\n",
++ 				 pfn, &unpoison_rs);
++ 		ret = -EOPNOTSUPP;
++ 		goto unlock_mutex;
++ 	}
++ 
++ 	if (is_huge_zero_folio(folio)) {
++ 		unpoison_pr_info("%#lx: huge zero page is not supported\n",
++ 				 pfn, &unpoison_rs);
++ 		ret = -EOPNOTSUPP;
++ 		goto unlock_mutex;
++ 	}
+++>>>>>>> d613f53c83ec (mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory)
+  
+  	if (!PageHWPoison(p)) {
+ -		unpoison_pr_info("%#lx: page was already unpoisoned\n",
+ +		unpoison_pr_info("Unpoison: Page was already unpoisoned %#lx\n",
+  				 pfn, &unpoison_rs);
+ -		goto unlock_mutex;
+ +		return 0;
+  	}
+  
+ -	if (folio_ref_count(folio) > 1) {
+ -		unpoison_pr_info("%#lx: someone grabs the hwpoison page\n",
+ +	if (page_count(page) > 1) {
+ +		unpoison_pr_info("Unpoison: Someone grabs the hwpoison page %#lx\n",
+  				 pfn, &unpoison_rs);
+ -		goto unlock_mutex;
+ +		return 0;
+  	}
+  
+ -	if (folio_test_slab(folio) || folio_test_pgtable(folio) ||
+ -	    folio_test_reserved(folio) || folio_test_offline(folio))
+ -		goto unlock_mutex;
+ -
+ -	if (folio_mapped(folio)) {
+ -		unpoison_pr_info("%#lx: someone maps the hwpoison page\n",
+ +	if (page_mapped(page)) {
+ +		unpoison_pr_info("Unpoison: Someone maps the hwpoison page %#lx\n",
+  				 pfn, &unpoison_rs);
+ -		goto unlock_mutex;
+ +		return 0;
+  	}
+  
+ -	if (folio_mapping(folio)) {
+ -		unpoison_pr_info("%#lx: the hwpoison page has non-NULL mapping\n",
+ +	if (page_mapping(page)) {
+ +		unpoison_pr_info("Unpoison: the hwpoison page has non-NULL mapping %#lx\n",
+  				 pfn, &unpoison_rs);
+ -		goto unlock_mutex;
+ +		return 0;
+  	}
+  
+ -	ghp = get_hwpoison_page(p, MF_UNPOISON);
+ -	if (!ghp) {
+ -		if (folio_test_hugetlb(folio)) {
+ -			huge = true;
+ -			count = folio_free_raw_hwp(folio, false);
+ -			if (count == 0)
+ -				goto unlock_mutex;
+ -		}
+ -		ret = folio_test_clear_hwpoison(folio) ? 0 : -EBUSY;
+ -	} else if (ghp < 0) {
+ -		if (ghp == -EHWPOISON) {
+ -			ret = put_page_back_buddy(p) ? 0 : -EBUSY;
+ -		} else {
+ -			ret = ghp;
+ -			unpoison_pr_info("%#lx: failed to grab page\n",
+ -					 pfn, &unpoison_rs);
+ -		}
+ -	} else {
+ -		if (folio_test_hugetlb(folio)) {
+ -			huge = true;
+ -			count = folio_free_raw_hwp(folio, false);
+ -			if (count == 0) {
+ -				folio_put(folio);
+ -				goto unlock_mutex;
+ -			}
+ -		}
+ +	/*
+ +	 * unpoison_memory() can encounter thp only when the thp is being
+ +	 * worked by memory_failure() and the page lock is not held yet.
+ +	 * In such case, we yield to memory_failure() and make unpoison fail.
+ +	 */
+ +	if (!PageHuge(page) && PageTransHuge(page)) {
+ +		unpoison_pr_info("Unpoison: Memory failure is now running on %#lx\n",
+ +				 pfn, &unpoison_rs);
+ +		return 0;
+ +	}
+  
+ -		folio_put(folio);
+ -		if (TestClearPageHWPoison(p)) {
+ -			folio_put(folio);
+ -			ret = 0;
+ -		}
+ +	if (!get_hwpoison_page(p, flags, 0)) {
+ +		if (TestClearPageHWPoison(p))
+ +			num_poisoned_pages_dec();
+ +		unpoison_pr_info("Unpoison: Software-unpoisoned free page %#lx\n",
+ +				 pfn, &unpoison_rs);
+ +		return 0;
+  	}
+  
+ -unlock_mutex:
+ -	mutex_unlock(&mf_mutex);
+ -	if (!ret) {
+ -		if (!huge)
+ -			num_poisoned_pages_sub(pfn, 1);
+ -		unpoison_pr_info("%#lx: software-unpoisoned page\n",
+ -				 page_to_pfn(p), &unpoison_rs);
+ +	lock_page(page);
+ +	/*
+ +	 * This test is racy because PG_hwpoison is set outside of page lock.
+ +	 * That's acceptable because that won't trigger kernel panic. Instead,
+ +	 * the PG_hwpoison page will be caught and isolated on the entrance to
+ +	 * the free buddy page pool.
+ +	 */
+ +	if (TestClearPageHWPoison(page)) {
+ +		unpoison_pr_info("Unpoison: Software-unpoisoned page %#lx\n",
+ +				 pfn, &unpoison_rs);
+ +		num_poisoned_pages_dec();
+ +		freeit = 1;
+  	}
+ -	return ret;
+ +	unlock_page(page);
+ +
+ +	put_page(page);
+ +	if (freeit && !(pfn == my_zero_pfn(0) && page_count(p) == 1))
+ +		put_page(page);
+ +
+ +	return 0;
+  }
+  EXPORT_SYMBOL(unpoison_memory);
+  
+* Unmerged path mm/memory-failure.c