From: "Matthew Wilcox (Oracle)"
To: Andrew Morton, linux-mm@kvack.org
Cc: "Matthew Wilcox (Oracle)", "Borah, Chaitanya Kumar"
Subject: [PATCH] mm: Fix list corruption in put_pages_list
Date: Wed, 6 Mar 2024 21:27:30 +0000
Message-ID: <20240306212749.1823380-1-willy@infradead.org>

My recent change to put_pages_list() dereferences folio->lru.next after returning the folio to the page allocator. Usually this is now on the pcp list with other free folios, so we try to free an already-free folio. This only happens with lists that have more than 15 entries, so it wasn't immediately discovered.

Revert to using list_for_each_safe() so we dereference lru.next before disposing of the folio.

Reported-by: "Borah, Chaitanya Kumar"
Fixes: 24835f899c01 (mm: use free_unref_folios() in put_pages_list())
Signed-off-by: Matthew Wilcox (Oracle)
--- mm/swap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mm/swap.c b/mm/swap.c index a910af21ba68..1d4b7713605d 100644 --- a/mm/swap.c +++ b/mm/swap.c @@ -139,10 +139,10 @@ EXPORT_SYMBOL(__folio_put); void put_pages_list(struct list_head *pages) { struct folio_batch fbatch; - struct folio *folio; + struct folio *folio, *next; folio_batch_init(&fbatch); - list_for_each_entry(folio, pages, lru) { + list_for_each_entry_safe(folio, next, pages, lru) { if (!folio_put_testzero(folio)) continue; if (folio_test_hugetlb(folio)) { -- 2.43.0
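Review bot: The list_for_each_entry_safe() line in put_pages_list() needs a short comment saying why the _safe variant is required. Nothing in the visible loop body removes an entry from the list, so the iterator looks like a candidate for simplification back to list_for_each_entry(), which is the change that introduced the bug. Per the commit message, the folio can already be back with the page allocator by the time the iterator advances, so lru.next has to be read beforehand; saying so at the loop would guard against a repeat of the use-after-free. Separately, the Fixes: trailer gives the subject in bare parentheses, where the usual kernel form puts it in double quotes inside the parentheses.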