On Wed, 6 Mar 2024 21:27:30 +0000 "Matthew Wilcox (Oracle)" <willy@xxxxxxxxxxxxx> wrote:
> My recent change to put_pages_list() dereferences folio->lru.next after
> returning the folio to the page allocator. Usually this is now on the
> pcp list with other free folios, so we try to free an already-free
> folio. This only happens with lists that have more than 15 entries, so
> it wasn't immediately discovered. Revert to using list_for_each_safe()
> so we dereference lru.next before disposing of the folio.
>
> Reported-by: "Borah, Chaitanya Kumar" <chaitanya.kumar.borah@xxxxxxxxx>
I'm unable to find the bug report on linux-mm. Help please?
> Fixes: 24835f899c01 (mm: use free_unref_folios() in put_pages_list())
> Signed-off-by: Matthew Wilcox (Oracle) <willy@xxxxxxxxxxxxx>
> ---
> mm/swap.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/mm/swap.c b/mm/swap.c
> index a910af21ba68..1d4b7713605d 100644
> --- a/mm/swap.c
> +++ b/mm/swap.c
> @@ -139,10 +139,10 @@ EXPORT_SYMBOL(__folio_put);
> void put_pages_list(struct list_head *pages)
> {
> struct folio_batch fbatch;
> - struct folio *folio;
> + struct folio *folio, *next;
>
> folio_batch_init(&fbatch);
> - list_for_each_entry(folio, pages, lru) {
> + list_for_each_entry_safe(folio, next, pages, lru) {
> if (!folio_put_testzero(folio))
> continue;
> if (folio_test_hugetlb(folio)) {
> --
> 2.43.0
