Re: [PATCH] mm/compaction: guard move_freelist_head() against invalid freepage

Next message: Seth Forshee: "[PATCH 2/2] firmware: arm_ffa: Fall back to minimum buffer size if RXTX_MAP fails"
Previous message: Seth Forshee: "[PATCH 1/2] firmware: arm_ffa: Honor maximum RX/TX buffer size"
In reply to: Giorgi Tchankvetadze: "[PATCH] mm/compaction: guard move_freelist_head() against invalid freepage"
Next in thread: Giorgi Tchankvetadze: "Re: [PATCH] mm/compaction: guard move_freelist_head() against invalid freepage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andrew Morton

Date: Mon Jun 01 2026 - 16:46:10 EST

On Mon, 1 Jun 2026 17:39:42 +0400 Giorgi Tchankvetadze <giorgitchankvetadze1997@xxxxxxxxx> wrote:

> In fast_isolate_freepages(), freepage is declared uninitialized and
> is only assigned a valid page pointer if list_for_each_entry_reverse
> exits via break. If the loop runs to completion (all pages in the
> freelist have pfn < min_pfn), freepage holds the list head sentinel
> and high_pfn remains zero, so the high_pfn fallback does not update
> it either.
>
> The subsequent unconditional call to move_freelist_head(freelist,
> freepage) then passes the sentinel as a page pointer, which is
> invalid.
>
> Guard move_freelist_head() inside the existing 'if (page)' block
> where freepage is guaranteed to refer to a real page.

Seems correct from my reading. That code is rather twisty.

> This issue was identified via Coccinelle (use_after_iter.cocci).

But AI review is worried:
https://sashiko.dev/#/patchset/20260601133941.111989-2-giorgitchankvetadze1997@xxxxxxxxx