Re: [PATCH 2/7] mm: shmem: avoid setting error on splited entries in shmem_set_folio_swapin_error()

[Baolin Wang]

On 2025/6/9 09:19, Kemeng Shi wrote:
> on 6/7/2025 2:20 PM, Baolin Wang wrote:
> > On 2025/6/6 06:10, Kemeng Shi wrote:
> > > When large entry is splited, the first entry splited from large entry
> > > retains the same entry value and index as original large entry but it's
> > > order is reduced. In shmem_set_folio_swapin_error(), if large entry is
> > > splited before xa_cmpxchg_irq(), we may replace the first splited entry
> > > with error entry while using the size of original large entry for release
> > > operations. This could lead to a WARN_ON(i_blocks) due to incorrect
> > > nr_pages used by shmem_recalc_inode() and could lead to used after free
> > > due to incorrect nr_pages used by swap_free_nr().
> >
> > I wonder if you have actually triggered this issue? When a large swap entry is split, it means the folio is already at order 0, so why would the size of the original large entry be used for release operations? Or is there another race condition?
> All issues are found during review the code of shmem as I menthioned in
> cover letter.
> The folio could be allocated from shmem_swap_alloc_folio() and the folio
> order will keep unchange when swap entry is split.

Sorry, I did not get your point. If a large swap entry is split, we must 
ensure that the corresponding folio is order 0.

However, I missed one potential case which was recently fixed by Kairui[1].

[1] https://lore.kernel.org/all/20250610181645.45922-1-ryncsn@xxxxxxxxx/