Re: [PATCH 1/1] mm/rmap: make folio unmap batching safe and support partial batches

[Lance Yang]

On 2025/6/27 13:02, Barry Song wrote:
> On Fri, Jun 27, 2025 at 2:53 PM Lance Yang <ioworker0@xxxxxxxxx> wrote:
> > From: Lance Yang <lance.yang@xxxxxxxxx>
> >
> > As pointed out by David[1], the batched unmap logic in try_to_unmap_one()
> > can read past the end of a PTE table if a large folio is mapped starting at
> > the last entry of that table.
> >
> > So let's fix the out-of-bounds read by refactoring the logic into a new
> > helper, folio_unmap_pte_batch().
> >
> > The new helper now correctly calculates the safe number of pages to scan by
> > limiting the operation to the boundaries of the current VMA and the PTE
> > table.
> >
> > In addition, the "all-or-nothing" batching restriction is removed to
> > support partial batches. The reference counting is also cleaned up to use
> > folio_put_refs().
> >
> > [1] https://lore.kernel.org/linux-mm/a694398c-9f03-4737-81b9-7e49c857fcbe@xxxxxxxxxx
> >
> > Fixes: 354dffd29575 ("mm: support batched unmap for lazyfree large folios during reclamation")
> > Suggested-by: David Hildenbrand <david@xxxxxxxxxx>
> > Suggested-by: Barry Song <baohua@xxxxxxxxxx>
> > Signed-off-by: Lance Yang <lance.yang@xxxxxxxxx>
>
> I'd prefer changing the subject to something like
> "Fix potential out-of-bounds page table access during batched unmap"

Yep, that's much better.

> Supporting partial batching is a cleanup-related benefit of this fix.
> It's worth mentioning that the affected cases are quite rare,
> since MADV_FREE typically performs split_folio().

Yeah, it would be quite rare in practice ;)

> Also, we need to Cc stable.

Thanks! Will do.