From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id A63CCCD98F2 for ; Mon, 22 Jun 2026 19:44:44 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 529986B0093; Mon, 22 Jun 2026 15:44:43 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 4B3596B0095; Mon, 22 Jun 2026 15:44:43 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 37B886B0096; Mon, 22 Jun 2026 15:44:43 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id EC5CC6B0093 for ; Mon, 22 Jun 2026 15:44:42 -0400 (EDT) Received: from smtpin04.hostedemail.com (lb01a-stub [10.200.18.249]) by unirelay10.hostedemail.com (Postfix) with ESMTP id 33691C16EE for ; Mon, 22 Jun 2026 19:44:42 +0000 (UTC) X-FDA: 84908576004.04.E2EECA2 Received: from DM1PR04CU001.outbound.protection.outlook.com (mail-centralusazon11010065.outbound.protection.outlook.com [52.101.61.65]) by imf03.hostedemail.com (Postfix) with ESMTP id 4B76520005 for ; Mon, 22 Jun 2026 19:44:39 +0000 (UTC) Authentication-Results: imf03.hostedemail.com; dkim=pass header.d=Nvidia.com header.s=selector2 header.b=fRhYUEeQ; arc=pass ("microsoft.com:s=arcselector10001:i=1"); spf=pass (imf03.hostedemail.com: domain of ziy@nvidia.com designates 52.101.61.65 as permitted sender) smtp.mailfrom=ziy@nvidia.com; dmarc=pass (policy=reject) header.from=nvidia.com ARC-Seal: i=2; a=rsa-sha256; d=hostedemail.com; s=arc-20220608; cv=pass; t=1782157479; b=ecr/xTo9u6Nayo9vFY2Wx7wSLYy8JMTnCeAJRpUJ9jVMsLCjTkHVt/8LcbTAFSx5orhF73 ypA5rX3MGAuJSOzRPuHGEwFHlCmMuc1cxE7DT1sn6NmgUf/vzOoS5Xv8y5dmS9slBIcYjc b14mtGgmFXTrOWdDjNWHBA50I+8CXVQ= ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1782157479; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=XcxLdbg2wMfcO5DViw194V286oVJ72doKU4pBCzXZaI=; b=fmUBp/wNyXluTNx3N6pDr81Vs1AMxnCvy9zqSotO4GwsaEdZP8NN/oYM6RwuDLmlGMz6hd 7PVvDL3TTuwIYguOFqMmbrcLUqZU8NPpoQQaq0x7G50z2BMJOKGFSsS3RzpwSPv+tDDMLc cwTqhhSyfZwwegwXp0+TZ3YLPwKtrEc= ARC-Authentication-Results: i=2; imf03.hostedemail.com; dkim=pass header.d=Nvidia.com header.s=selector2 header.b=fRhYUEeQ; arc=pass ("microsoft.com:s=arcselector10001:i=1"); spf=pass (imf03.hostedemail.com: domain of ziy@nvidia.com designates 52.101.61.65 as permitted sender) smtp.mailfrom=ziy@nvidia.com; dmarc=pass (policy=reject) header.from=nvidia.com ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=r1+hpoMCE7Ik+GXJYwmDLd+i8WeoqBl4HTeWVyQ7bRNh2iWIZQTpGpunUEZfsEiU+29N+h2kfgLBUV1UIC/OUXg8x5djF0wejvaKnQJWGWvhF11OMNC0gi9FUPDrkqUvPE1hiLsEuhwyxl1aICz9k26gKxlys2UoIzxYwwJeFV7bQGvS3ev2IfkxS0rk3dGaigSHwSMmU357G/cma1Y09gCx4SDTLdUidh/1EuZpLsOrjDadE7TqsixKBpxqNa3JGa8W0c+13b+G1yoknHHo5Fqlb2+HDoEPR8r7PW12C3hegCYhYJbT1qFvHoK6FC42zLH0X6M2e0jSaZlC74Lo3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=XcxLdbg2wMfcO5DViw194V286oVJ72doKU4pBCzXZaI=; b=OnSaTxP/S3rfbKfqBSCWGdvKtMkY35vOlgEUTMigFbpA4RxevTmqrGxMZawNp6ESynnr6K8wzeCbV7IevaOo1YL78V3xV8bfsxS4xXaP5vM6FgWb/y/BM6q9k23t6gei5yvK9HiicpNxBqSlY/1tl+HzP5qH4VMhhhoU5UvlfBwWeDOY1FwaUPpF3gabNkucVvHw8xUfhGW/nVO1PwLZLNBN7UPpGjLD0rmNQaFLlzQmvi9M/O/K57XXwuioASiHi498OOVE9pPtOs2/0q1fcr7WFoFmyC+CHn+bAAQVW+yOIsjsVPmUa0f1TqQKPdv61n1GEbXxEomLXlzt3xbFwA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nvidia.com; dmarc=pass action=none header.from=nvidia.com; dkim=pass header.d=nvidia.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XcxLdbg2wMfcO5DViw194V286oVJ72doKU4pBCzXZaI=; b=fRhYUEeQf2G1jIffEBcGxT6Q68DgMo/9qv67il4rEtCiu9hl4XRXOtX1mg8Zm3G3qaL8no0cVNLqvYPYGkogABUW68ZnG3HC1uPLm7QdqysMDYYwerNY+cipaTyq0KccqKWzX8UgS8IzzjnIOWUP3YVX+paTss9qtSOzYvWPcrHYwLUu/nFlBSkQnCxL1OSaTde5OMwKbBh9J+w9izjpFTrLL5ZzSj2Do9yg8ROWYRwjpcf7FpxyoCGcmeTo7C47otsZ2Rjjr8F+gwckwaE7AWhTz+k10pfh5Ow6d0O8adL9x2c2Edz3cPyEnWRAfYxKS4N707gVf6HSal9bn28nIw== Received: from IA0PR12MB8374.namprd12.prod.outlook.com (2603:10b6:208:40e::7) by DS7PR12MB8081.namprd12.prod.outlook.com (2603:10b6:8:e6::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.139.20; Mon, 22 Jun 2026 19:44:33 +0000 Received: from IA0PR12MB8374.namprd12.prod.outlook.com ([fe80::d85f:4c87:ae84:3f16]) by IA0PR12MB8374.namprd12.prod.outlook.com ([fe80::d85f:4c87:ae84:3f16%5]) with mapi id 15.21.0139.018; Mon, 22 Jun 2026 19:44:33 +0000 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Mon, 22 Jun 2026 15:44:32 -0400 Message-Id: Cc: , , , , "Matthew Wilcox" , "Lorenzo Stoakes" , "Liam R. Howlett" , "Mike Rapoport" To: "Ketan" , "Andrew Morton" , "Vlastimil Babka" , "Suren Baghdasaryan" , "Michal Hocko" , "Brendan Jackman" , "Johannes Weiner" , "Luiz Capitulino" , "David Hildenbrand" From: "Zi Yan" Subject: Re: [PATCH v2] mm: page_ext: add count limit to page_ext_iter_next to prevent invalid PFN access X-Mailer: aerc 0.21.0 References: <20260622-page_ext-v2-1-135d4cfbc42f@oss.qualcomm.com> In-Reply-To: <20260622-page_ext-v2-1-135d4cfbc42f@oss.qualcomm.com> X-ClientProxiedBy: MN2PR18CA0016.namprd18.prod.outlook.com (2603:10b6:208:23c::21) To IA0PR12MB8374.namprd12.prod.outlook.com (2603:10b6:208:40e::7) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: IA0PR12MB8374:EE_|DS7PR12MB8081:EE_ X-MS-Office365-Filtering-Correlation-Id: f5eaceaf-5f96-4e02-ca49-08ded096aecd X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|376014|23010399003|7416014|366016|1800799024|56012099006|11063799006|6133799003|18002099003|22082099003; X-Microsoft-Antispam-Message-Info: P7NbJ0X5e8nxs8Hr9Epmqa926ISX0lLn3IbwHVyszXrzOIWv8KbUNNOImqESwaBN+7nganm0xMSVsNUAOOO45Xns1Kchqa1Qgd+n/F5j+DDhopVxHG6lhKytro0bkyKp+rueHkqsFhqOmNNdkPH1TyPmdO5QPDabd5KvB3XwZc/xfigaHSDBBDsBmAoOviugH/fbIOinAWm6jUgieHTXVBP5UuQmvwrDwzU6qJKdZQtNKi9QUO2fOJoCGmX/uaR/+47/n5sSp3/Ltcu3RvirpTPMGSPMfIKopVImldQpu/6DTbaTCr07tcimhMrvTaYkZ6uDmyNW/h1mG2ODDdcoQ4Be/yT/VZDvab1U77P4xRkO/ETQrWYjBZwFSiv978gImGKDo2ekGIyPgKz485GKEL3oQRKAL/vOS212QK9S986ytWrlYImvo/jcTfJS5liPIfL9xgBB8BW07IX1YHmxCzIlbez9ydRJ8qmXx5MUqEFPKmsKaoh2NiQic0SyClxs8OrdBUnroATCLlwuSAJq0y/HSPEw4oHuZRwnvzL3kdASHYR8trH7FuYC2OmCmhc+wyQjHjO/xcqOiLKCEiY4DdBBhdTJIo9tl4kCrGj9nIzu0l7co/kPuqut9lRTybmgq1AhCaapqBedY0haIcvGSkuObVa1Za9dEC0CrCozzHQ= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:IA0PR12MB8374.namprd12.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(376014)(23010399003)(7416014)(366016)(1800799024)(56012099006)(11063799006)(6133799003)(18002099003)(22082099003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?MTYzQzJwamZ6TTcrRmcyNTVzYTV3QTNwSko0OU9XWVF6Z0N4aHFNcElWLzV3?= =?utf-8?B?VENLZkltTWg0S0t1OWlOM3NZNnJhUW5pcGJUZ0pnUjJ5YXp5c1VGZTNiNWJT?= =?utf-8?B?dDdybHU2d2ZoVkpvQVVCaGhMRUVNMnBFbk9CcGdQNTVjMWt1OU92TkFjbDYr?= =?utf-8?B?M0FuQ1hFNlU3VzcxM3hGQWNpNTRqeVc4YUIwR2hCTy9SODVMWTVHU0tWNHJJ?= =?utf-8?B?dW5RVjlrbDRibCtBMzJyNngyK1JremVuK1pQTnZ6VTFKTHlIK3A1RGJLQnFh?= =?utf-8?B?VEtCaFVLZ0tsQlBqUWJRTkJ5RmIxMlFEWVEwNEdCdFRGcFk4WGZsNjkwaVg3?= =?utf-8?B?Z2lmd3lrWXNlc25TMmlNUjJURmVDL0ZlY1FRWUFWaWpWUUJ5bEU1OUFOMS9q?= =?utf-8?B?N25kdktLa2N6Z0x1RkdoZDhYWDlEN2JmcCsybGx6TEFmdW0vZTBSTzdZNTBO?= =?utf-8?B?SHB6azBnN09JbjE2b0NCK1JTYll5cUM4Q2tRS25CaGo3S1MxTm1VOXJ6M2JV?= =?utf-8?B?WXV3LytmVmlIUlpmcTVvSWJ6RVNZTFhpcjNQbVVGcndINU5nTzVGZDEwV2xK?= =?utf-8?B?eUhGQnR5QlNhalVOTkZGMk15a0xTM3JkMGgvQWdPdjE1WUdDVXVuOTZHL0t5?= =?utf-8?B?aTI3R3Fla3ZGOUZkelcvZ0E3ZWRIY3lsT2diSFF0ZjVuYnBpay9oWTVqcS8x?= =?utf-8?B?RThITzVPRXdmdWFZdFJ6V0VQdzQyZXRWYms2c2lDV3dBUGw2VWJVbG1xUjZS?= =?utf-8?B?UWtWalo5alJYbFdwcitoM2dEcXlIU2tYZVduYzJrOVdQTHhKSUp3MnBjVmFs?= =?utf-8?B?TnRQL1Ryc3h4SHBRZ2N1WXhocU91OTM4S2pRcGRzZnVqNURtekQwYmQyTHJH?= =?utf-8?B?akR1OXVSZkptUXVPS1lWZDAxdjFBbnZnOTZ5VzJ0Z25KUmlqTVBqT2t0TEFO?= =?utf-8?B?b2hFcWtKbUpjaWRTa1prVVZCSW1aQzM1L0YyN0Z5NVNjczZtaG9TUldDTU9Y?= =?utf-8?B?d2ZybURoQ2pHQUVlM2NLbkZYL3pFREhxNkNUMk83SE5SOXpHQ3RiOTlsaUd2?= =?utf-8?B?RlVjNDVZSmZFbHNNT2o2Yng4R2tFUVlRNUI4a0RHOS9xWStlTTZsdHBGbWd0?= =?utf-8?B?Q05uZ3hUTkVoaU5oNHFscHY1WXpZYm1CWGFKYS91Wjh3amozSkJjRm9qZmpZ?= =?utf-8?B?cFJabHVscHRwa1Y4MHNxYUQ1eFZyU3F4WUVTSjVydklTV0s4bVNWdkZrSDVx?= =?utf-8?B?UVhUQmVLSjBHWG9leDBNSW5TVEVnRTlJRUVPTjVQUGFMNkhzeFMwZFp6YnUy?= =?utf-8?B?bEZCNmc5cHNUekRzS2cwZkQ4eSswL2tjU0ltbnpXT1hlMk5RUjBWWWFXc04v?= =?utf-8?B?UXMzUCs1eGl5c1lxTGsyYTI5bVZ5SmlWZ3REVmNRSE4vNURtTmYxbmg1Ykh1?= =?utf-8?B?eHVUNmNpQkF1SzZPUWdnZGlNSWFCL1J2SVV2ZFdxN1VWMUp4Qm01NExmYkdB?= =?utf-8?B?djNaWE93QlZIdWlUNThmTUYvaC9tVmE0cmlaMDZYeEdPMERyc3Z2U1hyQlY5?= =?utf-8?B?ZFh4NkpuU0dnTkJHSU1WTFBSVW5nOTM1dkJXY1BpU0J3RTRnekZnQWVZc1Q3?= =?utf-8?B?OUJuQ21vSDdwK2VFbEkxN2lndy84bEcrU0hWaWx6R1FnSXp1OFNaMkdnaTV6?= =?utf-8?B?aWZyTnpzWk4yN1JTajJQVi9nYWNMVEh0dzRINEJrN2o0TDg0cUdzS1piQVBR?= =?utf-8?B?OTY4QUxJVnR3OEJWYzl2dzhmZlBqRVQwS3NpVzYwTVdHbGZGejlUTmNyNW1k?= =?utf-8?B?Y1IyTjRqTnYyRGtMSmpVUlk2VVBNTSszZCt3TXVEWDFzRk1hcUF0Nm5yQysv?= =?utf-8?B?Y25OaDJjTVlCZnBmR3R3NGNkdXE3L2xaMDQwaXJGc1ovMjdEcGkrQ09LNndF?= =?utf-8?B?bVRRR0xBMUtEOG5NcFdaSmpyeFpEOThSNTRwRWp6VmE3bWZhT2lRcVRTbnkv?= =?utf-8?B?MVFkVnpnSFhUSnBGYnhlOG04ejFnTmhVNzhIemtaN3FpaWNTVDB2ZVI1VW16?= =?utf-8?B?U0VnK1RqQ3duQmxZMm1yZHZpbC94eFQ0NzJmTGp1ODk2eGRzT1JvRFVVMGxl?= =?utf-8?B?eEQ1cUduRGNUZW5ybnVYdTBFVkVSaE91TzRYRDNmc211djNTTDdXRVFPTWx6?= =?utf-8?B?bHFYcCt0RzZrdjl5UVU0d3JYeGZvRkw2S2tGZ3FqZzE5cy91M0UxVnNZYVQw?= =?utf-8?B?T3U0M0NDN3B1ajBxbTlaRXJkWE5zZ3ViZkU3dW0xdnlTUm1UWCt6WEg4d09Z?= =?utf-8?Q?190q+Xs7coO7d7+qE9?= X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-Network-Message-Id: f5eaceaf-5f96-4e02-ca49-08ded096aecd X-MS-Exchange-CrossTenant-AuthSource: IA0PR12MB8374.namprd12.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Jun 2026 19:44:33.0957 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 0ypw8NYlWhNbknddyeJ5g3qq15rL87kCTC53k1ulLgxQ3aoB4BtldiIBzhI9jXbG X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS7PR12MB8081 X-Rspam-User: X-Rspamd-Server: rspam04 X-Rspamd-Queue-Id: 4B76520005 X-Stat-Signature: 1a5kwb9ri8ry71dqquxiwdooh3kgryeh X-HE-Tag: 1782157479-308596 X-HE-Meta: U2FsdGVkX1+TVfKN1I2585OB+OL6bLpsZrLU7fv8cQMGc0KayJ4CnCq0vSLliU1oeRLsRfz0zJphuRRYPj3OrhqBTMJ5UonDz9NCJ75Vxn9N7X5aP5O9mnMYZvTj4WLr3VcRKtUxDotePGb5X5VpwE1vavddgSA5bBB8JKD4xOCSk+4RsSe90yFvHZuXwof7q6mYJ23Hf8yDyt/aZmkoVKJpCFa0C11QovS50/e+NqQDqsUFovll9eyaIUPdhSXDoOvrb4/H43QOa2qWdGV6Q06opTDFLjP1skQ1CaC8+ThgysU6PY2PJi50e8vyMcQS4X79YlYv1/eSnaq+swsuN45w+JNIZh5Az/OQKU9rpcqXYc5Y+0G0pUllAHZwdaeFoRoi/4S9drlkYFRGVn5GpDPrdVCS9kPw8p+9gfyDaCb/YwRjeHZmmwYn4SWK/4/F6xF3GleCMGf+aU9mbZAWaJUEXOaSJLYJBX9Q9lkwZGd4jKjMrBPAuZW2R9Jbk20nltClvdN6y9B843SQ2YO/fpigKX/yGzFue26sorG7p+IZJ8ZTsJxwumzyYh6KTz/5NirTpp2BsBUPSmqEQtm/ENeAu/XfR0/CE1sCVdaaSW1WsvWuMJgj5M4cUy5Z8vdxBkmix2As0gih55DV9rU7oaLv4JAs7i91si6ppC8wTYpFlo8xV/nKyIe20afl168RFgPVE/gJRYZWcY8cy/bGFh30LbtTvVfpBYdkGwywLpNzzt2L4gs+CRJO7+AiC+by8xRbS+SY8yYrVkZePzgT/8oHPQ6lo7SShLiq21AQ424uVOxhiUBh+4U10JduUV1kG9yqRCGPvZ7wIGWZSl98f0dyexZ1Wa85NOPIwQu7zaWDyUZn1mXlroYv88RVdeWAvEWbWLU4PyPfKfwfb01rNY1L7wBsnoWY6AmB/K7+HUuRG8YslMC0r91dTNg5cReDzZyQHuuVVJbgJBXtp9b GrgwX6DG e0yUQrvdNj+TO7TRN2xad/XlRGbIsPFkZRIeFZmXyHhxUP+zQUey3dzTXEp3foRaPR/QedSitzlMVMWkxwXZTr1NN8jrEYhwIYdFzQoEvdPWlRHPCWwkQ2v2lPK0hWuQmK30nsRWsKYx3ANGd9ONz9z5EukPky2lLey4Butxt5+jk4RhJvzhA6/XHGJgy9/BkP43ye5UauS4vv2iCGN5LOfYJeYEc4hWmMdIUKsrmo9JFV3QJBgeWKOECw6CdwdyzZN9WgM4A5lREVbsrRwGMyYic3ZrmmOdlCPmdb9G+zWzpBN8F4len1F8ag+M+JQzk5CNcugx3O+eznVTiH6OquOhGFyEVafTIfhT5UDB7um9L3oT3WQeARef9FhpdfWBd48Rs4/AYuu5UUFDpbdVgHGsyLZraBGrmH4Oa3q1Gk30o5CkAq9iooY6XzMTsVmNYk6q4iuIjtT/o9IYfAvZVbHVrUQQzLsmWfaIVOFLIcyIjsRFt+9SrA0JCIlDdgHrpqVCe1IOWQDASMwzM/6MhXMz6JGM3Rb5aUeZBeiv8qDAL/sFUSVZZ8eoTR9U4qWTTvGCqJUJygYRCili0GZCzWLPfO+wyxRXZ7V2gAmXRnMOLC/qPpXh78z5a8UMUHFMfgLwlicsSzckRaUkhF88aQqonQwKXZ3v2xkI/qSnXxmtzHO6gvYJEq6pImxAWQFehwCFy4/4/IprM3dQfHuNazwyEOQMrElmI3W1iXjVKux3uzytE1AcCKFznU5vEzbuN3KxZdlDSlZFzENk3oeqNr5U1KR8J+HSJbKUtsMKXnqUJCAHlIzSZQ8cbBRHqQjeiyxiv8wFJ7GJjQnU= Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Mon Jun 22, 2026 at 10:14 AM EDT, Ketan wrote: > The page_ext iteration API does not validate if the PFN still > belongs to a valid section while advancing the iterator. When > dynamically adding memory in the hotplug path, it can lead to a > NULL pointer dereference during page_ext_lookup at the boundary > of the last valid section when iterator count equals __pgcount. > > The for_each_page_ext() macro calls page_ext_iter_next() as its > loop increment. for_each_page_ext() does a > "__page_ext =3D page_ext_iter_next(&__iter)" at the end. This > causes page_ext_iter_next() to increment iter->index past > __pgcount and call page_ext_lookup(start_pfn + __pgcount). > During memory hotplug (online), the PFN at start_pfn + __pgcount > may belong to a section that has not yet been initialized, > causing page_ext_lookup() to trigger a NULL pointer dereference. > > [ 14.555124][ T846] Call trace: > [ 14.555125][ T846] lookup_page_ext+0x6c/0x108 (P) > [ 14.555127][ T846] page_ext_lookup+0x30/0x3c > [ 14.555129][ T846] __reset_page_owner+0x11c/0x260 > [ 14.571201][ T846] __free_pages_ok+0x5e8/0x8e0 > [ 14.571204][ T846] __free_pages_core+0x78/0xf0 > [ 14.571206][ T846] generic_online_page+0x14/0x24 > [ 14.597782][ T846] online_pages+0x178/0x30c > [ 14.597784][ T846] memory_block_change_state+0x284/0x32c > [ 14.597787][ T846] memory_subsys_online+0x4c/0x64 > [ 14.597789][ T846] device_online+0x88/0xb0 > [ 14.597791][ T846] online_memory_block+0x30/0x40 > [ 14.597793][ T846] walk_memory_blocks+0xac/0xe8 > [ 14.597794][ T846] add_memory_resource+0x280/0x298 > [ 14.656161][ T846] add_memory+0x60/0x98 > > Move the iteration boundary enforcement inside the iterator > functions, so callers cannot inadvertently access beyond the > requested range. > > Fixes: 9039b9096ea2 ("mm: page_owner: use new iteration API") > Cc: stable@vger.kernel.org > Suggested-by: David Hildenbrand > Suggested-by: Matthew Wilcox > Signed-off-by: Ketan Kishore > --- > Changes in v2: > - Incorporated comments from David and Matthew to check for invalid PFN > in page_ext iterator rather than checking for NULL section in > page_ext_lookup. > - Minor improvement in commit description to include the issue with > page_ext_iter_next > - Link to v1: https://patch.msgid.link/20260617-page_ext-v1-1-37ad802b1a3= 8@oss.qualcomm.com > > To: Andrew Morton > To: David Hildenbrand > To: Lorenzo Stoakes > To: "Liam R. Howlett" > To: Vlastimil Babka > To: Mike Rapoport > To: Suren Baghdasaryan > To: Michal Hocko > To: Luiz Capitulino > Cc: kernel@oss.qualcomm.com > Cc: linux-mm@kvack.org > Cc: linux-kernel@vger.kernel.org > --- > include/linux/page_ext.h | 19 +++++++++++++------ > 1 file changed, 13 insertions(+), 6 deletions(-) > > @@ -138,19 +142,22 @@ static inline struct page_ext *page_ext_iter_begin(= struct page_ext_iter *iter, > /** > * page_ext_iter_next() - Get next page extension > * @iter: page extension iterator. > + * @count: maximum number of page extensions to return. > * > * Must be called with RCU read lock taken. > * > * Return: NULL if no next page_ext exists. > */ > -static inline struct page_ext *page_ext_iter_next(struct page_ext_iter *= iter) > +static inline struct page_ext *page_ext_iter_next(struct page_ext_iter *= iter, > + unsigned long count) > { > unsigned long pfn; > =20 > if (WARN_ON_ONCE(!iter->page_ext)) > return NULL; > =20 > - iter->index++; > + if (iter->index++ >=3D count) The before-incremented iter->index is used to compared to count. Either if (++iter->index >=3D count) or iter->index++; if (iter->index >=3D count) works. I tried the latter locally and it fixed the issue reported by syzbot[1]. [1] https://lore.kernel.org/all/6a396a5a.ac26f6c2.9a9c4.0000.GAE@google.com= / > + return NULL; > pfn =3D iter->start_pfn + iter->index; --=20 Best Regards, Yan, Zi