From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from shelob.surriel.com (shelob.surriel.com [96.67.55.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 93D533A4F57 for ; Thu, 30 Apr 2026 20:22:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=96.67.55.147 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777580571; cv=none; b=oWlon1DBSeOdHYpPL0KHAsJcSq/n3Fago/RTigSStYzclu84aD/0J1h71ah0ikzAFape3RWIT+mV8ofH0/Uw899X1zVNHFeYiYUydC2QQg0w/J/BiHJqHUWAIuikQNs7LsohiaJo+SvPyicyFiqFZkg8bJCsH7ZaoRWo8rn6zO0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777580571; c=relaxed/simple; bh=9qE9mUffFUYhqkm3q00GYEJ+0qXxro74mec5i5is/As=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=m6PJwSzEOc0TQdOlHYCAVeqJw+ODjMyDZxRK8pgk/8zz1/wbERlCdRMW+3QuyBXWEXqvfB1J4+MgzmgdRTlMBIBvFWsTXcByoD3Rl7iuW8bt4YftNTrYL0xOOuFcoTpRH5V2rxysJHseDKSPn0iy9PM5qVmLU32Hzgmcdvsz+wE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=surriel.com; spf=pass smtp.mailfrom=surriel.com; dkim=pass (2048-bit key) header.d=surriel.com header.i=@surriel.com header.b=k7PKv6x4; arc=none smtp.client-ip=96.67.55.147 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=surriel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=surriel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=surriel.com header.i=@surriel.com header.b="k7PKv6x4" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=surriel.com ; s=mail; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=tg5Weu69G+wviDv5W5A2GzRuTYUa3VhIg/DY7vTfulA=; b=k7PKv6x4HjrjzXohd+rNODZ6fu zAsURVDXP+bNr7g6LgNjS3AqK4rLIAeHXiTEznc2tKz4A1zgl8SYJwUpvhglHeL+prHiaF9ruPssK OX/zqbbKNVDeeGRraseqKh7AFn0d8Tny6NSmLRlU8f71ZRWjWgOTUe7hixUKWFvFFRctwuS3oQCet hAszdT/aPbQ9v4D+uhvX/7saRhm//BGwKqF+s8PsM4NcucqaFv8rwqXkgjHXldw+Ew7khbmvqIupS J1bDyvscaBe7Jr3qKYxWLRn2cUoveNLx/7ye5hRxhJ5CP5uaavUmBV9W9Ab+GqL7F6SXzytXhTLmn Wi3bJJlw==; Received: from fangorn.home.surriel.com ([10.0.13.7]) by shelob.surriel.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.97.1) (envelope-from ) id 1wIXuC-000000001R0-2Ghu; Thu, 30 Apr 2026 16:22:40 -0400 From: Rik van Riel To: linux-kernel@vger.kernel.org Cc: kernel-team@meta.com, linux-mm@kvack.org, david@kernel.org, willy@infradead.org, surenb@google.com, hannes@cmpxchg.org, ljs@kernel.org, ziy@nvidia.com, usama.arif@linux.dev, Rik van Riel , Rik van Riel Subject: [RFC PATCH 05/45] mm: vmstat: restore per-migratetype free counts in /proc/pagetypeinfo Date: Thu, 30 Apr 2026 16:20:34 -0400 Message-ID: <20260430202233.111010-6-riel@surriel.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260430202233.111010-1-riel@surriel.com> References: <20260430202233.111010-1-riel@surriel.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Rik van Riel The SPB rework moved free pages off zone->free_area[] and onto the per-superpageblock free lists at zone->superpageblocks[i].free_area[]. pagetypeinfo_showfree_print() was still walking the now-empty zone-level free lists, so /proc/pagetypeinfo's "Free pages count per migrate type at order" table read as all zeros. Walk every SPB in the zone, accumulating counts per (migratetype, order) into stack-allocated 2-D arrays, then emit one line per migratetype. zone->lock is dropped between SPBs (matching the original printer's unlock/cond_resched/lock pattern) to bound time under the lock. The 100000-per-cell cap is retained -- it is now cumulative across all SPBs in the zone, which is the same effective semantic as before since the old free_area was already per-zone. Concurrent memory hotplug can swap zone->superpageblocks under us during a lock drop; the counts may then be inconsistent, but no UAF is possible since sb is re-derefed each iteration. Acceptable for a debug-only interface. Signed-off-by: Rik van Riel Assisted-by: Claude:claude-opus-4.7 syzkaller --- mm/vmstat.c | 66 ++++++++++++++++++++++++++++++----------------------- 1 file changed, 38 insertions(+), 28 deletions(-) diff --git a/mm/vmstat.c b/mm/vmstat.c index 86b14b0f77b5..7de08ab61b9d 100644 --- a/mm/vmstat.c +++ b/mm/vmstat.c @@ -1572,41 +1572,51 @@ static int frag_show(struct seq_file *m, void *arg) static void pagetypeinfo_showfree_print(struct seq_file *m, pg_data_t *pgdat, struct zone *zone) { + unsigned long counts[MIGRATE_TYPES][NR_PAGE_ORDERS] = { }; + bool overflow[MIGRATE_TYPES][NR_PAGE_ORDERS] = { }; + unsigned long sb_idx, nr_sbs = zone->nr_superpageblocks; int order, mtype; + /* + * Free pages live on per-superpageblock free lists. Walk the SPBs, + * accumulating per (migratetype, order) counts. The 100000 cap per + * cell limits time under zone->lock; this is a debugging interface, + * knowing there is "a lot" of one size is sufficient. zone->lock is + * dropped between SPBs, so concurrent memory hotplug may produce + * inconsistent counts -- acceptable for a debug-only interface. + */ + for (sb_idx = 0; sb_idx < nr_sbs; sb_idx++) { + struct superpageblock *sb = &zone->superpageblocks[sb_idx]; + + for (order = 0; order < NR_PAGE_ORDERS; order++) { + struct free_area *area = &sb->free_area[order]; + struct list_head *curr; + + for (mtype = 0; mtype < MIGRATE_TYPES; mtype++) { + if (overflow[mtype][order]) + continue; + list_for_each(curr, &area->free_list[mtype]) { + if (++counts[mtype][order] >= 100000) { + overflow[mtype][order] = true; + break; + } + } + } + } + spin_unlock_irq(&zone->lock); + cond_resched(); + spin_lock_irq(&zone->lock); + } + for (mtype = 0; mtype < MIGRATE_TYPES; mtype++) { seq_printf(m, "Node %4d, zone %8s, type %12s ", pgdat->node_id, zone->name, migratetype_names[mtype]); - for (order = 0; order < NR_PAGE_ORDERS; ++order) { - unsigned long freecount = 0; - struct free_area *area; - struct list_head *curr; - bool overflow = false; - - area = &(zone->free_area[order]); - - list_for_each(curr, &area->free_list[mtype]) { - /* - * Cap the free_list iteration because it might - * be really large and we are under a spinlock - * so a long time spent here could trigger a - * hard lockup detector. Anyway this is a - * debugging tool so knowing there is a handful - * of pages of this order should be more than - * sufficient. - */ - if (++freecount >= 100000) { - overflow = true; - break; - } - } - seq_printf(m, "%s%6lu ", overflow ? ">" : "", freecount); - spin_unlock_irq(&zone->lock); - cond_resched(); - spin_lock_irq(&zone->lock); - } + for (order = 0; order < NR_PAGE_ORDERS; order++) + seq_printf(m, "%s%6lu ", + overflow[mtype][order] ? ">" : "", + counts[mtype][order]); seq_putc(m, '\n'); } } -- 2.52.0