Date: Thu, 23 Apr
2026 10:59:49 +0200 From: Greg KH To: "Matthew Wilcox (Oracle)" Cc: stable@vger.kernel.org, Google Big Sleep , Jens Axboe , Jan Kara , Andrew Morton Subject: Re: [PATCH 6.18.y] mm: call ->free_folio() directly in folio_unmap_invalidate() Message-ID: <2026042310-buffoon-wool-f299@gregkh> References: <2026042002-idealness-evade-7213@gregkh> <20260420145343.2046992-1-willy@infradead.org> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20260420145343.2046992-1-willy@infradead.org> On Mon, Apr 20, 2026 at 03:53:43PM +0100, Matthew Wilcox (Oracle) wrote: > We can only call filemap_free_folio() if we have a reference to (or hold a > lock on) the mapping. Otherwise, we've already removed the folio from the > mapping so it no longer pins the mapping and the mapping can be removed, > causing a use-after-free when accessing mapping->a_ops. > > Follow the same pattern as __remove_mapping() and load the free_folio > function pointer before dropping the lock on the mapping. That lets us > make filemap_free_folio() static as this was the only caller outside > filemap.c. > > Link: https://lore.kernel.org/20260413184314.3419945-1-willy@infradead.org > Fixes: fb7d3bc41493 ("mm/filemap: drop streaming/uncached pages when writeback completes") > Signed-off-by: Matthew Wilcox (Oracle) > Reported-by: Google Big Sleep > Cc: Jens Axboe > Cc: Jan Kara > Cc: > Signed-off-by: Andrew Morton > (cherry picked from commit 615d9bb2ccad42f9e21d837431e401db2e471195) > Signed-off-by: Matthew Wilcox (Oracle) > --- > mm/filemap.c | 3 ++- > mm/internal.h | 1 - > mm/truncate.c | 6 +++++- > 3 files changed, 7 insertions(+), 3 deletions(-) > > diff --git a/mm/filemap.c b/mm/filemap.c > index d8d9c0f0beb6..76bbfa69aca0 100644 > --- a/mm/filemap.c > +++ b/mm/filemap.c 
> @@ -233,7 +233,8 @@ void __filemap_remove_folio(struct folio *folio, void *shadow) > page_cache_delete(mapping, folio, shadow); > } > > -void filemap_free_folio(struct address_space *mapping, struct folio *folio) > +static void filemap_free_folio(const struct address_space *mapping, > + struct folio *folio) > { > void (*free_folio)(struct folio *); > int refs = 1; > diff --git a/mm/internal.h b/mm/internal.h > index 9e0577413087..f046099d8eff 100644 > --- a/mm/internal.h > +++ b/mm/internal.h > @@ -401,7 +401,6 @@ unsigned find_lock_entries(struct address_space *mapping, pgoff_t *start, > pgoff_t end, struct folio_batch *fbatch, pgoff_t *indices); > unsigned find_get_entries(struct address_space *mapping, pgoff_t *start, > pgoff_t end, struct folio_batch *fbatch, pgoff_t *indices); > -void filemap_free_folio(struct address_space *mapping, struct folio *folio); > int truncate_inode_folio(struct address_space *mapping, struct folio *folio); > bool truncate_inode_partial_folio(struct folio *folio, loff_t start, > loff_t end); > diff --git a/mm/truncate.c b/mm/truncate.c > index fb5c20b57bd4..6bbe22ae3ab8 100644 > --- a/mm/truncate.c > +++ b/mm/truncate.c > @@ -574,6 +574,7 @@ EXPORT_SYMBOL(invalidate_mapping_pages); > static int invalidate_complete_folio2(struct address_space *mapping, > struct folio *folio) > { > + void (*free_folio)(struct folio *); > if (folio->mapping != mapping) > return 0; > > @@ -590,9 +591,12 @@ static int invalidate_complete_folio2(struct address_space *mapping, > xa_unlock_irq(&mapping->i_pages); > if (mapping_shrinkable(mapping)) > inode_add_lru(mapping->host); > + free_folio = mapping->a_ops->free_folio; Wait, I see what's wrong, this function isn't even in 6.18.y, which is why when I apply this it has fuzz and blows up. So this isn't going to work at all here, did you send the wrong backport? thanks, greg k-h
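Review bot: making filemap_free_folio() static in the mm/filemap.c hunk is only safe if this same patch removes the mm/truncate.c call that was the sole user outside filemap.c; the diffstat does show one deletion in mm/truncate.c, but the truncate.c hunk quoted in this mail stops before any `-` line removing that call, so as posted the series cannot be confirmed to still link. The new `const struct address_space *mapping` qualifier is fine as long as the rest of the function body, which lies outside the hunk, only reads through `mapping`.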
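Review bot: the context function in the first mm/truncate.c hunk (`@@ -574,6 +574,7 @@`) is invalidate_complete_folio2(), while the subject line says the fix lands in folio_unmap_invalidate(); the mm/truncate.c this hunk was generated against is therefore not the one the subject claims, which is consistent with the fuzz Greg reports when applying it to 6.18.y and means the backport needs regenerating against that tree. Minor style point in the same hunk: kernel style wants a blank line between the new `void (*free_folio)(struct folio *);` declaration and the following `if (folio->mapping != mapping)` statement.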
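Review bot: the second mm/truncate.c hunk (`@@ -590,9 +591,12 @@`) is incomplete in this mail: its header announces 12 lines in the new version, yet the quoted text ends at `+ free_folio = mapping->a_ops->free_folio;` with no `-` line removing the filemap_free_folio() call and no call through the saved pointer, so the part of the change that actually closes the use-after-free cannot be reviewed here. Note also that, as quoted, the pointer is read after `xa_unlock_irq(&mapping->i_pages);`; the commit message's argument that the load happens "before dropping the lock on the mapping" relies on the mapping still being pinned by a reference or another lock at that point, and that lock is not visible in the quoted lines, so the resend should carry the whole hunk.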