Re: [PATCH] mm/huge_memory: update file PMD counter before folio_put()

From: Lorenzo Stoakes

Date: Wed May 27 2026 - 12:19:41 EST


On Tue, May 26, 2026 at 02:25:35PM +0200, David Hildenbrand (Arm) wrote:
> On 5/26/26 13:05, Lorenzo Stoakes wrote:
> > On Tue, May 26, 2026 at 06:13:37PM +0800, Yin Tirui wrote:
> >> __split_huge_pmd_locked() updates the file/shmem RSS counter after
> >> dropping the PMD mapping's folio reference. If folio_put() drops the
> >> last reference, mm_counter_file() can later read freed folio state via
> >> folio_test_swapbacked().
> >>
> >> Move the counter update before folio_put().
> >>
> >> Fixes: fadae2953072 ("thp: use mm_file_counter to determine update which rss counter")
> >
> > That's an old commit :) I mean I suspect we're probably not actually ever
> > dropping the folio ref to 0 here since we never had a report since ~2018.
> >
> > The page cache keeping a reference I guess?
>
> I assume we could be racing with truncation.
>
> Truncation would have to trigger unmap itself before we do the
> folio_remove_rmap_pmd().
>
> While the race could happen in theory I think, I do assume this would be rather
> hard to trigger.

Yeah, I mean unless we missed it somehow it seems like any such race if it
exists is very tiny.

But obviously we really do need to fix this! :)

>
> >
> > But doesn't mean we shouldn't fix this on principle/there being some way
> > this could happen.
> >
> >> Cc: <stable@xxxxxxxxxxxxxxx>
> >> Signed-off-by: Yin Tirui <yintirui@xxxxxxxxxx>
> >
> > LGTM, so:
> >
> > Reviewed-by: Lorenzo Stoakes <ljs@xxxxxxxxxx>
>
> Acked-by: David Hildenbrand (arm) <david@xxxxxxxxxx>
>
> --
> Cheers,
>
> David

Cheers, Lorenzo
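
The ordering issue discussed in this thread, as an added user-space example that is not code from the patch or from the kernel: every `toy_*` name is a hypothetical stand-in, and a final put clears the folio's state instead of really freeing memory, so the stale read is observable without undefined behaviour. With one reference (the mapping holds the last one) the put-first order reads freed state and charges the wrong counter; with a second reference (a page-cache one, as guessed above) both orders agree.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model: every toy_* name is a hypothetical stand-in, not kernel code. */
#define TOY_HPAGE_PMD_NR 512L
struct toy_folio {
    int  refcount;
    bool swapbacked;  /* shmem-backed: selects the shmem RSS counter */
    bool freed;       /* set by the final put; models freed memory */
};
struct toy_mm { long file_rss, shmem_rss; int stale_reads; };

static void toy_folio_put(struct toy_folio *f)
{
    if (--f->refcount == 0)
        *f = (struct toy_folio){ .freed = true };  /* constructed: old state is gone */
}

/* Chooses the counter from folio state and records any read of a freed folio. */
static long *toy_counter_file(struct toy_mm *mm, const struct toy_folio *f)
{
    if (f->freed)
        mm->stale_reads++;
    return f->swapbacked ? &mm->shmem_rss : &mm->file_rss;
}

/* refs = 1: the mapping holds the last reference; refs = 2: one more holder exists. */
static struct toy_mm toy_split(bool put_first, int refs)
{
    struct toy_folio f = { .refcount = refs, .swapbacked = true, .freed = false };
    struct toy_mm mm = { .file_rss = 0, .shmem_rss = TOY_HPAGE_PMD_NR, .stale_reads = 0 };
    if (put_first) {            /* order the commit message describes as the bug */
        toy_folio_put(&f);
        *toy_counter_file(&mm, &f) -= TOY_HPAGE_PMD_NR;
    } else {                    /* order after the fix: count first, then put */
        *toy_counter_file(&mm, &f) -= TOY_HPAGE_PMD_NR;
        toy_folio_put(&f);
    }
    return mm;
}

int main(void)
{
    for (int i = 0; i < 4; i++) {
        struct toy_mm mm = toy_split(i & 1, 1 + i / 2);
        printf("put_first=%d refs=%d stale=%d file=%ld shmem=%ld\n", i & 1, 1 + i / 2, mm.stale_reads, mm.file_rss, mm.shmem_rss);
    }
    return 0;
}
```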