Re: [PATCH] mm/huge_memory: update file PUD counter before folio_put()

[Yin Tirui]

On 5/26/2026 6:47 PM, Lorenzo Stoakes wrote:
> You sent this twice :)
>
> On Tue, May 26, 2026 at 06:13:55PM +0800, Yin Tirui wrote:
> > __split_huge_pud_locked() updates the file/shmem RSS counter after
> > dropping the PUD mapping's folio reference. If folio_put() drops the
> > last reference, mm_counter_file() can later read freed folio state via
> > folio_test_swapbacked().
> >
> > Move the counter update before folio_put().
> >
> > Fixes: dbe54153296d ("mm/huge_memory: add vmf_insert_folio_pud()")
> > Cc: <stable@xxxxxxxxxxxxxxx>
> > Signed-off-by: Yin Tirui <yintirui@xxxxxxxxxx>
> Patch looks sane to me, so:
>
> Reviewed-by: Lorenzo Stoakes <ljs@xxxxxxxxxx>
>
> There seems to be an identical problem in __split_huge_pmd_locked() - could you
> do the same fix there?

I have already sent it as another separate patch.

https://lore.kernel.org/linux-mm/20260526101337.1984081-1-yintirui@xxxxxxxxxx/T/#u

> Thanks, Lorenzo
>
> > ---
> >   mm/huge_memory.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/mm/huge_memory.c b/mm/huge_memory.c
> > index a5f4a48b7b77..9832ee910d5e 100644
> > --- a/mm/huge_memory.c
> > +++ b/mm/huge_memory.c
> > @@ -3027,9 +3027,9 @@ static void __split_huge_pud_locked(struct vm_area_struct *vma, pud_t *pud,
> >   	if (!folio_test_referenced(folio) && pud_young(old_pud))
> >   		folio_set_referenced(folio);
> >   	folio_remove_rmap_pud(folio, page, vma);
> > -	folio_put(folio);
> >   	add_mm_counter(vma->vm_mm, mm_counter_file(folio),
> >   		-HPAGE_PUD_NR);
> > +	folio_put(folio);
> >   }
> >
> >   void __split_huge_pud(struct vm_area_struct *vma, pud_t *pud,
> > --
> > 2.43.0
--
Yin Tirui