From nobody Mon Feb 9 09:21:45 2026 Received: from mailgw.kylinos.cn (mailgw.kylinos.cn [124.126.103.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0E5653EDAA7 for ; Wed, 21 Jan 2026 08:13:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=124.126.103.232 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768983237; cv=none; b=Z/yjDm8EA+aKtL6Roq6ovWmRZ2rAz2DY7F0ZoLu8tw0zCHxSw/Xl3Bw0pCdr8x0fq3BmMe9pBqqe9Q6qTWZnJDvhw+KmOW8Jy96d0urQJQajUN4NFh/GWJqA3kM93kQRDM91dUbl9FejYL32TjHDTUVMT8vIBjWZRkFwwwz8/0Q= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768983237; c=relaxed/simple; bh=R6w6ORkDmVEDZCVXG/+8qhM/KLKQlFnDljMuNyvFFsY=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=tdDBU3GnAyodlYgm4rpV4L2XCLV+ob6obKRAtuTkg5AwPQv6NHBxDkMkcL46sHZlc5uykJfBip7Ca775jgQ2uQfpvB+TWgmKA7ARo+1/rymprVVsa0hq2v4ZIhLA177U8TFXubnjWSiCxz0e/Qsv4iTj6Ig5lU9WHxWnI+nmeqg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=kylinos.cn; spf=pass smtp.mailfrom=kylinos.cn; arc=none smtp.client-ip=124.126.103.232 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=kylinos.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=kylinos.cn X-UUID: 1d65e0b2f6a111f0b0f03b4cfa9209d1-20260121 X-CID-P-RULE: Release_Ham X-CID-O-INFO: VERSION:1.3.6,REQID:23de3b17-c3dd-49c4-bcc3-504236bae68f,IP:0,UR L:0,TC:0,Content:0,EDM:0,RT:0,SF:0,FILE:0,BULK:0,RULE:Release_Ham,ACTION:r elease,TS:0 X-CID-META: VersionHash:a9d874c,CLOUDID:5a380108bd19bed4eb7bdae6ce452c73,BulkI D:nil,BulkQuantity:0,Recheck:0,SF:102|850|898,TC:nil,Content:0|15|50,EDM:- 3,IP:nil,URL:0,File:nil,RT:nil,Bulk:nil,QS:nil,BEC:nil,COL:0,OSI:0,OSA:0,A V:0,LES:1,SPR:NO,DKR:0,DKP:0,BRR:0,BRE:0,ARC:0 X-CID-BVR: 2,SSN|SDN X-CID-BAS: 2,SSN|SDN,0,_ X-CID-FACTOR: TF_CID_SPAM_SNR X-CID-RHF: D41D8CD98F00B204E9800998ECF8427E X-UUID: 1d65e0b2f6a111f0b0f03b4cfa9209d1-20260121 X-User: zenghongling@kylinos.cn Received: from localhost.localdomain [(10.44.16.150)] by mailgw.kylinos.cn (envelope-from ) (Generic MTA with TLSv1.3 TLS_AES_256_GCM_SHA384 256/256) with ESMTP id 1266633411; Wed, 21 Jan 2026 16:13:49 +0800 From: zenghongling To: akpm@linux-foundation.org, david@kernel.org, lorenzo.stoakes@oracle.com, ziy@nvidia.com, baolin.wang@linux.alibaba.com, Liam.Howlett@oracle.com, npache@redhat.com, ryan.roberts@arm.com, dev.jain@arm.com, baohua@kernel.org, lance.yang@linux.dev Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, zhongling0719@126.com, zenghongling Subject: [PATCH] mm/huge_memory: Fix iterator variable usage after swap() Date: Wed, 21 Jan 2026 16:13:43 +0800 Message-Id: <20260121081343.713715-1-zenghongling@kylinos.cn> X-Mailer: git-send-email 2.25.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The iterator variable 'folio' is swapped with 'prev' in the else branch. Using 'folio' after swap() checks the potentially NULL 'prev' value, not the original iterator value. Fix by moving folio_put() call before the swap operation in the path where swap() occurs. Found by: ./huge_memory.c:4225:6-11: ERROR: iterator variable bound on line 4178 cann= ot be NULL Signed-off-by: zenghongling --- mm/huge_memory.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 6cba1cb14b23..258bf4725aea 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -4212,6 +4212,7 @@ static unsigned long deferred_split_scan(struct shrin= ker *shrink, ; /* folio already removed from list */ } else if (!folio_test_partially_mapped(folio)) { list_del_init(&folio->_deferred_list); + folio_put(folio); removed++; } else { /* @@ -4220,10 +4221,9 @@ static unsigned long deferred_split_scan(struct shri= nker *shrink, * left on the list (which may be concurrently unqueued) * by one safe folio with refcount still raised. */ + folio_put(folio); swap(folio, prev); } - if (folio) - folio_put(folio); } =20 spin_lock_irqsave(&ds_queue->split_queue_lock, flags); --=20 2.25.1