From: Usama Arif
To: Andrew Morton, npache@redhat.com, david@kernel.org, ziy@nvidia.com, willy@infradead.org, linux-mm@kvack.org
Cc: matthew.brost@intel.com, joshua.hahnjy@gmail.com, hannes@cmpxchg.org, rakie.kim@sk.com, byungchul@sk.com, gourry@gourry.net, ying.huang@linux.alibaba.com, apopple@nvidia.com, linux-kernel@vger.kernel.org, kernel-team@meta.com, Usama Arif
Subject: [PATCH] mm: migrate: transfer large_rmappable flag in folio_migrate_flags()
Date: Wed, 11 Mar 2026 06:23:42 -0700
Message-ID: <20260311132342.3193160-1-usama.arif@linux.dev>

folio_migrate_flags() transfers folio state from source to destination during migration, but does not transfer the large_rmappable flag. Migration allocators like alloc_migration_target() and alloc_misplaced_dst_folio() use __folio_alloc() directly without wrapping the result in page_rmappable_folio(), so the destination folio never gets large_rmappable set.

This becomes a problem when a folio on the deferred split queue is migrated: the destination folio can be added to the deferred split queue via deferred_split_folio() (which does not check large_rmappable), but when the folio is later freed, folio_unqueue_deferred_split() bails out early because large_rmappable is not set:

	if (folio_order(folio) <= 1 || !folio_test_large_rmappable(folio))
		return false;

This leaves a stale entry on the deferred split queue, leading to use-after-free when the shrinker walks the list.

Fix this by transferring large_rmappable in folio_migrate_flags(), consistent with how all other folio flags are handled.

Fixes: dafff3f4c850 ("mm: split underused THPs")
Signed-off-by: Usama Arif
---
 mm/migrate.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/mm/migrate.c b/mm/migrate.c index 3380021fd3db..ee1c7bc851dd 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -846,6 +846,9 @@ void folio_migrate_flags(struct folio *newfolio, struct= folio *folio) folio_copy_owner(newfolio, folio); pgalloc_tag_swap(newfolio, folio); =20 + if (folio_test_large_rmappable(folio)) + folio_set_large_rmappable(newfolio); + mem_cgroup_migrate(folio, newfolio); } EXPORT_SYMBOL(folio_migrate_flags); --=20 2.52.0
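Review bot: the new check tests only the source folio, while folio_set_large_rmappable(newfolio) is only meaningful on a large folio, so the hunk silently relies on the migration target having been allocated at the same order as the source; that holds for the __folio_alloc()-based callers named in the commit message, but nothing at this call site says so. Since the reason the destination lacks the flag (migration allocators call __folio_alloc() without page_rmappable_folio()) lives only in the commit message, a one-line comment above the `if`, for example `/* __folio_alloc()-based migration targets never get large_rmappable */`, would keep a future reader from "simplifying" this away and reintroducing the stale deferred-split entry.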
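The following is a userspace model of the failure mode the commit message describes, added here as an illustration; it is not code from the patch or from the kernel. The `toy_` functions and the `struct folio` are stand-ins whose bodies are reduced to the one check that matters (the early return in folio_unqueue_deferred_split()), the order-9 sizes are an assumption, and how the source folio leaves the queue during migration is simplified to a direct unqueue. It replays the sequence twice, without and with the hunk's transfer of large_rmappable, and reports how many entries the shrinker would still find on the queue after the destination's free path ran.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Intrusive doubly linked list in the shape of the kernel's list_head (toy copy). */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h; h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *h)
{
	n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del_init(struct list_head *n)
{
	n->prev->next = n->next; n->next->prev = n->prev; list_init(n);
}

/* Toy folio: only the state the bug depends on (assumed layout, not the kernel's). */
struct folio {
	unsigned int order;
	bool large_rmappable;
	struct list_head _deferred_list;  /* link on the deferred split queue */
};

/* Like __folio_alloc(): large_rmappable is NOT set on the way out. */
static struct folio *toy_folio_alloc(unsigned int order)
{
	struct folio *f = calloc(1, sizeof *f);
	if (!f)
		abort();
	f->order = order;
	list_init(&f->_deferred_list);
	return f;
}

/* Stand-in for deferred_split_folio(): queues without testing large_rmappable. */
static void toy_deferred_split_folio(struct folio *f, struct list_head *queue)
{
	if (f->order <= 1)
		return;
	if (list_empty(&f->_deferred_list))
		list_add(&f->_deferred_list, queue);
}

/* Stand-in for folio_unqueue_deferred_split(): the early return the commit message quotes. */
static bool toy_folio_unqueue_deferred_split(struct folio *f)
{
	if (f->order <= 1 || !f->large_rmappable)
		return false;
	if (list_empty(&f->_deferred_list))
		return false;
	list_del_init(&f->_deferred_list);
	return true;
}

/* Stand-in for folio_migrate_flags(), with or without the patch's hunk. */
static void toy_folio_migrate_flags(struct folio *newfolio, struct folio *folio, bool with_fix)
{
	if (with_fix && folio->large_rmappable)
		newfolio->large_rmappable = true;
}

/* What a shrinker walking the queue would see: the number of linked entries. */
static size_t queue_len(const struct list_head *queue)
{
	size_t n = 0;
	for (const struct list_head *p = queue->next; p != queue; p = p->next)
		n++;
	return n;
}

/*
 * Replays the scenario: a queued large folio is migrated, the destination is
 * queued, then freed. Returns the number of queue entries still pointing at the
 * destination after its free path ran: 0 is correct, 1 is the stale entry that
 * a later shrinker walk would dereference after the memory is gone.
 */
size_t stale_entries_after_free(bool with_fix)
{
	struct list_head queue;
	list_init(&queue);

	struct folio *src = toy_folio_alloc(9);   /* order 9 is an assumption for the example */
	src->large_rmappable = true;              /* normal alloc path wraps in page_rmappable_folio() */
	toy_deferred_split_folio(src, &queue);

	struct folio *dst = toy_folio_alloc(9);   /* migration target: flag not set */
	toy_folio_unqueue_deferred_split(src);    /* simplified: source leaves the queue during migration */
	toy_folio_migrate_flags(dst, src, with_fix);
	free(src);

	toy_deferred_split_folio(dst, &queue);    /* no large_rmappable check on the way in */

	toy_folio_unqueue_deferred_split(dst);    /* free path: bails out if the flag is clear */
	size_t stale = queue_len(&queue);         /* counted before release; the kernel walks after */
	list_del_init(&dst->_deferred_list);      /* model-only cleanup so free() leaves no dangling link */
	free(dst);
	return stale;
}

int main(void)
{
	printf("without fix: %zu stale entries\n", stale_entries_after_free(false));
	printf("with fix:    %zu stale entries\n", stale_entries_after_free(true));
	return 0;
}
```

The model counts the stale entry before releasing the memory because the real bug is exactly that the kernel counts it afterwards: the entry stays linked, the folio is freed, and the next shrinker walk follows `_deferred_list` into freed memory. Build with `cc -std=c11 -Wall` and run; the unfixed path reports one stale entry, the fixed path none.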