[PATCH] mm/huge_memory: update file PUD counter before folio_put()

Yin Tirui posted 1 patch 1 week, 6 days ago
mm/huge_memory.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] mm/huge_memory: update file PUD counter before folio_put()
Posted by Yin Tirui 1 week, 6 days ago
__split_huge_pud_locked() updates the file/shmem RSS counter after
dropping the PUD mapping's folio reference. If folio_put() drops the
last reference, mm_counter_file() can later read freed folio state via
folio_test_swapbacked().

Move the counter update before folio_put().

Fixes: dbe54153296d ("mm/huge_memory: add vmf_insert_folio_pud()")
Cc: <stable@vger.kernel.org>
Signed-off-by: Yin Tirui <yintirui@huawei.com>
---
 mm/huge_memory.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index a5f4a48b7b77..9832ee910d5e 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -3027,9 +3027,9 @@ static void __split_huge_pud_locked(struct vm_area_struct *vma, pud_t *pud,
 	if (!folio_test_referenced(folio) && pud_young(old_pud))
 		folio_set_referenced(folio);
 	folio_remove_rmap_pud(folio, page, vma);
-	folio_put(folio);
 	add_mm_counter(vma->vm_mm, mm_counter_file(folio),
 		-HPAGE_PUD_NR);
+	folio_put(folio);
 }
 
 void __split_huge_pud(struct vm_area_struct *vma, pud_t *pud,
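Review bot: nothing at the relocated `folio_put(folio);` line records why it has to come last, namely that `mm_counter_file(folio)` in the `add_mm_counter()` call just above it still reads the folio. A one-line comment there, for example "must follow the counter update: mm_counter_file() reads the folio", would keep a later cleanup from moving the put back up next to `folio_remove_rmap_pud()`.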
-- 
2.43.0
Re: [PATCH] mm/huge_memory: update file PUD counter before folio_put()
Posted by Dev Jain 1 week, 5 days ago

On 26/05/26 3:43 pm, Yin Tirui wrote:
> __split_huge_pud_locked() updates the file/shmem RSS counter after
> dropping the PUD mapping's folio reference. If folio_put() drops the
> last reference, mm_counter_file() can later read freed folio state via
> folio_test_swapbacked().
> 
> Move the counter update before folio_put().
> 
> Fixes: dbe54153296d ("mm/huge_memory: add vmf_insert_folio_pud()")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Yin Tirui <yintirui@huawei.com>
> ---

Reviewed-by: Dev Jain <dev.jain@arm.com>

>  mm/huge_memory.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/mm/huge_memory.c b/mm/huge_memory.c
> index a5f4a48b7b77..9832ee910d5e 100644
> --- a/mm/huge_memory.c
> +++ b/mm/huge_memory.c
> @@ -3027,9 +3027,9 @@ static void __split_huge_pud_locked(struct vm_area_struct *vma, pud_t *pud,
>  	if (!folio_test_referenced(folio) && pud_young(old_pud))
>  		folio_set_referenced(folio);
>  	folio_remove_rmap_pud(folio, page, vma);
> -	folio_put(folio);
>  	add_mm_counter(vma->vm_mm, mm_counter_file(folio),
>  		-HPAGE_PUD_NR);
> +	folio_put(folio);
>  }
>  
>  void __split_huge_pud(struct vm_area_struct *vma, pud_t *pud,
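Review bot: the changelog justifies moving `folio_put(folio);` below `add_mm_counter()` only with "If folio_put() drops the last reference", and does not say whether the read of freed folio state was observed (for example in a sanitizer report) or found by inspection. Since the patch carries Cc: stable, a sentence on how the problem was found and what a user would see would help backporters judge it.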
Re: [PATCH] mm/huge_memory: update file PUD counter before folio_put()
Posted by Lance Yang 1 week, 6 days ago
On Tue, May 26, 2026 at 06:13:55PM +0800, Yin Tirui wrote:
>__split_huge_pud_locked() updates the file/shmem RSS counter after
>dropping the PUD mapping's folio reference. If folio_put() drops the
>last reference, mm_counter_file() can later read freed folio state via
>folio_test_swapbacked().
>
>Move the counter update before folio_put().
>
>Fixes: dbe54153296d ("mm/huge_memory: add vmf_insert_folio_pud()")
>Cc: <stable@vger.kernel.org>
>Signed-off-by: Yin Tirui <yintirui@huawei.com>
>---

Thanks! Feel free to add:
Reviewed-by: Lance Yang <lance.yang@linux.dev>
Re: [PATCH] mm/huge_memory: update file PUD counter before folio_put()
Posted by David Hildenbrand (Arm) 1 week, 6 days ago
On 5/26/26 12:13, Yin Tirui wrote:
> __split_huge_pud_locked() updates the file/shmem RSS counter after
> dropping the PUD mapping's folio reference. If folio_put() drops the
> last reference, mm_counter_file() can later read freed folio state via
> folio_test_swapbacked().
> 
> Move the counter update before folio_put().
> 
> Fixes: dbe54153296d ("mm/huge_memory: add vmf_insert_folio_pud()")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Yin Tirui <yintirui@huawei.com>
> ---

Acked-by: David Hildenbrand (arm) <david@kernel.org>

-- 
Cheers,

David
Re: [PATCH] mm/huge_memory: update file PUD counter before folio_put()
Posted by Lorenzo Stoakes 1 week, 6 days ago
You sent this twice :)

On Tue, May 26, 2026 at 06:13:55PM +0800, Yin Tirui wrote:
> __split_huge_pud_locked() updates the file/shmem RSS counter after
> dropping the PUD mapping's folio reference. If folio_put() drops the
> last reference, mm_counter_file() can later read freed folio state via
> folio_test_swapbacked().
>
> Move the counter update before folio_put().
>
> Fixes: dbe54153296d ("mm/huge_memory: add vmf_insert_folio_pud()")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Yin Tirui <yintirui@huawei.com>

Patch looks sane to me, so:

Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>

There seems to be an identical problem in __split_huge_pmd_locked() - could you
do the same fix there?

Thanks, Lorenzo

> ---
>  mm/huge_memory.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/huge_memory.c b/mm/huge_memory.c
> index a5f4a48b7b77..9832ee910d5e 100644
> --- a/mm/huge_memory.c
> +++ b/mm/huge_memory.c
> @@ -3027,9 +3027,9 @@ static void __split_huge_pud_locked(struct vm_area_struct *vma, pud_t *pud,
>  	if (!folio_test_referenced(folio) && pud_young(old_pud))
>  		folio_set_referenced(folio);
>  	folio_remove_rmap_pud(folio, page, vma);
> -	folio_put(folio);
>  	add_mm_counter(vma->vm_mm, mm_counter_file(folio),
>  		-HPAGE_PUD_NR);
> +	folio_put(folio);
>  }
>
>  void __split_huge_pud(struct vm_area_struct *vma, pud_t *pud,
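Review bot: the changelog and diffstat give no pointer to the matching `__split_huge_pmd_locked()` fix, so this hunk in `__split_huge_pud_locked()` reads as the whole change. Sending the two as one series, or naming the companion patch in the changelog, would let the stable trees pick up both reorderings together.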
> --
> 2.43.0
>
Re: [PATCH] mm/huge_memory: update file PUD counter before folio_put()
Posted by Yin Tirui 1 week, 6 days ago
On 5/26/2026 6:47 PM, Lorenzo Stoakes wrote:
> You sent this twice :)
>
> On Tue, May 26, 2026 at 06:13:55PM +0800, Yin Tirui wrote:
>> __split_huge_pud_locked() updates the file/shmem RSS counter after
>> dropping the PUD mapping's folio reference. If folio_put() drops the
>> last reference, mm_counter_file() can later read freed folio state via
>> folio_test_swapbacked().
>>
>> Move the counter update before folio_put().
>>
>> Fixes: dbe54153296d ("mm/huge_memory: add vmf_insert_folio_pud()")
>> Cc: <stable@vger.kernel.org>
>> Signed-off-by: Yin Tirui <yintirui@huawei.com>
> Patch looks sane to me, so:
>
> Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
>
> There seems to be an identical problem in __split_huge_pmd_locked() - could you
> do the same fix there?

I have already sent it as another separate patch.

https://lore.kernel.org/linux-mm/20260526101337.1984081-1-yintirui@huawei.com/T/#u

>
> Thanks, Lorenzo
>
>> ---
>>   mm/huge_memory.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/mm/huge_memory.c b/mm/huge_memory.c
>> index a5f4a48b7b77..9832ee910d5e 100644
>> --- a/mm/huge_memory.c
>> +++ b/mm/huge_memory.c
>> @@ -3027,9 +3027,9 @@ static void __split_huge_pud_locked(struct vm_area_struct *vma, pud_t *pud,
>>   	if (!folio_test_referenced(folio) && pud_young(old_pud))
>>   		folio_set_referenced(folio);
>>   	folio_remove_rmap_pud(folio, page, vma);
>> -	folio_put(folio);
>>   	add_mm_counter(vma->vm_mm, mm_counter_file(folio),
>>   		-HPAGE_PUD_NR);
>> +	folio_put(folio);
>>   }
>>
>>   void __split_huge_pud(struct vm_area_struct *vma, pud_t *pud,
>> --
>> 2.43.0
>>
-- 
Yin Tirui
Re: [PATCH] mm/huge_memory: update file PUD counter before folio_put()
Posted by Lorenzo Stoakes 1 week, 6 days ago
On Tue, May 26, 2026 at 06:53:05PM +0800, Yin Tirui wrote:
>
> On 5/26/2026 6:47 PM, Lorenzo Stoakes wrote:
> > You sent this twice :)

Yeah oops you didn't, that was just the PMD part!

(Also my mail client may now, ironically, duplicate a reply...)

> >
> > On Tue, May 26, 2026 at 06:13:55PM +0800, Yin Tirui wrote:
> > > __split_huge_pud_locked() updates the file/shmem RSS counter after
> > > dropping the PUD mapping's folio reference. If folio_put() drops the
> > > last reference, mm_counter_file() can later read freed folio state via
> > > folio_test_swapbacked().
> > >
> > > Move the counter update before folio_put().
> > >
> > > Fixes: dbe54153296d ("mm/huge_memory: add vmf_insert_folio_pud()")
> > > Cc: <stable@vger.kernel.org>
> > > Signed-off-by: Yin Tirui <yintirui@huawei.com>
> > Patch looks sane to me, so:
> >
> > Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
> >
> > There seems to be an identical problem in __split_huge_pmd_locked() - could you
> > do the same fix there?
>
> I have already sent it as another separate patch.
>
> https://lore.kernel.org/linux-mm/20260526101337.1984081-1-yintirui@huawei.com/T/#u

Yup, inevitably hit send and only then notice this :)

Cheers, Lorenzo