From: Usama Arif <usama.arif@linux.dev>
To: Andrew Morton <akpm@linux-foundation.org>,
npache@redhat.com, david@kernel.org, ziy@nvidia.com,
willy@infradead.org, linux-mm@kvack.org
Cc: matthew.brost@intel.com, joshua.hahnjy@gmail.com,
hannes@cmpxchg.org, rakie.kim@sk.com, byungchul@sk.com,
gourry@gourry.net, ying.huang@linux.alibaba.com,
apopple@nvidia.com, linux-kernel@vger.kernel.org,
kernel-team@meta.com, Usama Arif <usama.arif@linux.dev>
Subject: [PATCH] mm: migrate: transfer large_rmappable flag in folio_migrate_flags()
Date: Wed, 11 Mar 2026 06:23:42 -0700 [thread overview]
Message-ID: <20260311132342.3193160-1-usama.arif@linux.dev> (raw)
folio_migrate_flags() transfers folio state from source to destination
during migration, but does not transfer the large_rmappable flag.
Migration allocators like alloc_migration_target() and
alloc_misplaced_dst_folio() use __folio_alloc() directly without
wrapping the result in page_rmappable_folio(), so the destination folio
never gets large_rmappable set.

This becomes a problem when a folio on the deferred split queue is
migrated: the destination folio can be added to the deferred split queue
via deferred_split_folio() (which does not check large_rmappable), but
when the folio is later freed, folio_unqueue_deferred_split() bails out
early because large_rmappable is not set:

	if (folio_order(folio) <= 1 || !folio_test_large_rmappable(folio))
		return false;

This leaves a stale entry on the deferred split queue, leading to
use-after-free when the shrinker walks the list.

Fix this by transferring large_rmappable in folio_migrate_flags(),
consistent with how all other folio flags are handled.
Fixes: dafff3f4c850 ("mm: split underused THPs")
Signed-off-by: Usama Arif <usama.arif@linux.dev>
---
mm/migrate.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/mm/migrate.c b/mm/migrate.c
index 3380021fd3db..ee1c7bc851dd 100644
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -846,6 +846,9 @@ void folio_migrate_flags(struct folio *newfolio, struct folio *folio)
folio_copy_owner(newfolio, folio);
pgalloc_tag_swap(newfolio, folio);
+ if (folio_test_large_rmappable(folio))
+ folio_set_large_rmappable(newfolio);
+
mem_cgroup_migrate(folio, newfolio);
}
EXPORT_SYMBOL(folio_migrate_flags);
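Review bot: the added `if (folio_test_large_rmappable(folio))` / `folio_set_large_rmappable(newfolio);` pair silently relies on newfolio having been allocated at the same order as folio, and nothing in folio_migrate_flags() otherwise mentions the deferred split queue, so a one-line comment above the `if` stating why the flag has to follow the folio (folio_unqueue_deferred_split() bails out without it and leaves a stale queue entry, as the description explains) would keep the intent visible next to the code rather than only in the commit log.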
--
2.52.0
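To make the failure mode in the description concrete, here is a constructed, stand-alone toy model (added example, not kernel code and not part of this patch) of the bookkeeping involved: a singly linked "deferred split" list, an enqueue that does not check the flag, an unqueue that bails out when the flag is missing, and a flag-transfer step that can run with or without the fix. Every name here (toy_folio, toy_migrate_flags, simulate, and so on) is a hypothetical stand-in for the kernel functions named in the commit message, and the stale-entry count stands in for the dangling pointer the shrinker would later walk.

```c
/* Constructed toy model of the deferred-split bookkeeping described in the
 * patch (example code, not kernel code). All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define ORDER_LARGE 9   /* any order > 1 qualifies for the split list */

struct toy_folio {
    unsigned int order;
    bool large_rmappable;
    bool queued;
    struct toy_folio *split_next;   /* link on the deferred split list */
};

/* Head of the (toy) deferred split list. */
static struct toy_folio *split_queue;

/* Models deferred_split_folio(): queues a large folio without checking
 * large_rmappable, exactly the asymmetry the commit message points at. */
static void toy_deferred_split_folio(struct toy_folio *f)
{
    if (f->order <= 1 || f->queued)
        return;
    f->split_next = split_queue;
    split_queue = f;
    f->queued = true;
}

/* Models folio_unqueue_deferred_split(): bails out early when the flag is
 * not set, so a queued folio without the flag is never removed. */
static bool toy_unqueue_deferred_split(struct toy_folio *f)
{
    if (f->order <= 1 || !f->large_rmappable)
        return false;
    for (struct toy_folio **pp = &split_queue; *pp; pp = &(*pp)->split_next) {
        if (*pp == f) {
            *pp = f->split_next;
            f->split_next = NULL;
            f->queued = false;
            return true;
        }
    }
    return false;
}

/* Models folio_migrate_flags(): copies state from old to newf. The
 * transfer_rmappable argument toggles the behaviour the patch adds. */
static void toy_migrate_flags(struct toy_folio *newf, const struct toy_folio *old,
                              bool transfer_rmappable)
{
    newf->order = old->order;
    if (transfer_rmappable && old->large_rmappable)
        newf->large_rmappable = true;
}

/* Models freeing: the folio must leave the split list before its memory
 * can be reused; in the kernel a leftover entry is the use-after-free. */
static void toy_free_folio(struct toy_folio *f)
{
    toy_unqueue_deferred_split(f);
}

/* Counts list entries still pointing at a folio that was just freed. */
static int stale_entries(const struct toy_folio *freed)
{
    int n = 0;
    for (const struct toy_folio *p = split_queue; p; p = p->split_next)
        if (p == freed)
            n++;
    return n;
}

/* Runs one migrate-then-free scenario and returns the number of stale
 * entries left behind: 1 without the fix, 0 with it. */
int simulate(bool with_fix)
{
    /* Source folio as page_rmappable_folio() would have produced it. */
    struct toy_folio src = { .order = ORDER_LARGE, .large_rmappable = true };
    /* Destination as __folio_alloc() hands it over: no flag set. */
    struct toy_folio dst = { 0 };

    split_queue = NULL;
    toy_migrate_flags(&dst, &src, with_fix);
    toy_deferred_split_folio(&dst);   /* queued regardless of the flag */
    toy_free_folio(&dst);             /* unqueue bails if the flag is missing */
    int stale = stale_entries(&dst);
    split_queue = NULL;               /* drop the dangling pointer in the model */
    return stale;
}

int main(void)
{
    printf("stale entries without fix: %d\n", simulate(false));
    printf("stale entries with fix:    %d\n", simulate(true));
    return 0;
}
```

The model deliberately mirrors only the two checks quoted in the commit message (order <= 1 on both paths, large_rmappable on the unqueue path only); the mismatch between them is what turns a missing flag on the destination folio into a list entry that outlives the folio.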