* [PATCH] mm/huge_memory: update file PMD counter before folio_put()
@ 2026-05-26 10:13 Yin Tirui
2026-05-26 11:05 ` Lorenzo Stoakes
2026-05-26 12:56 ` Lance Yang
0 siblings, 2 replies; 5+ messages in thread
From: Yin Tirui @ 2026-05-26 10:13 UTC (permalink / raw)
To: Andrew Morton
Cc: David Hildenbrand, Lorenzo Stoakes, Zi Yan, Baolin Wang,
Liam R . Howlett, Nico Pache, Ryan Roberts, Dev Jain, Barry Song,
Lance Yang, Vlastimil Babka, Yang Shi, wangkefeng.wang,
chenjun102, yintirui, linux-mm, linux-kernel, stable
__split_huge_pmd_locked() updates the file/shmem RSS counter after
dropping the PMD mapping's folio reference. If folio_put() drops the
last reference, mm_counter_file() can later read freed folio state via
folio_test_swapbacked().
Move the counter update before folio_put().
Fixes: fadae2953072 ("thp: use mm_file_counter to determine update which rss counter")
Cc: <stable@vger.kernel.org>
Signed-off-by: Yin Tirui <yintirui@huawei.com>
---
mm/huge_memory.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index 0135c29a4372..a5f4a48b7b77 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -3145,7 +3145,9 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
if (!folio_test_referenced(folio) && pmd_young(old_pmd))
folio_set_referenced(folio);
folio_remove_rmap_pmd(folio, page, vma);
+ add_mm_counter(mm, mm_counter_file(folio), -HPAGE_PMD_NR);
folio_put(folio);
+ return;
}
add_mm_counter(mm, mm_counter_file(folio), -HPAGE_PMD_NR);
return;
--
2.43.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] mm/huge_memory: update file PMD counter before folio_put()
2026-05-26 10:13 [PATCH] mm/huge_memory: update file PMD counter before folio_put() Yin Tirui
@ 2026-05-26 11:05 ` Lorenzo Stoakes
2026-05-26 11:17 ` Yin Tirui
2026-05-26 12:25 ` David Hildenbrand (Arm)
2026-05-26 12:56 ` Lance Yang
1 sibling, 2 replies; 5+ messages in thread
From: Lorenzo Stoakes @ 2026-05-26 11:05 UTC (permalink / raw)
To: Yin Tirui
Cc: Andrew Morton, David Hildenbrand, Zi Yan, Baolin Wang,
Liam R . Howlett, Nico Pache, Ryan Roberts, Dev Jain, Barry Song,
Lance Yang, Vlastimil Babka, Yang Shi, wangkefeng.wang,
chenjun102, linux-mm, linux-kernel, stable
On Tue, May 26, 2026 at 06:13:37PM +0800, Yin Tirui wrote:
> __split_huge_pmd_locked() updates the file/shmem RSS counter after
> dropping the PMD mapping's folio reference. If folio_put() drops the
> last reference, mm_counter_file() can later read freed folio state via
> folio_test_swapbacked().
>
> Move the counter update before folio_put().
>
> Fixes: fadae2953072 ("thp: use mm_file_counter to determine update which rss counter")
That's an old commit :) I mean I suspect we're probably not actually ever
dropping the folio ref to 0 here since we never had a report since ~2018.
The page cache keeping a reference I guess?
But doesn't mean we shouldn't fix this on principal/there being some way
this could happen.
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Yin Tirui <yintirui@huawei.com>
LGTM, so:
Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
> ---
> mm/huge_memory.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/mm/huge_memory.c b/mm/huge_memory.c
> index 0135c29a4372..a5f4a48b7b77 100644
> --- a/mm/huge_memory.c
> +++ b/mm/huge_memory.c
> @@ -3145,7 +3145,9 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
> if (!folio_test_referenced(folio) && pmd_young(old_pmd))
> folio_set_referenced(folio);
> folio_remove_rmap_pmd(folio, page, vma);
> + add_mm_counter(mm, mm_counter_file(folio), -HPAGE_PMD_NR);
> folio_put(folio);
> + return;
Hmm, sucks to duplicate like this, but for purposes of backport and getting
this resolved fine, we can clean it up later.
> }
> add_mm_counter(mm, mm_counter_file(folio), -HPAGE_PMD_NR);
> return;
> --
> 2.43.0
>
Cheers, Lorenzo
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] mm/huge_memory: update file PMD counter before folio_put()
2026-05-26 11:05 ` Lorenzo Stoakes
@ 2026-05-26 11:17 ` Yin Tirui
2026-05-26 12:25 ` David Hildenbrand (Arm)
1 sibling, 0 replies; 5+ messages in thread
From: Yin Tirui @ 2026-05-26 11:17 UTC (permalink / raw)
To: Lorenzo Stoakes
Cc: Andrew Morton, David Hildenbrand, Zi Yan, Baolin Wang,
Liam R . Howlett, Nico Pache, Ryan Roberts, Dev Jain, Barry Song,
Lance Yang, Vlastimil Babka, Yang Shi, wangkefeng.wang,
chenjun102, linux-mm, linux-kernel, stable
On 5/26/2026 7:05 PM, Lorenzo Stoakes wrote:
> On Tue, May 26, 2026 at 06:13:37PM +0800, Yin Tirui wrote:
>> __split_huge_pmd_locked() updates the file/shmem RSS counter after
>> dropping the PMD mapping's folio reference. If folio_put() drops the
>> last reference, mm_counter_file() can later read freed folio state via
>> folio_test_swapbacked().
>>
>> Move the counter update before folio_put().
>>
>> Fixes: fadae2953072 ("thp: use mm_file_counter to determine update which rss counter")
> That's an old commit :) I mean I suspect we're probably not actually ever
> dropping the folio ref to 0 here since we never had a report since ~2018.
>
> The page cache keeping a reference I guess?
>
> But doesn't mean we shouldn't fix this on principal/there being some way
> this could happen.
Yes, agreed.
>
>> Cc: <stable@vger.kernel.org>
>> Signed-off-by: Yin Tirui <yintirui@huawei.com>
> LGTM, so:
>
> Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
Thanks!
>> ---
>> mm/huge_memory.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/mm/huge_memory.c b/mm/huge_memory.c
>> index 0135c29a4372..a5f4a48b7b77 100644
>> --- a/mm/huge_memory.c
>> +++ b/mm/huge_memory.c
>> @@ -3145,7 +3145,9 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
>> if (!folio_test_referenced(folio) && pmd_young(old_pmd))
>> folio_set_referenced(folio);
>> folio_remove_rmap_pmd(folio, page, vma);
>> + add_mm_counter(mm, mm_counter_file(folio), -HPAGE_PMD_NR);
>> folio_put(folio);
>> + return;
> Hmm, sucks to duplicate like this, but for purposes of backport and getting
> this resolved fine, we can clean it up later.
Yes, that was my intention as well: keep this patch minimal for backport.
I will post the related refactoring patch soon.
>> }
>> add_mm_counter(mm, mm_counter_file(folio), -HPAGE_PMD_NR);
>> return;
>> --
>> 2.43.0
>>
> Cheers, Lorenzo
>
--
Yin Tirui
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] mm/huge_memory: update file PMD counter before folio_put()
2026-05-26 11:05 ` Lorenzo Stoakes
2026-05-26 11:17 ` Yin Tirui
@ 2026-05-26 12:25 ` David Hildenbrand (Arm)
1 sibling, 0 replies; 5+ messages in thread
From: David Hildenbrand (Arm) @ 2026-05-26 12:25 UTC (permalink / raw)
To: Lorenzo Stoakes, Yin Tirui
Cc: Andrew Morton, Zi Yan, Baolin Wang, Liam R . Howlett, Nico Pache,
Ryan Roberts, Dev Jain, Barry Song, Lance Yang, Vlastimil Babka,
Yang Shi, wangkefeng.wang, chenjun102, linux-mm, linux-kernel,
stable
On 5/26/26 13:05, Lorenzo Stoakes wrote:
> On Tue, May 26, 2026 at 06:13:37PM +0800, Yin Tirui wrote:
>> __split_huge_pmd_locked() updates the file/shmem RSS counter after
>> dropping the PMD mapping's folio reference. If folio_put() drops the
>> last reference, mm_counter_file() can later read freed folio state via
>> folio_test_swapbacked().
>>
>> Move the counter update before folio_put().
>>
>> Fixes: fadae2953072 ("thp: use mm_file_counter to determine update which rss counter")
>
> That's an old commit :) I mean I suspect we're probably not actually ever
> dropping the folio ref to 0 here since we never had a report since ~2018.
>
> The page cache keeping a reference I guess?
I assume we could be racing with truncation.
Truncation would have to trigger unmap itself before we do the
folio_remove_rmap_pmd().
While the race could happen in theory I think, I do assume this would be rather
hard to trigger.
>
> But doesn't mean we shouldn't fix this on principal/there being some way
> this could happen.
>
>> Cc: <stable@vger.kernel.org>
>> Signed-off-by: Yin Tirui <yintirui@huawei.com>
>
> LGTM, so:
>
> Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
Acked-by: David Hildenbrand (arm) <david@kernel.org>
--
Cheers,
David
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] mm/huge_memory: update file PMD counter before folio_put()
2026-05-26 10:13 [PATCH] mm/huge_memory: update file PMD counter before folio_put() Yin Tirui
2026-05-26 11:05 ` Lorenzo Stoakes
@ 2026-05-26 12:56 ` Lance Yang
1 sibling, 0 replies; 5+ messages in thread
From: Lance Yang @ 2026-05-26 12:56 UTC (permalink / raw)
To: yintirui
Cc: akpm, david, ljs, ziy, baolin.wang, liam, npache, ryan.roberts,
dev.jain, baohua, lance.yang, vbabka, yang.shi, wangkefeng.wang,
chenjun102, linux-mm, linux-kernel, stable
On Tue, May 26, 2026 at 06:13:37PM +0800, Yin Tirui wrote:
>__split_huge_pmd_locked() updates the file/shmem RSS counter after
>dropping the PMD mapping's folio reference. If folio_put() drops the
>last reference, mm_counter_file() can later read freed folio state via
>folio_test_swapbacked().
>
>Move the counter update before folio_put().
>
>Fixes: fadae2953072 ("thp: use mm_file_counter to determine update which rss counter")
>Cc: <stable@vger.kernel.org>
>Signed-off-by: Yin Tirui <yintirui@huawei.com>
>---
Thanks! Feel free to add:
Reviewed-by: Lance Yang <lance.yang@linux.dev>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-05-26 12:56 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-26 10:13 [PATCH] mm/huge_memory: update file PMD counter before folio_put() Yin Tirui
2026-05-26 11:05 ` Lorenzo Stoakes
2026-05-26 11:17 ` Yin Tirui
2026-05-26 12:25 ` David Hildenbrand (Arm)
2026-05-26 12:56 ` Lance Yang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox