mm/zone_device: do not touch device folio after calling ->folio_free()

The contents of a device folio can immediately change after calling
->folio_free(), as the folio may be reallocated by a driver with a
different order.  Instead of touching the folio again to extract the
pgmap, use the local stack variable when calling percpu_ref_put_many().

Link: https://lore.kernel.org/20260410230346.4009855-1-matthew.brost@intel.com
Fixes: d245f9b4ab80 ("mm/zone_device: support large zone device private folios")
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Reviewed-by: Balbir Singh <balbirs@nvidia.com>
Reviewed-by: Vishal Moola <vishal.moola@gmail.com>
Reviewed-by: Alistair Popple <apopple@nvidia.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

diff --git a/mm/memremap.c b/mm/memremap.c
index ac7be07e3361ae47490b60a864bf2b16423a13ba..053842d45cb1097bdfe05f049d00ec508ab152f3 100644 (file)
--- a/mm/memremap.c
+++ b/mm/memremap.c
@@ -454,7 +454,7 @@ void free_zone_device_folio(struct folio *folio)
                if (WARN_ON_ONCE(!pgmap->ops || !pgmap->ops->folio_free))
                        break;
                pgmap->ops->folio_free(folio);
-               percpu_ref_put_many(&folio->pgmap->ref, nr);
+               percpu_ref_put_many(&pgmap->ref, nr);
                break;
 
        case MEMORY_DEVICE_GENERIC: