Re: A potential refcount issue during __folio_split

[Wei Yang <richard.weiyang@gmail.com>]

On Mon, Feb 23, 2026 at 11:00:01PM -0500, Zi Yan wrote:
>On 23 Feb 2026, at 6:59, Wei Yang wrote:
>
>> On Mon, Feb 23, 2026 at 10:23:11AM +0100, David Hildenbrand (Arm) wrote:
>>>> BTW, in the folio world, I do not think it is possible to perform the aforementioned
>>>> split_huge_page_to_list_to_order() pattern any more, since you always work on folio,
>>>> the head. Unless there is a need of getting hold of a tail after-split folio after
>>>> a folio split, the pattern would be:
>>>>
>>>> tail_page = folio_page(folio, N);
>>>>
>>>> folio_get(folio);
>>>> folio_lock(folio);
>>>> folio_split(folio, ..., /* new parameter: lock_at = */ tail_page, ...);
>>>> tail_folio = page_folio(tail_page);
>>>> folio_unlock(tail_folio);
>>>> folio_put(tail_folio);
>>>
>>
>> Missed this. Agree.
>>
>>> Agreed. Maybe it would be even nicer if the split function could return the
>>> new folio directly.
>>>
>>> folio_get(folio);
>>> folio_lock(folio);
>>> split_folio = folio_split_XXX(folio, ..., tail_page, ...);
>>> if (IS_ERR_VALUE(split_folio)) {
>>> 	...
>>> }
>>> folio_unlock(split_folio);
>>> folio_put(split__folio);
>>>
>>
>> I am afraid it would be complicated?
>>
>> Well, we don't have this usecase now, could decide it when we do need it.
>
>The patch below should work, but for now, since we do not have any user,
>it is better to update the comment and add a check to make sure @lock_at
>always points to the head page if @list is not NULL.

Hi, Zi Yan

Below is my draft change for the comment and check. If it looks good, I would
like to send a formal patch.

Look forward your opinion.

diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index 2dbb35accf4b..8047f00bfc2a 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -4158,8 +4158,9 @@ int folio_split_unmapped(struct folio *folio, unsigned int new_order)
 
 /*
  * This function splits a large folio into smaller folios of order @new_order.
- * @page can point to any page of the large folio to split. The split operation
- * does not change the position of @page.
+ * If @list is null, @page can point to any page of the large folio to split.
+ * If @list is !null, @page must be head page of the large folio to split.
+ * The split operation does not change the position of @page.
  *
  * Prerequisites:
  *
@@ -4208,6 +4209,16 @@ int __split_huge_page_to_list_to_order(struct page *page, struct list_head *list
 {
 	struct folio *folio = page_folio(page);
 
+	/*
+	 * When @list is !null, each after-split tail folio would get one
+	 * refcount in lru_add_split_folio(). But all after-split folio
+	 * would release one refcount except the one at @page.
+	 *
+	 * So @page should be the head page for this case, otherwise the
+	 * refcount would be wrong.
+	 */
+	VM_WARN_ON_ONCE_FOLIO(list && (page != folio_page(folio, 0)), folio);
+
 	return __folio_split(folio, new_order, &folio->page, page, list,
 			     SPLIT_TYPE_UNIFORM);
 }
-- 
2.34.1

-- 
Wei Yang
Help you, Help me