Commit 399289849560 for kernel
commit 39928984956037cabd304321cb8f342e47421db5
Author: Matthew Brost <matthew.brost@intel.com>
Date: Fri Apr 10 16:03:46 2026 -0700
mm/zone_device: do not touch device folio after calling ->folio_free()

The contents of a device folio can immediately change after calling
->folio_free(), as the folio may be reallocated by a driver with a
different order. Instead of touching the folio again to extract the
pgmap, use the local stack variable when calling percpu_ref_put_many().

Link: https://lore.kernel.org/20260410230346.4009855-1-matthew.brost@intel.com
Fixes: d245f9b4ab80 ("mm/zone_device: support large zone device private folios")
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Reviewed-by: Balbir Singh <balbirs@nvidia.com>
Reviewed-by: Vishal Moola <vishal.moola@gmail.com>
Reviewed-by: Alistair Popple <apopple@nvidia.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
diff --git a/mm/memremap.c b/mm/memremap.c
index ac7be07e3361..053842d45cb1 100644
--- a/mm/memremap.c
+++ b/mm/memremap.c
@@ -454,7 +454,7 @@ void free_zone_device_folio(struct folio *folio)
if (WARN_ON_ONCE(!pgmap->ops || !pgmap->ops->folio_free))
break;
pgmap->ops->folio_free(folio);
- percpu_ref_put_many(&folio->pgmap->ref, nr);
+ percpu_ref_put_many(&pgmap->ref, nr);
break;
case MEMORY_DEVICE_GENERIC:
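Review bot: Nothing in the code after `pgmap->ops->folio_free(folio);` records that `folio` is off limits from that point on, so a later edit could reintroduce a `folio->pgmap` style dereference. A one-line comment above the `percpu_ref_put_many(&pgmap->ref, nr);` call, saying that the driver may already have reallocated the folio with a different order and that only the locals `pgmap` and `nr` may be used there, would keep the rule from the commit message next to the code. The hunk does not show where `nr` is computed; it is worth confirming that it, like `pgmap`, is read from the folio before the callback runs.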