mainline inclusion
from mainline-v6.10-rc1
commit 90e823498881fb8a91d83e9a8eed87c8c3ff2176
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IARBRI
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=90e823498881fb8a91d83e9a8eed87c8c3ff2176

--------------------------------

The commit 2c653d0e ("ksm: introduce ksm_max_page_sharing per page deduplication limit") introduced a possible failure case in stable_tree_insert(), where we may free the newly allocated stable_node_dup if we fail to prepare the missing chain node. Then that kfolio is returned and unlocked with a freed stable_node set... And any MM activity can come in to access kfolio->mapping, so UAF.

Fix it by moving folio_set_stable_node() to the end, after stable_node is inserted successfully.

Link: https://lkml.kernel.org/r/20240513-b4-ksm-stable-node-uaf-v1-1-f687de76f452@linux.dev
Fixes: 2c653d0e ("ksm: introduce ksm_max_page_sharing per page deduplication limit")
Signed-off-by: Chengming Zhou <chengming.zhou@linux.dev>
Acked-by: David Hildenbrand <david@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Stefan Roesch <shr@devkernel.io>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

Conflicts:
	mm/ksm.c
[OLK-6.6 didn't merge mainline inclusion commit 79899cce33e0887c06d41e767aa543aaaaef48e2 ("mm/ksm: convert chain series funcs and replace get_ksm_page")]

Signed-off-by: Kaixiong Yu <yukaixiong@huawei.com>
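The ordering bug the commit message describes, modelled as an added example that is not kernel code and not part of this commit: a folio is linked to a freshly allocated stable node before a later step that can still fail and free that node, so on the failure path the folio keeps a dangling pointer. The structure names (struct folio, struct stable_node, folio_set_stable_node), the chain-preparation step and the fake allocator are simplified stand-ins chosen for illustration; the real mm/ksm.c code is different. The fake kfree only marks a node as freed instead of releasing memory, so the dangling reference can be inspected without real undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical, heavily simplified stand-ins for the kernel objects. */
struct stable_node {
    bool freed;   /* set by fake_kfree() so a stale reference can be detected */
    int id;
};

struct folio {
    struct stable_node *mapping;   /* models kfolio->mapping holding the stable node */
};

/* Tiny fixed pool instead of a real allocator (illustration only). */
static struct stable_node node_pool[4];
static size_t node_pool_used;

static void pool_reset(void)
{
    node_pool_used = 0;
}

static struct stable_node *fake_kzalloc(void)
{
    if (node_pool_used >= sizeof node_pool / sizeof node_pool[0])
        return NULL;
    struct stable_node *n = &node_pool[node_pool_used++];
    n->freed = false;
    n->id = (int)node_pool_used;
    return n;
}

/* Does not release memory; only records that the object is dead. */
static void fake_kfree(struct stable_node *n)
{
    n->freed = true;
}

static void folio_set_stable_node(struct folio *f, struct stable_node *n)
{
    f->mapping = n;
}

/* Models "prepare the missing chain node"; fails when failure is injected. */
static bool prepare_chain(bool inject_failure)
{
    return !inject_failure;
}

/* Buggy ordering: the folio is linked before a step that can still fail. */
static int insert_buggy(struct folio *f, bool fail_chain)
{
    struct stable_node *dup = fake_kzalloc();
    if (!dup)
        return -1;
    folio_set_stable_node(f, dup);          /* too early */
    if (!prepare_chain(fail_chain)) {
        fake_kfree(dup);                     /* f->mapping now dangles */
        return -1;
    }
    return 0;
}

/* Fixed ordering: link the folio only after every fallible step succeeded. */
static int insert_fixed(struct folio *f, bool fail_chain)
{
    struct stable_node *dup = fake_kzalloc();
    if (!dup)
        return -1;
    if (!prepare_chain(fail_chain)) {
        fake_kfree(dup);                     /* nothing references dup yet */
        return -1;
    }
    folio_set_stable_node(f, dup);
    return 0;
}

/* True when the folio still references a node that has been freed. */
static bool folio_mapping_dangles(const struct folio *f)
{
    return f->mapping != NULL && f->mapping->freed;
}
```

On the injected failure path insert_buggy() leaves folio_mapping_dangles() true, which is the window in which any later access to the mapping becomes a use-after-free; insert_fixed() returns the same error but leaves the folio unlinked.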