From: Lorenzo Stoakes (Oracle) Date: Fri, 20 Mar 2026 18:07:21 +0000 (+0000) Subject: mm/huge_memory: handle buggy PMD entry in zap_huge_pmd() X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7011140612fd13000b2ebed43e1bfb542f90b959;p=thirdparty%2Fkernel%2Flinux.git mm/huge_memory: handle buggy PMD entry in zap_huge_pmd() A recent bug I analysed managed to, through a bug in the userfaultfd implementation, reach an invalid point in the zap_huge_pmd() code where the PMD was none of: - A non-DAX, PFN or mixed map. - The huge zero folio - A present PMD entry - A softleaf entry The code at this point calls folio_test_anon() on a known-NULL folio. Having logic like this explicitly NULL dereference in the code is hard to understand, and makes debugging potentially more difficult. Add an else branch to handle this case and WARN(). No functional change intended. Link: https://lore.kernel.org/all/6b3d7ad7-49e1-407a-903d-3103704160d8@lucifer.local/ Link: https://lkml.kernel.org/r/fcf1f6de84a2ace188b6bf103fa15dde695f1ed8.1774029655.git.ljs@kernel.org Signed-off-by: Lorenzo Stoakes (Oracle) Reviewed-by: Baolin Wang Reviewed-by: Suren Baghdasaryan Cc: Barry Song Cc: David Hildenbrand Cc: Dev Jain Cc: Lance Yang Cc: Liam Howlett Cc: Michal Hocko Cc: Mike Rapoport Cc: Nico Pache Cc: Qi Zheng Cc: Ryan Roberts Cc: Zi Yan Signed-off-by: Andrew Morton --- diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 65e554afdf163..2f9aec7d4952c 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -2462,6 +2462,10 @@ bool zap_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma, if (!thp_migration_supported()) WARN_ONCE(1, "Non present huge pmd without pmd migration enabled!"); + } else { + WARN_ON_ONCE(true); + spin_unlock(ptl); + return true; } if (folio_test_anon(folio)) {
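Review bot: the new else branch's `WARN_ON_ONCE(true)` gives no hint of what went wrong when it fires; the adjacent line already uses `WARN_ONCE(1, "Non present huge pmd without pmd migration enabled!")`, so a message-carrying form such as `WARN_ONCE(1, "Unexpected huge pmd state in zap_huge_pmd()")` would match the surrounding style and make the splat self-describing, and `1` rather than `true` is the idiom used elsewhere in this function. The early `spin_unlock(ptl); return true;` also deserves a short comment: returning true here tells the caller the PMD was handled, which is only safe if the entry has already been cleared and its TLB flush queued above the hunk, and nothing in the visible context documents that assumption. Finally, the commit message says "No functional change intended", but replacing a NULL dereference with a warning plus early return does change behaviour on the buggy path, so the description would read more accurately as "no functional change for valid PMDs".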