Re: [syzbot] [mm?] general protection fault in zap_huge_pmd

From: Lance Yang

Date: Wed Mar 18 2026 - 22:59:27 EST

On 2026/3/19 01:35, Lorenzo Stoakes (Oracle) wrote:
> On Thu, Mar 19, 2026 at 12:53:46AM +0800, Lance Yang wrote:
>> Looks like it hits a general protection fault in zap_huge_pmd() while
>> dereferencing folio->mapping via folio_test_anon() ...
>>
>> zap_huge_pmd() fails to handle non-present, non-none PMD entries that
>> are not valid PMD softleaf entries, leaving folio as NULL and
>> dereferencing it ...
>>
>> For PMD-sized hugetlb mappings like the reproducer above,
>> hugetlb/userfaultfd would make such PMD entries that can be
>> non-present and non-none without being valid PMD softleaf entries?
>
> Yeah, exactly :) interesting how it gets there though.
>
> Even after I figured out this was fixed I wanted to track it down!
>
> See
> https://lore.kernel.org/linux-mm/6b3d7ad7-49e1-407a-903d-3103704160d8@lucifer.local/
>
>> I'll look into it :)
>
> As per above, I already did the analysis on this monster, it's fixed already (of
> course!).
>
> I am going to send a patch to make this bit of the code more robust anyway!

Cool, thanks!