Re: [PATCH v2 4/9] mm/huge_memory: handle buggy PMD entry in zap_huge_pmd()

Next message: Chengwen Feng: "[PATCH v10 6/8] perf: arm_cspmu: Switch to acpi_get_cpu_uid() from get_acpi_id_for_cpu()"
Previous message: Chengwen Feng: "[PATCH v10 4/8] x86/acpi: Add acpi_get_cpu_uid() for unified ACPI CPU UID retrieval"
In reply to: Lorenzo Stoakes (Oracle): "[PATCH v2 4/9] mm/huge_memory: handle buggy PMD entry in zap_huge_pmd()"
Next in thread: Lorenzo Stoakes (Oracle): "[PATCH v2 6/9] mm/huge_memory: remove unnecessary VM_BUG_ON_PAGE()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Baolin Wang

Date: Thu Mar 19 2026 - 23:20:17 EST

On 3/19/26 9:00 PM, Lorenzo Stoakes (Oracle) wrote:

A recent bug I analysed [0] managed to, through a bug in the userfaultfd
implementation, reach an invalid point in the zap_huge_pmd() code where the
PMD was none of:

- A non-DAX, PFN or mixed map.
- The huge zero folio
- A present PMD entry
- A softleaf entry

The code at this point calls folio_test_anon() on a known-NULL
folio. Having logic like this explicitly NULL dereference in the code is
hard to understand, and makes debugging potentially more difficult.

Add an else branch to handle this case and WARN().

[0]:https://lore.kernel.org/all/6b3d7ad7-49e1-407a-903d-3103704160d8@lucifer.local/

Signed-off-by: Lorenzo Stoakes (Oracle) <ljs@xxxxxxxxxx>

LGTM.
Reviewed-by: Baolin Wang <baolin.wang@xxxxxxxxxxxxxxxxx>