Re: [syzbot] [mm?] general protection fault in zap_huge_pmd

From: Lorenzo Stoakes (Oracle)

Date: Wed Mar 18 2026 - 14:05:26 EST


On Thu, Mar 19, 2026 at 12:53:46AM +0800, Lance Yang wrote:
> Looks like it hits a general protection fault in zap_huge_pmd() while
> dereferencing folio->mapping via folio_test_anon() ...
>
> zap_huge_pmd() fails to handle non-present, non-none PMD entries that
> are not valid PMD softleaf entries, leaving folio as NULL and
> dereferencing it ...
>
> For PMD-sized hugetlb mappings like the reproducer above,
> hugetlb/userfaultfd would make such PMD entries that can be
> non-present and non-none without being valid PMD softleaf entries?

Yeah, exactly :) Interesting how it gets there though.

Even after I figured out this was fixed, I wanted to track it down!

See
https://lore.kernel.org/linux-mm/6b3d7ad7-49e1-407a-903d-3103704160d8@lucifer.local/

>
> I'll look into it :)

As per above, I already did the analysis on this monster; it's fixed already (of
course!).

I am going to send a patch to make this bit of the code more robust anyway!

Cheers, Lorenzo
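As an added illustration, not code from this thread, from the kernel, or from the pending patch: a small C model of the failure mode Lance describes above. A zap routine that treats every non-present, non-none PMD entry as a folio-backed softleaf entry is placed beside a version that gives folio-less entries (the hugetlb/userfaultfd markers mentioned above) their own path, so they never reach folio code. All names here (pmd_kind, zap_buggy, zap_robust, run_case, the four-way state split) are this example's own assumptions; the kernel's real predicates and the actual fix are in the linked analysis, not on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the states a PMD slot can be in. The names and the
 * four-way split are this example's assumptions, not kernel definitions. */
enum pmd_kind {
    PMD_NONE,      /* empty slot */
    PMD_PRESENT,   /* maps a folio directly */
    PMD_SOFTLEAF,  /* non-present, but still refers to a folio (e.g. migration) */
    PMD_MARKER,    /* non-present, non-none, refers to no folio at all */
};

struct folio {
    bool anon;     /* stands in for folio_test_anon() reading folio->mapping */
};

struct pmd_entry {
    enum pmd_kind kind;
    struct folio *folio;   /* meaningful for PMD_PRESENT and PMD_SOFTLEAF only */
};

enum zap_result {
    ZAP_NONE,            /* nothing to do */
    ZAP_ANON,            /* tore down an anonymous folio mapping */
    ZAP_FILE,            /* tore down a file-backed folio mapping */
    ZAP_MARKER_CLEARED,  /* cleared a folio-less entry without touching a folio */
    ZAP_NULL_DEREF,      /* models the crash: folio->mapping read through NULL */
};

/* Buggy shape: anything that is neither none nor present is assumed to be a
 * softleaf entry, so a marker leaves folio == NULL and it gets dereferenced. */
static enum zap_result zap_buggy(struct pmd_entry *pmd)
{
    struct folio *folio = NULL;

    if (pmd->kind == PMD_NONE)
        return ZAP_NONE;
    if (pmd->kind == PMD_PRESENT || pmd->kind == PMD_SOFTLEAF)
        folio = pmd->folio;
    /* PMD_MARKER falls through to here with folio still NULL */

    if (folio == NULL)
        return ZAP_NULL_DEREF;   /* the real code would fault right here */
    pmd->kind = PMD_NONE;
    return folio->anon ? ZAP_ANON : ZAP_FILE;
}

/* Hardened shape: classify every state explicitly; an entry that carries no
 * folio is cleared on its own path and never reaches folio code. */
static enum zap_result zap_robust(struct pmd_entry *pmd)
{
    struct folio *folio;

    switch (pmd->kind) {
    case PMD_NONE:
        return ZAP_NONE;
    case PMD_PRESENT:
    case PMD_SOFTLEAF:
        folio = pmd->folio;
        break;
    default:   /* PMD_MARKER, and any folio-less kind added later */
        pmd->kind = PMD_NONE;
        return ZAP_MARKER_CLEARED;
    }
    if (folio == NULL)   /* defensive: a folio-backed kind without a folio is a caller bug */
        return ZAP_NONE;
    pmd->kind = PMD_NONE;
    return folio->anon ? ZAP_ANON : ZAP_FILE;
}

/* Build one constructed entry of the given kind (with an anonymous folio
 * where a folio applies) and run it through the chosen zap routine. */
static enum zap_result run_case(enum pmd_kind kind, bool use_robust)
{
    struct folio anon_folio = { .anon = true };
    struct pmd_entry pmd = {
        .kind = kind,
        .folio = (kind == PMD_PRESENT || kind == PMD_SOFTLEAF) ? &anon_folio : NULL,
    };
    return use_robust ? zap_robust(&pmd) : zap_buggy(&pmd);
}

int main(void)
{
    static const char *names[] = { "none", "present", "softleaf", "marker" };

    for (int k = PMD_NONE; k <= PMD_MARKER; k++)
        printf("%-8s buggy=%d robust=%d\n", names[k],
               run_case((enum pmd_kind)k, false), run_case((enum pmd_kind)k, true));
    return 0;
}
```

The point of the model is the `default:` arm: the exhaustive classification makes "non-present, non-none, but not folio-backed" a state the code handles on purpose rather than one that falls out of an `else`, which is the shape of robustness the thread is talking about.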