- Linux-stable-mirror - lists.linaro.org

[Patch v2] mm/huge_memory: fix NULL pointer deference when splitting folio

by Wei Yang

Commit c010d47f107f ("mm: thp: split huge page to any lower order pages") introduced an early check on the folio's order via mapping->flags before proceeding with the split work. This check introduced a bug: for shmem folios in the swap cache and truncated folios, the mapping pointer can be NULL. Accessing mapping->flags in this state leads directly to a NULL pointer dereference. This commit fixes the issue by moving the check for mapping != NULL before any attempt to access mapping->flags. Fixes: c010d47f107f ("mm: thp: split huge page to any lower order pages") Signed-off-by: Wei Yang <richard.weiyang(a)gmail.com> Cc: Zi Yan <ziy(a)nvidia.com> Cc: "David Hildenbrand (Red Hat)" <david(a)kernel.org> Cc: <stable(a)vger.kernel.org> --- This patch is based on current mm-new, latest commit: febb34c02328 dt-bindings: riscv: Add Svrsw60t59b extension description v2: * just move folio->mapping ahead --- mm/huge_memory.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index efea42d68157..4e9e920f306d 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -3929,6 +3929,16 @@ static int __folio_split(struct folio *folio, unsigned int new_order, if (folio != page_folio(split_at) || folio != page_folio(lock_at)) return -EINVAL; + /* + * Folios that just got truncated cannot get split. Signal to the + * caller that there was a race. + * + * TODO: this will also currently refuse shmem folios that are in the + * swapcache. + */ + if (!is_anon && !folio->mapping) + return -EBUSY; + if (new_order >= old_order) return -EINVAL; @@ -3965,18 +3975,6 @@ static int __folio_split(struct folio *folio, unsigned int new_order, gfp_t gfp; mapping = folio->mapping; - - /* Truncated ? */ - /* - * TODO: add support for large shmem folio in swap cache. - * When shmem is in swap cache, mapping is NULL and - * folio_test_swapcache() is true. - */ - if (!mapping) { - ret = -EBUSY; - goto out; - } - min_order = mapping_min_folio_order(folio->mapping); if (new_order < min_order) { ret = -EINVAL; -- 2.34.1

2 weeks, 4 days

5
6
0 0

[PATCH v2] spi: fsl-cpm: Check length parity before switching to 16 bit mode

by Christophe Leroy

Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size") failed to make sure that the size is really even before switching to 16 bit mode. Until recently the problem went unnoticed because kernfs uses a pre-allocated bounce buffer of size PAGE_SIZE for reading EEPROM. But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API") introduced an additional dynamically allocated bounce buffer whose size is exactly the size of the transfer, leading to a buffer overrun in the fsl-cpm driver when that size is odd. Add the missing length parity verification and remain in 8 bit mode when the length is not even. Fixes: fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size") Cc: stable(a)vger.kernel.org Closes: https://lore.kernel.org/all/638496dd-ec60-4e53-bad7-eb657f67d580@csgroup.eu/ Signed-off-by: Christophe Leroy <christophe.leroy(a)csgroup.eu> Reviewed-by: Sverdlin Alexander <alexander.sverdlin(a)siemens.com> --- v2: Updated with comments from Alexander --- drivers/spi/spi-fsl-spi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/spi/spi-fsl-spi.c b/drivers/spi/spi-fsl-spi.c index 2f2082652a1a..481a7b28aacd 100644 --- a/drivers/spi/spi-fsl-spi.c +++ b/drivers/spi/spi-fsl-spi.c @@ -335,7 +335,7 @@ static int fsl_spi_prepare_message(struct spi_controller *ctlr, if (t->bits_per_word == 16 || t->bits_per_word == 32) t->bits_per_word = 8; /* pretend its 8 bits */ if (t->bits_per_word == 8 && t->len >= 256 && - (mpc8xxx_spi->flags & SPI_CPM1)) + !(t->len & 1) && (mpc8xxx_spi->flags & SPI_CPM1)) t->bits_per_word = 16; } } -- 2.49.0

2 weeks, 4 days

1
0
0 0

[PATCH] LoongArch: Don't panic if no valid cache info for PCI

by Huacai Chen

If there is no valid cache info detected (may happen in virtual machine) for pci_dfl_cache_line_size, kernel shouldn't panic. Because in the PCI core it will be evaluated to (L1_CACHE_BYTES >> 2). Cc: <stable(a)vger.kernel.org> Signed-off-by: Jiaxun Yang <jiaxun.yang(a)flygoat.com> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- arch/loongarch/pci/pci.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/loongarch/pci/pci.c b/arch/loongarch/pci/pci.c index 5bc9627a6cf9..d9fc5d520b37 100644 --- a/arch/loongarch/pci/pci.c +++ b/arch/loongarch/pci/pci.c @@ -50,11 +50,11 @@ static int __init pcibios_init(void) */ lsize = cpu_last_level_cache_line_size(); - BUG_ON(!lsize); + if (lsize) { + pci_dfl_cache_line_size = lsize >> 2; - pci_dfl_cache_line_size = lsize >> 2; - - pr_debug("PCI: pci_cache_line_size set to %d bytes\n", lsize); + pr_debug("PCI: pci_cache_line_size set to %d bytes\n", lsize); + } return 0; } -- 2.47.3

2 weeks, 4 days

1
0
0 0

[PATCH v3] usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths

by Manish Nagar

This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking `dwc3_remove_requests()`, leading to premature freeing of USB requests and subsequent crashes. Three distinct execution paths interact with `dwc3_remove_requests()`: Path 1: Triggered via `dwc3_gadget_reset_interrupt()` during USB reset handling. The call stack includes: - `dwc3_ep0_reset_state()` - `dwc3_ep0_stall_and_restart()` - `dwc3_ep0_out_start()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 2: Also initiated from `dwc3_gadget_reset_interrupt()`, but through `dwc3_stop_active_transfers()`. The call stack includes: - `dwc3_stop_active_transfers()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 3: Occurs independently during `adb root` execution, which triggers USB function unbind and bind operations. The sequence includes: - `gserial_disconnect()` - `usb_ep_disable()` - `dwc3_gadget_ep_disable()` - `dwc3_remove_requests()` with `-ESHUTDOWN` status Path 3 operates asynchronously and lacks synchronization with Paths 1 and 2. When Path 3 completes, it disables endpoints and frees 'out' requests. If Paths 1 or 2 are still processing these requests, accessing freed memory leads to a crash due to use-after-free conditions. To fix this added check for request completion and skip processing if already completed and added the request status for ep0 while queue. Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") Cc: stable(a)vger.kernel.org Suggested-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Acked-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> Signed-off-by: Manish Nagar <manish.nagar(a)oss.qualcomm.com> --- Changes in v3: - Add the fixes tag , cc stable and acked-by tag. Changes in v2: - Add a check for request completion, in v1 I am avoiding this by wait for completion for ep0 then process the other eps. Link to v2: Link: https://lore.kernel.org/all/20251119171926.1622603-1-manish.nagar@oss.qualc… Link to v1: Link: https://lore.kernel.org/all/20251028080553.618304-1-manish.nagar@oss.qualco… drivers/usb/dwc3/ep0.c | 1 + drivers/usb/dwc3/gadget.c | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/drivers/usb/dwc3/ep0.c b/drivers/usb/dwc3/ep0.c index b4229aa13f37..e0bad5708664 100644 --- a/drivers/usb/dwc3/ep0.c +++ b/drivers/usb/dwc3/ep0.c @@ -94,6 +94,7 @@ static int __dwc3_gadget_ep0_queue(struct dwc3_ep *dep, req->request.actual = 0; req->request.status = -EINPROGRESS; req->epnum = dep->number; + req->status = DWC3_REQUEST_STATUS_QUEUED; list_add_tail(&req->list, &dep->pending_list); diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index 6f18b4840a25..5e4997f974dd 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -228,6 +228,13 @@ void dwc3_gadget_giveback(struct dwc3_ep *dep, struct dwc3_request *req, { struct dwc3 *dwc = dep->dwc; + /* + * The request might have been processed and completed while the + * spinlock was released. Skip processing if already completed. + */ + if (req->status == DWC3_REQUEST_STATUS_COMPLETED) + return; + dwc3_gadget_del_and_unmap_request(dep, req, status); req->status = DWC3_REQUEST_STATUS_COMPLETED; -- 2.25.1

2 weeks, 4 days

1
0
0 0

Re: it's Seven again for PCBA One-stop Service

by Seven

Hi , What would it mean to you if your business was able to reduce Expenses by 20% (Clients: Littelfuse, Corsair, BMB, Mercedes-Benz, Fantac) We are a PCBA factory with an area of 6,000 square meters. We have been in this industry for 18 years and have an experienced team of engineers. Help you reduce BOM Expenses Fast delivery (15 days for Demo) Competitive prices (10% lower than peers) Real factory processing fees are Fees Complete quality management system (ISO9001,ISO14001,ISO13485,IATF16949,UL)Given how well our pcba service suits your needs, I think we could do some Excellent work together. Seven LeeChief Technology Officer Business Department | Shenzhen STHL Technology Co,Ltd +8618569002840 Seven(a)pcba-china.com 在2025-06-04，Seven <seven(a)ems-sthi.com> 写道:-----原始邮件----- 发件人： Seven <seven(a)ems-sthi.com> 发件时间: 2025年06月04日周三收件人： [Linux-stable-mirror <linux-stable-mirror(a)lists.linaro.org>] 主题： Re:Jordan recommend me get in touch Hi, Glad to know you and your company from Jordan. I‘m Seven CTO of STHL We are a one-stop service provider for PCBA. We can help you with production from PCB to finished product assembly. Why Partner With Us? ✅ One-Stop Expertise: From PCB fabrication, PCBA (SMT & Through-Hole), custom cable harnesses, , to final product assembly – we eliminate multi-vendor coordination risks. ✅ Cost Efficiency: 40%+ clients reduce logistics/QC costs through our integrated service model (ISO 9001:2015 certified). ✅ Speed-to-Market: Average 15% faster lead times achieved via in-house vertical integration. Recent Success Case: Helped a German IoT startup scale from prototype to 50K-unit/month production within 6 months through our: PCB Design-for-Manufacturing (DFM) optimization Automated PCBA with 99.98% first-pass yield Mechanical housing CNC machining & IP67-rated assembly Seven Marcus CTO Shenzhen STHL Technology Co,Ltd +8618569002840 Seven(a)pcba-china.com

2 weeks, 4 days

1
0
0 0

[PATCH net v5 0/5] net: dsa: microchip: Fix resource releases in error path

by Bastien Curutchet (Schneider Electric)

Hi all, I worked on adding PTP support for the KSZ8463. While doing so, I ran into a few bugs in the resource release process that occur when things go wrong arount IRQ initialization. This small series fixes those bugs. The next series, which will add the PTP support, depend on this one. Signed-off-by: Bastien Curutchet (Schneider Electric) <bastien.curutchet(a)bootlin.com> --- Changes in v5: - All: Add Cc Tag. - PATCH 3: Use dsa_switch_for_each_user_port_continue_reverse() to only iterate over initialized ports. - PATCH 4: Also clean PTP IRQs on port initialization failures - Link to v4: https://lore.kernel.org/r/20251117-ksz-fix-v4-0-13e1da58a492@bootlin.com Changes in v4: - PATCH 1 & 2: Add Andrew's Reviewed-By. - PATCH 3: Ensure ksz_irq is initialized outside of ksz_irq_free() - Add PATCH 4 - PATCH 5: Fix symetry issues in ksz_ptp_msg_irq_{setup/free}() - Link to v3: https://lore.kernel.org/r/20251114-ksz-fix-v3-0-acbb3b9cc32f@bootlin.com Changes in v3: - PATCH 1 and 3: Fix Fixes tags - PATCH 3: Move the irq_dispose_mapping() behind the check that verifies that the domain is initialized - Link to v2: https://lore.kernel.org/r/20251106-ksz-fix-v2-0-07188f608873@bootlin.com Changes in v2: - Add Fixes tag. - Split PATCH 1 in two patches as it needed two different Fixes tags - Add details in commit logs - Link to v1: https://lore.kernel.org/r/20251031-ksz-fix-v1-0-7e46de999ed1@bootlin.com --- Bastien Curutchet (Schneider Electric) (5): net: dsa: microchip: common: Fix checks on irq_find_mapping() net: dsa: microchip: ptp: Fix checks on irq_find_mapping() net: dsa: microchip: Don't free uninitialized ksz_irq net: dsa: microchip: Free previously initialized ports on init failures net: dsa: microchip: Fix symetry in ksz_ptp_msg_irq_{setup/free}() drivers/net/dsa/microchip/ksz_common.c | 34 +++++++++++++++++----------------- drivers/net/dsa/microchip/ksz_ptp.c | 22 +++++++++------------- 2 files changed, 26 insertions(+), 30 deletions(-) --- base-commit: 09652e543e809c2369dca142fee5d9b05be9bdc7 change-id: 20251031-ksz-fix-db345df7635f Best regards, -- Bastien Curutchet (Schneider Electric) <bastien.curutchet(a)bootlin.com>

2 weeks, 4 days

3
7
0 0

[PATCH] scsi: aic94xx: fix use-after-free in device removal path

by moonafterrain＠outlook.com

From: Junrui Luo <moonafterrain(a)outlook.com> The asd_pci_remove() function fails to synchronize with pending tasklets before freeing the asd_ha structure, leading to a potential use-after-free vulnerability. When a device removal is triggered (via hot-unplug or module unload), race condition can occur. The fix adds tasklet_kill() before freeing the asd_ha structure, ensuring all scheduled tasklets complete before cleanup proceeds. Reported-by: Yuhao Jiang <danisjiang(a)gmail.com> Reported-by: Junrui Luo <moonafterrain(a)outlook.com> Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") Cc: stable(a)vger.kernel.org Signed-off-by: Junrui Luo <moonafterrain(a)outlook.com> --- drivers/scsi/aic94xx/aic94xx_init.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/scsi/aic94xx/aic94xx_init.c b/drivers/scsi/aic94xx/aic94xx_init.c index adf3d9145606..95f3620059f7 100644 --- a/drivers/scsi/aic94xx/aic94xx_init.c +++ b/drivers/scsi/aic94xx/aic94xx_init.c @@ -882,6 +882,9 @@ static void asd_pci_remove(struct pci_dev *dev) asd_disable_ints(asd_ha); + /* Ensure all scheduled tasklets complete before freeing resources */ + tasklet_kill(&asd_ha->seq.dl_tasklet); + asd_remove_dev_attrs(asd_ha); /* XXX more here as needed */ -- 2.51.1.dirty

2 weeks, 4 days

2
1
0 0

[PATCH net 00/11] mptcp: misc fixes for v6.18-rc7

by Matthieu Baerts (NGI0)

Here are various unrelated fixes: - Patch 1: Fix window space computation for fallback connections which can affect ACK generation. A fix for v5.11. - Patch 2: Avoid unneeded subflow-level drops due to unsynced received window. A fix for v5.11. - Patch 3: Avoid premature close for fallback connections with PREEMPT kernels. A fix for v5.12. - Patch 4: Reset instead of fallback in case of data in the MPTCP out-of-order queue. A fix for v5.7. - Patches 5-7: Avoid also sending "plain" TCP reset when closing with an MP_FASTCLOSE. A fix for v6.1. - Patches 8-9: Longer timeout for background connections in MPTCP Join selftests. An additional fix for recent patches for v5.13/v6.1. - Patches 10-11: Fix typo in a check introduce in a recent refactoring. A fix for v6.15. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Gang Yan (2): mptcp: fix address removal logic in mptcp_pm_nl_rm_addr selftests: mptcp: add a check for 'add_addr_accepted' Matthieu Baerts (NGI0) (3): selftests: mptcp: join: fastclose: remove flaky marks selftests: mptcp: join: endpoints: longer timeout selftests: mptcp: join: userspace: longer timeout Paolo Abeni (6): mptcp: fix ack generation for fallback msk mptcp: avoid unneeded subflow-level drops mptcp: fix premature close in case of fallback mptcp: do not fallback when OoO is present mptcp: decouple mptcp fastclose from tcp close mptcp: fix duplicate reset on fastclose net/mptcp/options.c | 54 +++++++++++++++++++++- net/mptcp/pm_kernel.c | 2 +- net/mptcp/protocol.c | 59 +++++++++++++++++-------- net/mptcp/protocol.h | 3 +- tools/testing/selftests/net/mptcp/mptcp_join.sh | 27 ++++++----- 5 files changed, 113 insertions(+), 32 deletions(-) --- base-commit: 8e0a754b0836d996802713bbebc87bc1cc17925c change-id: 20251117-net-mptcp-misc-fixes-6-18-rc6-835d94cdc095 Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

2 weeks, 4 days

3
12
0 0

[PATCH] mm/huge_memory: fix NULL pointer deference when splitting shmem folio in swap cache

by Wei Yang

Commit c010d47f107f ("mm: thp: split huge page to any lower order pages") introduced an early check on the folio's order via mapping->flags before proceeding with the split work. This check introduced a bug: for shmem folios in the swap cache, the mapping pointer can be NULL. Accessing mapping->flags in this state leads directly to a NULL pointer dereference. This commit fixes the issue by moving the check for mapping != NULL before any attempt to access mapping->flags. This fix necessarily changes the return value from -EBUSY to -EINVAL when mapping is NULL. After reviewing current callers, they do not differentiate between these two error codes, making this change safe. Fixes: c010d47f107f ("mm: thp: split huge page to any lower order pages") Signed-off-by: Wei Yang <richard.weiyang(a)gmail.com> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> --- This patch is based on current mm-new, latest commit: 056b93566a35 mm/vmalloc: warn only once when vmalloc detect invalid gfp flags Backport note: Current code evolved from original commit with following four changes. We should do proper adjustment respectively on backporting. commit c010d47f107f609b9f4d6a103b6dfc53889049e9 Author: Zi Yan <ziy(a)nvidia.com> Date: Mon Feb 26 15:55:33 2024 -0500 mm: thp: split huge page to any lower order pages commit 6a50c9b512f7734bc356f4bd47885a6f7c98491a Author: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> Date: Fri Jun 7 17:40:48 2024 +0800 mm: huge_memory: fix misused mapping_large_folio_support() for anon folios commit 9b2f764933eb5e3ac9ebba26e3341529219c4401 Author: Zi Yan <ziy(a)nvidia.com> Date: Wed Jan 22 11:19:27 2025 -0500 mm/huge_memory: allow split shmem large folio to any lower order commit 58729c04cf1092b87aeef0bf0998c9e2e4771133 Author: Zi Yan <ziy(a)nvidia.com> Date: Fri Mar 7 12:39:57 2025 -0500 mm/huge_memory: add buddy allocator like (non-uniform) folio_split() --- mm/huge_memory.c | 68 +++++++++++++++++++++++++----------------------- 1 file changed, 35 insertions(+), 33 deletions(-) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 7c69572b6c3f..8701c3eef05f 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -3696,29 +3696,42 @@ bool folio_split_supported(struct folio *folio, unsigned int new_order, "Cannot split to order-1 folio"); if (new_order == 1) return false; - } else if (split_type == SPLIT_TYPE_NON_UNIFORM || new_order) { - if (IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && - !mapping_large_folio_support(folio->mapping)) { - /* - * We can always split a folio down to a single page - * (new_order == 0) uniformly. - * - * For any other scenario - * a) uniform split targeting a large folio - * (new_order > 0) - * b) any non-uniform split - * we must confirm that the file system supports large - * folios. - * - * Note that we might still have THPs in such - * mappings, which is created from khugepaged when - * CONFIG_READ_ONLY_THP_FOR_FS is enabled. But in that - * case, the mapping does not actually support large - * folios properly. - */ - VM_WARN_ONCE(warns, - "Cannot split file folio to non-0 order"); + } else { + const struct address_space *mapping = folio->mapping; + + /* Truncated ? */ + /* + * TODO: add support for large shmem folio in swap cache. + * When shmem is in swap cache, mapping is NULL and + * folio_test_swapcache() is true. + */ + if (!mapping) return false; + + if (split_type == SPLIT_TYPE_NON_UNIFORM || new_order) { + if (IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && + !mapping_large_folio_support(folio->mapping)) { + /* + * We can always split a folio down to a + * single page (new_order == 0) uniformly. + * + * For any other scenario + * a) uniform split targeting a large folio + * (new_order > 0) + * b) any non-uniform split + * we must confirm that the file system + * supports large folios. + * + * Note that we might still have THPs in such + * mappings, which is created from khugepaged + * when CONFIG_READ_ONLY_THP_FOR_FS is + * enabled. But in that case, the mapping does + * not actually support large folios properly. + */ + VM_WARN_ONCE(warns, + "Cannot split file folio to non-0 order"); + return false; + } } } @@ -3965,17 +3978,6 @@ static int __folio_split(struct folio *folio, unsigned int new_order, mapping = folio->mapping; - /* Truncated ? */ - /* - * TODO: add support for large shmem folio in swap cache. - * When shmem is in swap cache, mapping is NULL and - * folio_test_swapcache() is true. - */ - if (!mapping) { - ret = -EBUSY; - goto out; - } - min_order = mapping_min_folio_order(folio->mapping); if (new_order < min_order) { ret = -EINVAL; -- 2.34.1

2 weeks, 5 days

3
21
0 0

+ mm-huge_memory-fix-null-pointer-deference-when-splitting-folio.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/huge_memory: fix NULL pointer deference when splitting folio has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-huge_memory-fix-null-pointer-deference-when-splitting-folio.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Wei Yang <richard.weiyang(a)gmail.com> Subject: mm/huge_memory: fix NULL pointer deference when splitting folio Date: Wed, 19 Nov 2025 23:53:02 +0000 Commit c010d47f107f ("mm: thp: split huge page to any lower order pages") introduced an early check on the folio's order via mapping->flags before proceeding with the split work. This check introduced a bug: for shmem folios in the swap cache and truncated folios, the mapping pointer can be NULL. Accessing mapping->flags in this state leads directly to a NULL pointer dereference. This commit fixes the issue by moving the check for mapping != NULL before any attempt to access mapping->flags. Link: https://lkml.kernel.org/r/20251119235302.24773-1-richard.weiyang@gmail.com Fixes: c010d47f107f ("mm: thp: split huge page to any lower order pages") Signed-off-by: Wei Yang <richard.weiyang(a)gmail.com> Reviewed-by: Zi Yan <ziy(a)nvidia.com> Cc: "David Hildenbrand (Red Hat)" <david(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/huge_memory.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) --- a/mm/huge_memory.c~mm-huge_memory-fix-null-pointer-deference-when-splitting-folio +++ a/mm/huge_memory.c @@ -3619,6 +3619,16 @@ static int __folio_split(struct folio *f if (folio != page_folio(split_at) || folio != page_folio(lock_at)) return -EINVAL; + /* + * Folios that just got truncated cannot get split. Signal to the + * caller that there was a race. + * + * TODO: this will also currently refuse shmem folios that are in the + * swapcache. + */ + if (!is_anon && !folio->mapping) + return -EBUSY; + if (new_order >= folio_order(folio)) return -EINVAL; @@ -3659,18 +3669,6 @@ static int __folio_split(struct folio *f gfp_t gfp; mapping = folio->mapping; - - /* Truncated ? */ - /* - * TODO: add support for large shmem folio in swap cache. - * When shmem is in swap cache, mapping is NULL and - * folio_test_swapcache() is true. - */ - if (!mapping) { - ret = -EBUSY; - goto out; - } - min_order = mapping_min_folio_order(folio->mapping); if (new_order < min_order) { ret = -EINVAL; _ Patches currently in -mm which might be from richard.weiyang(a)gmail.com are mm-huge_memory-fix-null-pointer-deference-when-splitting-folio.patch mm-huge_memory-add-pmd-folio-to-ds_queue-in-do_huge_zero_wp_pmd.patch mm-khugepaged-unify-pmd-folio-installation-with-map_anon_folio_pmd.patch mm-huge_memory-only-get-folio_order-once-during-__folio_split.patch mm-huge_memory-introduce-enum-split_type-for-clarity.patch mm-huge_memory-merge-uniform_split_supported-and-non_uniform_split_supported.patch mm-khugepaged-remove-redundant-clearing-of-struct-collapse_control.patch mm-khugepaged-continue-to-collapse-on-scan_pmd_none.patch mm-khugepaged-unify-scan_pmd_none-and-scan_pmd_null-into-scan_no_pte_table.patch

2 weeks, 5 days

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror