* FAILED: patch "[PATCH] mm/huge_memory: fix NULL pointer deference when splitting" failed to apply to 6.12-stable tree
@ 2025-12-01 16:04 gregkh
2025-12-01 22:18 ` [PATCH 6.12.y] mm/huge_memory: fix NULL pointer deference when splitting folio Sasha Levin
0 siblings, 1 reply; 3+ messages in thread
From: gregkh @ 2025-12-01 16:04 UTC (permalink / raw)
To: richard.weiyang, akpm, baolin.wang, david, stable, ziy; +Cc: stable
The patch below does not apply to the 6.12-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y
git checkout FETCH_HEAD
git cherry-pick -x cff47b9e39a6abf03dde5f4f156f841b0c54bba0
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable@vger.kernel.org>' --in-reply-to '2025120102-geranium-elevator-ca86@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From cff47b9e39a6abf03dde5f4f156f841b0c54bba0 Mon Sep 17 00:00:00 2001
From: Wei Yang <richard.weiyang@gmail.com>
Date: Wed, 19 Nov 2025 23:53:02 +0000
Subject: [PATCH] mm/huge_memory: fix NULL pointer deference when splitting
folio
Commit c010d47f107f ("mm: thp: split huge page to any lower order pages")
introduced an early check on the folio's order via mapping->flags before
proceeding with the split work.
This check introduced a bug: for shmem folios in the swap cache and
truncated folios, the mapping pointer can be NULL. Accessing
mapping->flags in this state leads directly to a NULL pointer dereference.
This commit fixes the issue by moving the check for mapping != NULL before
any attempt to access mapping->flags.
Link: https://lkml.kernel.org/r/20251119235302.24773-1-richard.weiyang@gmail.com
Fixes: c010d47f107f ("mm: thp: split huge page to any lower order pages")
Signed-off-by: Wei Yang <richard.weiyang@gmail.com>
Reviewed-by: Zi Yan <ziy@nvidia.com>
Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index 2f2a521e5d68..6cba1cb14b23 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -3619,6 +3619,16 @@ static int __folio_split(struct folio *folio, unsigned int new_order,
if (folio != page_folio(split_at) || folio != page_folio(lock_at))
return -EINVAL;
+ /*
+ * Folios that just got truncated cannot get split. Signal to the
+ * caller that there was a race.
+ *
+ * TODO: this will also currently refuse shmem folios that are in the
+ * swapcache.
+ */
+ if (!is_anon && !folio->mapping)
+ return -EBUSY;
+
if (new_order >= folio_order(folio))
return -EINVAL;
@@ -3659,18 +3669,6 @@ static int __folio_split(struct folio *folio, unsigned int new_order,
gfp_t gfp;
mapping = folio->mapping;
-
- /* Truncated ? */
- /*
- * TODO: add support for large shmem folio in swap cache.
- * When shmem is in swap cache, mapping is NULL and
- * folio_test_swapcache() is true.
- */
- if (!mapping) {
- ret = -EBUSY;
- goto out;
- }
-
min_order = mapping_min_folio_order(folio->mapping);
if (new_order < min_order) {
ret = -EINVAL;
^ permalink raw reply related [flat|nested] 3+ messages in thread* [PATCH 6.12.y] mm/huge_memory: fix NULL pointer deference when splitting folio
2025-12-01 16:04 FAILED: patch "[PATCH] mm/huge_memory: fix NULL pointer deference when splitting" failed to apply to 6.12-stable tree gregkh
@ 2025-12-01 22:18 ` Sasha Levin
2025-12-02 7:44 ` Wei Yang
0 siblings, 1 reply; 3+ messages in thread
From: Sasha Levin @ 2025-12-01 22:18 UTC (permalink / raw)
To: stable
Cc: Wei Yang, Zi Yan, David Hildenbrand (Red Hat), Baolin Wang,
Andrew Morton, Sasha Levin
From: Wei Yang <richard.weiyang@gmail.com>
[ Upstream commit cff47b9e39a6abf03dde5f4f156f841b0c54bba0 ]
Commit c010d47f107f ("mm: thp: split huge page to any lower order pages")
introduced an early check on the folio's order via mapping->flags before
proceeding with the split work.
This check introduced a bug: for shmem folios in the swap cache and
truncated folios, the mapping pointer can be NULL. Accessing
mapping->flags in this state leads directly to a NULL pointer dereference.
This commit fixes the issue by moving the check for mapping != NULL before
any attempt to access mapping->flags.
Link: https://lkml.kernel.org/r/20251119235302.24773-1-richard.weiyang@gmail.com
Fixes: c010d47f107f ("mm: thp: split huge page to any lower order pages")
Signed-off-by: Wei Yang <richard.weiyang@gmail.com>
Reviewed-by: Zi Yan <ziy@nvidia.com>
Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ applied fix to split_huge_page_to_list_to_order() instead of __folio_split() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/huge_memory.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index d68a22c729fb3..2065374c7e9e6 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -3404,6 +3404,16 @@ int split_huge_page_to_list_to_order(struct page *page, struct list_head *list,
if (new_order >= folio_order(folio))
return -EINVAL;
+ /*
+ * Folios that just got truncated cannot get split. Signal to the
+ * caller that there was a race.
+ *
+ * TODO: this will also currently refuse shmem folios that are in the
+ * swapcache.
+ */
+ if (!is_anon && !folio->mapping)
+ return -EBUSY;
+
if (is_anon) {
/* order-1 is not supported for anonymous THP. */
if (new_order == 1) {
@@ -3466,13 +3476,6 @@ int split_huge_page_to_list_to_order(struct page *page, struct list_head *list,
gfp_t gfp;
mapping = folio->mapping;
-
- /* Truncated ? */
- if (!mapping) {
- ret = -EBUSY;
- goto out;
- }
-
min_order = mapping_min_folio_order(folio->mapping);
if (new_order < min_order) {
VM_WARN_ONCE(1, "Cannot split mapped folio below min-order: %u",
--
2.51.0
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH 6.12.y] mm/huge_memory: fix NULL pointer deference when splitting folio
2025-12-01 22:18 ` [PATCH 6.12.y] mm/huge_memory: fix NULL pointer deference when splitting folio Sasha Levin
@ 2025-12-02 7:44 ` Wei Yang
0 siblings, 0 replies; 3+ messages in thread
From: Wei Yang @ 2025-12-02 7:44 UTC (permalink / raw)
To: Sasha Levin
Cc: stable, Wei Yang, Zi Yan, David Hildenbrand (Red Hat),
Baolin Wang, Andrew Morton
On Mon, Dec 01, 2025 at 05:18:18PM -0500, Sasha Levin wrote:
>From: Wei Yang <richard.weiyang@gmail.com>
>
>[ Upstream commit cff47b9e39a6abf03dde5f4f156f841b0c54bba0 ]
>
>Commit c010d47f107f ("mm: thp: split huge page to any lower order pages")
>introduced an early check on the folio's order via mapping->flags before
>proceeding with the split work.
>
>This check introduced a bug: for shmem folios in the swap cache and
>truncated folios, the mapping pointer can be NULL. Accessing
>mapping->flags in this state leads directly to a NULL pointer dereference.
>
>This commit fixes the issue by moving the check for mapping != NULL before
>any attempt to access mapping->flags.
>
>Link: https://lkml.kernel.org/r/20251119235302.24773-1-richard.weiyang@gmail.com
>Fixes: c010d47f107f ("mm: thp: split huge page to any lower order pages")
>Signed-off-by: Wei Yang <richard.weiyang@gmail.com>
>Reviewed-by: Zi Yan <ziy@nvidia.com>
>Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
>Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
>Cc: <stable@vger.kernel.org>
>Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
>[ applied fix to split_huge_page_to_list_to_order() instead of __folio_split() ]
>Signed-off-by: Sasha Levin <sashal@kernel.org>
>---
> mm/huge_memory.c | 17 ++++++++++-------
> 1 file changed, 10 insertions(+), 7 deletions(-)
>
>diff --git a/mm/huge_memory.c b/mm/huge_memory.c
>index d68a22c729fb3..2065374c7e9e6 100644
>--- a/mm/huge_memory.c
>+++ b/mm/huge_memory.c
>@@ -3404,6 +3404,16 @@ int split_huge_page_to_list_to_order(struct page *page, struct list_head *list,
> if (new_order >= folio_order(folio))
> return -EINVAL;
>
>+ /*
>+ * Folios that just got truncated cannot get split. Signal to the
>+ * caller that there was a race.
>+ *
>+ * TODO: this will also currently refuse shmem folios that are in the
>+ * swapcache.
>+ */
>+ if (!is_anon && !folio->mapping)
>+ return -EBUSY;
>+
Looks good, thanks.
> if (is_anon) {
> /* order-1 is not supported for anonymous THP. */
> if (new_order == 1) {
>@@ -3466,13 +3476,6 @@ int split_huge_page_to_list_to_order(struct page *page, struct list_head *list,
> gfp_t gfp;
>
> mapping = folio->mapping;
>-
>- /* Truncated ? */
>- if (!mapping) {
>- ret = -EBUSY;
>- goto out;
>- }
>-
> min_order = mapping_min_folio_order(folio->mapping);
> if (new_order < min_order) {
> VM_WARN_ONCE(1, "Cannot split mapped folio below min-order: %u",
>--
>2.51.0
--
Wei Yang
Help you, Help me
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-12-02 7:44 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-12-01 16:04 FAILED: patch "[PATCH] mm/huge_memory: fix NULL pointer deference when splitting" failed to apply to 6.12-stable tree gregkh
2025-12-01 22:18 ` [PATCH 6.12.y] mm/huge_memory: fix NULL pointer deference when splitting folio Sasha Levin
2025-12-02 7:44 ` Wei Yang
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.