From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out-189.mta1.migadu.com (out-189.mta1.migadu.com [95.215.58.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B431637416E for ; Thu, 26 Feb 2026 11:33:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.189 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772105618; cv=none; b=J63ar5TBNrPMbYqX1cwB6OgCmO+UtW/9ddRdNEIUG2t410VIe6qADc7xvGJAl9+HBDJHKfV1FgWfQAErhdcmGE+EPNrirOFXwTibpvyfiKoZzhxX3+oZC4ObPkg8eUVhaE4smTuhhJnKFReZhiv2d/39EOFvoA0s2fAhkpUUjoQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772105618; c=relaxed/simple; bh=jWNr9bp7CMcrs4J16sp5L4ZzsKS8zPrT2o2GCqfuflY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Jg0qEyhuh7b7SqKC2q02ilxoeDk9bZy2KaeTp8v0+2PXx4XjKhHF7SQoZ/CK4m4vUilsGq5xA24dAg6XaefFXCu77Wc1QIRmztSez91sCVkuKhwV2wKim2tXlHcl1lczT3vL0A4ZVEpwKNkf0jcTMunphuYZIYemjk3MsACI75M= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=hUNYtyZh; arc=none smtp.client-ip=95.215.58.189 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="hUNYtyZh" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1772105610; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=HcjsQV50nDatk8NFhsm3n/z/wAZY5b80YB+EzBptEz0=; b=hUNYtyZhaqlksnd9AfSZRt096lmVApHmXGQuSN2BpnlEr3x8YHG94GOzMTUoa/3r7gWEkq 45emp28Vxqc7n2wBQVg1LWyfVHtjlcaJ4w3bF7QR+JjA9SJu1LjAHrKEC+xPZYvhAhbt9r GhTu0cvDNKxZfXQZTdIFSvNtBxE363I= From: Usama Arif To: Andrew Morton , david@kernel.org, lorenzo.stoakes@oracle.com, willy@infradead.org, linux-mm@kvack.org Cc: fvdl@google.com, hannes@cmpxchg.org, riel@surriel.com, shakeel.butt@linux.dev, kas@kernel.org, baohua@kernel.org, dev.jain@arm.com, baolin.wang@linux.alibaba.com, npache@redhat.com, Liam.Howlett@oracle.com, ryan.roberts@arm.com, Vlastimil Babka , lance.yang@linux.dev, linux-kernel@vger.kernel.org, kernel-team@meta.com, maddy@linux.ibm.com, mpe@ellerman.id.au, linuxppc-dev@lists.ozlabs.org, hca@linux.ibm.com, gor@linux.ibm.com, agordeev@linux.ibm.com, borntraeger@linux.ibm.com, svens@linux.ibm.com, linux-s390@vger.kernel.org, Usama Arif Subject: [RFC v2 05/21] mm: thp: handle split failure in zap_pmd_range() Date: Thu, 26 Feb 2026 03:23:34 -0800 Message-ID: <20260226113233.3987674-6-usama.arif@linux.dev> In-Reply-To: <20260226113233.3987674-1-usama.arif@linux.dev> References: <20260226113233.3987674-1-usama.arif@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Migadu-Flow: FLOW_OUT zap_pmd_range() splits a huge PMD when the zap range doesn't cover the full PMD (partial unmap). If the split fails, the PMD stays huge. Falling through to zap_pte_range() would dereference the huge PMD entry as a PTE page table pointer. Skip the range covered by the PMD on split failure instead. The skip is safe across all call paths into zap_pmd_range(): - exit_mmap() and OOM reaper: the zap range covers entire VMAs, so every PMD is fully covered (next - addr == HPAGE_PMD_SIZE). The zap_huge_pmd() branch handles these without splitting. The split failure path is unreachable. - munmap / mmap overlay: vma_adjust_trans_huge() (called from __split_vma) splits any PMD straddling the VMA boundary before the VMA is split. If that PMD split fails, __split_vma() returns -ENOMEM and the munmap is aborted before reaching zap_pmd_range(). The split failure path is unreachable. - MADV_DONTNEED: advisory hint, the kernel is allowed to ignore it. The pages remain valid and accessible. A subsequent access returns existing data without faulting. Signed-off-by: Usama Arif --- mm/memory.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/mm/memory.c b/mm/memory.c index 9385842c35034..7ba1221c63792 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -1983,9 +1983,18 @@ static inline unsigned long zap_pmd_range(struct mmu_gather *tlb, do { next = pmd_addr_end(addr, end); if (pmd_is_huge(*pmd)) { - if (next - addr != HPAGE_PMD_SIZE) - __split_huge_pmd(vma, pmd, addr, false); - else if (zap_huge_pmd(tlb, vma, pmd, addr)) { + if (next - addr != HPAGE_PMD_SIZE) { + /* + * If split fails, the PMD stays huge. + * Skip the range to avoid falling through + * to zap_pte_range, which would treat the + * huge PMD entry as a page table pointer. + */ + if (__split_huge_pmd(vma, pmd, addr, false)) { + addr = next; + continue; + } + } else if (zap_huge_pmd(tlb, vma, pmd, addr)) { addr = next; continue; } -- 2.47.3