d regression tests.

- As a side note, I've kept the two mm fixes split intentionally for stable backports, even though patch one immediately gets superseded by patch two. The reason is they track back to different commits, so although patch 2 rewrites the same branch in newer trees, keeping the fixes separate preserves the correct Fixes: annotations and lets stable pick the applicable fix for a given tree.

---

Two fixes for the huge zero page path in move_pages_huge_pmd() (UFFDIO_MOVE).

Patch 1 fixes a use of NULL folio introduced by the folio_mk_pmd() conversion in commit e3981db444a0 ("mm: add folio_mk_pmd()"), which replaced mk_huge_pmd(src_page, ...) with folio_mk_pmd(src_folio, ...) in the huge zero page branch where src_folio is explicitly NULL. With SPARSEMEM_VMEMMAP this silently produces a PMD with a bogus PFN; on other memory models it is a NULL deref.

Patch 2 fixes huge zeropage refcount corruption after commit d82d09e48219 ("mm/huge_memory: mark PMD mappings of the huge zero folio special") by preserving the moved huge zero PMD state instead of reconstructing the destination PMD from the folio. This keeps the PMD special bit intact on CONFIG_ARCH_HAS_PTE_SPECIAL architectures and avoids vm_normal_page_pmd() misclassifying the moved huge zeropage PMD as a normal page.

Chris Down (3):
  mm/huge_memory: Fix use of NULL folio in move_pages_huge_pmd()
  mm/huge_memory: Prevent huge zeropage refcount corruption in PMD move
  selftests/mm: Add UFFDIO_MOVE huge zeropage PMD regression test

 mm/huge_memory.c                             |   3 +-
 tools/testing/selftests/mm/uffd-unit-tests.c | 176 +++++++++++++++++++
 2 files changed, 178 insertions(+), 1 deletion(-)

--
2.51.2

[PATCH v2 0/3] mm/huge_memory: Fix move_pages_huge_pmd() for huge zero pages
Chris Down, Andrew Morton, …