In folio_zero_user(), the page pointer is calculated via folio_page() before checking if the number of pages to be cleared is greater than zero. Furthermore, folio_page() does not verify that the page number lies within folio. When 'addr_hint' is near the end of a large folio, the range 'r[0]' represents an empty interval. In this scenario, 'nr_pages' will be calculated as 0 and 'r[0].start' can be an index that is out-of-bounds for folio_page(). The code unconditionally calls folio_page() on a wrong index, even though the subsequent clearing logic is correctly skipped. While this does not cause a functional bug today, calculating a page pointer for an out-of-bounds index is logically unsound and fragile. It could pose a risk for future refactoring or trigger warnings from static analysis tools. To fix this, move the call to folio_page() inside the 'if (nr_pages > 0)' block. This ensures that the page pointer is only calculated when it is actually needed for a valid, non-empty range of pages, thus making the code more robust and logically correct. Signed-off-by: Li Zhe --- mm/memory.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/mm/memory.c b/mm/memory.c index 07778814b4a8..6f8c55d604b5 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -7343,12 +7343,14 @@ void folio_zero_user(struct folio *folio, unsigned long addr_hint) r[0] = DEFINE_RANGE(r[2].end + 1, pg.end); for (i = 0; i < ARRAY_SIZE(r); i++) { - const unsigned long addr = base_addr + r[i].start * PAGE_SIZE; const long nr_pages = (long)range_len(&r[i]); - struct page *page = folio_page(folio, r[i].start); - if (nr_pages > 0) + if (nr_pages > 0) { + const unsigned long addr = base_addr + r[i].start * PAGE_SIZE; + struct page *page = folio_page(folio, r[i].start); + clear_contig_highpages(page, addr, nr_pages); + } } } -- 2.20.1
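Review bot: The commit message should state what `range_len()` returns for the inverted `r[0]` case, since the hunk keeps the `(long)` cast on `const long nr_pages = (long)range_len(&r[i]);` and only the `> 0` test guards the new block. The message says `nr_pages` is 0 when `r[2].end + 1` exceeds `pg.end`, but the cast suggests the unsigned length can wrap and come out negative after conversion; documenting which of the two happens (or that the `> 0` check deliberately covers both) makes it clear why `if (nr_pages > 0) {` is a sufficient guard for both `addr` and `folio_page()`. The code change itself is correct as shown: both the `addr` computation and the `folio_page()` call are now only evaluated for a non-empty range, and the added braces are needed since the block has three statements.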