I looked at the definition of is_huge_zero_page():
static inline bool is_huge_zero_page(struct page *page)
{
return READ_ONCE(huge_zero_page) == page;
}
That made me raise my eyebrows a bit because it will return false for
tail pages of the HZP (that was at least unexpected for me). Then we
have this beauty:
void free_page_and_swap_cache(struct page *page)
{
struct folio *folio = page_folio(page);
free_swap_cache(folio);
if (!is_huge_zero_page(page))
folio_put(folio);
}
So if we can call free_page_and_swap_cache() with a tail of the HZP
we can absolutely screw up its refcounting. Now, we have VM_BUGs
to catch the refcount going below 0, and I haven't seen them being
hit, so I _presume_ it doesn't happen, but maybe somebody inventive
could come up with a way of putting a HZP tail into a page table ...?
