In the Linux kernel, the following vulnerability has been resolved:
mm/pagealloc: don't call pfntopage() on possibly non-existent PFN in splitlarge_buddy()
In splitlargebuddy(), we might call pfntopage() on a PFN that might not exist. In corner cases, such as when freeing the highest pageblock in the last memory section, this could result with CONFIGSPARSEMEM && !CONFIGSPARSEMEMEXTREME in _pfntosection() returning NULL and and _sectionmemmapaddr() dereferencing that NULL pointer.
Let's fix it, and avoid doing a pfntopage() call for the first iteration, where we already have the page.
So far this was found by code inspection, but let's just CC stable as the fix is easy.