From: Sasha Levin
To: akpm@linux-foundation.org, peterx@redhat.com
Cc: aarcange@redhat.com, surenb@google.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Sasha Levin, stable@vger.kernel.org
Subject: [PATCH] mm/userfaultfd: fix missing PTE unmap for non-migration entries
Date: Sun, 29 Jun 2025 23:19:58 -0400
Message-Id: <20250630031958.1225651-1-sashal@kernel.org>
X-Mailer: git-send-email 2.39.5
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

When handling non-swap entries in move_pages_pte(), the error handling for entries that are NOT migration entries fails to unmap the page table entries before jumping to the error handling label. This results in a kmap/kunmap imbalance which on CONFIG_HIGHPTE systems triggers a WARNING in kunmap_local_indexed() because the kmap stack is corrupted.
Example call trace on ARM32 (CONFIG_HIGHPTE enabled):

WARNING: CPU: 1 PID: 633 at mm/highmem.c:622 kunmap_local_indexed+0x178/0x17c
Call trace:
 kunmap_local_indexed from move_pages+0x964/0x19f4
 move_pages from userfaultfd_ioctl+0x129c/0x2144
 userfaultfd_ioctl from sys_ioctl+0x558/0xd24

The issue was introduced with the UFFDIO_MOVE feature but became more frequent with the addition of guard pages (commit 7c53dfbdb024 ("mm: add PTE_MARKER_GUARD PTE marker")) which made the non-migration entry code path more commonly executed during userfaultfd operations.

Fix this by ensuring PTEs are properly unmapped in all non-swap entry paths before jumping to the error handling label, not just for migration entries.

Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin
--- mm/userfaultfd.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c index 8253978ee0fb1..7c298e9cbc18f 100644 --- a/mm/userfaultfd.c +++ b/mm/userfaultfd.c @@ -1384,14 +1384,15 @@ static int move_pages_pte(struct mm_struct *mm, pmd_t *dst_pmd, pmd_t *src_pmd, entry = pte_to_swp_entry(orig_src_pte); if (non_swap_entry(entry)) { + pte_unmap(src_pte); + pte_unmap(dst_pte); + src_pte = dst_pte = NULL; if (is_migration_entry(entry)) { - pte_unmap(src_pte); - pte_unmap(dst_pte); - src_pte = dst_pte = NULL; migration_entry_wait(mm, src_pmd, src_addr); err = -EAGAIN; - } else + } else { err = -EFAULT; + } goto out; } -- 2.39.5
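Review bot: the premise that the -EFAULT path leaves the PTE pages mapped does not follow from the hunk itself. The three hoisted lines end with `src_pte = dst_pte = NULL;` before `goto out`, which only makes sense if the `out:` label calls pte_unmap() on whichever pointer is still non-NULL; if it does, the pre-patch `else err = -EFAULT; goto out;` path was already being unmapped at `out:` and nothing was leaked. Please state in the commit message what `out:` does with src_pte/dst_pte, and check the order it unmaps them in: the WARN_ON at mm/highmem.c:622 in kunmap_local_indexed() fires when the address being unmapped is not the most recently mapped live slot (a non-LIFO kunmap_local), which a missing unmap alone would not trip at that call site. Note that the hunk itself keeps the right LIFO order (src_pte, mapped after dst_pte, is unmapped first); if `out:` releases them as dst_pte then src_pte, that ordering, not this branch, would explain the trace, and this change would merely stop the -EFAULT path from reaching it. The added braces around the now single-statement `else` are fine given the multi-statement `if` branch.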
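The commit message describes a kmap/kunmap imbalance corrupting the per-task kmap_local stack under CONFIG_HIGHPTE (where pte_offset_map() maps the PTE page with kmap_local_page() and pte_unmap() releases it with kunmap_local()). The following is an added userspace model written for this thread; it is not code from mm/highmem.c, mm/userfaultfd.c or this patch, and every name in it (model_kmap, model_kunmap, run_sequence, struct seq_result, the slot count and fixmap base) is invented. It mirrors the mapping order of move_pages_pte() (dst_pte first, then src_pte) and shows the two distinct failure modes a kunmap_local_indexed() warning can be confused with: unmapping in the wrong order, which the real WARN_ON_ONCE at that site reports immediately, and skipping the unmap entirely, which leaves live mappings behind and is caught elsewhere (the kernel's kmap_assert_nomap() on return to user space), not at the kunmap site.

```c
/*
 * Model of the kernel's per-task kmap_local slot stack (added illustration,
 * NOT kernel code; all names here are invented for the model).
 * kmap_local hands out fixmap slots as a stack, so every kunmap_local()
 * must release the most recently mapped still-live slot.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

#define KM_MAX_IDX   16            /* model's slot count, arbitrary */
#define FIX_KMAP_TOP 0xfff00000UL  /* model fixmap base, arbitrary */
#define PAGE_SHIFT   12

struct kmap_stack {
	int idx;                        /* live mappings (kmap_local_idx) */
	int warned;                     /* LIFO violations seen */
	unsigned long slot[KM_MAX_IDX]; /* vaddr handed out for each slot */
};

static unsigned long fix_to_virt(int idx)
{
	return FIX_KMAP_TOP - ((unsigned long)idx << PAGE_SHIFT);
}

/* kmap_local_page() stand-in: push a slot, return its virtual address. */
static unsigned long model_kmap(struct kmap_stack *s)
{
	assert(s->idx < KM_MAX_IDX);    /* kernel BUG()s on stack overflow */
	s->slot[s->idx] = fix_to_virt(s->idx);
	return s->slot[s->idx++];
}

/*
 * kunmap_local() stand-in: like kunmap_local_indexed(), expect to pop the
 * top slot, warn if the address being unmapped is not the one living
 * there, and pop regardless.
 */
static void model_kunmap(struct kmap_stack *s, unsigned long vaddr)
{
	if (s->idx == 0) {              /* unmap with nothing mapped */
		s->warned++;
		return;
	}
	if (vaddr != s->slot[s->idx - 1])
		s->warned++;                /* WARN_ON_ONCE(addr != expected) */
	s->idx--;
}

struct seq_result {
	int warnings;                   /* LIFO violations during the run */
	int live;                       /* mappings still held on return */
};

/*
 * Same shape as move_pages_pte(): dst_pte is mapped first, then src_pte.
 * unmap_src_first=true is the LIFO-correct order; false reverses it;
 * skip_unmap=true returns without unmapping (the imbalance the commit
 * message describes) and so leaks two live slots without warning here.
 */
static struct seq_result run_sequence(bool unmap_src_first, bool skip_unmap)
{
	struct kmap_stack s = { 0 };
	struct seq_result r;
	unsigned long dst_pte = model_kmap(&s);
	unsigned long src_pte = model_kmap(&s);

	if (!skip_unmap) {
		if (unmap_src_first) {
			model_kunmap(&s, src_pte);
			model_kunmap(&s, dst_pte);
		} else {
			model_kunmap(&s, dst_pte);
			model_kunmap(&s, src_pte);
		}
	}
	r.warnings = s.warned;
	r.live = s.idx;
	return r;
}

int main(void)
{
	struct seq_result ok = run_sequence(true, false);
	struct seq_result rev = run_sequence(false, false);
	struct seq_result leak = run_sequence(true, true);

	printf("LIFO unmap:     warnings=%d live=%d\n", ok.warnings, ok.live);
	printf("reversed unmap: warnings=%d live=%d\n", rev.warnings, rev.live);
	printf("skipped unmap:  warnings=%d live=%d\n", leak.warnings, leak.live);
	return 0;
}
```

Build with `cc -Wall -o kmap_model kmap_model.c && ./kmap_model`. The reversed-order run produces two warnings at the unmap calls while ending with an empty stack; the skipped run produces none at the time but leaves two mappings live. That is the distinction to keep in mind when reading a kunmap_local_indexed() backtrace: the WARN at that site points at ordering of the unmaps that did happen, so a fix should be checked against the unmap order on the reported path, not only against whether an unmap is missing.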