Date: Mon, 30 Jun 2025 17:57:46 -0700
From: Andrew Morton
To: Sasha Levin
Cc: peterx@redhat.com, aarcange@redhat.com, surenb@google.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] mm/userfaultfd: fix missing PTE unmap for non-migration entries
Message-Id: <20250630175746.e52af129fd2d88deecc25169@linux-foundation.org>
In-Reply-To: <20250630031958.1225651-1-sashal@kernel.org>
References: <20250630031958.1225651-1-sashal@kernel.org>

On Sun, 29 Jun 2025 23:19:58 -0400 Sasha Levin wrote:

> When handling non-swap entries in move_pages_pte(), the error handling
> for entries that are NOT migration entries fails to unmap the page table
> entries before jumping to the error handling label.
>
> This results in a kmap/kunmap imbalance which on CONFIG_HIGHPTE systems
> triggers a WARNING in kunmap_local_indexed() because the kmap stack is
> corrupted.
>
> Example call trace on ARM32 (CONFIG_HIGHPTE enabled):
> WARNING: CPU: 1 PID: 633 at mm/highmem.c:622 kunmap_local_indexed+0x178/0x17c
> Call trace:
> kunmap_local_indexed from move_pages+0x964/0x19f4
> move_pages from userfaultfd_ioctl+0x129c/0x2144
> userfaultfd_ioctl from sys_ioctl+0x558/0xd24
>
> The issue was introduced with the UFFDIO_MOVE feature but became more
> frequent with the addition of guard pages (commit 7c53dfbdb024 ("mm: add
> PTE_MARKER_GUARD PTE marker")) which made the non-migration entry code
> path more commonly executed during userfaultfd operations.
>
> Fix this by ensuring PTEs are properly unmapped in all non-swap entry
> paths before jumping to the error handling label, not just for migration
> entries.

I don't get it.

> --- a/mm/userfaultfd.c
> +++ b/mm/userfaultfd.c
> @@ -1384,14 +1384,15 @@ static int move_pages_pte(struct mm_struct *mm, pmd_t *dst_pmd, pmd_t *src_pmd, > > entry = pte_to_swp_entry(orig_src_pte); > if (non_swap_entry(entry)) { > + pte_unmap(src_pte); > + pte_unmap(dst_pte); > + src_pte = dst_pte = NULL; > if (is_migration_entry(entry)) { > - pte_unmap(src_pte); > - pte_unmap(dst_pte); > - src_pte = dst_pte = NULL; > migration_entry_wait(mm, src_pmd, src_addr); > err = -EAGAIN; > - } else > + } else { > err = -EFAULT; > + } > goto out; where we have out: ... if (dst_pte) pte_unmap(dst_pte); if (src_pte) pte_unmap(src_pte);
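Review bot: the changelog says the non-migration path "fails to unmap the page table entries before jumping to the error handling label", but the `out:` label quoted right after the hunk already does `if (dst_pte) pte_unmap(dst_pte); if (src_pte) pte_unmap(src_pte);`, and the original `else err = -EFAULT;` branch reaches it with both pointers still set, so the unmap is not actually missing there. What visibly changes with this hunk is the order: the hoisted code releases src_pte before dst_pte, whereas `out:` releases dst_pte before src_pte. With CONFIG_HIGHPTE every pte_unmap() is a kunmap_local(), and kunmap_local() must be strictly LIFO, so if the release order is what trips kunmap_local_indexed(), the commit message should say so and explain why `out:` remains safe for the other paths that arrive with both pointers set; if something else is going on, the description needs to name the actual mechanism rather than a missing unmap.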
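A constructed C model, added here and not part of this thread or of the kernel's mm/highmem.c, of the LIFO rule a kmap_local() stack enforces under CONFIG_HIGHPTE. It replays the two exits from the hunk above: the explicit pte_unmap(src_pte)/pte_unmap(dst_pte) pair the patch hoists, and the fall-through to the `out:` label Andrew quotes. The order in which move_pages_pte() maps dst_pte and src_pte is not visible in this thread; the model assumes dst_pte is mapped first, and `model_kmap_local`, `model_kunmap_local` and `run_error_path` are names invented for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Simplified model of a per-CPU kmap_local() stack. Constructed for
 * illustration; this is not the kernel's highmem code. It keeps only the
 * rule relevant to the thread: with CONFIG_HIGHPTE, pte_unmap() releases a
 * kmap_local slot, and slots must be released in LIFO order. Releasing a
 * mapping that is not on top of the stack is counted as a "warning", which
 * is what the kernel reports from kunmap_local_indexed().
 */
#define KM_MAX_IDX 16

struct kmap_stack {
    const void *slots[KM_MAX_IDX]; /* page mapped in each slot */
    int idx;                       /* number of live mappings */
    int warnings;                  /* LIFO violations recorded */
};

static const void *model_kmap_local(struct kmap_stack *s, const void *page)
{
    assert(s->idx < KM_MAX_IDX);
    s->slots[s->idx++] = page;
    return page;                   /* token for the later unmap */
}

static void model_kunmap_local(struct kmap_stack *s, const void *page)
{
    if (s->idx == 0 || s->slots[s->idx - 1] != page)
        s->warnings++;             /* kernel: WARN in kunmap_local_indexed() */
    if (s->idx > 0)
        s->idx--;                  /* pop anyway: the stack is now "corrupted" */
}

/* Two distinct PTE pages; which is mapped first is an assumption. */
static const char dst_pte_page[1];
static const char src_pte_page[1];

/*
 * Replay one error exit of move_pages_pte() as shown in the hunk.
 * Assumes dst_pte was mapped before src_pte (not visible in the thread).
 *
 * explicit_unmap == 1: the hunk's hoisted order, pte_unmap(src_pte) then
 *                      pte_unmap(dst_pte), pointers cleared before goto out.
 * explicit_unmap == 0: fall through to the out: label as quoted by Andrew,
 *                      which unmaps dst_pte first, then src_pte.
 * Returns the number of LIFO violations the model recorded.
 */
static int run_error_path(int explicit_unmap)
{
    struct kmap_stack s = { .idx = 0, .warnings = 0 };
    const void *dst_pte = model_kmap_local(&s, dst_pte_page);
    const void *src_pte = model_kmap_local(&s, src_pte_page);

    if (explicit_unmap) {
        model_kunmap_local(&s, src_pte);   /* top of stack: fine */
        model_kunmap_local(&s, dst_pte);   /* now on top: fine */
        src_pte = dst_pte = NULL;
    }

    /* out: label as quoted in the reply */
    if (dst_pte)
        model_kunmap_local(&s, dst_pte);   /* not on top while src_pte is live */
    if (src_pte)
        model_kunmap_local(&s, src_pte);

    assert(s.idx == 0);                    /* map/unmap counts balance either way */
    return s.warnings;
}

int main(void)
{
    printf("fall through to out: -> %d LIFO violation(s)\n", run_error_path(0));
    printf("hunk's hoisted order -> %d LIFO violation(s)\n", run_error_path(1));
    return 0;
}
```

Both paths leave the model's mapping count at zero, which is Andrew's point: `out:` does unmap. What separates them in the model is the release order, the one thing a LIFO kmap_local stack can complain about; whether that is the real trigger, and whether the other paths reaching `out:` with both pointers set are affected, is what the changelog would need to establish.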