From: Fedor Pchelkin
To: stable@vger.kernel.org
Cc: Fedor Pchelkin, Greg Kroah-Hartman, Andrew Morton, Oscar Salvador, Lorenzo Stoakes, Jann Horn, linux-mm@kvack.org, lvc-project@linuxtesting.org, Muchun Song, "Liam R. Howlett", Vlastimil Babka, Pedro Falcato
Subject: [PATCH 6.1] mm/hugetlb: fix assertion splat in hugetlb_split()
Date: Tue, 8 Jul 2025 15:47:41 +0300
Message-ID: <20250708124743.939155-1-pchelkin@ispras.ru>
X-Mailer: git-send-email 2.50.0

No upstream commit exists for this patch.
The following assertion is firing on 5.10 to 6.1 stable kernels after
backport of upstream commit 081056dc00a2 ("mm/hugetlb: unshare page tables
during VMA split, not before"):

WARNING: CPU: 0 PID: 11489 at include/linux/fs.h:503 i_mmap_assert_write_locked include/linux/fs.h:503 [inline]
WARNING: CPU: 0 PID: 11489 at include/linux/fs.h:503 hugetlb_split+0x267/0x300 mm/hugetlb.c:4917
Modules linked in:
CPU: 0 PID: 11489 Comm: syz-executor.4 Not tainted 6.1.142-syzkaller-00296-gfd0df5221577 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:i_mmap_assert_write_locked include/linux/fs.h:503 [inline]
RIP: 0010:hugetlb_split+0x267/0x300 mm/hugetlb.c:4917
Call Trace:
 __vma_adjust+0xd73/0x1c10 mm/mmap.c:736
 vma_adjust include/linux/mm.h:2745 [inline]
 __split_vma+0x459/0x540 mm/mmap.c:2385
 do_mas_align_munmap+0x5f2/0xf10 mm/mmap.c:2497
 do_mas_munmap+0x26c/0x2c0 mm/mmap.c:2646
 __mmap_region mm/mmap.c:2694 [inline]
 mmap_region+0x19f/0x1770 mm/mmap.c:2912
 do_mmap+0x84b/0xf20 mm/mmap.c:1432
 vm_mmap_pgoff+0x1af/0x280 mm/util.c:520
 ksys_mmap_pgoff+0x41f/0x5a0 mm/mmap.c:1478
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8
RIP: 0033:0x46a269

Those branches lack commit ccf1d78d8b86 ("mm/mmap: move vma_prepare before
vma_adjust_trans_huge") so the needed locks are taken just after the newly
added hugetlb_split().

Adjust the position of vma_adjust_trans_huge() blocks with the lock-taking
code.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 081056dc00a2 ("mm/hugetlb: unshare page tables during VMA split, not before")
Signed-off-by: Fedor Pchelkin
---
Tested with testcases/kernel/mem/hugetlb/hugemmap suite provided by LTP.

For the report see:
https://lore.kernel.org/stable/CAG48ez3LqUwXxhRY56tqQCpfGJsJ-GeXFG9FCcTZEBo2bWOK8Q@mail.gmail.com/T/#u

 mm/mmap.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/mm/mmap.c b/mm/mmap.c index 0f303dc8425a..941880ed62d7 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -543,8 +543,6 @@ inline int vma_expand(struct ma_state *mas, struct vm_area_struct *vma, if (mas_preallocate(mas, vma, GFP_KERNEL)) goto nomem; - vma_adjust_trans_huge(vma, start, end, 0); - if (file) { mapping = file->f_mapping; root = &mapping->i_mmap; @@ -562,6 +560,8 @@ inline int vma_expand(struct ma_state *mas, struct vm_area_struct *vma, vma_interval_tree_remove(vma, root); } + vma_adjust_trans_huge(vma, start, end, 0); + vma->vm_start = start; vma->vm_end = end; vma->vm_pgoff = pgoff; @@ -727,15 +727,6 @@ int __vma_adjust(struct vm_area_struct *vma, unsigned long start, return -ENOMEM; } - /* - * Get rid of huge pages and shared page tables straddling the split - * boundary. - */ - vma_adjust_trans_huge(orig_vma, start, end, adjust_next); - if (is_vm_hugetlb_page(orig_vma)) { - hugetlb_split(orig_vma, start); - hugetlb_split(orig_vma, end); - } if (file) { mapping = file->f_mapping; root = &mapping->i_mmap; @@ -775,6 +766,16 @@ int __vma_adjust(struct vm_area_struct *vma, unsigned long start, vma_interval_tree_remove(next, root); } + /* + * Get rid of huge pages and shared page tables straddling the split + * boundary. + */ + vma_adjust_trans_huge(orig_vma, start, end, adjust_next); + if (is_vm_hugetlb_page(orig_vma)) { + hugetlb_split(orig_vma, start); + hugetlb_split(orig_vma, end); + } + if (start != vma->vm_start) { if ((vma->vm_start < start) && (!insert || (insert->vm_end != start))) {
-- 
2.50.0
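Review bot: the two vma_expand() hunks (@@ -543,8 and @@ -562,6) move vma_adjust_trans_huge(vma, start, end, 0) below the `if (file)` block that removes the vma from the interval tree, but the commit message only motivates the __vma_adjust() change: the splat in the trace fires through __vma_adjust(), and no hugetlb_split() call appears in vma_expand() in these hunks. Add a sentence to the message saying the vma_expand() move is for consistency with the upstream ordering introduced by ccf1d78d8b86 (lock-taking before vma_adjust_trans_huge()), or drop those two hunks from this fix if they are not needed to silence the assertion.

Review bot: in the @@ -727,15 / @@ -775,6 pair the relocated comment block, vma_adjust_trans_huge() and the two hugetlb_split() calls now sit right after `vma_interval_tree_remove(next, root); }`, i.e. after the block the message says takes the needed locks, which is what makes i_mmap_assert_write_locked() in hugetlb_split() hold; the commit message should state that placement explicitly ("after the i_mmap lock is taken in __vma_adjust(), matching the upstream order where vma_prepare() precedes vma_adjust_trans_huge()") instead of only "adjust the position ... with the lock-taking code", and since the message says 5.10 to 6.1 are affected while the subject is [PATCH 6.1], say whether separate 5.10/5.15 backports follow.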