From: Ackerley Tng <ackerleytng@google.com>
To: "David Hildenbrand (Arm)" <david@kernel.org>,
Deepanshu Kartikey <kartikey406@gmail.com>
Cc: akpm@linux-foundation.org, lorenzo.stoakes@oracle.com,
baolin.wang@linux.alibaba.com, Liam.Howlett@oracle.com,
npache@redhat.com, ryan.roberts@arm.com, dev.jain@arm.com,
baohua@kernel.org, seanjc@google.com, pbonzini@redhat.com,
michael.roth@amd.com, vannapurve@google.com, ziy@nvidia.com,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
syzbot+33a04338019ac7e43a44@syzkaller.appspotmail.com,
Fangrui Song <i@maskray.me>
Subject: Re: [PATCH] mm: thp: Deny THP for guest_memfd and secretmem in file_thp_enabled()
Date: Wed, 11 Feb 2026 07:38:46 -0800 [thread overview]
Message-ID: <CAEvNRgH6yfFtOK3E3__hCjkNTQr55y-_N=SpBBr0i9_q6E2_8g@mail.gmail.com> (raw)
In-Reply-To: <bac19363-0705-4bb2-b022-66054e1f28cd@kernel.org>
"David Hildenbrand (Arm)" <david@kernel.org> writes:
> On 2/11/26 00:00, Ackerley Tng wrote:
>> "David Hildenbrand (Arm)" <david@kernel.org> writes:
>>
>>>>
>>>> I could give this a shot. 5.15.199 doesn't have AS_INACCESSIBLE. Should
>>>> we backport AS_INACCESSIBLE there or could the fix for 5.15.199 just be
>>>> special-casing secretmem like you suggested below?
>>>
>>> Yes. If there is no guest_memfd we wouldn't need it.
>>>
>>
>> Seems like on 5.15.199 there's a hugepage_vma_check(), which will return
>> false since secretmem has vma->vm_ops defined [1], so secretmem VMAs are
>> skipped.
>
> Are you sure? We check for CONFIG_READ_ONLY_THP_FOR_FS before that:
>
Ah... I was working on a reproducer then I realized 5.15 doesn't have
MADV_COLLAPSE, then I tried to hack in an ioctl to trigger
khugepaged. That turned out to be awkward but it got me to look at
hugepage_vma_check(), and then I went down the rabbit hole to keep
looking for the similar check function throughout the other stable
kernels... and amongst all of that forgot that
CONFIG_READ_ONLY_THP_FOR_FS was unset :(
You're probably right about VM_EXEC.
Here's the reproducer for 6.12, I put this in
tools/testing/selftests/mm/memfd_secret.c and called repro() from
main(). This time I enabled CONFIG_READ_ONLY_THP_FOR_FS :).
void repro(void)
{
uint8_t *mem;
int ret;
int fd;
int i;
printf("%d triggering secretmem\n", __LINE__);
fd = memfd_secret(0);
if (fd < 0) {
if (errno == ENOSYS)
ksft_exit_skip("memfd_secret is not supported\n");
else
ksft_exit_fail_msg("memfd_secret failed: %s\n",
strerror(errno));
}
if (ftruncate(fd, SZ_2M))
ksft_exit_fail_msg("ftruncate failed: %s\n", strerror(errno));
#define ALIGNED_ADDRESS ((void*)0x400000000UL)
mem = mmap(ALIGNED_ADDRESS, SZ_2M, PROT_READ | PROT_WRITE, MAP_FIXED
| MAP_SHARED, fd, 0);
if (mem != ALIGNED_ADDRESS)
ksft_exit_fail_msg("Couldn't allocate memory\n");
ret = madvise(mem, SZ_2M, MADV_HUGEPAGE);
if (ret)
ksft_exit_fail_msg("MADV_HUGEPAGE failed mem=%p ret=%d errno=%d\n",
mem, ret, errno);
#define READ_ONCE(x) (*(volatile typeof(x) *) &(x))
for (i = 0; i < SZ_2M; i += getpagesize())
READ_ONCE(mem[i]);
ret = madvise(mem, SZ_2M, MADV_COLLAPSE);
if (ret)
ksft_exit_fail_msg("MADV_COLLAPSE failed ret=%d errno=%d\n", ret, errno);
munmap(mem, SZ_2M);
close(fd);
}
This reproducer gets us to madvise_collapse() ->
hpage_collapse_scan_file() -> collapse_file(), and copy_mc_highpage()
fails because copy_mc_to_kernel() returns 4096.
memory_failure_queue() causes this to be printed on the console
[ 1068.322578] Memory failure: 0x106d96f: recovery action for clean
unevictable LRU page: Recovered
No crash :) Is a crash the requirement for a backport to stable kernels?
> /* Only regular file is valid */
> if (IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && vma->vm_file &&
> (vm_flags & VM_EXEC)) {
> struct inode *inode = vma->vm_file->f_inode;
>
> return !inode_is_open_for_write(inode) &&
> S_ISREG(inode->i_mode);
> }
>
>
> So if you have VM_EXEC on the VMA (mmaped with PROT_EXEC), it would work.
> I think secretmem sets SB_I_NOEXEC, which prevents that. Same for guest_memfd.
>
> v6.6.123 still has that VM_EXEC check in file_thp_enabled().
>
> The check was dropped in commit:
>
> commit 7fbb5e188248c50f737720825da1864ce42536d1
> Author: Fangrui Song <i@maskray.me>
> Date: Tue Dec 19 21:41:23 2023 -0800
>
> mm: remove VM_EXEC requirement for THP eligibility
>
> Commit e6be37b2e7bd ("mm/huge_memory.c: add missing read-only THP checking
> in transparent_hugepage_enabled()") introduced the VM_EXEC requirement,
> which is not strictly needed.
>
> lld's default --rosegment option and GNU ld's -z separate-code option
> (default on Linux/x86 since binutils 2.31) create a read-only PT_LOAD
> segment without the PF_X flag, which should be eligible for THP.
>
>
> So that one broke secretmem.
>
>
> So when we fix it, we should
>
> Fixes: 7fbb5e188248 ("mm: remove VM_EXEC requirement for THP eligibility")
>
>
> What about the following:
>
> diff --git a/mm/huge_memory.c b/mm/huge_memory.c
> index 44ff8a648afd..9fbe5c28a6bc 100644
> --- a/mm/huge_memory.c
> +++ b/mm/huge_memory.c
> @@ -94,6 +94,9 @@ static inline bool file_thp_enabled(struct vm_area_struct *vma)
>
> inode = file_inode(vma->vm_file);
>
> + if (IS_ANON_FILE(inode))
> + return false;
> +
> return !inode_is_open_for_write(inode) && S_ISREG(inode->i_mode);
> }
>
>
>
> --
> Cheers,
>
> David
next prev parent reply other threads:[~2026-02-11 15:38 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-09 3:35 Deepanshu Kartikey
2026-02-09 10:24 ` David Hildenbrand (Arm)
2026-02-09 10:41 ` David Hildenbrand (Arm)
2026-02-09 13:06 ` Deepanshu Kartikey
2026-02-09 18:22 ` Ackerley Tng
2026-02-09 19:45 ` David Hildenbrand (Arm)
2026-02-09 20:13 ` David Hildenbrand (Arm)
2026-02-09 21:31 ` Ackerley Tng
2026-02-10 9:33 ` David Hildenbrand (Arm)
2026-02-10 23:00 ` Ackerley Tng
2026-02-11 0:58 ` Ackerley Tng
2026-02-11 2:01 ` Deepanshu Kartikey
2026-02-11 9:29 ` David Hildenbrand (Arm)
2026-02-11 16:16 ` Ackerley Tng
2026-02-11 16:35 ` David Hildenbrand (Arm)
2026-02-11 16:44 ` David Hildenbrand (Arm)
2026-02-11 1:59 ` Deepanshu Kartikey
2026-02-11 9:28 ` David Hildenbrand (Arm)
2026-02-11 14:50 ` Deepanshu Kartikey
2026-02-11 15:38 ` Ackerley Tng [this message]
2026-02-11 16:45 ` David Hildenbrand (Arm)
2026-02-12 22:19 ` Ackerley Tng
2026-02-13 5:02 ` Deepanshu Kartikey
2026-02-13 9:06 ` David Hildenbrand (Arm)
2026-02-21 4:37 ` Deepanshu Kartikey
2026-02-10 1:51 ` Deepanshu Kartikey
2026-02-10 9:33 ` David Hildenbrand (Arm)
2026-02-09 23:37 ` kernel test robot
2026-02-10 17:51 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAEvNRgH6yfFtOK3E3__hCjkNTQr55y-_N=SpBBr0i9_q6E2_8g@mail.gmail.com' \
--to=ackerleytng@google.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=baohua@kernel.org \
--cc=baolin.wang@linux.alibaba.com \
--cc=david@kernel.org \
--cc=dev.jain@arm.com \
--cc=i@maskray.me \
--cc=kartikey406@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=michael.roth@amd.com \
--cc=npache@redhat.com \
--cc=pbonzini@redhat.com \
--cc=ryan.roberts@arm.com \
--cc=seanjc@google.com \
--cc=syzbot+33a04338019ac7e43a44@syzkaller.appspotmail.com \
--cc=vannapurve@google.com \
--cc=ziy@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox