From: Barry Song <21cnbao@gmail.com>
Date: Sat, 28 Jun 2025 10:42:49 +1200
Subject: Re: [PATCH v2 1/1] mm/rmap: fix potential out-of-bounds page table access during batched unmap
To: Lance Yang
Cc: David Hildenbrand, akpm@linux-foundation.org, baolin.wang@linux.alibaba.com, chrisl@kernel.org, kasong@tencent.com, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-riscv@lists.infradead.org, lorenzo.stoakes@oracle.com, ryan.roberts@arm.com, v-songbaohua@oppo.com, x86@kernel.org, huang.ying.caritas@gmail.com, zhengtangquan@oppo.com, riel@surriel.com, Liam.Howlett@oracle.com, vbabka@suse.cz, harry.yoo@oracle.com, mingzhe.yang@ly.com, stable@vger.kernel.org, Lance Yang

On Sat, Jun 28, 2025 at 3:29 AM Lance Yang wrote:
[...]
>
> Based on that, I think we're on the same page now. I'd like to post
> the following commit message for the next version:
>
> ```
> As pointed out by David[1], the batched unmap logic in try_to_unmap_one()
> may read past the end of a PTE table when a large folio's PTE mappings
> are not fully contained within a single page table.
>
> While this scenario might be rare, an issue triggerable from userspace must
> be fixed regardless of its likelihood. This patch fixes the out-of-bounds
> access by refactoring the logic into a new helper, folio_unmap_pte_batch().
>
> The new helper correctly calculates the safe batch size by capping the
> scan at both the VMA and PMD boundaries. To simplify the code, it also
> supports partial batching (i.e., any number of pages from 1 up to the
> calculated safe maximum), as there is no strong reason to special-case
> for fully mapped folios.
> ```
>
> So, wdyt?
>

Acked-by: Barry Song

Thanks
Barry
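
The bound described in the quoted commit message, as an added user-space example (not the kernel patch and not code from this thread): it caps a batch at both the VMA end and the end of the current PTE table. The 4 KiB page / 512-entry table geometry, the function names and the sample addresses are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed geometry: 4 KiB pages, 512 PTEs per table (one PMD entry = 2 MiB). */
#define PAGE_SHIFT    12
#define PTRS_PER_PTE  512
#define PMD_SIZE      ((uint64_t)PTRS_PER_PTE << PAGE_SHIFT)
#define PMD_MASK      (~(PMD_SIZE - 1))

/* First address past the PTE table that covers addr, clamped to end. */
static uint64_t pmd_end_model(uint64_t addr, uint64_t end)
{
    uint64_t boundary = (addr + PMD_SIZE) & PMD_MASK;
    /* the "- 1" keeps the comparison right if boundary wraps to 0 */
    return (boundary - 1 < end - 1) ? boundary : end;
}

/* PTE slots from addr's entry to the end of its table. */
static uint64_t slots_left_in_table(uint64_t addr)
{
    return PTRS_PER_PTE - ((addr >> PAGE_SHIFT) & (PTRS_PER_PTE - 1));
}

/* Pages that may be batched from addr: capped by folio, VMA and PMD. */
static uint64_t safe_batch_pages(uint64_t addr, uint64_t vma_end,
                                 uint64_t folio_pages)
{
    uint64_t max_nr = (pmd_end_model(addr, vma_end) - addr) >> PAGE_SHIFT;
    return folio_pages < max_nr ? folio_pages : max_nr;
}

int main(void)
{
    /* Constructed cases: a 16-page folio at three placements. */
    struct { const char *what; uint64_t addr, vma_end; } c[] = {
        { "crosses PMD boundary", 0x7f00001fc000ULL, 0x7f0000400000ULL },
        { "VMA ends mid-folio",   0x7f0000100000ULL, 0x7f0000108000ULL },
        { "fully contained",      0x7f0000100000ULL, 0x7f0000400000ULL },
    };
    for (size_t i = 0; i < sizeof(c) / sizeof(c[0]); i++)
        printf("%-22s slots left in table=%3llu  safe batch=%llu of 16\n",
               c[i].what,
               (unsigned long long)slots_left_in_table(c[i].addr),
               (unsigned long long)safe_batch_pages(c[i].addr, c[i].vma_end, 16));
    return 0;
}
```

In the first case only 4 PTE slots remain in the table, so scanning all 16 entries of the folio would read 12 entries past its end; the capped batch stops at 4.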