From: Suren Baghdasaryan
Date: Tue, 8 Jul 2025 08:32:48 -0700
Subject: Re: [PATCH] mm/userfaultfd: fix missing PTE unmap for non-migration entries
To: David Hildenbrand
Cc: Andrew Morton, Sasha Levin, peterx@redhat.com, aarcange@redhat.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org

On Tue, Jul 8, 2025 at 8:10 AM David Hildenbrand wrote:
>
> On 01.07.25 02:57, Andrew Morton wrote:
> > On Sun, 29 Jun 2025 23:19:58 -0400 Sasha Levin wrote:
> >
> >> When handling non-swap entries in move_pages_pte(), the error handling
> >> for entries that are NOT migration entries fails to unmap the page table
> >> entries before jumping to the error handling label.
> >>
> >> This results in a kmap/kunmap imbalance which on CONFIG_HIGHPTE systems
> >> triggers a WARNING in kunmap_local_indexed() because the kmap stack is
> >> corrupted.
> >>
> >> Example call trace on ARM32 (CONFIG_HIGHPTE enabled):
> >>   WARNING: CPU: 1 PID: 633 at mm/highmem.c:622 kunmap_local_indexed+0x178/0x17c
> >>   Call trace:
> >>     kunmap_local_indexed from move_pages+0x964/0x19f4
> >>     move_pages from userfaultfd_ioctl+0x129c/0x2144
> >>     userfaultfd_ioctl from sys_ioctl+0x558/0xd24
> >>
> >> The issue was introduced with the UFFDIO_MOVE feature but became more
> >> frequent with the addition of guard pages (commit 7c53dfbdb024 ("mm: add
> >> PTE_MARKER_GUARD PTE marker")) which made the non-migration entry code
> >> path more commonly executed during userfaultfd operations.
> >>
> >> Fix this by ensuring PTEs are properly unmapped in all non-swap entry
> >> paths before jumping to the error handling label, not just for migration
> >> entries.
> >
> > I don't get it.
> >
> >> --- a/mm/userfaultfd.c > >> +++ b/mm/userfaultfd.c > >> @@ -1384,14 +1384,15 @@ static int move_pages_pte(struct mm_struct *mm= , pmd_t *dst_pmd, pmd_t *src_pmd, > >> > >> entry =3D pte_to_swp_entry(orig_src_pte); > >> if (non_swap_entry(entry)) { > >> + pte_unmap(src_pte); > >> + pte_unmap(dst_pte); > >> + src_pte =3D dst_pte =3D NULL; > >> if (is_migration_entry(entry)) { > >> - pte_unmap(src_pte); > >> - pte_unmap(dst_pte); > >> - src_pte =3D dst_pte =3D NULL; > >> migration_entry_wait(mm, src_pmd, src_add= r); > >> err =3D -EAGAIN; > >> - } else > >> + } else { > >> err =3D -EFAULT; > >> + } > >> goto out;
> >
> > where we have
> >
> > out:
> > 	...
> > 	if (dst_pte)
> > 		pte_unmap(dst_pte);
> > 	if (src_pte)
> > 		pte_unmap(src_pte);
>
> AI slop?

Hmm, but there is even a Call trace in the report. I wonder if the
issue is somewhere else?

>
> --
> Cheers,
>
> David / dhildenb
>
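
Review bot: the pte_unmap() calls hoisted to the top of the non_swap_entry() block do not supply an unmap that was missing on the -EFAULT path, because the out: label quoted in this thread already calls pte_unmap() on any non-NULL dst_pte and src_pte, so the changelog's "fails to unmap" explanation does not match the code. What visibly differs is order: the hunk unmaps src_pte and then dst_pte, while out: unmaps dst_pte and then src_pte. The changelog blames a corrupted kmap stack on CONFIG_HIGHPTE, and kmap_local mappings have to be released in reverse order of mapping, so the patch should say which order mirrors the mapping order in move_pages_pte() and make the early-unmap path and out: agree on it. The braces added around the err = -EFAULT branch are a reasonable style cleanup but are unrelated to the fix and could be dropped from a stable backport.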