[PATCH v2] x86/mm/pat: (un)track_pfn_copy() fix + doc improvements

[PATCH v2] x86/mm/pat: (un)track_pfn_copy() fix + doc improvements

[David Hildenbrand]

We got a late smatch warning and some additional review feedback.

	smatch warnings:
	mm/memory.c:1428 copy_page_range() error: uninitialized symbol 'pfn'.

We actually use the pfn only when it is properly initialized; however,
we may pass an uninitialized value to a function -- although it will not
use it that likely still is UB in C.

So let's just fix it by always initializing pfn in the caller of
track_pfn_copy(), and improving the documentation of track_pfn_copy().

While at it, clarify the doc of untrack_pfn_copy(), that internal checks
make sure if we actually have to untrack anything.

Fixes: dc84bc2aba85 ("x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202503270941.IFILyNCX-lkp@intel.com/
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Rik van Riel <riel@surriel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: David Hildenbrand <david@redhat.com>
---

v1 -> v2:
* Adjust the doc instead of initializing the pfn whenever returning 0
* Decided to keep Lorenzo's RB :)
* Retested

---
 include/linux/pgtable.h | 9 ++++++---
 mm/memory.c             | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h
index e2b705c149454..b50447ef1c921 100644
--- a/include/linux/pgtable.h
+++ b/include/linux/pgtable.h
@@ -1511,8 +1511,9 @@ static inline void track_pfn_insert(struct vm_area_struct *vma, pgprot_t *prot,
 
 /*
  * track_pfn_copy is called when a VM_PFNMAP VMA is about to get the page
- * tables copied during copy_page_range(). On success, stores the pfn to be
- * passed to untrack_pfn_copy().
+ * tables copied during copy_page_range(). Will store the pfn to be
+ * passed to untrack_pfn_copy() only if there is something to be untracked.
+ * Callers should initialize the pfn to 0.
  */
 static inline int track_pfn_copy(struct vm_area_struct *dst_vma,
 		struct vm_area_struct *src_vma, unsigned long *pfn)
@@ -1522,7 +1523,9 @@ static inline int track_pfn_copy(struct vm_area_struct *dst_vma,
 
 /*
  * untrack_pfn_copy is called when a VM_PFNMAP VMA failed to copy during
- * copy_page_range(), but after track_pfn_copy() was already called.
+ * copy_page_range(), but after track_pfn_copy() was already called. Can
+ * be called even if track_pfn_copy() did not actually track anything:
+ * handled internally.
  */
 static inline void untrack_pfn_copy(struct vm_area_struct *dst_vma,
 		unsigned long pfn)
diff --git a/mm/memory.c b/mm/memory.c
index 2d8c265fc7d60..1a35165622e1c 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -1361,7 +1361,7 @@ copy_page_range(struct vm_area_struct *dst_vma, struct vm_area_struct *src_vma)
 	struct mm_struct *dst_mm = dst_vma->vm_mm;
 	struct mm_struct *src_mm = src_vma->vm_mm;
 	struct mmu_notifier_range range;
-	unsigned long next, pfn;
+	unsigned long next, pfn = 0;
 	bool is_cow;
 	int ret;
 
-- 
2.48.1

Re: [PATCH v2] x86/mm/pat: (un)track_pfn_copy() fix + doc improvements

[Lorenzo Stoakes]

On Tue, Apr 08, 2025 at 10:59:50AM +0200, David Hildenbrand wrote:
> We got a late smatch warning and some additional review feedback.
>
> 	smatch warnings:
> 	mm/memory.c:1428 copy_page_range() error: uninitialized symbol 'pfn'.
>
> We actually use the pfn only when it is properly initialized; however,
> we may pass an uninitialized value to a function -- although it will not
> use it that likely still is UB in C.
>
> So let's just fix it by always initializing pfn in the caller of
> track_pfn_copy(), and improving the documentation of track_pfn_copy().
>
> While at it, clarify the doc of untrack_pfn_copy(), that internal checks
> make sure if we actually have to untrack anything.
>
> Fixes: dc84bc2aba85 ("x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()")
> Reported-by: kernel test robot <lkp@intel.com>
> Reported-by: Dan Carpenter <error27@gmail.com>
> Closes: https://lore.kernel.org/r/202503270941.IFILyNCX-lkp@intel.com/
> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> Cc: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Ingo Molnar <mingo@redhat.com>
> Cc: Borislav Petkov <bp@alien8.de>
> Cc: Rik van Riel <riel@surriel.com>
> Cc: "H. Peter Anvin" <hpa@zytor.com>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: David Hildenbrand <david@redhat.com>
> ---
>
> v1 -> v2:
> * Adjust the doc instead of initializing the pfn whenever returning 0
> * Decided to keep Lorenzo's RB :)

All good with me :) the patch in this form is fine!

> * Retested
>
> ---
>  include/linux/pgtable.h | 9 ++++++---
>  mm/memory.c             | 2 +-
>  2 files changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h
> index e2b705c149454..b50447ef1c921 100644
> --- a/include/linux/pgtable.h
> +++ b/include/linux/pgtable.h
> @@ -1511,8 +1511,9 @@ static inline void track_pfn_insert(struct vm_area_struct *vma, pgprot_t *prot,
>
>  /*
>   * track_pfn_copy is called when a VM_PFNMAP VMA is about to get the page
> - * tables copied during copy_page_range(). On success, stores the pfn to be
> - * passed to untrack_pfn_copy().
> + * tables copied during copy_page_range(). Will store the pfn to be
> + * passed to untrack_pfn_copy() only if there is something to be untracked.
> + * Callers should initialize the pfn to 0.
>   */
>  static inline int track_pfn_copy(struct vm_area_struct *dst_vma,
>  		struct vm_area_struct *src_vma, unsigned long *pfn)
> @@ -1522,7 +1523,9 @@ static inline int track_pfn_copy(struct vm_area_struct *dst_vma,
>
>  /*
>   * untrack_pfn_copy is called when a VM_PFNMAP VMA failed to copy during
> - * copy_page_range(), but after track_pfn_copy() was already called.
> + * copy_page_range(), but after track_pfn_copy() was already called. Can
> + * be called even if track_pfn_copy() did not actually track anything:
> + * handled internally.
>   */
>  static inline void untrack_pfn_copy(struct vm_area_struct *dst_vma,
>  		unsigned long pfn)
> diff --git a/mm/memory.c b/mm/memory.c
> index 2d8c265fc7d60..1a35165622e1c 100644
> --- a/mm/memory.c
> +++ b/mm/memory.c
> @@ -1361,7 +1361,7 @@ copy_page_range(struct vm_area_struct *dst_vma, struct vm_area_struct *src_vma)
>  	struct mm_struct *dst_mm = dst_vma->vm_mm;
>  	struct mm_struct *src_mm = src_vma->vm_mm;
>  	struct mmu_notifier_range range;
> -	unsigned long next, pfn;
> +	unsigned long next, pfn = 0;
>  	bool is_cow;
>  	int ret;
>
> --
> 2.48.1
>

Re: [PATCH v2] x86/mm/pat: (un)track_pfn_copy() fix + doc improvements

[Ingo Molnar]

* David Hildenbrand <david@redhat.com> wrote:

> We got a late smatch warning and some additional review feedback.
> 
> 	smatch warnings:
> 	mm/memory.c:1428 copy_page_range() error: uninitialized symbol 'pfn'.
> 
> We actually use the pfn only when it is properly initialized; however,
> we may pass an uninitialized value to a function -- although it will not
> use it that likely still is UB in C.
> 
> So let's just fix it by always initializing pfn in the caller of
> track_pfn_copy(), and improving the documentation of track_pfn_copy().
> 
> While at it, clarify the doc of untrack_pfn_copy(), that internal checks
> make sure if we actually have to untrack anything.

Note that the title isn't accurate anymore, it's not an 'x86/mm/pat' 
patch, but an 'mm' patch.

Thanks,

	Ingo

Re: [PATCH v2] x86/mm/pat: (un)track_pfn_copy() fix + doc improvements

[David Hildenbrand]

On 09.04.25 12:32, Ingo Molnar wrote:
> 
> * David Hildenbrand <david@redhat.com> wrote:
> 
>> We got a late smatch warning and some additional review feedback.
>>
>> 	smatch warnings:
>> 	mm/memory.c:1428 copy_page_range() error: uninitialized symbol 'pfn'.
>>
>> We actually use the pfn only when it is properly initialized; however,
>> we may pass an uninitialized value to a function -- although it will not
>> use it that likely still is UB in C.
>>
>> So let's just fix it by always initializing pfn in the caller of
>> track_pfn_copy(), and improving the documentation of track_pfn_copy().
>>
>> While at it, clarify the doc of untrack_pfn_copy(), that internal checks
>> make sure if we actually have to untrack anything.
> 
> Note that the title isn't accurate anymore, it's not an 'x86/mm/pat'
> patch, but an 'mm' patch.

Agreed. Who will take this patch? If it's Andrew, can you fixup the 
subject please?

-- 
Cheers,

David / dhildenb

Re: [PATCH v2] x86/mm/pat: (un)track_pfn_copy() fix + doc improvements

[Ingo Molnar]

* David Hildenbrand <david@redhat.com> wrote:

> On 09.04.25 12:32, Ingo Molnar wrote:
> > 
> > * David Hildenbrand <david@redhat.com> wrote:
> > 
> > > We got a late smatch warning and some additional review feedback.
> > > 
> > > 	smatch warnings:
> > > 	mm/memory.c:1428 copy_page_range() error: uninitialized symbol 'pfn'.
> > > 
> > > We actually use the pfn only when it is properly initialized; however,
> > > we may pass an uninitialized value to a function -- although it will not
> > > use it that likely still is UB in C.
> > > 
> > > So let's just fix it by always initializing pfn in the caller of
> > > track_pfn_copy(), and improving the documentation of track_pfn_copy().
> > > 
> > > While at it, clarify the doc of untrack_pfn_copy(), that internal checks
> > > make sure if we actually have to untrack anything.
> > 
> > Note that the title isn't accurate anymore, it's not an 'x86/mm/pat'
> > patch, but an 'mm' patch.
> 
> Agreed. Who will take this patch? If it's Andrew, can you fixup the subject
> please?

I was assuming Andrew would pick it up:

  Acked-by: Ingo Molnar <mingo@kernel.org>

But can pick it up too via tip:x86/urgent.

Thanks,

	Ingo

Re: [PATCH v2] x86/mm/pat: (un)track_pfn_copy() fix + doc improvements

[Andrew Morton]

On Wed, 9 Apr 2025 12:34:47 +0200 David Hildenbrand <david@redhat.com> wrote:

> > Note that the title isn't accurate anymore, it's not an 'x86/mm/pat'
> > patch, but an 'mm' patch.
> 
> Agreed. Who will take this patch? If it's Andrew, can you fixup the 
> subject please?

I edited the mm.git copy.

Re: [PATCH v2] x86/mm/pat: (un)track_pfn_copy() fix + doc improvements

[Ingo Molnar]

* Andrew Morton <akpm@linux-foundation.org> wrote:

> On Wed, 9 Apr 2025 12:34:47 +0200 David Hildenbrand <david@redhat.com> wrote:
> 
> > > Note that the title isn't accurate anymore, it's not an 'x86/mm/pat'
> > > patch, but an 'mm' patch.
> > 
> > Agreed. Who will take this patch? If it's Andrew, can you fixup the 
> > subject please?
> 
> I edited the mm.git copy.

Thanks!

	Ingo