From: Peter Xu
To: linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc: Axel Rasmussen, peterx@redhat.com, Andrew Morton, Andrea Arcangeli, Nadav Amit
Subject: [PATCH 1/2] mm/uffd: Fix vma check on userfault for wp
Date: Mon, 24 Oct 2022 15:33:35 -0400
Message-Id: <20221024193336.1233616-2-peterx@redhat.com>

We used to have a report that pte-marker code can be reached even when
uffd-wp is not compiled in for file memories, here:

https://lore.kernel.org/all/YzeR+R6b4bwBlBHh@x1n/T/#u

I just got time to revisit this and found that the root cause is we simply
messed up with the vma check, so that for !PTE_MARKER_UFFD_WP system, we
will allow UFFDIO_REGISTER of MINOR & WP upon shmem as the check was wrong:

	if (vm_flags & VM_UFFD_MINOR)
		return is_vm_hugetlb_page(vma) || vma_is_shmem(vma);

Where we'll allow anything to pass on shmem as long as minor mode is
requested.

Axel did it right when introducing minor mode but I messed it up in
b1f9e876862d when moving code around. Fix it.

Cc: Axel Rasmussen
Fixes: b1f9e876862d ("mm/uffd: enable write protection for shmem & hugetlbfs")
Signed-off-by: Peter Xu
--- include/linux/userfaultfd_k.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/linux/userfaultfd_k.h b/include/linux/userfaultfd_k.h index f07e6998bb68..9df0b9a762cc 100644 --- a/include/linux/userfaultfd_k.h +++ b/include/linux/userfaultfd_k.h 
@@ -146,9 +146,9 @@ static inline bool userfaultfd_armed(struct vm_area_str= uct *vma) static inline bool vma_can_userfault(struct vm_area_struct *vma, unsigned long vm_flags) { - if (vm_flags & VM_UFFD_MINOR) - return is_vm_hugetlb_page(vma) || vma_is_shmem(vma); - + if ((vm_flags & VM_UFFD_MINOR) && + (!is_vm_hugetlb_page(vma) && !vma_is_shmem(vma))) + return false; #ifndef CONFIG_PTE_MARKER_UFFD_WP /* * If user requested uffd-wp but not enabled pte markers for --=20 2.37.3
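
Review bot: the new VM_UFFD_MINOR rejection in vma_can_userfault() has no comment, while the uffd-wp check right below it ("If user requested uffd-wp but not enabled pte markers for ...") does. The bug fixed here was an early "return is_vm_hugetlb_page(vma) || vma_is_shmem(vma);" that accepted the vma before the later checks could run, so a one-line comment saying this branch may only reject, never accept, would guard against the same regression when the function is next reshuffled. The hunk also drops the blank line that separated the minor check from "#ifndef CONFIG_PTE_MARKER_UFFD_WP"; keeping it would leave the two checks visually distinct.
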
From: Peter Xu
To: linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc: Axel Rasmussen, peterx@redhat.com, Andrew Morton, Andrea Arcangeli, Nadav Amit
Subject: [PATCH 2/2] Revert "mm/uffd: fix warning without PTE_MARKER_UFFD_WP compiled in"
Date: Mon, 24 Oct 2022 15:33:36 -0400
Message-Id: <20221024193336.1233616-3-peterx@redhat.com>

With previous patch to fix the registration, we'll be safe to remove the
macro hacks now.

Signed-off-by: Peter Xu
--- mm/hugetlb.c | 4 ---- mm/memory.c | 2 -- mm/mprotect.c | 2 -- 3 files changed, 8 deletions(-) diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 1a7dc7b2e16c..b2fcb27f268a 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -5124,7 +5124,6 @@ static void __unmap_hugepage_range(struct mmu_gather = *tlb, struct vm_area_struct * unmapped and its refcount is dropped, so just clear pte here. */ if (unlikely(!pte_present(pte))) { -#ifdef CONFIG_PTE_MARKER_UFFD_WP /* * If the pte was wr-protected by uffd-wp in any of the * swap forms, meanwhile the caller does not want to @@ -5136,7 +5135,6 @@ static void __unmap_hugepage_range(struct mmu_gather = *tlb, struct vm_area_struct set_huge_pte_at(mm, address, ptep, make_pte_marker(PTE_MARKER_UFFD_WP)); else -#endif huge_pte_clear(mm, address, ptep, sz); spin_unlock(ptl); continue; 
@@ -5165,13 +5163,11 @@ static void __unmap_hugepage_range(struct mmu_gathe= r *tlb, struct vm_area_struct tlb_remove_huge_tlb_entry(h, tlb, ptep, address); if (huge_pte_dirty(pte)) set_page_dirty(page); -#ifdef CONFIG_PTE_MARKER_UFFD_WP /* Leave a uffd-wp pte marker if needed */ if (huge_pte_uffd_wp(pte) && !(zap_flags & ZAP_FLAG_DROP_MARKER)) set_huge_pte_at(mm, address, ptep, make_pte_marker(PTE_MARKER_UFFD_WP)); -#endif hugetlb_count_sub(pages_per_huge_page(h), mm); page_remove_rmap(page, vma, true); =20 diff --git a/mm/memory.c b/mm/memory.c index 8e72f703ed99..25b12d1a7db0 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -1393,12 +1393,10 @@ zap_install_uffd_wp_if_needed(struct vm_area_struct= *vma, unsigned long addr, pte_t *pte, struct zap_details *details, pte_t pteval) { -#ifdef CONFIG_PTE_MARKER_UFFD_WP if (zap_drop_file_uffd_wp(details)) return; =20 pte_install_uffd_wp_if_needed(vma, addr, pte, pteval); -#endif } =20 static unsigned long zap_pte_range(struct mmu_gather *tlb, diff --git a/mm/mprotect.c b/mm/mprotect.c index 99762403cc8f..8d770855b591 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -267,7 +267,6 @@ static unsigned long change_pte_range(struct mmu_gather= *tlb, } else { /* It must be an none page, or what else?.. */ WARN_ON_ONCE(!pte_none(oldpte)); -#ifdef CONFIG_PTE_MARKER_UFFD_WP if (unlikely(uffd_wp && !vma_is_anonymous(vma))) { /* * For file-backed mem, we need to be able to @@ -279,7 +278,6 @@ static unsigned long change_pte_range(struct mmu_gather= *tlb, make_pte_marker(PTE_MARKER_UFFD_WP)); pages++; } -#endif } } while (pte++, addr +=3D PAGE_SIZE, addr !=3D end); arch_leave_lazy_mmu_mode(); --=20 2.37.3
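
Review bot: in __unmap_hugepage_range() (mm/hugetlb.c) both "set_huge_pte_at(mm, address, ptep, make_pte_marker(PTE_MARKER_UFFD_WP));" paths are now built when CONFIG_PTE_MARKER_UFFD_WP is off, so nothing in these functions stops a marker from being installed on such a kernel; the only protection left is the registration check from patch 1/2. The commit message should say so explicitly, state that this revert must not be applied or backported without patch 1/2, and name the commit id being reverted, which the message currently omits.
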
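
Review bot: in zap_install_uffd_wp_if_needed() (mm/memory.c) the calls to zap_drop_file_uffd_wp() and pte_install_uffd_wp_if_needed() are no longer under "#ifdef CONFIG_PTE_MARKER_UFFD_WP", and neither helper's body is part of this diff. Please state in the commit message that both still build and do nothing when the option is disabled, or keep the guard in this one function. The same question applies to the "uffd_wp && !vma_is_anonymous(vma)" branch in change_pte_range() (mm/mprotect.c), which sits right after "WARN_ON_ONCE(!pte_none(oldpte));" and is now compiled unconditionally.
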