From nobody Sun Feb  8 22:17:44 2026
Received: from flow-a1-smtp.messagingengine.com
 (flow-a1-smtp.messagingengine.com [103.168.172.136])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 807B5283CB0;
	Mon, 20 Oct 2025 16:31:03 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=103.168.172.136
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1760977866; cv=none;
 b=iUpaWpN+IoQkR2Qpb2ilLIbI18eZ8HaR31KlwIoHWFQTy0C+sRYFkwy1ocNzQXUANN6bX8RtI4iCTT5CVKQq0+PzPyEJTlBjHtJpJp72pDHjufUvwSpgPPWdDuNtsNHjslh3kzqbGEPN+AqVA7g3RdEeoWXZzUQNvQdm1mACJgY=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1760977866; c=relaxed/simple;
	bh=V9NNa4vV+3A9kVRjNsq1xZDpduW8Yz5GvnvS/EjVVoc=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=AZbXpEWsA50LS0xig+fX3mC1pgNXuGWzJX96ZBchqVqlZGudSUd8JHxjJjGn+/Xbp9/+UHznVFuyRzH6n+mI41SnzyoFCkPdhVSd4VsOUUi0quuksHfRcjXsxWGeGprZ2zYxJpDFz/ML94CEAMzCmGRmkJDytznw9O/vd1HnpYM=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=shutemov.name;
 spf=pass smtp.mailfrom=shutemov.name;
 dkim=pass (2048-bit key) header.d=shutemov.name header.i=@shutemov.name
 header.b=K17103B6;
 dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com
 header.b=EW3kYtdN; arc=none smtp.client-ip=103.168.172.136
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=shutemov.name
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=shutemov.name
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=shutemov.name header.i=@shutemov.name
 header.b="K17103B6";
	dkim=pass (2048-bit key) header.d=messagingengine.com
 header.i=@messagingengine.com header.b="EW3kYtdN"
Received: from phl-compute-10.internal (phl-compute-10.internal [10.202.2.50])
	by mailflow.phl.internal (Postfix) with ESMTP id 62C3C13803F8;
	Mon, 20 Oct 2025 12:31:02 -0400 (EDT)
Received: from phl-mailfrontend-01 ([10.202.2.162])
  by phl-compute-10.internal (MEProxy); Mon, 20 Oct 2025 12:31:02 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shutemov.name;
	 h=cc:cc:content-transfer-encoding:content-type:date:date:from
	:from:in-reply-to:in-reply-to:message-id:mime-version:references
	:reply-to:subject:subject:to:to; s=fm1; t=1760977862; x=
	1760985062; bh=PGqcVqKR37HNE2kQKYG8FgWXCrKH2WKrmZjwByhBbVU=; b=K
	17103B6I93DTSHsItocCMFP7e1TRjkCoVCGyjn6o0q/iDjG0vmeAI3eGFeIGzj0I
	tzNHMMPGfVGOvuFkU6WpgEPW2yhBaQxTJ9ktKNe6Zt8m6YK/RoOgXsR1p/OHyb8h
	FbiRU+/NyqTnjDVC4ewuC00HO6wrBnz+/sf/QIloMtlFwKymLc06nhgOWGaWZiku
	xyO8XXttN0c8YNW6iOKQB51WBLIUUVeClyH+HQKI2+47In1/hMyUrHuxlU5xQkI7
	RGlo8okrEj24XrtDjGmz41/ziBfw3CcgRRw19huoPTFqgJnqchpyfC7Mzb69zZ4m
	ONig+TAZiIUWgAc9aL4gg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:cc:content-transfer-encoding
	:content-type:date:date:feedback-id:feedback-id:from:from
	:in-reply-to:in-reply-to:message-id:mime-version:references
	:reply-to:subject:subject:to:to:x-me-proxy:x-me-sender
	:x-me-sender:x-sasl-enc; s=fm2; t=1760977862; x=1760985062; bh=P
	GqcVqKR37HNE2kQKYG8FgWXCrKH2WKrmZjwByhBbVU=; b=EW3kYtdNaJ6Fo6ome
	VJTG8Ovfve8B/ydL5KkoA3IUIFx9K9Z9LiGPfZFGJV3NYuYnydpQvCSJ6f8nGiFg
	7OOaPYn9Ibm8G2oDIGGNPDIAxhzIhWvVJP+8GBf6VftMMekzevv/K48IPATJUp7+
	BI+3vvc+B3clxgcrb0Cgs900mO/gLcSX/fRSkWHT8szG5CazI+PIiLHBVF610iiA
	sctnEGw8h/h4lPGK7tDXQuH5HaMWRPsRviA8SVpgDCZO8aFFmKeUUk/EeO7oohAx
	jodXoCZRq7pfN3OR7LLQlWTBeOS3e3db5VQKXUjqIMVu5gjOJyrdZsIj7KHaE+Rl
	jAV5w==
X-ME-Sender: <xms:xWP2aKQY9yl0h4WLVdi9KNZBGRB2ehcZIW9BitM471FFccdxTURPOQ>
    <xme:xWP2aM8sweMLC2ViVVwl7X5iCGqIB_M5I5K3jM_V-Jq6k9zh0NzC0Kq_DXyslMcFT
    bvF6nMCz6AYNopMDTtjzzK85hAKw7fvO3b5qOopuYB6c3BZmuZ-dFg>
X-ME-Received: 
 <xmr:xWP2aMWGDVCzaL4--ehaeVcIJQNJjTm2XafKpw5BneAnBPJrrOguQ-LDmSPlZw>
X-ME-Proxy-Cause: 
 gggruggvucftvghtrhhoucdtuddrgeeffedrtdeggddufeekfeduucetufdoteggodetrf
    dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfurfetoffkrfgpnffqhgenuceu
    rghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujf
    gurhephffvvefufffkofgjfhgggfestdekredtredttdenucfhrhhomhepmfhirhihlhcu
    ufhhuhhtshgvmhgruhcuoehkihhrihhllhesshhhuhhtvghmohhvrdhnrghmvgeqnecugg
    ftrfgrthhtvghrnhepgeevhedtgfdvhfdugeffueduvdegveejhfevveeghfdvveeiveet
    iedvheejhfejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrh
    homhepkhhirhhilhhlsehshhhuthgvmhhovhdrnhgrmhgvpdhnsggprhgtphhtthhopedv
    vddpmhhouggvpehsmhhtphhouhhtpdhrtghpthhtoheprghkphhmsehlihhnuhigqdhfoh
    hunhgurghtihhonhdrohhrghdprhgtphhtthhopegurghvihgusehrvgguhhgrthdrtgho
    mhdprhgtphhtthhopehhuhhghhgusehgohhoghhlvgdrtghomhdprhgtphhtthhopeifih
    hllhihsehinhhfrhgruggvrggurdhorhhgpdhrtghpthhtohepvhhirhhoseiivghnihhv
    rdhlihhnuhigrdhorhhgrdhukhdprhgtphhtthhopegsrhgruhhnvghrsehkvghrnhgvlh
    drohhrghdprhgtphhtthhopehlohhrvghniihordhsthhorghkvghssehorhgrtghlvgdr
    tghomhdprhgtphhtthhopehlihgrmhdrhhhofihlvghtthesohhrrggtlhgvrdgtohhmpd
    hrtghpthhtohepvhgsrggskhgrsehsuhhsvgdrtgii
X-ME-Proxy: <xmx:xWP2aCNnPGYqoXOH7sYAWr3mQ2mudDWjUOZPOfBSconJvzMBooK4IQ>
    <xmx:xWP2aEdBZ6EL7vhKmMpp3j5R_4zFojS4JPzT_fHcTZVCZ8IBOKxrJA>
    <xmx:xWP2aBw8IgNDPdaSUfwOAIyHXWmE8c5-DGl824CYowEN7OMojuG2hw>
    <xmx:xWP2aFhcX5fCuBgvYpb3zfCAIf5OAAhZXnTmwlZGCNiD2C9oNrBOTA>
    <xmx:xmP2aHWz9CFkk4kk49CWeTfiXu9T-_M-elqIr2JcTTa3lBKZU0LoxV-v>
Feedback-ID: ie3994620:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon,
 20 Oct 2025 12:31:01 -0400 (EDT)
From: Kiryl Shutsemau <kirill@shutemov.name>
To: Andrew Morton <akpm@linux-foundation.org>,
	David Hildenbrand <david@redhat.com>,
	Hugh Dickins <hughd@google.com>,
	Matthew Wilcox <willy@infradead.org>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
	"Liam R. Howlett" <Liam.Howlett@oracle.com>,
	Vlastimil Babka <vbabka@suse.cz>,
	Mike Rapoport <rppt@kernel.org>,
	Suren Baghdasaryan <surenb@google.com>,
	Michal Hocko <mhocko@suse.com>,
	Rik van Riel <riel@surriel.com>,
	Harry Yoo <harry.yoo@oracle.com>,
	Johannes Weiner <hannes@cmpxchg.org>,
	Shakeel Butt <shakeel.butt@linux.dev>,
	Baolin Wang <baolin.wang@linux.alibaba.com>,
	"Darrick J. Wong" <djwong@kernel.org>,
	linux-mm@kvack.org,
	linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Kiryl Shutsemau <kas@kernel.org>
Subject: [PATCH 1/2] mm/memory: Do not populate page table entries beyond
 i_size.
Date: Mon, 20 Oct 2025 17:30:53 +0100
Message-ID: <20251020163054.1063646-2-kirill@shutemov.name>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20251020163054.1063646-1-kirill@shutemov.name>
References: <20251020163054.1063646-1-kirill@shutemov.name>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Kiryl Shutsemau <kas@kernel.org>

Accesses within VMA, but beyond i_size rounded up to PAGE_SIZE are
supposed to generate SIGBUS.

Recent changes attempted to fault in full folio where possible. They did
not respect i_size, which led to populating PTEs beyond i_size and
breaking SIGBUS semantics.

Darrick reported generic/749 breakage because of this.

However, the problem existed before the recent changes. With huge=3Dalways
tmpfs, any write to a file leads to PMD-size allocation. Following the
fault-in of the folio will install PMD mapping regardless of i_size.

Fix filemap_map_pages() and finish_fault() to not install:
  - PTEs beyond i_size;
  - PMD mappings across i_size;

Not-yet-signed-off-by: Kiryl Shutsemau <kas@kernel.org>
Fixes: 19773df031bc ("mm/fault: try to map the entire file folio in finish_=
fault()")
Fixes: 357b92761d94 ("mm/filemap: map entire large folio faultaround")
Fixes: 800d8c63b2e9 ("shmem: add huge pages support")
Reported-by: "Darrick J. Wong" <djwong@kernel.org>
---
 mm/filemap.c | 18 ++++++++++--------
 mm/memory.c  | 12 ++++++++++--
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/mm/filemap.c b/mm/filemap.c
index 13f0259d993c..0d251f6ab480 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -3681,7 +3681,8 @@ static struct folio *next_uptodate_folio(struct xa_st=
ate *xas,
 static vm_fault_t filemap_map_folio_range(struct vm_fault *vmf,
 			struct folio *folio, unsigned long start,
 			unsigned long addr, unsigned int nr_pages,
-			unsigned long *rss, unsigned short *mmap_miss)
+			unsigned long *rss, unsigned short *mmap_miss,
+			pgoff_t file_end)
 {
 	unsigned int ref_from_caller =3D 1;
 	vm_fault_t ret =3D 0;
@@ -3697,7 +3698,8 @@ static vm_fault_t filemap_map_folio_range(struct vm_f=
ault *vmf,
 	 */
 	addr0 =3D addr - start * PAGE_SIZE;
 	if (folio_within_vma(folio, vmf->vma) &&
-	    (addr0 & PMD_MASK) =3D=3D ((addr0 + folio_size(folio) - 1) & PMD_MASK=
)) {
+	    (addr0 & PMD_MASK) =3D=3D ((addr0 + folio_size(folio) - 1) & PMD_MASK=
) &&
+	    file_end >=3D folio_next_index(folio)) {
 		vmf->pte -=3D start;
 		page -=3D start;
 		addr =3D addr0;
@@ -3817,7 +3819,11 @@ vm_fault_t filemap_map_pages(struct vm_fault *vmf,
 	if (!folio)
 		goto out;
=20
-	if (filemap_map_pmd(vmf, folio, start_pgoff)) {
+	file_end =3D DIV_ROUND_UP(i_size_read(mapping->host), PAGE_SIZE) - 1;
+	end_pgoff =3D min(end_pgoff, file_end);
+
+	if (file_end >=3D folio_next_index(folio) &&
+	    filemap_map_pmd(vmf, folio, start_pgoff)) {
 		ret =3D VM_FAULT_NOPAGE;
 		goto out;
 	}
@@ -3830,10 +3836,6 @@ vm_fault_t filemap_map_pages(struct vm_fault *vmf,
 		goto out;
 	}
=20
-	file_end =3D DIV_ROUND_UP(i_size_read(mapping->host), PAGE_SIZE) - 1;
-	if (end_pgoff > file_end)
-		end_pgoff =3D file_end;
-
 	folio_type =3D mm_counter_file(folio);
 	do {
 		unsigned long end;
@@ -3850,7 +3852,7 @@ vm_fault_t filemap_map_pages(struct vm_fault *vmf,
 		else
 			ret |=3D filemap_map_folio_range(vmf, folio,
 					xas.xa_index - folio->index, addr,
-					nr_pages, &rss, &mmap_miss);
+					nr_pages, &rss, &mmap_miss, file_end);
=20
 		folio_unlock(folio);
 	} while ((folio =3D next_uptodate_folio(&xas, mapping, end_pgoff)) !=3D N=
ULL);
diff --git a/mm/memory.c b/mm/memory.c
index 74b45e258323..dfa5b437c9d9 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -5480,6 +5480,7 @@ vm_fault_t finish_fault(struct vm_fault *vmf)
 	int type, nr_pages;
 	unsigned long addr;
 	bool needs_fallback =3D false;
+	pgoff_t file_end =3D -1UL;
=20
 fallback:
 	addr =3D vmf->address;
@@ -5501,8 +5502,14 @@ vm_fault_t finish_fault(struct vm_fault *vmf)
 			return ret;
 	}
=20
+	if (vma->vm_file) {
+		struct inode *inode =3D vma->vm_file->f_mapping->host;
+		file_end =3D DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
+	}
+
 	if (pmd_none(*vmf->pmd)) {
-		if (folio_test_pmd_mappable(folio)) {
+		if (folio_test_pmd_mappable(folio) &&
+		    file_end >=3D folio_next_index(folio)) {
 			ret =3D do_set_pmd(vmf, folio, page);
 			if (ret !=3D VM_FAULT_FALLBACK)
 				return ret;
@@ -5533,7 +5540,8 @@ vm_fault_t finish_fault(struct vm_fault *vmf)
 		if (unlikely(vma_off < idx ||
 			    vma_off + (nr_pages - idx) > vma_pages(vma) ||
 			    pte_off < idx ||
-			    pte_off + (nr_pages - idx)  > PTRS_PER_PTE)) {
+			    pte_off + (nr_pages - idx)  > PTRS_PER_PTE ||
+			    file_end < folio_next_index(folio))) {
 			nr_pages =3D 1;
 		} else {
 			/* Now we can set mappings for the whole large folio. */
--=20
2.50.1
From nobody Sun Feb  8 22:17:44 2026
Received: from flow-a1-smtp.messagingengine.com
 (flow-a1-smtp.messagingengine.com [103.168.172.136])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7BD2728A731;
	Mon, 20 Oct 2025 16:31:05 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=103.168.172.136
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1760977867; cv=none;
 b=TyLAhNaE8nQapOqGxEA6kDKSKGvDAP0w7d4lQdSyOtUY0zG2qGZFQ0H3b2st1P8RCmUOa05lOIbwicJWtCXuAh0jCgLWRim1yohqHw3HH2+MhFS8SmD9Z3OGpwua5CRqRkl+6BZura+zV5XszM2HWfGVmp8TlfIkdTyPNh9U9dk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1760977867; c=relaxed/simple;
	bh=mvPxrr95qIzSEAF380/kWf1SjQNBxPwK9J1so35XCno=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version;
 b=QeHm/EZMTCiGO8Ymjxw0SqzdjRIyYF38udxFnqJ4iPr4zzdKGi5tE+xHVPa3hNwVEBs7+CtpskD/Ytkg00gAWs71BJ/WRSINV2mO0/5NgeIa2CVztObKevdWz18ydTOE6gfhzye0ampXerPyvfLfLOSn2F5igfn23jGZ4oZWQQM=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=shutemov.name;
 spf=pass smtp.mailfrom=shutemov.name;
 dkim=pass (2048-bit key) header.d=shutemov.name header.i=@shutemov.name
 header.b=esxEoVPS;
 dkim=pass (2048-bit key) header.d=messagingengine.com header.i=@messagingengine.com
 header.b=EgFwTQ1k; arc=none smtp.client-ip=103.168.172.136
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=shutemov.name
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=shutemov.name
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=shutemov.name header.i=@shutemov.name
 header.b="esxEoVPS";
	dkim=pass (2048-bit key) header.d=messagingengine.com
 header.i=@messagingengine.com header.b="EgFwTQ1k"
Received: from phl-compute-09.internal (phl-compute-09.internal [10.202.2.49])
	by mailflow.phl.internal (Postfix) with ESMTP id 75CC913803F9;
	Mon, 20 Oct 2025 12:31:04 -0400 (EDT)
Received: from phl-mailfrontend-01 ([10.202.2.162])
  by phl-compute-09.internal (MEProxy); Mon, 20 Oct 2025 12:31:04 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shutemov.name;
	 h=cc:cc:content-transfer-encoding:content-type:date:date:from
	:from:in-reply-to:in-reply-to:message-id:mime-version:references
	:reply-to:subject:subject:to:to; s=fm1; t=1760977864; x=
	1760985064; bh=2Xy6EWOYD4UAz4zp+o+bvixxHmLQtxXlubeiPFw8ss4=; b=e
	sxEoVPSi2W1xtgJsouEe7y43NaYbWy5g3RqjYy7jDiU3mA7vupLMXbQL3rGi5EfL
	oveSQMr0pBDuv4oDdKZUm45zBtVdH4x6SSRU0YHcB/UnX/PS4kDL+xaSPKmhYi1u
	aUmuhsMN1kVohnLm/cNGHaR9vXwcOi8WGV65OGg3TLvFFI220PXODyf8UxYHRuf9
	08OfFoZp/R/+3b+9crIcqRjlVjcsrRFjbAmDVMreYAy41cBTheaj2XDLE9Z9wyvu
	SCrxShTK/R+qXm5B9LpO1LP5LZoM+Tdy/qXFFgKltPuAVh7i18P2Slt1BLu133aU
	ak6Q3AIjVCzW/PwguYHWw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:cc:content-transfer-encoding
	:content-type:date:date:feedback-id:feedback-id:from:from
	:in-reply-to:in-reply-to:message-id:mime-version:references
	:reply-to:subject:subject:to:to:x-me-proxy:x-me-sender
	:x-me-sender:x-sasl-enc; s=fm2; t=1760977864; x=1760985064; bh=2
	Xy6EWOYD4UAz4zp+o+bvixxHmLQtxXlubeiPFw8ss4=; b=EgFwTQ1kLDHGiZBlb
	ckemRhyM0BSQsYXaWcaeP0uCapsne3I7LBJ6yQX8UeTwvsv1eMweYYhYtIKexLvK
	JLYUo9fPUkOCd/MauKukJFadCfoxtzibqUmYuW4dniGolPn8d62LNna1ZIVzHENp
	mfFySM5EqY8Yv8TJYg06XzGR4CRFiRXO+m03cz3I+S0JuKHFS29yHeI6W2tRwWiY
	KlbX09DNAeU8IoExV9q1k0ppN7aP8FbqPMw0uefnE5Yh+zEsXdTowZ8e3fI+OdS2
	7kvnIW2hoZS5eD8VESkAP+iOH5ePhgCnqPUkR//JuudbyKBh3QQSggoBTCdKc8Ez
	orGHg==
X-ME-Sender: <xms:yGP2aMs-4DWXLytnXZ2S-1Yo13Ckf_VESJWNssW56aK9bs0HWR9BEA>
    <xme:yGP2aGp1QWzhw9KodSo5tZJJPQ0o1xeEtkGcTcqqLXg1qi98gKPn97EX8ig7JpSyd
    EjBHgks4aOXKBbq5GqDiZm9x7z3bW_phxal4tSMW8XxztGjXCUjoMxU>
X-ME-Received: 
 <xmr:yGP2aMSyywhNkWdmsGcFDlpRfot8c53DBWTnYzZMnJIWNnYW6IXbXwMYKspHIA>
X-ME-Proxy-Cause: 
 gggruggvucftvghtrhhoucdtuddrgeeffedrtdeggddufeekfedtucetufdoteggodetrf
    dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfurfetoffkrfgpnffqhgenuceu
    rghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujf
    gurhephffvvefufffkofgjfhgggfestdekredtredttdenucfhrhhomhepmfhirhihlhcu
    ufhhuhhtshgvmhgruhcuoehkihhrihhllhesshhhuhhtvghmohhvrdhnrghmvgeqnecugg
    ftrfgrthhtvghrnhepgeevhedtgfdvhfdugeffueduvdegveejhfevveeghfdvveeiveet
    iedvheejhfejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrh
    homhepkhhirhhilhhlsehshhhuthgvmhhovhdrnhgrmhgvpdhnsggprhgtphhtthhopedv
    vddpmhhouggvpehsmhhtphhouhhtpdhrtghpthhtoheprghkphhmsehlihhnuhigqdhfoh
    hunhgurghtihhonhdrohhrghdprhgtphhtthhopegurghvihgusehrvgguhhgrthdrtgho
    mhdprhgtphhtthhopehhuhhghhgusehgohhoghhlvgdrtghomhdprhgtphhtthhopeifih
    hllhihsehinhhfrhgruggvrggurdhorhhgpdhrtghpthhtohepvhhirhhoseiivghnihhv
    rdhlihhnuhigrdhorhhgrdhukhdprhgtphhtthhopegsrhgruhhnvghrsehkvghrnhgvlh
    drohhrghdprhgtphhtthhopehlohhrvghniihordhsthhorghkvghssehorhgrtghlvgdr
    tghomhdprhgtphhtthhopehlihgrmhdrhhhofihlvghtthesohhrrggtlhgvrdgtohhmpd
    hrtghpthhtohepvhgsrggskhgrsehsuhhsvgdrtgii
X-ME-Proxy: <xmx:yGP2aLY80JtbkhfCLa7gysiKzMzZstZ4Gd8lnD90oueAIz1FnOuy6Q>
    <xmx:yGP2aN5Cv6DbkDPeL7T-imR9aTx28o88AwwBhmMYhcwuJJxrFRQEyA>
    <xmx:yGP2aGeTPDbbAoet1vGSuCnQzNVKaNFw8b3MizFI_OrxI2LdZb1vCA>
    <xmx:yGP2aEfpJ4fx0si0VxpU6fPTSHjzfqoRyKoQTQS8p0vOQ6Hlw4bYWA>
    <xmx:yGP2aDQZc_smkf6P_rPDwMqi6pQvtRnNiyw8tiaYTfJ34xxUDKCjBrvx>
Feedback-ID: ie3994620:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon,
 20 Oct 2025 12:31:03 -0400 (EDT)
From: Kiryl Shutsemau <kirill@shutemov.name>
To: Andrew Morton <akpm@linux-foundation.org>,
	David Hildenbrand <david@redhat.com>,
	Hugh Dickins <hughd@google.com>,
	Matthew Wilcox <willy@infradead.org>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
	"Liam R. Howlett" <Liam.Howlett@oracle.com>,
	Vlastimil Babka <vbabka@suse.cz>,
	Mike Rapoport <rppt@kernel.org>,
	Suren Baghdasaryan <surenb@google.com>,
	Michal Hocko <mhocko@suse.com>,
	Rik van Riel <riel@surriel.com>,
	Harry Yoo <harry.yoo@oracle.com>,
	Johannes Weiner <hannes@cmpxchg.org>,
	Shakeel Butt <shakeel.butt@linux.dev>,
	Baolin Wang <baolin.wang@linux.alibaba.com>,
	"Darrick J. Wong" <djwong@kernel.org>,
	linux-mm@kvack.org,
	linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Kiryl Shutsemau <kas@kernel.org>
Subject: [PATCH 2/2] mm/truncate: Unmap large folio on split failure
Date: Mon, 20 Oct 2025 17:30:54 +0100
Message-ID: <20251020163054.1063646-3-kirill@shutemov.name>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20251020163054.1063646-1-kirill@shutemov.name>
References: <20251020163054.1063646-1-kirill@shutemov.name>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Kiryl Shutsemau <kas@kernel.org>

Accesses within VMA, but beyond i_size rounded up to PAGE_SIZE are
supposed to generate SIGBUS.

This behavior might not be respected on truncation.

During truncation, the kernel splits a large folio in order to reclaim
memory. As a side effect, it unmaps the folio and destroys PMD mappings
of the folio. The folio will be refaulted as PTEs and SIGBUS semantics
are preserved.

However, if the split fails, PMD mappings are preserved and the user
will not receive SIGBUS on any accesses within the PMD.

Unmap the folio on split failure. It will lead to refault as PTEs and
preserve SIGBUS semantics.

Not-yet-signed-off-by: Kiryl Shutsemau <kas@kernel.org>
---
 mm/truncate.c | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/mm/truncate.c b/mm/truncate.c
index 91eb92a5ce4f..cdb698b5f7fa 100644
--- a/mm/truncate.c
+++ b/mm/truncate.c
@@ -177,6 +177,28 @@ int truncate_inode_folio(struct address_space *mapping=
, struct folio *folio)
 	return 0;
 }
=20
+static int try_folio_split_or_unmap(struct folio *folio, struct page *spli=
t_at)
+{
+	enum ttu_flags ttu_flags =3D
+		TTU_RMAP_LOCKED |
+		TTU_SYNC |
+		TTU_BATCH_FLUSH |
+		TTU_SPLIT_HUGE_PMD |
+		TTU_IGNORE_MLOCK;
+	int ret;
+
+	ret =3D try_folio_split(folio, split_at, NULL);
+
+	/*
+	 * If the split fails, unmap the folio, so it will be refaulted
+	 * with PTEs to respect SIGBUS semantics.
+	 */
+	if (ret)
+		try_to_unmap(folio, ttu_flags);
+
+	return ret;
+}
+
 /*
  * Handle partial folios.  The folio may be entirely within the
  * range if a split has raced with us.  If not, we zero the part of the
@@ -224,7 +246,7 @@ bool truncate_inode_partial_folio(struct folio *folio, =
loff_t start, loff_t end)
 		return true;
=20
 	split_at =3D folio_page(folio, PAGE_ALIGN_DOWN(offset) / PAGE_SIZE);
-	if (!try_folio_split(folio, split_at, NULL)) {
+	if (!try_folio_split_or_unmap(folio, split_at)) {
 		/*
 		 * try to split at offset + length to make sure folios within
 		 * the range can be dropped, especially to avoid memory waste
@@ -249,12 +271,13 @@ bool truncate_inode_partial_folio(struct folio *folio=
, loff_t start, loff_t end)
 			goto out;
=20
 		/*
+		 * Split the folio.
+		 *
 		 * make sure folio2 is large and does not change its mapping.
-		 * Its split result does not matter here.
 		 */
 		if (folio_test_large(folio2) &&
 		    folio2->mapping =3D=3D folio->mapping)
-			try_folio_split(folio2, split_at2, NULL);
+			try_folio_split_or_unmap(folio2, split_at2);
=20
 		folio_unlock(folio2);
 out:
--=20
2.50.1