From: Kiryl Shutsemau <kas@kernel.org>
Accesses within VMA, but beyond i_size rounded up to PAGE_SIZE are
supposed to generate SIGBUS.
This behavior might not be respected on truncation.
During truncation, the kernel splits a large folio in order to reclaim
memory. As a side effect, it unmaps the folio and destroys PMD mappings
of the folio. The folio will be refaulted as PTEs and SIGBUS semantics
are preserved.
However, if the split fails, PMD mappings are preserved and the user
will not receive SIGBUS on any accesses within the PMD.
Unmap the folio on split failure. It will lead to refault as PTEs and
preserve SIGBUS semantics.
Signed-off-by: Kiryl Shutsemau <kas@kernel.org>
---
mm/truncate.c | 31 +++++++++++++++++++++++++------
1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/mm/truncate.c b/mm/truncate.c
index 91eb92a5ce4f..304c383ccbf0 100644
--- a/mm/truncate.c
+++ b/mm/truncate.c
@@ -177,6 +177,28 @@ int truncate_inode_folio(struct address_space *mapping, struct folio *folio)
return 0;
}
+static int try_folio_split_or_unmap(struct folio *folio, struct page *split_at)
+{
+ enum ttu_flags ttu_flags =
+ TTU_SYNC |
+ TTU_SPLIT_HUGE_PMD |
+ TTU_IGNORE_MLOCK;
+ int ret;
+
+ ret = try_folio_split(folio, split_at, NULL);
+
+ /*
+ * If the split fails, unmap the folio, so it will be refaulted
+ * with PTEs to respect SIGBUS semantics.
+ */
+ if (ret) {
+ try_to_unmap(folio, ttu_flags);
+ WARN_ON(folio_mapped(folio));
+ }
+
+ return ret;
+}
+
/*
* Handle partial folios. The folio may be entirely within the
* range if a split has raced with us. If not, we zero the part of the
@@ -224,7 +246,7 @@ bool truncate_inode_partial_folio(struct folio *folio, loff_t start, loff_t end)
return true;
split_at = folio_page(folio, PAGE_ALIGN_DOWN(offset) / PAGE_SIZE);
- if (!try_folio_split(folio, split_at, NULL)) {
+ if (!try_folio_split_or_unmap(folio, split_at)) {
/*
* try to split at offset + length to make sure folios within
* the range can be dropped, especially to avoid memory waste
@@ -248,13 +270,10 @@ bool truncate_inode_partial_folio(struct folio *folio, loff_t start, loff_t end)
if (!folio_trylock(folio2))
goto out;
- /*
- * make sure folio2 is large and does not change its mapping.
- * Its split result does not matter here.
- */
+ /* make sure folio2 is large and does not change its mapping */
if (folio_test_large(folio2) &&
folio2->mapping == folio->mapping)
- try_folio_split(folio2, split_at2, NULL);
+ try_folio_split_or_unmap(folio2, split_at2);
folio_unlock(folio2);
out:
--
2.50.1On Thu, 23 Oct 2025, Kiryl Shutsemau wrote: > From: Kiryl Shutsemau <kas@kernel.org> > > Accesses within VMA, but beyond i_size rounded up to PAGE_SIZE are > supposed to generate SIGBUS. > > This behavior might not be respected on truncation. > > During truncation, the kernel splits a large folio in order to reclaim > memory. As a side effect, it unmaps the folio and destroys PMD mappings > of the folio. The folio will be refaulted as PTEs and SIGBUS semantics > are preserved. > > However, if the split fails, PMD mappings are preserved and the user > will not receive SIGBUS on any accesses within the PMD. > > Unmap the folio on split failure. It will lead to refault as PTEs and > preserve SIGBUS semantics. > > Signed-off-by: Kiryl Shutsemau <kas@kernel.org> It's taking me too long to understand what truncate_inode_partial_folio() had become before your changes, to be very sure of your changes to it. But if your commit does indeed achieve what's intended, then I have no objection to it applying to shmem/tmpfs as well as other filesystems: we always hope that a split will succeed, so I don't mind you tightening up what is done when it fails. However, a few points that have occurred to me... If 1/2's exception for shmem/tmpfs huge=always does the simple thing, of just judging by whether a huge page is already there in the file (without reference to mount option), which I think is okay: then this 2/2 will not be doing anything useful on shmem/tmpfs, because when the split fails, the huge page will remain, and after 2/2's unmap it will just get remapped by PMD again afterwards, so why bother to unmap at all in the shmem/tmpfs case?. But it's arguable whether it would then be worth making an exception for shmem/tmpfs here in 2/2 - how much do we care about optimizing failed splits? At least a comment I guess, but you might prefer to do it quite differently. Aside from shmem/tmpfs, it does seem to me that this patch is doing more work than it needs to (but how many lines of source do we want to add to avoid doing work in the failed split case?): The intent is to enable SIGBUS beyond EOF: but the changes are being applied unnecessarily to hole-punch in addition to truncation. Does the folio2 part actually need to unmap again? And if it does, then what about when its trylock failed? But it's hole-punch anyway. And a final nit: I'd delete that WARN_ON(folio_mapped(folio)) myself, all it could ever achieve is perhaps a very rare syzbot report which nobody would want to spend time on. Hugh
On Mon, Oct 27, 2025 at 03:10:29AM -0700, Hugh Dickins wrote: > On Thu, 23 Oct 2025, Kiryl Shutsemau wrote: > > > From: Kiryl Shutsemau <kas@kernel.org> > > > > Accesses within VMA, but beyond i_size rounded up to PAGE_SIZE are > > supposed to generate SIGBUS. > > > > This behavior might not be respected on truncation. > > > > During truncation, the kernel splits a large folio in order to reclaim > > memory. As a side effect, it unmaps the folio and destroys PMD mappings > > of the folio. The folio will be refaulted as PTEs and SIGBUS semantics > > are preserved. > > > > However, if the split fails, PMD mappings are preserved and the user > > will not receive SIGBUS on any accesses within the PMD. > > > > Unmap the folio on split failure. It will lead to refault as PTEs and > > preserve SIGBUS semantics. > > > > Signed-off-by: Kiryl Shutsemau <kas@kernel.org> > > It's taking me too long to understand what truncate_inode_partial_folio() > had become before your changes, to be very sure of your changes to it. > > But if your commit does indeed achieve what's intended, then I have > no objection to it applying to shmem/tmpfs as well as other filesystems: > we always hope that a split will succeed, so I don't mind you tightening > up what is done when it fails. > > However, a few points that have occurred to me... > > If 1/2's exception for shmem/tmpfs huge=always does the simple thing, > of just judging by whether a huge page is already there in the file > (without reference to mount option), which I think is okay: then > this 2/2 will not be doing anything useful on shmem/tmpfs, because > when the split fails, the huge page will remain, and after 2/2's > unmap it will just get remapped by PMD again afterwards, so why > bother to unmap at all in the shmem/tmpfs case?. > > But it's arguable whether it would then be worth making an > exception for shmem/tmpfs here in 2/2 - how much do we care about > optimizing failed splits? At least a comment I guess, but you > might prefer to do it quite differently. It is easy enough to skip unmap for shmem. > Aside from shmem/tmpfs, it does seem to me that this patch is > doing more work than it needs to (but how many lines of source > do we want to add to avoid doing work in the failed split case?): > > The intent is to enable SIGBUS beyond EOF: but the changes are > being applied unnecessarily to hole-punch in addition to truncation. I am not sure much it should apply to hole-punch. Filesystem folks talk about writing to a folio beyond round_up(i_size, PAGE_SIZE) being problematic for correctness. I have no clue if the same applies to writing to hole-punched parts of the folio. Dave, any comments? Hm. But if it is problematic it has be caught on fault. We don't do this. It will be silently mapped. > Does the folio2 part actually need to unmap again? And if it does, > then what about when its trylock failed? But it's hole-punch anyway. I don't think we can do much for !trylock case, unless we a willing to upgrade it to folio_lock(). try_to_unmap() requires the folio to be locked or we will race with fault. Maybe folio_lock() is not too bad here for freshly split folio. > And a final nit: I'd delete that WARN_ON(folio_mapped(folio)) myself, > all it could ever achieve is perhaps a very rare syzbot report which > nobody would want to spend time on. David asked for it. I am fine either way. -- Kiryl Shutsemau / Kirill A. Shutemov
On Mon, 27 Oct 2025, Kiryl Shutsemau wrote: > On Mon, Oct 27, 2025 at 03:10:29AM -0700, Hugh Dickins wrote: ... > > > Aside from shmem/tmpfs, it does seem to me that this patch is > > doing more work than it needs to (but how many lines of source > > do we want to add to avoid doing work in the failed split case?): > > > > The intent is to enable SIGBUS beyond EOF: but the changes are > > being applied unnecessarily to hole-punch in addition to truncation. > > I am not sure much it should apply to hole-punch. Filesystem folks talk > about writing to a folio beyond round_up(i_size, PAGE_SIZE) being > problematic for correctness. I have no clue if the same applies to > writing to hole-punched parts of the folio. > > Dave, any comments? > > Hm. But if it is problematic it has be caught on fault. We don't do > this. It will be silently mapped. There are strict rules about what happens beyond i_size, hence this patch. But hole-punch has no persistent "i_size" to define it, and silently remapping in a fresh zeroed page is the correct behaviour. So the patch is making more work than is needed for hole-punch. But I am thinking there of the view from above, from userspace. If I think of the view from below, from the filesystem, then I'm not at all sure how a filesystem is expected to deal with a failed folio_split - and that goes beyond this patch, and therefore I don't think it should concern you in this patch. If a filesystem is asked to punch a hole, but mm cannot split the folio which covers that hole, then page cache and filesystem are left out of synch? And if filesystem thinks one block has been freed, and it's the last block in that filesystem, and it's then given out to someone else, then our unsplit folio hides an ENOSPC? Maybe this has all been well thought out, and each large folio filesystem deals with it appropriately somehow; but I wouldn't know, since a tmpfs is simply backed by its page cache. Hugh
On Wed, Oct 29, 2025 at 02:12:48AM -0700, Hugh Dickins wrote: > On Mon, 27 Oct 2025, Kiryl Shutsemau wrote: > > On Mon, Oct 27, 2025 at 03:10:29AM -0700, Hugh Dickins wrote: > ... > > > > > Aside from shmem/tmpfs, it does seem to me that this patch is > > > doing more work than it needs to (but how many lines of source > > > do we want to add to avoid doing work in the failed split case?): > > > > > > The intent is to enable SIGBUS beyond EOF: but the changes are > > > being applied unnecessarily to hole-punch in addition to truncation. > > > > I am not sure much it should apply to hole-punch. Filesystem folks talk > > about writing to a folio beyond round_up(i_size, PAGE_SIZE) being > > problematic for correctness. I have no clue if the same applies to > > writing to hole-punched parts of the folio. > > > > Dave, any comments? > > > > Hm. But if it is problematic it has be caught on fault. We don't do > > this. It will be silently mapped. > > There are strict rules about what happens beyond i_size, hence this > patch. But hole-punch has no persistent "i_size" to define it, and > silently remapping in a fresh zeroed page is the correct behaviour. I missed that we seems to be issuing vm_ops->page_mkwrite() on remaping the page, so it is not completely silent for filesystem and can do its thing to re-allocate metadata (or whatever) after hole-punch. So, I see unmap on punch-hole being justified. -- Kiryl Shutsemau / Kirill A. Shutemov
On Wed, Oct 29, 2025 at 10:21:53AM +0000, Kiryl Shutsemau wrote: > On Wed, Oct 29, 2025 at 02:12:48AM -0700, Hugh Dickins wrote: > > On Mon, 27 Oct 2025, Kiryl Shutsemau wrote: > > > On Mon, Oct 27, 2025 at 03:10:29AM -0700, Hugh Dickins wrote: > > ... > > > > > > > Aside from shmem/tmpfs, it does seem to me that this patch is > > > > doing more work than it needs to (but how many lines of source > > > > do we want to add to avoid doing work in the failed split case?): > > > > > > > > The intent is to enable SIGBUS beyond EOF: but the changes are > > > > being applied unnecessarily to hole-punch in addition to truncation. > > > > > > I am not sure much it should apply to hole-punch. Filesystem folks talk > > > about writing to a folio beyond round_up(i_size, PAGE_SIZE) being > > > problematic for correctness. I have no clue if the same applies to > > > writing to hole-punched parts of the folio. > > > > > > Dave, any comments? > > > > > > Hm. But if it is problematic it has be caught on fault. We don't do > > > this. It will be silently mapped. > > > > There are strict rules about what happens beyond i_size, hence this > > patch. But hole-punch has no persistent "i_size" to define it, and > > silently remapping in a fresh zeroed page is the correct behaviour. > > I missed that we seems to be issuing vm_ops->page_mkwrite() on remaping > the page, so it is not completely silent for filesystem and can do its > thing to re-allocate metadata (or whatever) after hole-punch. > > So, I see unmap on punch-hole being justified. Most hole punching implementations in filesystems will take i_rwsem and mmap_invalidate lock, flush the range to disk and unmap the pagecache for all the fsblocks around that range, and only then update the file space mappings. If the unmap fails because a PMD couldn't be split, then we'll just return that error to userspace and they can decide what to do when fallocate() fails. --D > -- > Kiryl Shutsemau / Kirill A. Shutemov >
On Wed, Oct 29, 2025 at 08:19:47AM -0700, Darrick J. Wong wrote: > On Wed, Oct 29, 2025 at 10:21:53AM +0000, Kiryl Shutsemau wrote: > > On Wed, Oct 29, 2025 at 02:12:48AM -0700, Hugh Dickins wrote: > > > On Mon, 27 Oct 2025, Kiryl Shutsemau wrote: > > > > On Mon, Oct 27, 2025 at 03:10:29AM -0700, Hugh Dickins wrote: > > > ... > > > > > > > > > Aside from shmem/tmpfs, it does seem to me that this patch is > > > > > doing more work than it needs to (but how many lines of source > > > > > do we want to add to avoid doing work in the failed split case?): > > > > > > > > > > The intent is to enable SIGBUS beyond EOF: but the changes are > > > > > being applied unnecessarily to hole-punch in addition to truncation. > > > > > > > > I am not sure much it should apply to hole-punch. Filesystem folks talk > > > > about writing to a folio beyond round_up(i_size, PAGE_SIZE) being > > > > problematic for correctness. I have no clue if the same applies to > > > > writing to hole-punched parts of the folio. > > > > > > > > Dave, any comments? > > > > > > > > Hm. But if it is problematic it has be caught on fault. We don't do > > > > this. It will be silently mapped. > > > > > > There are strict rules about what happens beyond i_size, hence this > > > patch. But hole-punch has no persistent "i_size" to define it, and > > > silently remapping in a fresh zeroed page is the correct behaviour. > > > > I missed that we seems to be issuing vm_ops->page_mkwrite() on remaping > > the page, so it is not completely silent for filesystem and can do its > > thing to re-allocate metadata (or whatever) after hole-punch. > > > > So, I see unmap on punch-hole being justified. > > Most hole punching implementations in filesystems will take i_rwsem and > mmap_invalidate lock, flush the range to disk and unmap the pagecache > for all the fsblocks around that range, and only then update the file > space mappings. If the unmap fails because a PMD couldn't be split, > then we'll just return that error to userspace and they can decide what > to do when fallocate() fails. Unmap does not fail and PMD can be split at any time. But split of large folios can fail if there's an external pin on it. -- Kiryl Shutsemau / Kirill A. Shutemov
> > And a final nit: I'd delete that WARN_ON(folio_mapped(folio)) myself, > all it could ever achieve is perhaps a very rare syzbot report which > nobody would want to spend time on. I think that's the crucial part: what are we supposed to do if both splitting and unmapping fails? Silently violate SIGBUS semantics like we did before this patch? So far our understanding was that for file pages, unmapping should not fail, but I am not 100% sure if that's really the case. -- Cheers David / dhildenb
On 23.10.25 11:32, Kiryl Shutsemau wrote: > From: Kiryl Shutsemau <kas@kernel.org> > > Accesses within VMA, but beyond i_size rounded up to PAGE_SIZE are > supposed to generate SIGBUS. > > This behavior might not be respected on truncation. > > During truncation, the kernel splits a large folio in order to reclaim > memory. As a side effect, it unmaps the folio and destroys PMD mappings > of the folio. The folio will be refaulted as PTEs and SIGBUS semantics > are preserved. > > However, if the split fails, PMD mappings are preserved and the user > will not receive SIGBUS on any accesses within the PMD. > > Unmap the folio on split failure. It will lead to refault as PTEs and > preserve SIGBUS semantics. > > Signed-off-by: Kiryl Shutsemau <kas@kernel.org> > --- Thanks! Acked-by: David Hildenbrand <david@redhat.com> -- Cheers David / dhildenb
On Thu, 23 Oct 2025 10:32:51 +0100 Kiryl Shutsemau <kirill@shutemov.name> wrote: > Accesses within VMA, but beyond i_size rounded up to PAGE_SIZE are > supposed to generate SIGBUS. > > This behavior might not be respected on truncation. > > During truncation, the kernel splits a large folio in order to reclaim > memory. As a side effect, it unmaps the folio and destroys PMD mappings > of the folio. The folio will be refaulted as PTEs and SIGBUS semantics > are preserved. > > However, if the split fails, PMD mappings are preserved and the user > will not receive SIGBUS on any accesses within the PMD. > > Unmap the folio on split failure. It will lead to refault as PTEs and > preserve SIGBUS semantics. This conflicts significantly with mm-hotfixes's https://lore.kernel.org/all/20251017013630.139907-1-ziy@nvidia.com/T/#u, whcih is cc:stable. What do do here?
On Thu, Oct 23, 2025 at 01:56:44PM -0700, Andrew Morton wrote:
> On Thu, 23 Oct 2025 10:32:51 +0100 Kiryl Shutsemau <kirill@shutemov.name> wrote:
>
> > Accesses within VMA, but beyond i_size rounded up to PAGE_SIZE are
> > supposed to generate SIGBUS.
> >
> > This behavior might not be respected on truncation.
> >
> > During truncation, the kernel splits a large folio in order to reclaim
> > memory. As a side effect, it unmaps the folio and destroys PMD mappings
> > of the folio. The folio will be refaulted as PTEs and SIGBUS semantics
> > are preserved.
> >
> > However, if the split fails, PMD mappings are preserved and the user
> > will not receive SIGBUS on any accesses within the PMD.
> >
> > Unmap the folio on split failure. It will lead to refault as PTEs and
> > preserve SIGBUS semantics.
>
> This conflicts significantly with mm-hotfixes's
> https://lore.kernel.org/all/20251017013630.139907-1-ziy@nvidia.com/T/#u,
> whcih is cc:stable.
>
> What do do here?
The patch below applies cleanly onto mm-everything.
Let me now if you want solve the conflict other way around. I can rebase
Zi's patch on top my patchset.
From 3ebc2c6690928def2b123e5f44014c02011cfc65 Mon Sep 17 00:00:00 2001
From: Kiryl Shutsemau <kas@kernel.org>
Date: Mon, 20 Oct 2025 14:08:21 +0100
Subject: [PATCH] mm/truncate: Unmap large folio on split failure
Accesses within VMA, but beyond i_size rounded up to PAGE_SIZE are
supposed to generate SIGBUS.
This behavior might not be respected on truncation.
During truncation, the kernel splits a large folio in order to reclaim
memory. As a side effect, it unmaps the folio and destroys PMD mappings
of the folio. The folio will be refaulted as PTEs and SIGBUS semantics
are preserved.
However, if the split fails, PMD mappings are preserved and the user
will not receive SIGBUS on any accesses within the PMD.
Unmap the folio on split failure. It will lead to refault as PTEs and
preserve SIGBUS semantics.
Signed-off-by: Kiryl Shutsemau <kas@kernel.org>
---
mm/truncate.c | 32 ++++++++++++++++++++++++++------
1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/mm/truncate.c b/mm/truncate.c
index 9210cf808f5c..6936b8e88e72 100644
--- a/mm/truncate.c
+++ b/mm/truncate.c
@@ -177,6 +177,29 @@ int truncate_inode_folio(struct address_space *mapping, struct folio *folio)
return 0;
}
+static int try_folio_split_or_unmap(struct folio *folio, struct page *split_at,
+ unsigned long min_order)
+{
+ enum ttu_flags ttu_flags =
+ TTU_SYNC |
+ TTU_SPLIT_HUGE_PMD |
+ TTU_IGNORE_MLOCK;
+ int ret;
+
+ ret = try_folio_split_to_order(folio, split_at, min_order);
+
+ /*
+ * If the split fails, unmap the folio, so it will be refaulted
+ * with PTEs to respect SIGBUS semantics.
+ */
+ if (ret) {
+ try_to_unmap(folio, ttu_flags);
+ WARN_ON(folio_mapped(folio));
+ }
+
+ return ret;
+}
+
/*
* Handle partial folios. The folio may be entirely within the
* range if a split has raced with us. If not, we zero the part of the
@@ -226,7 +249,7 @@ bool truncate_inode_partial_folio(struct folio *folio, loff_t start, loff_t end)
min_order = mapping_min_folio_order(folio->mapping);
split_at = folio_page(folio, PAGE_ALIGN_DOWN(offset) / PAGE_SIZE);
- if (!try_folio_split_to_order(folio, split_at, min_order)) {
+ if (!try_folio_split_or_unmap(folio, split_at, min_order)) {
/*
* try to split at offset + length to make sure folios within
* the range can be dropped, especially to avoid memory waste
@@ -250,13 +273,10 @@ bool truncate_inode_partial_folio(struct folio *folio, loff_t start, loff_t end)
if (!folio_trylock(folio2))
goto out;
- /*
- * make sure folio2 is large and does not change its mapping.
- * Its split result does not matter here.
- */
+ /* make sure folio2 is large and does not change its mapping */
if (folio_test_large(folio2) &&
folio2->mapping == folio->mapping)
- try_folio_split_to_order(folio2, split_at2, min_order);
+ try_folio_split_or_unmap(folio2, split_at2, min_order);
folio_unlock(folio2);
out:
--
Kiryl Shutsemau / Kirill A. Shutemov
© 2016 - 2026 Red Hat, Inc.