From: Ajay Kaher
To: stable@vger.kernel.org, gregkh@linuxfoundation.org
Cc: dave.hansen@linux.intel.com, luto@kernel.org, peterz@infradead.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, hpa@zytor.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Ma Wupeng, syzbot+5f488e922d047d8f00cc@syzkaller.appspotmail.com, Alexander Ofitserov
Subject: [PATCH v6.1 1/2] x86/mm/pat: clear VM_PAT if copy_p4d_range failed
Date: Wed, 24 Dec 2025 10:24:31 +0000
Message-Id: <20251224102432.923410-2-ajay.kaher@broadcom.com>
In-Reply-To: <20251224102432.923410-1-ajay.kaher@broadcom.com>
References: <20251224102432.923410-1-ajay.kaher@broadcom.com>
X-Mailer: git-send-email 2.40.4

From: Ma Wupeng

[ Upstream commit d155df53f31068c3340733d586eb9b3ddfd70fc5 ]

Syzbot reports a warning in untrack_pfn(). Digging into the root we found
that this is due to memory allocation failure in pmd_alloc_one. And this
failure is produced due to failslab.

In copy_page_range(), memory allocation for pmd failed. During the error
handling process in copy_page_range(), mmput() is called to remove all
vmas. While untrack_pfn this empty pfn, warning happens.

Here's a simplified flow:

dup_mm
  dup_mmap
    copy_page_range
      copy_p4d_range
        copy_pud_range
          copy_pmd_range
            pmd_alloc
              __pmd_alloc
                pmd_alloc_one
                  page = alloc_pages(gfp, 0);
                  if (!page)
                    return NULL;
  mmput
    exit_mmap
      unmap_vmas
        unmap_single_vma
          untrack_pfn
            follow_phys
              WARN_ON_ONCE(1);

Since this vma is not generated successfully, we can clear flag VM_PAT. In
this case, untrack_pfn() will not be called while cleaning this vma.

Function untrack_pfn_moved() has also been renamed to fit the new logic.

Link: https://lkml.kernel.org/r/20230217025615.1595558-1-mawupeng1@huawei.com
Signed-off-by: Ma Wupeng
Reported-by:
Signed-off-by: Andrew Morton
Signed-off-by: Alexander Ofitserov
Cc: stable@vger.kernel.org
[ Ajay: Modified to apply on v6.1 ]
Signed-off-by: Ajay Kaher
---
 arch/x86/mm/pat/memtype.c | 12 ++++++++----
 include/linux/pgtable.h   |  7 ++++---
 mm/memory.c               |  1 +
 mm/mremap.c               |  2 +-
 4 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/arch/x86/mm/pat/memtype.c b/arch/x86/mm/pat/memtype.c index d6fe9093e..1ad881017 100644 --- a/arch/x86/mm/pat/memtype.c +++ b/arch/x86/mm/pat/memtype.c
@@ -1137,11 +1137,15 @@ void untrack_pfn(struct vm_area_struct *vma, unsign= ed long pfn, } =20 /* - * untrack_pfn_moved is called, while mremapping a pfnmap for a new region, - * with the old vma after its pfnmap page table has been removed. The new - * vma has a new pfnmap to the same pfn & cache type with VM_PAT set. + * untrack_pfn_clear is called if the following situation fits: + * + * 1) while mremapping a pfnmap for a new region, with the old vma after + * its pfnmap page table has been removed. The new vma has a new pfnmap + * to the same pfn & cache type with VM_PAT set. + * 2) while duplicating vm area, the new vma fails to copy the pgtable from + * old vma. */ -void untrack_pfn_moved(struct vm_area_struct *vma) +void untrack_pfn_clear(struct vm_area_struct *vma) { vma->vm_flags &=3D ~VM_PAT; } diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h index 82d78cba7..500a612ff 100644 --- a/include/linux/pgtable.h +++ b/include/linux/pgtable.h @@ -1214,9 +1214,10 @@ static inline void untrack_pfn(struct vm_area_struct= *vma, } =20 /* - * untrack_pfn_moved is called while mremapping a pfnmap for a new region. + * untrack_pfn_clear is called while mremapping a pfnmap for a new region + * or fails to copy pgtable during duplicate vm area. */ -static inline void untrack_pfn_moved(struct vm_area_struct *vma) +static inline void untrack_pfn_clear(struct vm_area_struct *vma) { } #else @@ -1228,7 +1229,7 @@ extern void track_pfn_insert(struct vm_area_struct *v= ma, pgprot_t *prot, extern int track_pfn_copy(struct vm_area_struct *vma); extern void untrack_pfn(struct vm_area_struct *vma, unsigned long pfn, unsigned long size); -extern void untrack_pfn_moved(struct vm_area_struct *vma); +extern void untrack_pfn_clear(struct vm_area_struct *vma); #endif =20 #ifdef CONFIG_MMU diff --git a/mm/memory.c b/mm/memory.c index 454d91844..41a03adcf 100644 --- a/mm/memory.c +++ b/mm/memory.c 
@@ -1335,6 +1335,7 @@ copy_page_range(struct vm_area_struct *dst_vma, struc= t vm_area_struct *src_vma) continue; if (unlikely(copy_p4d_range(dst_vma, src_vma, dst_pgd, src_pgd, addr, next))) { + untrack_pfn_clear(dst_vma); ret =3D -ENOMEM; break; } diff --git a/mm/mremap.c b/mm/mremap.c index 930f65c31..6ed28eeae 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -682,7 +682,7 @@ static unsigned long move_vma(struct vm_area_struct *vm= a, =20 /* Tell pfnmap has moved from this vma */ if (unlikely(vma->vm_flags & VM_PFNMAP)) - untrack_pfn_moved(vma); + untrack_pfn_clear(vma); =20 if (unlikely(!err && (flags & MREMAP_DONTUNMAP))) { /* We always clear VM_LOCKED[ONFAULT] on the old vma */ --=20 2.40.4
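
Review bot: the rewritten comment above untrack_pfn_clear() in arch/x86/mm/pat/memtype.c says when the function is called but not what it does, and the body is still only `vma->vm_flags &= ~VM_PAT;`. Since the new name no longer hints at the mremap case, add a sentence stating that it only clears VM_PAT so that a later untrack_pfn() on this vma is skipped, and reword case 2 to something like "while duplicating a vm area, copying the page table from the old vma fails".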
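
Review bot: renaming the extern untrack_pfn_moved() to untrack_pfn_clear() in include/linux/pgtable.h breaks the build for any caller this patch does not convert, and the diffstat shows only mm/mremap.c being updated. Because this is a backport adjusted to apply on v6.1, confirm that the 6.1 tree has no other users of the old name. The stub's comment "or fails to copy pgtable during duplicate vm area" would also read better as "or when copying the page table fails while duplicating a vm area".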
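
Review bot: in copy_page_range() in mm/memory.c, untrack_pfn_clear(dst_vma) runs on every copy_p4d_range() failure with no guard and no comment, whereas the mm/mremap.c call site sits behind `if (unlikely(vma->vm_flags & VM_PFNMAP))`. Clearing an unset bit is harmless, but a one-line comment at the call saying why VM_PAT is dropped on this error path would help the next reader. The commit message says untrack_pfn() will then not run for this vma, so please also state whether anything already tracked for dst_vma earlier in copy_page_range() (track_pfn_copy() is declared alongside in pgtable.h) is still released on this path.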