From: Jianhui Zhou
To: Muchun Song, Oscar Salvador, Andrew Morton, Mike Rapoport
Cc: David Hildenbrand, Peter Xu, Andrea Arcangeli, Mike Kravetz, SeongJae Park, Jonas Zhou, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, syzbot+f525fd79634858f478e7@syzkaller.appspotmail.com, Jianhui Zhou
Subject: [PATCH v2] mm/userfaultfd: fix hugetlb fault mutex hash calculation
Date: Sat, 7 Mar 2026 22:35:39 +0800
Message-ID: <20260307143542.179953-1-jianhuizzzzz@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260306140332.171078-1-jianhuizzzzz@gmail.com>
References: <20260306140332.171078-1-jianhuizzzzz@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

In mfill_atomic_hugetlb(), linear_page_index() is used to calculate the page index for hugetlb_fault_mutex_hash(). However, linear_page_index() returns the index in PAGE_SIZE units, while hugetlb_fault_mutex_hash() expects the index in huge page units (as calculated by vma_hugecache_offset()).

This mismatch means that different addresses within the same huge page can produce different hash values, leading to the use of different mutexes for the same huge page. This can cause races between faulting threads, which can corrupt the reservation map and trigger the BUG_ON in resv_map_release().

Fix this by replacing linear_page_index() with vma_hugecache_offset() and applying huge_page_mask() to align the address properly. To make vma_hugecache_offset() available outside of mm/hugetlb.c, move it to include/linux/hugetlb.h as a static inline function.

Fixes: 60d4d2d2b40e ("userfaultfd: hugetlbfs: add __mcopy_atomic_hugetlb for huge page UFFDIO_COPY")
Reported-by: syzbot+f525fd79634858f478e7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f525fd79634858f478e7
Cc: stable@vger.kernel.org
Signed-off-by: Jianhui Zhou --- v2: - Remove unnecessary !CONFIG_HUGETLB_PAGE stub for vma_hugecache_offset() (Peter Xu, SeongJae Park) include/linux/hugetlb.h | 11 +++++++++++ mm/hugetlb.c | 11 ----------- mm/userfaultfd.c | 5 ++++- 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h index 65910437be1c..f003afe0cc91 100644 --- a/include/linux/hugetlb.h +++ b/include/linux/hugetlb.h @@ -796,6 +796,17 @@ static inline unsigned huge_page_shift(struct hstate *= h) return h->order + PAGE_SHIFT; } =20 +/* + * Convert the address within this vma to the page offset within + * the mapping, huge page units here. + */ +static inline pgoff_t vma_hugecache_offset(struct hstate *h, + struct vm_area_struct *vma, unsigned long address) +{ + return ((address - vma->vm_start) >> huge_page_shift(h)) + + (vma->vm_pgoff >> huge_page_order(h)); +} + static inline bool order_is_gigantic(unsigned int order) { return order > MAX_PAGE_ORDER; diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 0beb6e22bc26..b87ed652c748 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -1006,17 +1006,6 @@ static long region_count(struct resv_map *resv, long= f, long t) return chg; } =20 -/* - * Convert the address within this vma to the page offset within - * the mapping, huge page units here. - */ -static pgoff_t vma_hugecache_offset(struct hstate *h, - struct vm_area_struct *vma, unsigned long address) -{ - return ((address - vma->vm_start) >> huge_page_shift(h)) + - (vma->vm_pgoff >> huge_page_order(h)); -} - /** * vma_kernel_pagesize - Page size granularity for this VMA. * @vma: The user mapping. diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c index 927086bb4a3c..8efebc47a410 100644 --- a/mm/userfaultfd.c +++ b/mm/userfaultfd.c @@ -507,6 +507,7 @@ static __always_inline ssize_t mfill_atomic_hugetlb( pgoff_t idx; u32 hash; struct address_space *mapping; + struct hstate *h; =20 /* * There is no default zero huge page for all huge page sizes as 
@@ -564,6 +565,8 @@ static __always_inline ssize_t mfill_atomic_hugetlb( goto out_unlock; } =20 + h =3D hstate_vma(dst_vma); + while (src_addr < src_start + len) { VM_WARN_ON_ONCE(dst_addr >=3D dst_start + len); =20 @@ -573,7 +576,7 @@ static __always_inline ssize_t mfill_atomic_hugetlb( * in the case of shared pmds. fault mutex prevents * races with other faulting threads. */ - idx =3D linear_page_index(dst_vma, dst_addr); + idx =3D vma_hugecache_offset(h, dst_vma, dst_addr & huge_page_mask(h)); mapping =3D dst_vma->vm_file->f_mapping; hash =3D hugetlb_fault_mutex_hash(mapping, idx); mutex_lock(&hugetlb_fault_mutex_table[hash]); --=20 2.43.0
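Review bot: the comment on vma_hugecache_offset() in the include/linux/hugetlb.h hunk ("Convert the address within this vma to the page offset within the mapping, huge page units here.") does not say whether @address must be huge-page aligned; the helper shifts (address - vma->vm_start) by huge_page_shift(h) without masking, and the only new caller, in mm/userfaultfd.c, passes `dst_addr & huge_page_mask(h)`. Now that the helper is visible to every file including hugetlb.h, state the expectation in that comment (for example "@address is expected to be huge page aligned by the caller") or mask inside the helper, so the next caller outside mm/hugetlb.c does not have to rediscover the convention.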
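Review bot: the existing comment above the lock in the `@@ -573,7 +576,7 @@` hunk of mm/userfaultfd.c ("in the case of shared pmds. fault mutex prevents races with other faulting threads") still says nothing about the unit of idx, which is exactly what went wrong here; since the changed line `idx = vma_hugecache_offset(h, dst_vma, dst_addr & huge_page_mask(h));` only fixes the value, add one line to that comment noting that hugetlb_fault_mutex_hash() takes the index in huge page units, as produced by vma_hugecache_offset(), so that a later cleanup does not reintroduce linear_page_index() here.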
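The unit mismatch the commit message describes, as an added userspace model that is not part of this patch or of the kernel: hstate and vm_area_struct are reduced to the fields the two helpers read, linear_page_index() is reduced to its generic PAGE_SIZE-unit arithmetic (the behaviour the commit message attributes to this caller), the fault-mutex hash is a simplified xor stand-in for hugetlb_fault_mutex_hash(), and the 2 MiB huge page size, the vma layout (vm_start 0x40000000, vm_pgoff 3 * 512) and the addresses are constructed sample input. It shows that before the fix a UFFDIO_COPY and a regular hugetlb page fault on the same huge page lock different indices, and that every 4 KiB subpage of one huge page maps to its own index, while after the fix all of them collapse to the index the page-fault path uses.

```c
/*
 * Userspace model of the index mismatch fixed by this patch. Not kernel code:
 * structs are reduced to the fields used here, linear_page_index() is its
 * generic PAGE_SIZE-unit form, and fault_mutex_hash() is a simplified
 * stand-in for hugetlb_fault_mutex_hash(). All sample values are constructed.
 */
#include <stdio.h>

#define PAGE_SHIFT        12
#define NUM_FAULT_MUTEXES 256   /* assumed table size; power of two */

struct hstate { unsigned int order; };
struct vm_area_struct { unsigned long vm_start; unsigned long vm_pgoff; };

static inline unsigned int huge_page_order(const struct hstate *h) { return h->order; }
static inline unsigned int huge_page_shift(const struct hstate *h) { return h->order + PAGE_SHIFT; }
static inline unsigned long huge_page_mask(const struct hstate *h)
{
	return ~((1UL << huge_page_shift(h)) - 1);
}

/* Generic index in PAGE_SIZE units: what the old userfaultfd code fed to the hash. */
static unsigned long linear_page_index(const struct vm_area_struct *vma, unsigned long address)
{
	return ((address - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
}

/* Same arithmetic as the helper the patch moves into include/linux/hugetlb.h. */
static unsigned long vma_hugecache_offset(const struct hstate *h, const struct vm_area_struct *vma,
					  unsigned long address)
{
	return ((address - vma->vm_start) >> huge_page_shift(h)) + (vma->vm_pgoff >> huge_page_order(h));
}

/* Simplified stand-in for hugetlb_fault_mutex_hash(): a pure function of (mapping, idx). */
static unsigned int fault_mutex_hash(unsigned long mapping_id, unsigned long idx)
{
	return (unsigned int)((mapping_id ^ idx) & (NUM_FAULT_MUTEXES - 1));
}

/* Index the regular hugetlb page-fault path locks with: huge page units, aligned address. */
static unsigned long page_fault_idx(const struct hstate *h, const struct vm_area_struct *vma,
				    unsigned long address)
{
	return vma_hugecache_offset(h, vma, address & huge_page_mask(h));
}

/* Index UFFDIO_COPY on a hugetlb vma locks with, before (fixed == 0) and after the patch. */
static unsigned long uffd_copy_idx(int fixed, const struct hstate *h, const struct vm_area_struct *vma,
				   unsigned long address)
{
	if (!fixed)
		return linear_page_index(vma, address);
	return vma_hugecache_offset(h, vma, address & huge_page_mask(h));
}

/* 1 if a UFFDIO_COPY at @addr and a page fault at @fault_addr take the same mutex. */
static int serialised(int fixed, const struct hstate *h, const struct vm_area_struct *vma,
		      unsigned long addr, unsigned long fault_addr)
{
	const unsigned long mapping_id = 0x1234; /* constructed stand-in for vm_file->f_mapping */

	return fault_mutex_hash(mapping_id, uffd_copy_idx(fixed, h, vma, addr)) ==
	       fault_mutex_hash(mapping_id, page_fault_idx(h, vma, fault_addr));
}

/* How many distinct indices the 4 KiB subpages of one huge page map to. */
static unsigned long distinct_indices(int fixed, const struct hstate *h, const struct vm_area_struct *vma,
				      unsigned long hpage_start)
{
	unsigned long n = 0, prev = 0, off;

	for (off = 0; off < (1UL << huge_page_shift(h)); off += 1UL << PAGE_SHIFT) {
		unsigned long idx = uffd_copy_idx(fixed, h, vma, hpage_start + off);

		if (off == 0 || idx != prev)
			n++;
		prev = idx;
	}
	return n;
}

/* Constructed sample: 2 MiB huge pages (order 9 with 4 KiB base pages), vma 3 huge pages into the file. */
static const struct hstate h_2m = { .order = 9 };
static const struct vm_area_struct vma_sample = { .vm_start = 0x40000000UL, .vm_pgoff = 3 * 512 };

int main(void)
{
	unsigned long hp = vma_sample.vm_start + (1UL << 21);   /* second huge page of the vma */
	unsigned long mid = hp + 0x1000;                        /* 4 KiB into that same huge page */
	int fixed;

	for (fixed = 0; fixed <= 1; fixed++)
		printf("%s fix: copy idx %lu, fault idx %lu, %lu distinct indices per huge page, serialised=%d\n",
		       fixed ? "after " : "before", uffd_copy_idx(fixed, &h_2m, &vma_sample, mid),
		       page_fault_idx(&h_2m, &vma_sample, mid),
		       distinct_indices(fixed, &h_2m, &vma_sample, hp),
		       serialised(fixed, &h_2m, &vma_sample, mid, hp));
	return 0;
}
```

With the sample vma, the old code locks index 2049 for a copy 4 KiB into the second huge page while a concurrent fault on that huge page locks index 4; after the fix both sides lock index 4, which is the property the reservation-map BUG_ON depends on.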