From: Jianhui Zhou
To: Muchun Song, Oscar Salvador, Andrew Morton, Mike Rapoport
Cc: David Hildenbrand, Peter Xu, Andrea Arcangeli, Mike Kravetz, SeongJae Park, Hugh Dickins, Sidhartha Kumar, Jonas Zhou, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, syzbot+f525fd79634858f478e7@syzkaller.appspotmail.com, Jianhui Zhou
Subject: [PATCH v4] mm/userfaultfd: fix hugetlb fault mutex hash calculation
Date: Tue, 10 Mar 2026 19:05:26 +0800
Message-ID: <20260310110526.335749-1-jianhuizzzzz@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260306140332.171078-1-jianhuizzzzz@gmail.com>
References: <20260306140332.171078-1-jianhuizzzzz@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

In mfill_atomic_hugetlb(), linear_page_index() is used to calculate the
page index for hugetlb_fault_mutex_hash(). However, linear_page_index()
returns the index in PAGE_SIZE units, while hugetlb_fault_mutex_hash()
expects the index in huge page units.

This mismatch means that different addresses within the same huge page
can produce different hash values, leading to the use of different
mutexes for the same huge page. This can cause races between faulting
threads, which can corrupt the reservation map and trigger the BUG_ON
in resv_map_release().

Fix this by introducing hugetlb_linear_page_index(), which returns the
page index in huge page granularity, and using it in place of
linear_page_index().

Fixes: a08c7193e4f1 ("mm/filemap: remove hugetlb special casing in filemap.c")
Reported-by: syzbot+f525fd79634858f478e7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f525fd79634858f478e7
Cc: stable@vger.kernel.org
Signed-off-by: Jianhui Zhou
Acked-by: Mike Rapoport (Microsoft)
Acked-by: SeongJae Park
Reviewed-by: David Hildenbrand (Arm)
---
v4:
- Introduce hugetlb_linear_page_index() instead of exposing
  vma_hugecache_offset(); call hstate_vma() internally to simplify the
  API (David Hildenbrand)
v3:
- Fix Fixes tag to a08c7193e4f1 (Hugh Dickins)
v2:
- Remove unnecessary !CONFIG_HUGETLB_PAGE stub for
  vma_hugecache_offset() (Peter Xu, SeongJae Park)

 include/linux/hugetlb.h | 17 +++++++++++++++++
 mm/userfaultfd.c        |  2 +-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h index 65910437be1c..67d4f0924646 100644 --- a/include/linux/hugetlb.h +++ b/include/linux/hugetlb.h @@ -796,6 +796,23 @@ static inline unsigned huge_page_shift(struct hstate *= h) return h->order + PAGE_SHIFT; } =20 +/** + * hugetlb_linear_page_index() - linear_page_index() but in hugetlb + * page size granularity. + * @vma: the hugetlb VMA + * @address: the virtual address within the VMA + * + * Return: the page offset within the mapping in huge page units. + */ +static inline pgoff_t hugetlb_linear_page_index(struct vm_area_struct *vma, + unsigned long address) +{ + struct hstate *h =3D hstate_vma(vma); + + return ((address - vma->vm_start) >> huge_page_shift(h)) + + (vma->vm_pgoff >> huge_page_order(h)); +} + static inline bool order_is_gigantic(unsigned int order) { return order > MAX_PAGE_ORDER; diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c index 927086bb4a3c..5590989e18c7 100644 --- a/mm/userfaultfd.c +++ b/mm/userfaultfd.c @@ -573,7 +573,7 @@ static __always_inline ssize_t mfill_atomic_hugetlb( * in the case of shared pmds. fault mutex prevents * races with other faulting threads. */ - idx =3D linear_page_index(dst_vma, dst_addr); + idx =3D hugetlb_linear_page_index(dst_vma, dst_addr); mapping =3D dst_vma->vm_file->f_mapping; hash =3D hugetlb_fault_mutex_hash(mapping, idx); mutex_lock(&hugetlb_fault_mutex_table[hash]);
-- 
2.43.0
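Review bot: in the include/linux/hugetlb.h hunk, the body of the new hugetlb_linear_page_index() is the same arithmetic as vma_hugecache_offset() in mm/hugetlb.c (the v4 changelog says the helper was added instead of exposing that function), so consider making vma_hugecache_offset() call the new inline, or at least stating in the kerneldoc that the two must stay equivalent, so they cannot drift apart later. The kerneldoc should also say that @address must lie inside @vma: `address - vma->vm_start` is unsigned, so an address below vm_start wraps silently instead of failing. Placing the helper in the CONFIG_HUGETLB_PAGE section next to huge_page_shift() looks right, since mfill_atomic_hugetlb() is only built with hugetlb enabled, which is why no !CONFIG_HUGETLB_PAGE stub is needed (as the v2 note says).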
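Review bot: the mm/userfaultfd.c hunk is correct for this caller, but the root cause named in the Fixes tag is that linear_page_index() stopped special-casing hugetlb in a08c7193e4f1, so it is worth confirming that every other hugetlb_fault_mutex_hash() caller derives idx in huge-page units too; the comment kept above the lock ("fault mutex prevents races with other faulting threads") only holds if every path hashing the same huge page lands on the same hugetlb_fault_mutex_table slot. The Cc: stable is appropriate given the reservation-map corruption described in the changelog.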
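As an added example (not the patch's code nor kernel code), a small user-space C model of the index mismatch the commit message describes: the old PAGE_SIZE-granularity index sends two addresses inside one huge page to different mutex slots, while the huge-page-granularity index sends them to the same slot. The 4 KiB base page, 2 MiB huge page (order 9), 8-entry table and the multiplicative hash standing in for hugetlb_fault_mutex_hash() are all assumptions of this example.

```c
/* Model of the fault-mutex hash mismatch fixed by this patch.
 * Assumed constants: 4 KiB base pages, 2 MiB huge pages, 8 mutexes. */
#include <stdio.h>

#define PAGE_SHIFT 12UL
#define HUGE_ORDER 9UL                       /* 2 MiB huge pages (assumed) */
#define HUGE_SHIFT (HUGE_ORDER + PAGE_SHIFT)
#define NUM_FAULT_MUTEXES 8ULL               /* assumed table size */

/* Only the two VMA fields the index calculation needs. */
struct vma { unsigned long vm_start; unsigned long vm_pgoff; };

/* linear_page_index(): mapping offset in PAGE_SIZE units (old code). */
static unsigned long linear_page_index(const struct vma *vma, unsigned long addr)
{
    return ((addr - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
}

/* hugetlb_linear_page_index(): same offset in huge-page units (the fix).
 * vm_pgoff is kept in PAGE_SIZE units, hence the >> HUGE_ORDER. */
static unsigned long hugetlb_linear_page_index(const struct vma *vma, unsigned long addr)
{
    return ((addr - vma->vm_start) >> HUGE_SHIFT) + (vma->vm_pgoff >> HUGE_ORDER);
}

/* Toy stand-in for hugetlb_fault_mutex_hash(): any per-index hash shows
 * the problem, because different indices usually pick different slots. */
static unsigned long fault_mutex_hash(unsigned long idx)
{
    return (unsigned long)(((unsigned long long)idx * 0x9E3779B97F4A7C15ULL >> 58)
                           % NUM_FAULT_MUTEXES);
}

/* 1 if addresses a and b select the same mutex; fixed=0 uses the old index. */
static int same_mutex(const struct vma *vma, unsigned long a, unsigned long b, int fixed)
{
    unsigned long ia = fixed ? hugetlb_linear_page_index(vma, a) : linear_page_index(vma, a);
    unsigned long ib = fixed ? hugetlb_linear_page_index(vma, b) : linear_page_index(vma, b);
    return fault_mutex_hash(ia) == fault_mutex_hash(ib);
}

int main(void)
{
    struct vma vma = { 0x40000000UL, 0 };       /* constructed, huge-page aligned */
    unsigned long a = vma.vm_start;             /* first 4 KiB of huge page 0 */
    unsigned long b = vma.vm_start + 0x1000UL;  /* second 4 KiB, same huge page */
    printf("old index: same mutex? %d\n", same_mutex(&vma, a, b, 0));
    printf("new index: same mutex? %d\n", same_mutex(&vma, a, b, 1));
    return 0;
}
```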