From: Pedro Demarchi Gomes
To: Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, David Airlie, Simona Vetter, Boris Brezillon, Loic Molinari
Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Pedro Demarchi Gomes
Subject: [PATCH v2] drm/shmem-helper: Fix Map huge page mapping in fault handler
Date: Fri, 13 Mar 2026 11:17:19 -0300
Message-ID: <20260313141719.3949700-1-pedrodemargomes@gmail.com>
X-Mailer: git-send-email 2.53.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

When running ./tools/testing/selftests/mm/split_huge_page_test multiple
times with /sys/kernel/mm/transparent_hugepage/shmem_enabled and
/sys/kernel/mm/transparent_hugepage/enabled set as always the following
BUG occurs:

[  232.728858] ------------[ cut here ]------------
[  232.729458] kernel BUG at mm/memory.c:2276!
[  232.729726] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[  232.730217] CPU: 19 UID: 60578 PID: 1497 Comm: llvmpipe-9 Not tainted 7.0.0-rc1mm-new+ #19 PREEMPT(lazy)
[  232.730855] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-9.fc43 06/10/2025
[  232.731360] RIP: 0010:walk_to_pmd+0x29e/0x3c0
[  232.731569] Code: d8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 89 ea 48 89 de 4c 89 f7 e8 ae 85 ff ff 85 c0 0f 84 1f fe ff ff 31 db eb d0 <0f> 0b 48 89 ea 48 89 de 4c 89 f7 e8 92 8b ff ff 85 c0 75 e8 48 b8
[  232.732614] RSP: 0000:ffff8881aa6ff9a8 EFLAGS: 00010282
[  232.732991] RAX: 8000000142e002e7 RBX: ffff8881433cae10 RCX: dffffc0000000000
[  232.733362] RDX: 0000000000000000 RSI: 00007fb47840b000 RDI: 8000000142e002e7
[  232.733801] RBP: 00007fb47840b000 R08: 0000000000000000 R09: 1ffff110354dff46
[  232.734168] R10: fffffbfff0cb921d R11: 00000000910da5ce R12: 1ffffffff0c1fcdd
[  232.734459] R13: 1ffffffff0c23f36 R14: ffff888171628040 R15: 0000000000000000
[  232.734861] FS:  00007fb4907f86c0(0000) GS:ffff888791f2c000(0000) knlGS:0000000000000000
[  232.735265] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  232.735548] CR2: 00007fb47840be00 CR3: 000000015e6dc000 CR4: 00000000000006f0
[  232.736031] Call Trace:
[  232.736273]  <TASK>
[  232.736500]  get_locked_pte+0x1f/0xa0
[  232.736878]  insert_pfn+0x9f/0x350
[  232.737190]  ? __pfx_pat_pagerange_is_ram+0x10/0x10
[  232.737614]  ? __pfx_insert_pfn+0x10/0x10
[  232.737990]  ? __pfx_css_rstat_updated+0x10/0x10
[  232.738281]  ? __pfx_pfn_modify_allowed+0x10/0x10
[  232.738552]  ? lookup_memtype+0x62/0x180
[  232.738761]  vmf_insert_pfn_prot+0x14b/0x340
[  232.739012]  ? __pfx_vmf_insert_pfn_prot+0x10/0x10
[  232.739247]  ? __pfx___might_resched+0x10/0x10
[  232.739475]  drm_gem_shmem_fault.cold+0x18/0x39
[  232.739677]  ? rcu_read_unlock+0x20/0x70
[  232.739882]  __do_fault+0x251/0x7b0
[  232.740028]  do_fault+0x6e1/0xc00
[  232.740167]  ? __lock_acquire+0x590/0xc40
[  232.740335]  handle_pte_fault+0x439/0x760
[  232.740498]  ? mtree_range_walk+0x252/0xae0
[  232.740669]  ? __pfx_handle_pte_fault+0x10/0x10
[  232.740899]  __handle_mm_fault+0xa02/0xf30
[  232.741066]  ? __pfx___handle_mm_fault+0x10/0x10
[  232.741255]  ? find_vma+0xa1/0x120
[  232.741403]  handle_mm_fault+0x2bf/0x8f0
[  232.741564]  do_user_addr_fault+0x2d3/0xed0
[  232.741736]  ? trace_page_fault_user+0x1bf/0x240
[  232.741969]  exc_page_fault+0x87/0x120
[  232.742124]  asm_exc_page_fault+0x26/0x30
[  232.742288] RIP: 0033:0x7fb4d73ed546
[  232.742441] Code: 66 41 0f 6f fb 66 44 0f 6d dc 66 44 0f 6f c6 66 41 0f 6d f1 66 0f 6c fc 66 45 0f 6c c1 66 44 0f 6f c9 66 0f 6d ca 66 0f db f0 <66> 0f df 04 08 66 44 0f 6c ca 66 45 0f db c2 66 44 0f df 10 66 44
[  232.743193] RSP: 002b:00007fb4907f68a0 EFLAGS: 00010206
[  232.743565] RAX: 00007fb47840aa00 RBX: 00007fb4d73ec070 RCX: 0000000000001400
[  232.743871] RDX: 0000000000002800 RSI: 0000000000003c00 RDI: 0000000000000001
[  232.744150] RBP: 0000000000000004 R08: 0000000000001400 R09: 00007fb4d73ec060
[  232.744433] R10: 000055f0261a4288 R11: 00007fb4c013da40 R12: 0000000000000008
[  232.744712] R13: 0000000000000000 R14: 4332322132212110 R15: 0000000000000004
[  232.746616]  </TASK>
[  232.746711] Modules linked in: nft_nat nft_masq veth bridge stp llc snd_seq_dummy snd_hrtimer snd_seq snd_seq_device snd_timer snd soundcore overlay rfkill nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables qrtr ppdev 9pnet_virtio 9pnet parport_pc i2c_piix4 netfs pcspkr parport i2c_smbus joydev sunrpc vfat fat loop dm_multipath nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport zram lz4hc_compress vmw_vmci lz4_compress vsock e1000 bochs serio_raw ata_generic pata_acpi scsi_dh_rdac scsi_dh_emc scsi_dh_alua i2c_dev fuse qemu_fw_cfg
[  232.749308] ---[ end trace 0000000000000000 ]---
[  232.749507] RIP: 0010:walk_to_pmd+0x29e/0x3c0
[  232.749692] Code: d8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 89 ea 48 89 de 4c 89 f7 e8 ae 85 ff ff 85 c0 0f 84 1f fe ff ff 31 db eb d0 <0f> 0b 48 89 ea 48 89 de 4c 89 f7 e8 92 8b ff ff 85 c0 75 e8 48 b8
[  232.750428] RSP: 0000:ffff8881aa6ff9a8 EFLAGS: 00010282
[  232.750645] RAX: 8000000142e002e7 RBX: ffff8881433cae10 RCX: dffffc0000000000
[  232.750954] RDX: 0000000000000000 RSI: 00007fb47840b000 RDI: 8000000142e002e7
[  232.751232] RBP: 00007fb47840b000 R08: 0000000000000000 R09: 1ffff110354dff46
[  232.751514] R10: fffffbfff0cb921d R11: 00000000910da5ce R12: 1ffffffff0c1fcdd
[  232.751837] R13: 1ffffffff0c23f36 R14: ffff888171628040 R15: 0000000000000000
[  232.752124] FS:  00007fb4907f86c0(0000) GS:ffff888791f2c000(0000) knlGS:0000000000000000
[  232.752441] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  232.752674] CR2: 00007fb47840be00 CR3: 000000015e6dc000 CR4: 00000000000006f0
[  232.752983] Kernel panic - not syncing: Fatal exception
[  232.753510] Kernel Offset: disabled
[  232.754643] ---[ end Kernel panic - not syncing: Fatal exception ]---

This happens when two concurrent page faults occur within the same PMD range.
One fault installs a PMD mapping through vmf_insert_pfn_pmd(), while the other
attempts to install a PTE mapping via vmf_insert_pfn(). The bug is triggered
because a pmd_trans_huge is not expected when walking the page table inside
vmf_insert_pfn.

Avoid this race by adding a huge_fault callback to drm_gem_shmem_vm_ops so that
PMD-sized mappings are handled through the appropriate huge page fault path.

Fixes: 211b9a39f261 ("drm/shmem-helper: Map huge pages in fault handler")
Signed-off-by: Pedro Demarchi Gomes
---
Changes in v2:
- Keep the #ifdef unindented
- Create drm_gem_shmem_any_fault to handle faults of any order and use
  drm_gem_shmem_[huge_]fault() as wrappers
---
 drivers/gpu/drm/drm_gem_shmem_helper.c | 67 +++++++++++++++-----------
 1 file changed, 39 insertions(+), 28 deletions(-)

diff --git a/drivers/gpu/drm/drm_gem_shmem_helper.c b/drivers/gpu/drm/drm_gem_shmem_helper.c
index 7b5a49935ae4..fb8b74ac3057 100644
--- a/drivers/gpu/drm/drm_gem_shmem_helper.c
+++ b/drivers/gpu/drm/drm_gem_shmem_helper.c
@@ -550,36 +550,19 @@ int drm_gem_shmem_dumb_create(struct drm_file *file, = struct drm_device *dev, } EXPORT_SYMBOL_GPL(drm_gem_shmem_dumb_create); =20 -static bool drm_gem_shmem_try_map_pmd(struct vm_fault *vmf, unsigned long = addr, - struct page *page) -{ -#ifdef CONFIG_ARCH_SUPPORTS_PMD_PFNMAP - unsigned long pfn =3D page_to_pfn(page); - unsigned long paddr =3D pfn << PAGE_SHIFT; - bool aligned =3D (addr & ~PMD_MASK) =3D=3D (paddr & ~PMD_MASK); - - if (aligned && - pmd_none(*vmf->pmd) && - folio_test_pmd_mappable(page_folio(page))) { - pfn &=3D PMD_MASK >> PAGE_SHIFT; - if (vmf_insert_pfn_pmd(vmf, pfn, false) =3D=3D VM_FAULT_NOPAGE) - return true; - } -#endif - - return false; -} - -static vm_fault_t drm_gem_shmem_fault(struct vm_fault *vmf) +static vm_fault_t drm_gem_shmem_any_fault(struct vm_fault *vmf, + unsigned int order) { struct vm_area_struct *vma =3D vmf->vma; struct drm_gem_object *obj =3D vma->vm_private_data; struct drm_gem_shmem_object *shmem =3D to_drm_gem_shmem_obj(obj); loff_t num_pages =3D obj->size >> PAGE_SHIFT; - vm_fault_t ret; + vm_fault_t ret =3D VM_FAULT_FALLBACK; struct page **pages =3D shmem->pages; pgoff_t page_offset; unsigned long pfn; + unsigned long paddr; + bool aligned; =20 /* Offset to faulty address in the VMA. */ page_offset =3D vmf->pgoff - vma->vm_pgoff; 
@@ -593,13 +576,24 @@ static vm_fault_t drm_gem_shmem_fault(struct vm_fault= *vmf) goto out; } =20 - if (drm_gem_shmem_try_map_pmd(vmf, vmf->address, pages[page_offset])) { - ret =3D VM_FAULT_NOPAGE; - goto out; - } - pfn =3D page_to_pfn(pages[page_offset]); - ret =3D vmf_insert_pfn(vma, vmf->address, pfn); + switch (order) { + case 0: + ret =3D vmf_insert_pfn(vma, vmf->address, pfn); + break; +#ifdef CONFIG_ARCH_SUPPORTS_PMD_PFNMAP + case PMD_ORDER: + paddr =3D pfn << PAGE_SHIFT; + aligned =3D (vmf->address & ~PMD_MASK) =3D=3D (paddr & ~PMD_MASK); + + if (aligned && + folio_test_pmd_mappable(page_folio(pages[page_offset]))) { + pfn &=3D PMD_MASK >> PAGE_SHIFT; + ret =3D vmf_insert_pfn_pmd(vmf, pfn, false); + } + break; +#endif + } =20 out: dma_resv_unlock(shmem->base.resv); @@ -607,6 +601,20 @@ static vm_fault_t drm_gem_shmem_fault(struct vm_fault = *vmf) return ret; } =20 +static vm_fault_t drm_gem_shmem_huge_fault(struct vm_fault *vmf, + unsigned int order) +{ + if (order !=3D PMD_ORDER) + return VM_FAULT_FALLBACK; + + return drm_gem_shmem_any_fault(vmf, order); +} + +static vm_fault_t drm_gem_shmem_fault(struct vm_fault *vmf) +{ + return drm_gem_shmem_any_fault(vmf, 0); +} + static void drm_gem_shmem_vm_open(struct vm_area_struct *vma) { struct drm_gem_object *obj =3D vma->vm_private_data; @@ -643,6 +651,9 @@ static void drm_gem_shmem_vm_close(struct vm_area_struc= t *vma) =20 const struct vm_operations_struct drm_gem_shmem_vm_ops =3D { .fault =3D drm_gem_shmem_fault, +#ifdef CONFIG_ARCH_SUPPORTS_HUGE_PFNMAP + .huge_fault =3D drm_gem_shmem_huge_fault, +#endif .open =3D drm_gem_shmem_vm_open, .close =3D drm_gem_shmem_vm_close, }; --=20 2.53.0
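Review bot: in the first hunk (@@ -550,36 +550,19 @@), `unsigned long paddr;` and `bool aligned;` are declared at function scope in drm_gem_shmem_any_fault(), but their only use is inside the `#ifdef CONFIG_ARCH_SUPPORTS_PMD_PFNMAP` arm of the switch in the following hunk, so a build with that option disabled gets two -Wunused-variable warnings for this function. Either declare them inside the `case PMD_ORDER:` block, or drop `paddr` altogether and compare `(pfn << PAGE_SHIFT) & ~PMD_MASK` against `vmf->address & ~PMD_MASK` directly, which also removes the need for `aligned`.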
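Review bot: in the switch hunk (@@ -593,13 +576,24 @@), the `case 0:` arm still calls vmf_insert_pfn() without rechecking the PMD after dma_resv_lock(), so the race the commit message describes is narrowed rather than closed: a thread that passed the core's pmd_none() test and then waited on the resv lock in drm_gem_shmem_fault() can still reach walk_to_pmd() after a concurrent drm_gem_shmem_huge_fault() has installed the PMD via vmf_insert_pfn_pmd() and dropped the lock, which is the same VM_BUG_ON path as in the trace (vmf_insert_pfn_prot -> insert_pfn -> get_locked_pte -> walk_to_pmd). Add a recheck under the resv lock at the top of `case 0:`, e.g. `if (pmd_trans_huge(*vmf->pmd)) { ret = VM_FAULT_NOPAGE; break; }`, so the fault returns and is retried against the huge mapping; this is the same recheck fs/dax.c does in its PTE fault path after taking its entry lock. Dropping the old helper's `pmd_none(*vmf->pmd)` test before vmf_insert_pfn_pmd() is fine, since vmf_insert_pfn_pmd() performs that check itself under the page table lock.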
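Review bot: in the wrapper hunk (@@ -607,6 +601,20 @@), drm_gem_shmem_huge_fault() refuses every order other than PMD_ORDER with no comment saying why. A one-line comment noting that the core also issues PUD_ORDER calls on CONFIG_ARCH_SUPPORTS_PUD_PFNMAP arches, and that VM_FAULT_FALLBACK makes the core retry at the next smaller order, would save the next reader a trip through mm/memory.c; the same comment is the natural place to record that the order-0 path is deliberately kept separate from the PMD path.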
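Review bot: in the vm_ops hunk (@@ -643,6 +651,9 @@), `.huge_fault` is installed under CONFIG_ARCH_SUPPORTS_HUGE_PFNMAP while the only code that can satisfy it, the `case PMD_ORDER:` arm in drm_gem_shmem_any_fault(), is under CONFIG_ARCH_SUPPORTS_PMD_PFNMAP; the latter additionally depends on TRANSPARENT_HUGEPAGE, so with THP disabled every PMD-order fault takes dma_resv_lock(), does the `page_offset >= num_pages` lookup, and returns the initial VM_FAULT_FALLBACK before the core retries at PTE order. Gate the `.huge_fault` line on CONFIG_ARCH_SUPPORTS_PMD_PFNMAP, the same symbol the switch uses, so the callback only exists in configurations where it can succeed.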