RISC-V THP splitting uses a temporary invalid PMD state where
pmd_mkinvalid() clears _PAGE_PRESENT and _PAGE_PROT_NONE but leaves
_PAGE_LEAF set so the MM code can still recognize the PMD as a THP split
in-progress entry.

That temporary state no longer describes a user-accessible mapping, but
page_table_check currently treats it as one because the RISC-V PMD
user-accessibility test only checks whether the PMD is a leaf and has
user permissions.

As a result, when a PMD-sized anonymous THP is split during a COW fault,
page_table_check can account the invalid intermediate PMD as a live PMD
mapping, and then account the replacement PTE mappings again when the
split installs the PTE table. This leaves stale PMD accounting behind and
later triggers page_table_check failures such as a non-zero
anon_map_count when the folio is freed.

Fix this by tightening pmd_user_accessible_page() so PMD page-table-check
accounting only considers leaf PMDs that still carry either
_PAGE_PRESENT or _PAGE_PROT_NONE. This preserves the THP split semantics
required by the MM code while preventing page_table_check from treating
invalid split PMDs as live user mappings.

With CONFIG_PAGE_TABLE_CHECK=y and CONFIG_PAGE_TABLE_CHECK_ENFORCED=y,
tools/testing/selftests/mm/cow completes successfully on RISC-V after
this change.

Fixes: 3fee229a8eb9 ("riscv/mm: enable ARCH_SUPPORTS_PAGE_TABLE_CHECK")
Cc: stable@vger.kernel.org
Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
---
 arch/riscv/include/asm/pgtable.h | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h
index 1725f0861f6c7..88c599fda5779 100644
--- a/arch/riscv/include/asm/pgtable.h
+++ b/arch/riscv/include/asm/pgtable.h
@@ -1209,7 +1209,14 @@ static inline bool pte_user_accessible_page(pte_t pte)
 
 static inline bool pmd_user_accessible_page(pmd_t pmd)
 {
-	return pmd_leaf(pmd) && pmd_user(pmd);
+	/*
+	 * page_table_check() must ignore THP split invalidation entries created by
+	 * pmd_mkinvalid(). These retain _PAGE_LEAF so pmd_present()/pmd_leaf() stay
+	 * true during the split, but they no longer describe a user-accessible
+	 * mapping once both _PAGE_PRESENT and _PAGE_PROT_NONE are cleared.
+	 */
+	return (pmd_val(pmd) & (_PAGE_PRESENT | _PAGE_PROT_NONE)) &&
+		(pmd_val(pmd) & _PAGE_LEAF) && pmd_user(pmd);
 }
 
 static inline bool pud_user_accessible_page(pud_t pud)
-- 
2.39.5

On Fri, 15 May 2026, Yunhui Cui wrote:

> RISC-V THP splitting uses a temporary invalid PMD state where
> pmd_mkinvalid() clears _PAGE_PRESENT and _PAGE_PROT_NONE but leaves
> _PAGE_LEAF set so the MM code can still recognize the PMD as a THP split
> in-progress entry.
> 
> That temporary state no longer describes a user-accessible mapping, but
> page_table_check currently treats it as one because the RISC-V PMD
> user-accessibility test only checks whether the PMD is a leaf and has
> user permissions.
> 
> As a result, when a PMD-sized anonymous THP is split during a COW fault,
> page_table_check can account the invalid intermediate PMD as a live PMD
> mapping, and then account the replacement PTE mappings again when the
> split installs the PTE table. This leaves stale PMD accounting behind and
> later triggers page_table_check failures such as a non-zero
> anon_map_count when the folio is freed.
> 
> Fix this by tightening pmd_user_accessible_page() so PMD page-table-check
> accounting only considers leaf PMDs that still carry either
> _PAGE_PRESENT or _PAGE_PROT_NONE. This preserves the THP split semantics
> required by the MM code while preventing page_table_check from treating
> invalid split PMDs as live user mappings.
> 
> With CONFIG_PAGE_TABLE_CHECK=y and CONFIG_PAGE_TABLE_CHECK_ENFORCED=y,
> tools/testing/selftests/mm/cow completes successfully on RISC-V after
> this change.
> 
> Fixes: 3fee229a8eb9 ("riscv/mm: enable ARCH_SUPPORTS_PAGE_TABLE_CHECK")
> Cc: stable@vger.kernel.org
> Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>

Thanks for the patch, but it doesn't apply as-is.  Could you fix it and 
resend?


- Paul

Hi Paul,

On Sat, May 23, 2026 at 7:10 AM Paul Walmsley <pjw@kernel.org> wrote:
>
> On Fri, 15 May 2026, Yunhui Cui wrote:
>
> > RISC-V THP splitting uses a temporary invalid PMD state where
> > pmd_mkinvalid() clears _PAGE_PRESENT and _PAGE_PROT_NONE but leaves
> > _PAGE_LEAF set so the MM code can still recognize the PMD as a THP split
> > in-progress entry.
> >
> > That temporary state no longer describes a user-accessible mapping, but
> > page_table_check currently treats it as one because the RISC-V PMD
> > user-accessibility test only checks whether the PMD is a leaf and has
> > user permissions.
> >
> > As a result, when a PMD-sized anonymous THP is split during a COW fault,
> > page_table_check can account the invalid intermediate PMD as a live PMD
> > mapping, and then account the replacement PTE mappings again when the
> > split installs the PTE table. This leaves stale PMD accounting behind and
> > later triggers page_table_check failures such as a non-zero
> > anon_map_count when the folio is freed.
> >
> > Fix this by tightening pmd_user_accessible_page() so PMD page-table-check
> > accounting only considers leaf PMDs that still carry either
> > _PAGE_PRESENT or _PAGE_PROT_NONE. This preserves the THP split semantics
> > required by the MM code while preventing page_table_check from treating
> > invalid split PMDs as live user mappings.
> >
> > With CONFIG_PAGE_TABLE_CHECK=y and CONFIG_PAGE_TABLE_CHECK_ENFORCED=y,
> > tools/testing/selftests/mm/cow completes successfully on RISC-V after
> > this change.
> >
> > Fixes: 3fee229a8eb9 ("riscv/mm: enable ARCH_SUPPORTS_PAGE_TABLE_CHECK")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
>
> Thanks for the patch, but it doesn't apply as-is.  Could you fix it and
> resend?

Thanks for the heads-up. I have fixed the apply issue and resent it here:
https://lore.kernel.org/all/20260523042052.35476-1-cuiyunhui@bytedance.com/

>
>
> - Paul

 Thanks,
 Yunhui