From nobody Sun May 24 19:34:44 2026 Received: from mail-pg1-f173.google.com (mail-pg1-f173.google.com [209.85.215.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7E9611B86C7 for ; Sat, 23 May 2026 04:21:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.173 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779510069; cv=none; b=ahkq9qaEmS/mDXy4zB9ONN9Ozy96l7DNC9/B6SwYLDsuL+gHbCmQgkLqwdTif8TsDEHf6GK4r4+3yHSxKVw4dJNMPhDv34/Pftg08lHWMug3gXwxLwY6UTIp8hnu/+4V3EAWDBQmjDoi0b2cLhFkrU/ODQv9X4n8uyA9GocR05g= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779510069; c=relaxed/simple; bh=mVg/T5HYjgFU7eMUwI0GAnZvdunIU8AoQenlq8cq08I=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=m0exOoBBN9fh278HHTd0RYNl5wfLmBbpW/yHS1GpgCmZsLDy+8B8Bx3aO4qZGtK4dZDrOsSCjWTP8EggOAfP+WVhXhADhNnZGnkE9J+Uo+gWBvivNpFFK8JyOGfsg5Q1zbKNeNyR8XSleRd3ULgEd2XShHuf50+Ub/eHHPyLtUY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=bytedance.com; spf=pass smtp.mailfrom=bytedance.com; dkim=pass (2048-bit key) header.d=bytedance.com header.i=@bytedance.com header.b=E44O6uwj; arc=none smtp.client-ip=209.85.215.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=bytedance.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=bytedance.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=bytedance.com header.i=@bytedance.com header.b="E44O6uwj" Received: by mail-pg1-f173.google.com with SMTP id 41be03b00d2f7-c795f441ff7so6215355a12.2 for ; Fri, 22 May 2026 21:21:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bytedance.com; s=google; t=1779510067; x=1780114867; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=o/Sl4PO82ChheiWAx9Tl91kUcgmggvPPYrF2yLqTz6g=; b=E44O6uwj+ddFa1TjEyWnISGASGMHIecuy0ONjCTTso9DH1oC2zgkJuYz4eUbRIlBhD kcjmYa/s/9mj+scU4mjmQi5pZqqND2C6bFaeA8yX6Tu8GWGia3jL7QfT3wRIeFNLsRPt Ueyi1o5daffXK9p0JA1JsTJLP4+LSiX+UWU2+/kKn8dcM21e2/Th5sqE+rhj5U5UBKyc 8Kp3uW9RpxxSBpEgAhs8ak12EJQqXsgDLVzzo3hfbGovsxLpREBDyekzZt+YINKPosDO j2oN2/CssFf79udiu6uZYLFnsqU1kXXMDH+HOQAt7LCAL+sY0kqv7tcYTFDBhJk/Ma9A DrPQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779510067; x=1780114867; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=o/Sl4PO82ChheiWAx9Tl91kUcgmggvPPYrF2yLqTz6g=; b=d7rCx5Kx7zZndstrwXGojdi1LT1q3wMhUphID1F1PoONuivKTV5Iaky0HnIou5zVeU w5zH+I1g4k1TpgChkrfIiRCi3bMd7yJ9+o5iGAsygEhf+d4QCSb01Kr9UeMIlI6vlF3I pXTkVPaOj4Be+YLCQRzFmBgzBNnqEFdY2h+8ILKKh5MGOH8mCqmbK4uVY575dJMRRPma wqfwYM1+zPIQWyd9KiP71GXgXqDPpvxN1Jhp+lSFvPJRc5rrO77XmPCwM1gSXWqN1RWF Uze5S8w6qQ53YCjtuAuiRYJe5sf1ZAGHEPVItjkXCYsvnH4uy39LXkIZm5pG0ATDc7qG lcUQ== X-Forwarded-Encrypted: i=1; AFNElJ92/jbBOlEUTsNerwuGpW9/rDBc6mImIaS0OOe5BevUMedIqu8DkTGfWTw278hdAiDw25quGXsNjAN6pwo=@vger.kernel.org X-Gm-Message-State: AOJu0Yz2zM3bpqFcQh2tagZm+UU0ao0FSeUMfDq2OMJkrkJ8k4ZOAomX dhpPVgtOaMBVFmxRQQIVeTGNFU4YMQVqPa+tIp1e95g7oTZiOwCvGLEqpaGhgdPOzrI= X-Gm-Gg: Acq92OFQSkvatEh9ZkmZ0olvB1gf/wQVeLzhYggZ00RvpA24EVva6ggxX88SYFm2lil pBMLqaDpTZZU1KReAihKEJCsZ7Jn+hNwAKVmBFOaO8rIYphq1RzMb+TkCc7KWCjNXYbD7iQLu3s LWfPvzUTLv+orwzhGeK/d3sWmXQ4SMVruvTrAUQaRjGO3U6+X8sUcxatmBZzrGtK6Ly2QrJdrYa jonOes6lO79lu2LjvQAcCL+Tn2lhYL5kD1C1lcF6iggDb+5Tl+O5Sh8rtqatZfhmhLecFzUjx6I VQnafTMAG7uUSXqt0t6VStmvL/7+rXHKi4Tc1qgz9q8wL9QA4vpj8v/Nj/MJXaevB39vQk2xIN5 udnGNsXsU909+J54jY+tcfZKdHpGOni46QgKGIJEd1vcWD4rYownmPyUZiSGGMaPPRjCylCrSiB VQ/zFjQL4kt7+M5j2USlspPAItt3xkXGnS3jZb2zpUkH3OT1crrlPuJ64aenltDQ== X-Received: by 2002:a05:6a21:4d8d:b0:3b3:10e1:a883 with SMTP id adf61e73a8af0-3b328f4a760mr7138152637.47.1779510066555; Fri, 22 May 2026 21:21:06 -0700 (PDT) Received: from L6YN4KR4K9.bytedance.net ([139.177.225.253]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c8520561e94sm2962104a12.22.2026.05.22.21.21.02 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Fri, 22 May 2026 21:21:05 -0700 (PDT) From: Yunhui Cui To: paul.walmsley@sifive.com, palmer@dabbelt.com, aou@eecs.berkeley.edu, cuiyunhui@bytedance.com, tongtiangen@huawei.com, akpm@linux-foundation.org, pasha.tatashin@soleen.com, linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org Subject: [RESEND PATCH] riscv: mm: exclude invalid THP PMDs from page table check Date: Sat, 23 May 2026 12:20:52 +0800 Message-Id: <20260523042052.35476-1-cuiyunhui@bytedance.com> X-Mailer: git-send-email 2.39.2 (Apple Git-143) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" RISC-V THP splitting uses a temporary invalid PMD state where pmd_mkinvalid() clears _PAGE_PRESENT and _PAGE_PROT_NONE but leaves _PAGE_LEAF set so the MM code can still recognize the PMD as a THP split in-progress entry. That temporary state no longer describes a user-accessible mapping, but page_table_check currently treats it as one because the RISC-V PMD user-accessibility test only checks whether the PMD is a leaf and has user permissions. As a result, when a PMD-sized anonymous THP is split during a COW fault, page_table_check can account the invalid intermediate PMD as a live PMD mapping, and then account the replacement PTE mappings again when the split installs the PTE table. This leaves stale PMD accounting behind and later triggers page_table_check failures such as a non-zero anon_map_count when the folio is freed. Fix this by tightening pmd_user_accessible_page() so PMD page-table-check accounting only considers leaf PMDs that still carry either _PAGE_PRESENT or _PAGE_PROT_NONE. This preserves the THP split semantics required by the MM code while preventing page_table_check from treating invalid split PMDs as live user mappings. With CONFIG_PAGE_TABLE_CHECK=3Dy and CONFIG_PAGE_TABLE_CHECK_ENFORCED=3Dy, tools/testing/selftests/mm/cow completes successfully on RISC-V after this change. Fixes: 3fee229a8eb9 ("riscv/mm: enable ARCH_SUPPORTS_PAGE_TABLE_CHECK") Cc: stable@vger.kernel.org Signed-off-by: Yunhui Cui --- arch/riscv/include/asm/pgtable.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgta= ble.h index a1a7c6520a095..ecea48affd7aa 100644 --- a/arch/riscv/include/asm/pgtable.h +++ b/arch/riscv/include/asm/pgtable.h @@ -976,7 +976,14 @@ static inline bool pte_user_accessible_page(struct mm_= struct *mm, unsigned long =20 static inline bool pmd_user_accessible_page(struct mm_struct *mm, unsigned= long addr, pmd_t pmd) { - return pmd_leaf(pmd) && pmd_user(pmd); + /* + * page_table_check() must ignore THP split invalidation entries created = by + * pmd_mkinvalid(). These retain _PAGE_LEAF so pmd_present()/pmd_leaf() s= tay + * true during the split, but they no longer describe a user-accessible + * mapping once both _PAGE_PRESENT and _PAGE_PROT_NONE are cleared. + */ + return (pmd_val(pmd) & (_PAGE_PRESENT | _PAGE_PROT_NONE)) && + (pmd_val(pmd) & _PAGE_LEAF) && pmd_user(pmd); } =20 static inline bool pud_user_accessible_page(struct mm_struct *mm, unsigned= long addr, pud_t pud) --=20 2.39.5