From: Muchun Song
To: Muchun Song, Oscar Salvador, Andrew Morton
Cc: David Hildenbrand, Kiryl Shutsemau, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Muchun Song
Subject: [PATCH] mm/hugetlb_vmemmap: fix incorrect vmemmap restore in rollback
Date: Mon, 25 May 2026 10:52:13 +0800
Message-ID: <20260525025213.2229628-1-songmuchun@bytedance.com>
X-Mailing-List: linux-kernel@vger.kernel.org

vmemmap_restore_pte() rebuilds restored vmemmap pages from a tail-page
template derived from compound_head(). This is wrong when the current PTE
already maps a page whose contents are not tail-page metadata.

In the rollback path of vmemmap_remap_free(), the first restored PTE is
backed by vmemmap_head and contains head-page metadata. Reconstructing that
page from a tail-page template overwrites the head-page state and corrupts
the restored vmemmap page.

Fix this by copying the full page from the page currently mapped by the
PTE. Also pass vmemmap_tail to the rollback walk so only PTEs backed by the
shared tail page are restored, while the head PTE remains mapped to
vmemmap_head.

Add VM_WARN_ON_ONCE() checks for unexpected cases.

Fixes: c0b495b91a47 ("mm/hugetlb: refactor code around vmemmap_walk")
Cc: stable@vger.kernel.org
Signed-off-by: Muchun Song Acked-by: Kiryl Shutsemau Acked-by: Oscar Salvador (SUSE) --- mm/hugetlb_vmemmap.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/mm/hugetlb_vmemmap.c b/mm/hugetlb_vmemmap.c index 4a077d231d3a..133b46dfb09f 100644 --- a/mm/hugetlb_vmemmap.c +++ b/mm/hugetlb_vmemmap.c @@ -207,6 +207,8 @@ static void vmemmap_remap_pte(pte_t *pte, unsigned long= addr, =20 /* Remapping the head page requires r/w */ if (unlikely(walk->nr_walked =3D=3D 0 && walk->vmemmap_head)) { + VM_WARN_ON_ONCE(!PageHead((const struct page *)addr)); + list_del(&walk->vmemmap_head->lru); =20 /* @@ -218,6 +220,8 @@ static void vmemmap_remap_pte(pte_t *pte, unsigned long= addr, =20 entry =3D mk_pte(walk->vmemmap_head, PAGE_KERNEL); } else { + VM_WARN_ON_ONCE(!PageTail((const struct page *)addr)); + /* * Remap the tail pages as read-only to catch illegal write * operation to the tail pages. 
@@ -232,33 +236,28 @@ static void vmemmap_remap_pte(pte_t *pte, unsigned lo= ng addr, static void vmemmap_restore_pte(pte_t *pte, unsigned long addr, struct vmemmap_remap_walk *walk) { - struct page *page; - struct page *from, *to; - - page =3D list_first_entry(walk->vmemmap_pages, struct page, lru); - list_del(&page->lru); + struct page *src =3D pte_page(ptep_get(pte)), *dst; =20 /* - * Initialize tail pages in the newly allocated vmemmap page. - * - * There is folio-scope metadata that is encoded in the first few - * tail pages. - * - * Use the value last tail page in the page with the head page - * to initialize the rest of tail pages. + * When rolling back vmemmap_remap_free(), keep the copied head page + * mapping and restore only PTEs currently pointing at the shared tail + * page. */ - from =3D compound_head((struct page *)addr) + - PAGE_SIZE / sizeof(struct page) - 1; - to =3D page_to_virt(page); - for (int i =3D 0; i < PAGE_SIZE / sizeof(struct page); i++, to++) - *to =3D *from; + if (walk->vmemmap_tail && walk->vmemmap_tail !=3D src) + return; + + VM_WARN_ON_ONCE(PageHead((const struct page *)addr)); + + dst =3D list_first_entry(walk->vmemmap_pages, struct page, lru); + list_del(&dst->lru); + copy_page(page_to_virt(dst), page_to_virt(src)); =20 /* * Makes sure that preceding stores to the page contents become visible * before the set_pte_at() write. */ smp_wmb(); - set_pte_at(&init_mm, addr, pte, mk_pte(page, PAGE_KERNEL)); + set_pte_at(&init_mm, addr, pte, mk_pte(dst, PAGE_KERNEL)); } =20 /** @@ -324,6 +323,7 @@ static int vmemmap_remap_free(unsigned long start, unsi= gned long end, */ walk =3D (struct vmemmap_remap_walk) { .remap_pte =3D vmemmap_restore_pte, + .vmemmap_tail =3D vmemmap_tail, .vmemmap_pages =3D vmemmap_pages, .flags =3D 0, }; base-commit: e98d21c170b01ddef366f023bbfcf6b31509fa83 --=20 2.54.0
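
Review bot: the two VM_WARN_ON_ONCE() checks added in vmemmap_remap_pte() (the -207 and -218 hunks) only warn, and they compile out without CONFIG_DEBUG_VM, so a page that fails PageHead() in the head branch or PageTail() in the else branch is still remapped exactly as before. A short comment next to the checks stating the invariant they assert, and whether a mismatch is purely diagnostic or means the walk is on the wrong range, would help the reader. The (const struct page *)addr cast is also repeated in both branches and again in vmemmap_restore_pte(); a local variable would keep the three checks in step.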
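
Review bot: the early return in vmemmap_restore_pte() (if (walk->vmemmap_tail && walk->vmemmap_tail != src) return;) skips a PTE before list_first_entry()/list_del() run, so one entry of walk->vmemmap_pages is no longer consumed for each skipped PTE, and neither the new comment nor the commit message says what happens to it. Please add a sentence to the comment naming who frees the page left on the list during rollback. The removed comment also explained why a tail-page template was enough; the replacement describes only the rollback case, although copy_page() from src now applies to every caller, so a line above copy_page() saying why the currently mapped page is always the right source would be worth having.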
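
Review bot: in the vmemmap_remap_free() hunk, .vmemmap_tail = vmemmap_tail only enables the filter in vmemmap_restore_pte() when the pointer is non-NULL, because the test there is walk->vmemmap_tail && walk->vmemmap_tail != src. If vmemmap_tail can be NULL at this point, the rollback silently falls back to restoring every PTE, including the one mapped to vmemmap_head, which is the case this patch is meant to prevent. The visible context does not show where vmemmap_tail is set, so either a VM_WARN_ON_ONCE(!vmemmap_tail) before the rollback walk or a comment stating that it is always valid here would close the gap.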