From: Andrew Morton
Date: Thu, 25 Sep 2025 13:35:03 -0700
To: mm-commits@vger.kernel.org,stable@vger.kernel.org,osalvador@suse.de,muchun.song@linux.dev,david@redhat.com,kartikey406@gmail.com,akpm@linux-foundation.org
Message-Id: <20250925203504.7BE02C4CEF7@smtp.kernel.org>
Subject: + hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list.patch added to mm-new branch

The patch titled
     Subject: hugetlbfs: skip VMAs without shareable locks in hugetlb_vmdelete_list
has been added to the -mm mm-new branch.  Its filename is
     hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches/hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list.patch

This patch will later appear in the mm-new branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Note, mm-new is a provisional staging ground for work-in-progress
patches, and acceptance into mm-new is a notification for others to take
notice and to finish up reviews.  Please do not hesitate to respond to
review feedback and post updated versions to replace or incrementally
fixup patches in mm-new.
Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days

------------------------------------------------------
From: Deepanshu Kartikey
Subject: hugetlbfs: skip VMAs without shareable locks in hugetlb_vmdelete_list
Date: Thu, 25 Sep 2025 20:19:32 +0530

hugetlb_vmdelete_list() uses trylock to acquire VMA locks during truncate
operations.  As per the original design in commit 40549ba8f8e0 ("hugetlb:
use new vma_lock for pmd sharing synchronization"), if the trylock fails
or the VMA has no lock, it should skip that VMA.  Any remaining mapped
pages are handled by remove_inode_hugepages() which is called after
hugetlb_vmdelete_list() and uses proper lock ordering to guarantee
unmapping success.

Currently, when hugetlb_vma_trylock_write() returns success (1) for VMAs
without shareable locks, the code proceeds to call unmap_hugepage_range().
This causes assertion failures in huge_pmd_unshare() →
hugetlb_vma_assert_locked() because no lock is actually held:

  WARNING: CPU: 1 PID: 6594 Comm: syz.0.28 Not tainted
  Call Trace:
   hugetlb_vma_assert_locked+0x1dd/0x250
   huge_pmd_unshare+0x2c8/0x540
   __unmap_hugepage_range+0x6e3/0x1aa0
   unmap_hugepage_range+0x32e/0x410
   hugetlb_vmdelete_list+0x189/0x1f0

Fix by explicitly skipping VMAs without shareable locks after trylock
succeeds, consistent with the original design where such VMAs are deferred
to remove_inode_hugepages() for proper handling.

Link: https://lkml.kernel.org/r/20250925144934.150299-1-kartikey406@gmail.com
Signed-off-by: Deepanshu Kartikey
Reported-by: syzbot+f26d7c75c26ec19790e7@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=f26d7c75c26ec19790e7
Fixes: 40549ba8f8e0 ("hugetlb: use new vma_lock for pmd sharing synchronization")
Tested-by: syzbot+f26d7c75c26ec19790e7@syzkaller.appspotmail.com
Cc: David Hildenbrand
Cc: Muchun Song
Cc: Oscar Salvador
Cc:
Signed-off-by: Andrew Morton
---

 fs/hugetlbfs/inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/hugetlbfs/inode.c~hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list +++ a/fs/hugetlbfs/inode.c
@@ -487,7 +487,8 @@ hugetlb_vmdelete_list(struct rb_root_cac if (!hugetlb_vma_trylock_write(vma)) continue; - + if (!__vma_shareable_lock(vma)) + continue; v_start = vma_offset_start(vma, start); v_end = vma_offset_end(vma, end); _

Patches currently in -mm which might be from kartikey406@gmail.com are

hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list.patch
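
Review bot: the added "if (!__vma_shareable_lock(vma)) continue;" runs only after hugetlb_vma_trylock_write(vma) has already returned success, and nothing on that new path releases anything. If the trylock can take any lock for a VMA that then fails __vma_shareable_lock(), this continue skips whatever unlock follows later in the loop (not shown in this hunk) and the lock stays held. Testing __vma_shareable_lock(vma) before calling hugetlb_vma_trylock_write(vma) gives the same skip without depending on that, and would also keep the blank line before the v_start assignment that this change removes.
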

From: Andrew Morton
Date: Thu, 25 Sep 2025 14:50:15 -0700
To: mm-commits@vger.kernel.org,stable@vger.kernel.org,osalvador@suse.de,muchun.song@linux.dev,david@redhat.com,kartikey406@gmail.com,akpm@linux-foundation.org
Message-Id: <20250925215016.7B0A5C4CEF0@smtp.kernel.org>
Subject: [failures] hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list.patch removed from -mm tree

The quilt patch titled
     Subject: hugetlbfs: skip VMAs without shareable locks in hugetlb_vmdelete_list
has been removed from the -mm tree.  Its filename was
     hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list.patch

This patch was dropped because it had testing failures

------------------------------------------------------
From: Deepanshu Kartikey
Subject: hugetlbfs: skip VMAs without shareable locks in hugetlb_vmdelete_list
Date: Thu, 25 Sep 2025 20:19:32 +0530

hugetlb_vmdelete_list() uses trylock to acquire VMA locks during truncate
operations.  As per the original design in commit 40549ba8f8e0 ("hugetlb:
use new vma_lock for pmd sharing synchronization"), if the trylock fails
or the VMA has no lock, it should skip that VMA.  Any remaining mapped
pages are handled by remove_inode_hugepages() which is called after
hugetlb_vmdelete_list() and uses proper lock ordering to guarantee
unmapping success.

Currently, when hugetlb_vma_trylock_write() returns success (1) for VMAs
without shareable locks, the code proceeds to call unmap_hugepage_range().
This causes assertion failures in huge_pmd_unshare() →
hugetlb_vma_assert_locked() because no lock is actually held:

  WARNING: CPU: 1 PID: 6594 Comm: syz.0.28 Not tainted
  Call Trace:
   hugetlb_vma_assert_locked+0x1dd/0x250
   huge_pmd_unshare+0x2c8/0x540
   __unmap_hugepage_range+0x6e3/0x1aa0
   unmap_hugepage_range+0x32e/0x410
   hugetlb_vmdelete_list+0x189/0x1f0

Fix by explicitly skipping VMAs without shareable locks after trylock
succeeds, consistent with the original design where such VMAs are deferred
to remove_inode_hugepages() for proper handling.

Link: https://lkml.kernel.org/r/20250925144934.150299-1-kartikey406@gmail.com
Signed-off-by: Deepanshu Kartikey
Reported-by: syzbot+f26d7c75c26ec19790e7@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=f26d7c75c26ec19790e7
Fixes: 40549ba8f8e0 ("hugetlb: use new vma_lock for pmd sharing synchronization")
Tested-by: syzbot+f26d7c75c26ec19790e7@syzkaller.appspotmail.com
Cc: David Hildenbrand
Cc: Muchun Song
Cc: Oscar Salvador
Cc:
Signed-off-by: Andrew Morton
---

 fs/hugetlbfs/inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/hugetlbfs/inode.c~hugetlbfs-skip-vmas-without-shareable-locks-in-hugetlb_vmdelete_list +++ a/fs/hugetlbfs/inode.c
@@ -487,7 +487,8 @@ hugetlb_vmdelete_list(struct rb_root_cac if (!hugetlb_vma_trylock_write(vma)) continue; - + if (!__vma_shareable_lock(vma)) + continue; v_start = vma_offset_start(vma, start); v_end = vma_offset_end(vma, end); _

Patches currently in -mm which might be from kartikey406@gmail.com are
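
Review bot: the added __vma_shareable_lock() test carries no comment, so the reason for skipping these VMAs lives only in the changelog. A short comment above it saying that VMAs without a shareable lock are left for remove_inode_hugepages(), which runs after hugetlb_vmdelete_list(), would keep that design note next to the code; without it the two back-to-back "continue" checks read as redundant.
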

From: Andrew Morton
Date: Thu, 25 Sep 2025 16:11:09 -0700
To: mm-commits@vger.kernel.org,vbabka@suse.cz,usama.anjum@collabora.com,tujinjiang@huawei.com,surenb@google.com,superman.xpt@gmail.com,stable@vger.kernel.org,sfr@canb.auug.org.au,ryan.roberts@arm.com,mirq-linux@rere.qmqm.pl,lorenzo.stoakes@oracle.com,david@redhat.com,broonie@kernel.org,baolin.wang@linux.alibaba.com,avagin@gmail.com,acsjakub@amazon.de,akpm@linux-foundation.org
Message-Id: <20250925231109.B3823C4CEF0@smtp.kernel.org>
Subject: [merged mm-hotfixes-stable] fs-proc-task_mmu-check-p-vec_buf-for-null.patch removed from -mm tree

The quilt patch titled
     Subject: fs/proc/task_mmu: check p->vec_buf for NULL
has been removed from the -mm tree.  Its filename was
     fs-proc-task_mmu-check-p-vec_buf-for-null.patch

This patch was dropped because it was merged into the mm-hotfixes-stable branch
of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

------------------------------------------------------
From: Jakub Acs
Subject: fs/proc/task_mmu: check p->vec_buf for NULL
Date: Mon, 22 Sep 2025 08:22:05 +0000

When the PAGEMAP_SCAN ioctl is invoked with vec_len = 0 and reaches
pagemap_scan_backout_range(), the kernel panics with null-ptr-deref:

[ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none)
[ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80
[ 44.946828] Call Trace:
[ 44.947030]
[ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0
[ 44.952593] walk_pmd_range.isra.0+0x302/0x910
[ 44.954069] walk_pud_range.isra.0+0x419/0x790
[ 44.954427] walk_p4d_range+0x41e/0x620
[ 44.954743] walk_pgd_range+0x31e/0x630
[ 44.955057] __walk_page_range+0x160/0x670
[ 44.956883] walk_page_range_mm+0x408/0x980
[ 44.958677] walk_page_range+0x66/0x90
[ 44.958984] do_pagemap_scan+0x28d/0x9c0
[ 44.961833] do_pagemap_cmd+0x59/0x80
[ 44.962484] __x64_sys_ioctl+0x18d/0x210
[ 44.962804] do_syscall_64+0x5b/0x290
[ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e

vec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are
allocated and p->vec_buf remains set to NULL.

This breaks an assumption made later in pagemap_scan_backout_range(), that
page_region is always allocated for p->vec_buf_index.

Fix it by explicitly checking p->vec_buf for NULL before dereferencing.

Other sites that might run into the same deref issue are already (directly
or transitively) protected by checking p->vec_buf.

Note:
From the PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output
is requested and it's only the side effects the caller is interested in,
hence it passes the check in pagemap_scan_get_args().

This issue was found by syzkaller.

Link: https://lkml.kernel.org/r/20250922082206.6889-1-acsjakub@amazon.de
Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
Signed-off-by: Jakub Acs
Reviewed-by: Muhammad Usama Anjum
Acked-by: David Hildenbrand
Cc: Vlastimil Babka
Cc: Lorenzo Stoakes
Cc: Jinjiang Tu
Cc: Suren Baghdasaryan
Cc: Penglei Jiang
Cc: Mark Brown
Cc: Baolin Wang
Cc: Ryan Roberts
Cc: Andrei Vagin
Cc: "Michał Mirosław"
Cc: Stephen Rothwell
Cc:
Signed-off-by: Andrew Morton
---

 fs/proc/task_mmu.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/fs/proc/task_mmu.c~fs-proc-task_mmu-check-p-vec_buf-for-null +++ a/fs/proc/task_mmu.c
@@ -2417,6 +2417,9 @@ static void pagemap_scan_backout_range(s { struct page_region *cur_buf = &p->vec_buf[p->vec_buf_index]; + if (!p->vec_buf) + return; + if (cur_buf->start != addr) cur_buf->end = addr; else _

Patches currently in -mm which might be from acsjakub@amazon.de are
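
Review bot: cur_buf is initialised from &p->vec_buf[p->vec_buf_index] in the declaration, before the new "if (!p->vec_buf)" test runs. That is only address arithmetic, so nothing is read through the NULL pointer, but it leaves a pointer computed from NULL sitting above the check that is meant to guard it. Declaring cur_buf without an initialiser, returning early on !p->vec_buf, and assigning cur_buf afterwards would make the guard visibly cover every use. A one-line comment that vec_buf is NULL when vec_len is 0 would also help, since that precondition is stated only in the changelog.
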