tmakin/ack-tegra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
testing-6.12
ack-tegra/mm
History
Barry Song ddd07215be UPSTREAM: mm: fix the race between collapse and PT_RECLAIM under per-vma lock 
The check_pmd_still_valid() call during collapse is currently only
protected by the mmap_lock in write mode, which was sufficient when
pt_reclaim always ran under mmap_lock in read mode.  However, since
madvise_dontneed can now execute under a per-VMA lock, this assumption is
no longer valid.  As a result, a race condition can occur between collapse
and PT_RECLAIM, potentially leading to a kernel panic.

 [   38.151897] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] SMP KASI
 [   38.153519] KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
 [   38.154605] CPU: 0 UID: 0 PID: 721 Comm: repro Not tainted 6.16.0-next-20250801-next-2025080 #1 PREEMPT(voluntary)
 [   38.155929] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org4
 [   38.157418] RIP: 0010:kasan_byte_accessible+0x15/0x30
 [   38.158125] Code: 03 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 b8 00 00 00 00 00 fc0
 [   38.160461] RSP: 0018:ffff88800feef678 EFLAGS: 00010286
 [   38.161220] RAX: dffffc0000000000 RBX: 0000000000000001 RCX: 1ffffffff0dde60c
 [   38.162232] RDX: 0000000000000000 RSI: ffffffff85da1e18 RDI: dffffc0000000003
 [   38.163176] RBP: ffff88800feef698 R08: 0000000000000001 R09: 0000000000000000
 [   38.164195] R10: 0000000000000000 R11: ffff888016a8ba58 R12: 0000000000000018
 [   38.165189] R13: 0000000000000018 R14: ffffffff85da1e18 R15: 0000000000000000
 [   38.166100] FS:  0000000000000000(0000) GS:ffff8880e3b40000(0000) knlGS:0000000000000000
 [   38.167137] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [   38.167891] CR2: 00007f97fadfe504 CR3: 0000000007088005 CR4: 0000000000770ef0
 [   38.168812] PKRU: 55555554
 [   38.169275] Call Trace:
 [   38.169647]  <TASK>
 [   38.169975]  ? __kasan_check_byte+0x19/0x50
 [   38.170581]  lock_acquire+0xea/0x310
 [   38.171083]  ? rcu_is_watching+0x19/0xc0
 [   38.171615]  ? __sanitizer_cov_trace_const_cmp4+0x1a/0x20
 [   38.172343]  ? __sanitizer_cov_trace_const_cmp8+0x1c/0x30
 [   38.173130]  _raw_spin_lock+0x38/0x50
 [   38.173707]  ? __pte_offset_map_lock+0x1a2/0x3c0
 [   38.174390]  __pte_offset_map_lock+0x1a2/0x3c0
 [   38.174987]  ? __pfx___pte_offset_map_lock+0x10/0x10
 [   38.175724]  ? __pfx_pud_val+0x10/0x10
 [   38.176308]  ? __sanitizer_cov_trace_const_cmp1+0x1e/0x30
 [   38.177183]  unmap_page_range+0xb60/0x43e0
 [   38.177824]  ? __pfx_unmap_page_range+0x10/0x10
 [   38.178485]  ? mas_next_slot+0x133a/0x1a50
 [   38.179079]  unmap_single_vma.constprop.0+0x15b/0x250
 [   38.179830]  unmap_vmas+0x1fa/0x460
 [   38.180373]  ? __pfx_unmap_vmas+0x10/0x10
 [   38.180994]  ? __sanitizer_cov_trace_const_cmp4+0x1a/0x20
 [   38.181877]  exit_mmap+0x1a2/0xb40
 [   38.182396]  ? lock_release+0x14f/0x2c0
 [   38.182929]  ? __pfx_exit_mmap+0x10/0x10
 [   38.183474]  ? __pfx___mutex_unlock_slowpath+0x10/0x10
 [   38.184188]  ? mutex_unlock+0x16/0x20
 [   38.184704]  mmput+0x132/0x370
 [   38.185208]  do_exit+0x7e7/0x28c0
 [   38.185682]  ? __this_cpu_preempt_check+0x21/0x30
 [   38.186328]  ? do_group_exit+0x1d8/0x2c0
 [   38.186873]  ? __pfx_do_exit+0x10/0x10
 [   38.187401]  ? __this_cpu_preempt_check+0x21/0x30
 [   38.188036]  ? _raw_spin_unlock_irq+0x2c/0x60
 [   38.188634]  ? lockdep_hardirqs_on+0x89/0x110
 [   38.189313]  do_group_exit+0xe4/0x2c0
 [   38.189831]  __x64_sys_exit_group+0x4d/0x60
 [   38.190413]  x64_sys_call+0x2174/0x2180
 [   38.190935]  do_syscall_64+0x6d/0x2e0
 [   38.191449]  entry_SYSCALL_64_after_hwframe+0x76/0x7e

This patch moves the vma_start_write() call to precede
check_pmd_still_valid(), ensuring that the check is also properly
protected by the per-VMA lock.

Link: https://lkml.kernel.org/r/20250805035447.7958-1-21cnbao@gmail.com
Fixes: a6fde7add78d ("mm: use per_vma lock for MADV_DONTNEED")
Signed-off-by: Barry Song <v-songbaohua@oppo.com>
Tested-by: "Lai, Yi" <yi1.lai@linux.intel.com>
Reported-by: "Lai, Yi" <yi1.lai@linux.intel.com>
Closes: https://lore.kernel.org/all/aJAFrYfyzGpbm+0m@ly-workstation/
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Qi Zheng <zhengqi.arch@bytedance.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Jann Horn <jannh@google.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Lokesh Gidra <lokeshgidra@google.com>
Cc: Tangquan Zheng <zhengtangquan@oppo.com>
Cc: Lance Yang <ioworker0@gmail.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Liam R. Howlett <Liam.Howlett@oracle.com>
Cc: Nico Pache <npache@redhat.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Dev Jain <dev.jain@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

Bug: 441636500
Bug: 451083029
(cherry picked from commit 366a4532d96fc357998465133db34d34edb79e4c)
Change-Id: Ic2cec5f18f86415b252dc8568f02dc6bbb016e45
Signed-off-by: yipeng xiang <yipengxiang@honor.corp-partner.google.com>
Signed-off-by: liwei <liwei1234@oppo.com>
2025-10-15 07:40:49 -07:00
..
damon
mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write
2025-07-06 11:01:38 +02:00
kasan
Merge 1ef4cf5f98 ("rust: alloc: update module comment of alloc.rs") into android16-6.12
2025-04-07 05:41:55 -07:00
kfence
kfence: skip __GFP_THISNODE allocations on NUMA systems
2025-02-17 10:05:31 +01:00
kmsan
dma: kmsan: export kmsan_handle_dma() for modules
2025-03-13 13:01:58 +01:00
backing-dev.c
ANDROID: writeback: export symbols to do a hierarchical writeback control
2025-03-13 14:33:59 -07:00
balloon_compaction.c
bootmem_info.c
cleancache.c
cma_debug.c
cma_sysfs.c
ANDROID: integrate GCMA with CMA using dt-bindings
2025-04-16 13:40:02 +00:00
cma.c
ANDROID: android: Export cma tracehooks
2025-08-13 12:43:53 -07:00
cma.h
ANDROID: integrate GCMA with CMA using dt-bindings
2025-04-16 13:40:02 +00:00
compaction.c
ANDROID: vendor_hook: Added hook for memory reclaim tuning
2025-07-31 08:34:12 -07:00
debug_page_alloc.c
debug_page_ref.c
debug_vm_pgtable.c
debug.c
FROMGIT: mm/debug: print vm_refcnt state when dumping the vma
2025-02-28 02:29:43 -08:00
dmapool_test.c
dmapool.c
early_ioremap.c
execmem.c
BACKPORT: alloc_tag: populate memory for module tags as needed
2025-02-12 07:50:05 -08:00
fadvise.c
fail_page_alloc.c
failslab.c
filemap.c
ANDROID: mm: add vendor hooks for file folio reclaim.
2025-10-15 07:32:27 -07:00
folio-compat.c
gcma_sysfs.c
ANDROID: mm: add allocated and total pages for GCMA areas
2025-07-18 15:27:13 -07:00
gcma_sysfs.h
ANDROID: mm: add allocated and total pages for GCMA areas
2025-07-18 15:27:13 -07:00
gcma.c
ANDROID: ensure pages allocated from GCMA are correctly refcounted
2025-08-15 14:57:23 -07:00
gup_test.c
gup_test.h
gup.c
ANDROID: vendor_hook: Added hook to tune reclaimed huge page
2025-07-31 08:34:12 -07:00
highmem.c
hmm.c
huge_memory.c
ANDROID: vendor_hook: customize gfp and decide whether to bypass in the large folio allocation path
2025-08-12 14:18:04 -07:00
hugetlb_cgroup.c
hugetlb_vmemmap.c
hugetlb_vmemmap.h
hugetlb.c
Merge 6.12.35 into android16-6.12-lts
2025-07-10 16:01:38 +00:00
hwpoison-inject.c
init-mm.c
BACKPORT: FROMGIT: mm: replace vm_lock and detached flag with a reference count
2025-02-28 02:29:43 -08:00
internal.h
FROMGIT: mm: page_alloc: tighten up find_suitable_fallback()
2025-06-06 07:28:38 +00:00
interval_tree.c
io-mapping.c
ioremap.c
Kconfig
FROMGIT: mm: add CONFIG_PAGE_BLOCK_ORDER to select page block order
2025-06-09 14:13:45 -07:00
Kconfig.debug
ANDROID: mm: introduce page_pinner
2025-02-28 08:35:52 -08:00
khugepaged.c
UPSTREAM: mm: fix the race between collapse and PT_RECLAIM under per-vma lock
2025-10-15 07:40:49 -07:00
kmemleak.c
mm: kmemleak: fix upper boundary check for physical address objects
2025-02-17 10:05:36 +01:00
ksm.c
list_lru.c
maccess.c
madvise.c
BACKPORT: mm: use per_vma lock for MADV_DONTNEED
2025-10-15 07:40:49 -07:00
Makefile
ANDROID: 16K: Introduce /sys/kernel/mm/pgsize_migration/enabled
2025-05-16 12:18:08 +00:00
mapping_dirty_helpers.c
memblock.c
Merge d133023c9a ("ocfs2: stop quota recovery before disabling quotas") into android16-6.12-lts
2025-06-03 06:28:39 +00:00
memcontrol-v1.c
ANDROID: mm: Added memcg1_charge_batch
2025-07-31 08:34:12 -07:00
memcontrol-v1.h
ANDROID: mm: Added memcg1_charge_batch
2025-07-31 08:34:12 -07:00
memcontrol.c
Merge 6.12.31 into android16-6.12-lts
2025-07-03 07:19:01 +00:00
memfd.c
mm: reinstate ability to map write-sealed memfd mappings read-only
2025-01-09 13:33:54 +01:00
memory_hotplug.c
Merge android16-6.12 into android16-6.12-lts
2025-05-30 13:37:58 +00:00
memory-failure.c
mm/hwpoison: do not send SIGBUS to processes with recovered clean pages
2025-04-20 10:15:49 +02:00
memory-tiers.c
memory.c
ANDROID: vendor_hook: customize gfp and orders to alloc large folio
2025-08-12 14:18:04 -07:00
mempolicy.c
mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM
2024-12-14 20:03:32 +01:00
mempool.c
memremap.c
memtest.c
migrate_device.c
mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()
2025-02-27 04:30:22 -08:00
migrate.c
ANDROID: vendor_hook: Added hook to tune reclaimed huge page
2025-07-31 08:34:12 -07:00
mincore.c
ANDROID: 16K: Fix mincore emulation
2025-05-16 12:18:06 +00:00
mlock.c
ANDROID: 16K: Fixup padding vm_flags bits on VMA splits
2025-05-16 12:18:10 +00:00
mm_init.c
FROMGIT: mm: add CONFIG_PAGE_BLOCK_ORDER to select page block order
2025-06-09 14:13:45 -07:00
mm_slot.h
mmap_lock.c
mmap.c
ANDROID: vendor_hooks: Add hook in mmap_region()
2025-06-04 10:00:02 -07:00
mmu_gather.c
mmu_notifier.c
ANDROID: mm: Export several symbols
2025-07-31 08:34:12 -07:00
mmzone.c
ANDROID: mm: Create hooks for ZONE_MOVABLE allocs
2025-05-22 00:51:52 -07:00
mprotect.c
ANDROID: 16K: Fixup padding vm_flags bits on VMA splits
2025-05-16 12:18:10 +00:00
mremap.c
Merge branch 'android16-6.12' into branch 'android16-6.12-lts'
2025-05-19 06:36:53 +00:00
mseal.c
ANDROID: 16K: Ensure mseal start and len are 16kB multiples
2025-05-16 12:18:05 +00:00
msync.c
ANDROID: 16K: msync: __PAGE_ALIGN addr and len
2025-05-16 12:18:02 +00:00
nommu.c
ANDROID: 16K: Handle filemap faults
2025-05-16 12:18:01 +00:00
numa_emulation.c
numa_memblks.c
numa.c
oom_kill.c
ANDROID: vendor_hooks: add hooks for exting task's swp_entrys
2025-05-20 04:44:02 -07:00
page_alloc.c
ANDROID: mm: add vendor hooks for file folio reclaim.
2025-10-15 07:32:27 -07:00
page_counter.c
page_ext.c
ANDROID: mm: Export page_ext_[get|put]
2025-03-03 16:06:25 -08:00
page_idle.c
ANDROID: 16K: Disable kernel APIs indexed by PFNs
2025-05-16 12:18:07 +00:00
page_io.c
ANDROID: restricted vendor_hook: add swap_read_folio_bdev_sync
2025-08-25 11:12:34 -07:00
page_isolation.c
Merge 6.12.20 into android16-6.12
2025-04-22 10:18:37 -07:00
page_owner.c
ANDROID: mm: add get_page_owner_handle function
2025-03-03 16:06:25 -08:00
page_pinner.c
ANDROID: page_pinner: add missing page_pinner_put_page
2025-02-28 08:35:52 -08:00
page_poison.c
page_reporting.c
Revert "ANDROID: KVM: arm64: balloon: Notify hyp before reporting free pages to host"
2025-03-17 09:59:58 +00:00
page_reporting.h
page_size_compat.c
ANDROID: 16K: Duplicate command line for parsing page_shift
2025-05-16 12:18:08 +00:00
page_table_check.c
page_vma_mapped.c
Merge 6.12.24 into android16-6.12-lts
2025-05-10 12:51:04 +00:00
page-writeback.c
Merge 6.12.35 into android16-6.12-lts
2025-07-10 16:01:38 +00:00
pagewalk.c
UPSTREAM: mm: pagewalk: add the ability to install PTEs
2025-05-16 12:17:53 +00:00
percpu-internal.h
percpu-km.c
percpu-stats.c
percpu-vm.c
percpu.c
ANDROID: mm: Export pcpu_nr_pages
2025-03-03 16:06:25 -08:00
pgalloc-track.h
pgsize_migration.c
ANDROID: Fix build error in linker_ctx() when CONFIG_PER_VMA_LOCK=n
2025-10-15 07:40:49 -07:00
pgtable-generic.c
ANDROID: mm: export __pte_offset_map/unuse_swap_pte/read_swap_cache_async
2025-05-08 08:05:57 -07:00
process_vm_access.c
ptdump.c
readahead.c
ANDROID: mm/readahead: add for bypass high order allocation
2025-07-11 10:50:43 -07:00
rmap.c
ANDROID: vendor_hook: Added hook to tune reclaimed huge page
2025-07-31 08:34:12 -07:00
rodata_test.c
secretmem.c
fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass
2025-07-10 16:05:09 +02:00
shmem_quota.c
shmem.c
Merge android16-6.12 into android16-6.12-lts
2025-06-06 06:53:56 +00:00
show_mem.c
FROMLIST: mm: add nr_free_highatomic in show_free_areas
2025-05-05 17:47:41 +08:00
shrinker_debug.c
shrinker.c
ANDROID: vendor_hook: Add hook is to optimize the time consumption of shrink slab.
2025-06-18 22:15:56 -07:00
shuffle.c
shuffle.h
slab_common.c
ANDROID: vendor_hooks: Add hooks for memory when debug
2025-02-05 14:28:37 -08:00
slab.h
ANDROID: vendor_hooks: Add hook in kmalloc_slab()
2025-04-14 16:45:21 -07:00
slub.c
UPSTREAM: mm: slub: avoid wake up kswapd in set_track_prepare
2025-10-14 03:02:12 -07:00
sparse-vmemmap.c
sparse.c
swap_cgroup.c
swap_slots.c
swap_state.c
ANDROID: mm: Export several symbols
2025-07-31 08:34:12 -07:00
swap.c
ANDROID: export folio_deactivate() for GKI purpose.
2025-07-10 09:10:08 -07:00
swap.h
swapfile.c
ANDROID: mm: Export several symbols
2025-07-31 08:34:12 -07:00
TEST_MAPPING
ANDROID: Add CtsJobSchedulerTestCases to the presubmit group.
2025-04-16 13:46:28 -07:00
truncate.c
ANDROID: mm: add vendor hooks to adjust memory reclamation
2025-04-02 05:36:04 -07:00
usercopy.c
userfaultfd.c
Merge 6.12.37 into android16-6.12-lts
2025-07-13 12:24:55 +00:00
util.c
ANDROID: 16K: Remove unescessary err log in randomize_page()
2025-05-16 12:18:04 +00:00
vma_internal.h
mm/hugetlb: unshare page tables during VMA split, not before
2025-06-27 11:11:40 +01:00
vma.c
Merge 6.12.36 into android16-6.12-lts
2025-07-10 18:44:05 +00:00
vma.h
Merge 6.12.25 into android16-6.12-lts
2025-05-19 11:25:01 +00:00
vmalloc.c
Merge 6.12.37 into android16-6.12-lts
2025-07-13 12:24:55 +00:00
vmpressure.c
vmscan.c
ANDROID: mm: mglru: add vendor_hook for should_abort_scan()
2025-10-15 07:32:27 -07:00
vmstat.c
ANDROID: mm: add a hook to amend /proc/pagetypeinfo output
2025-02-06 11:39:37 -08:00
workingset.c
BACKPORT: mm/mglru: rework workingset protection
2025-03-19 13:28:31 +00:00
z3fold.c
zbud.c
zpool.c
zsmalloc.c
ANDROID: mm: add vendor hook in zs_shrinker
2025-02-20 11:04:16 -08:00
zswap.c
mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead()
2025-04-10 14:39:40 +02:00