From: Lance Yang <lance.yang@linux.dev>
To: David Hildenbrand <david@redhat.com>,
akpm@linux-foundation.org, 21cnbao@gmail.com
Cc: baolin.wang@linux.alibaba.com, chrisl@kernel.org,
kasong@tencent.com, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
linux-riscv@lists.infradead.org, lorenzo.stoakes@oracle.com,
ryan.roberts@arm.com, v-songbaohua@oppo.com, x86@kernel.org,
huang.ying.caritas@gmail.com, zhengtangquan@oppo.com,
riel@surriel.com, Liam.Howlett@oracle.com, vbabka@suse.cz,
harry.yoo@oracle.com, mingzhe.yang@ly.com,
stable@vger.kernel.org, Barry Song <baohua@kernel.org>,
Lance Yang <ioworker0@gmail.com>
Subject: Re: [PATCH v3 1/1] mm/rmap: fix potential out-of-bounds page table access during batched unmap
Date: Tue, 1 Jul 2025 22:15:27 +0800 [thread overview]
Message-ID: <0a96ce38-163e-4566-b666-b074bd82c75a@linux.dev> (raw)
In-Reply-To: <330f29ee-ba55-4ae6-a695-ddaba58d5cb8@redhat.com>
On 2025/7/1 22:03, David Hildenbrand wrote:
> On 30.06.25 03:13, Lance Yang wrote:
>> From: Lance Yang <lance.yang@linux.dev>
>>
>> As pointed out by David[1], the batched unmap logic in try_to_unmap_one()
>> may read past the end of a PTE table when a large folio's PTE mappings
>> are not fully contained within a single page table.
>>
>> While this scenario might be rare, an issue triggerable from userspace must
>> be fixed regardless of its likelihood. This patch fixes the out-of-bounds
>> access by refactoring the logic into a new helper, folio_unmap_pte_batch().
>>
>> The new helper correctly calculates the safe batch size by capping the scan
>> at both the VMA and PMD boundaries. To simplify the code, it also supports
>> partial batching (i.e., any number of pages from 1 up to the calculated
>> safe maximum), as there is no strong reason to special-case for fully
>> mapped folios.
>>
>> [1] https://lore.kernel.org/linux-mm/a694398c-9f03-4737-81b9-7e49c857fcbe@redhat.com
>>
>> Fixes: 354dffd29575 ("mm: support batched unmap for lazyfree large folios during reclamation")
>> Cc: <stable@vger.kernel.org>
>> Acked-by: Barry Song <baohua@kernel.org>
>> Suggested-by: David Hildenbrand <david@redhat.com>
>
> Realized this now: This should probably be a "Reported-by:" with the
> "Closes:" and a link to my mail.
Got it. Both tags (Reported-by/Closes) will be in the next commit ;)
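As an added illustration (not code from the patch, the kernel, or anyone in this thread), a small C model of the batch-size capping the commit message describes: the folio-only rule returns a count that can index past a 512-entry PTE table when the mapping straddles a PMD boundary, while the capped rule clamps the scan at the VMA end and the PMD boundary. The page-size constants, function names and sample addresses are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for the example: 4 KiB pages and a 512-entry PTE table
 * covering one 2 MiB PMD (x86-64 style). Not taken from the patch. */
#define PAGE_SHIFT   12
#define PAGE_SIZE    ((uint64_t)1 << PAGE_SHIFT)
#define PTRS_PER_PTE 512
#define PMD_SIZE     (PAGE_SIZE * PTRS_PER_PTE)
#define PMD_MASK     (~(PMD_SIZE - 1))

/* PTE slots left in the current table, starting at addr's own slot. */
static uint64_t ptes_to_pmd_end(uint64_t addr)
{
	uint64_t pmd_end = (addr & PMD_MASK) + PMD_SIZE;
	return (pmd_end - addr) >> PAGE_SHIFT;
}

/* Rule modelled on the report: batch size follows the folio alone. */
uint64_t batch_by_folio_only(uint64_t folio_pages_left) { return folio_pages_left; }

/* Fixed rule: cap the scan at both the VMA end and the PMD boundary.
 * Any value from 1 up to the cap is a valid (partial) batch. */
uint64_t batch_capped(uint64_t addr, uint64_t vma_end, uint64_t folio_pages_left)
{
	uint64_t n = folio_pages_left;
	uint64_t to_vma = (vma_end - addr) >> PAGE_SHIFT;
	uint64_t to_pmd = ptes_to_pmd_end(addr);
	if (n > to_vma) n = to_vma;
	if (n > to_pmd) n = to_pmd;
	return n;
}

/* 1 if reading n consecutive PTEs from addr's slot would run past the table. */
int batch_overruns_table(uint64_t addr, uint64_t n)
{
	uint64_t idx = (addr >> PAGE_SHIFT) & (PTRS_PER_PTE - 1);
	return idx + n > PTRS_PER_PTE;
}

int main(void)
{
	/* Constructed case: a 64-page folio mapped so that 16 pages remain before a PMD boundary. */
	uint64_t addr = 0x7f0000000000ULL + PMD_SIZE - 16 * PAGE_SIZE, vma_end = 0x7f0000400000ULL;
	uint64_t old = batch_by_folio_only(64), fixed = batch_capped(addr, vma_end, 64);
	printf("folio-only batch %llu overruns=%d, capped batch %llu overruns=%d\n",
	       (unsigned long long)old, batch_overruns_table(addr, old),
	       (unsigned long long)fixed, batch_overruns_table(addr, fixed));
	return 0;
}
```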