From: Chengming Zhou <chengming.zhou@linux.dev>
To: Sasha Levin <sashal@kernel.org>,
akpm@linux-foundation.org, david@kernel.org
Cc: xu.xin16@zte.com.cn, pedrodemargomes@gmail.com,
linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mm/ksm: fix pte_unmap_unlock of wrong address in break_ksm_pmd_entry
Date: Mon, 22 Dec 2025 16:23:13 +0800
Message-ID: <30e2087c-3bca-479c-9974-0681f0187cc2@linux.dev>
In-Reply-To: <20251220202926.318366-1-sashal@kernel.org>
On 2025/12/21 04:29, Sasha Levin wrote:
> On ARM32 with HIGHMEM/HIGHPTE, break_ksm_pmd_entry() triggers a BUG
> during KSM unmerging because pte_unmap_unlock() is passed a pointer
> that may be beyond the mapped PTE page.
>
> The issue occurs when the PTE iteration loop completes without finding
> a KSM page. After the loop, 'ptep' has been incremented past the last
> PTE entry. On ARM32 LPAE with 512 PTEs per page (512 * 8 = 4096 bytes),
> this means ptep points to the next page, outside the kmap'd region.
>
> When pte_unmap_unlock(ptep, ptl) calls kunmap_local(ptep), it unmaps
> the wrong page address, leaving the original kmap slot still mapped.
> The next kmap_local then finds this slot unexpectedly occupied:
>
> WARNING: mm/highmem.c:622 kunmap_local_indexed (address mismatch)
> kernel BUG at mm/highmem.c:564 __kmap_local_pfn_prot (slot not empty)
>
> Fix this by passing start_ptep to pte_unmap_unlock(), which always
> points within the originally mapped PTE page.
>
> Reproducer: Run LTP ksm03 test on ARM32 with HIGHMEM enabled. The test
> triggers KSM merging followed by unmerging (writing 0 then 2 to
> /sys/kernel/mm/ksm/run), which exercises break_ksm_pmd_entry().
>
> Fixes: 5d4939fc2258 ("ksm: perform a range-walk in break_ksm")
> Assisted-by: claude-opus-4-5-20251101
> Signed-off-by: Sasha Levin <sashal@kernel.org>
Reviewed-by: Chengming Zhou <chengming.zhou@linux.dev>
Thanks.
> ---
> mm/ksm.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/ksm.c b/mm/ksm.c
> index cfc182255c7b..2d89a7c8b4eb 100644
> --- a/mm/ksm.c
> +++ b/mm/ksm.c
> @@ -650,7 +650,7 @@ static int break_ksm_pmd_entry(pmd_t *pmdp, unsigned long addr, unsigned long en
> }
> }
> out_unlock:
> - pte_unmap_unlock(ptep, ptl);
> + pte_unmap_unlock(start_ptep, ptl);
> return found;
> }
>
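Review bot: the hunk shows only the unlock site at out_unlock, so the reader cannot confirm from the visible context that start_ptep is the pointer returned by pte_offset_map_lock() before the iteration loop, i.e. the address whose kmap slot actually has to be released; either widen the hunk context or state that explicitly in the commit message. It is also worth a one-line comment above `pte_unmap_unlock(start_ptep, ptl);`, because the loop can leave ptep in two different states (one past the last PTE when nothing was found, or inside the page after breaking on a KSM page) and start_ptep is correct for both, which is not obvious at the call site and invites a later "simplification" back to ptep.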
Thread overview: 3+ messages
2025-12-20 20:29 [PATCH] mm/ksm: fix pte_unmap_unlock of wrong address in break_ksm_pmd_entry Sasha Levin
2025-12-21 8:46 David Hildenbrand (Red Hat)
2025-12-22 8:23 Chengming Zhou [this message]