From: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
To: Dave Vasilevsky via B4 Relay
<devnull+dave.vasilevsky.ca@kernel.org>,
Madhavan Srinivasan <maddy@linux.ibm.com>,
Michael Ellerman <mpe@ellerman.id.au>,
Nicholas Piggin <npiggin@gmail.com>,
Christophe Leroy <christophe.leroy@csgroup.eu>,
Nadav Amit <nadav.amit@gmail.com>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Andrew Morton <akpm@linux-foundation.org>
Cc: linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org, Dave Vasilevsky <dave@vasilevsky.ca>,
linux-mm@kvack.org
Subject: Re: [PATCH] powerpc: Fix mprotect on book3s32
Date: Sun, 09 Nov 2025 00:46:04 +0530 [thread overview]
Message-ID: <878qgg49or.ritesh.list@gmail.com> (raw)
In-Reply-To: <20251027-vasi-mprotect-g3-v1-1-3c5187085f9a@vasilevsky.ca>
++linux-mm to get some pointers on how to test such mmu_gather changes
Dave Vasilevsky via B4 Relay <devnull+dave.vasilevsky.ca@kernel.org>
writes:
> From: Dave Vasilevsky <dave@vasilevsky.ca>
>
> On 32-bit book3s with hash-MMUs, tlb_flush() was a no-op. This was
> unnoticed because all uses until recently were for unmaps, and thus
> handled by __tlb_remove_tlb_entry().
>
> After commit 4a18419f71cd ("mm/mprotect: use mmu_gather") in kernel 5.19,
> tlb_gather_mmu() started being used for mprotect as well. This caused
> mprotect to simply not work on these machines:
>
> int *ptr = mmap(NULL, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
> *ptr = 1; // force HPTE to be created
> mprotect(ptr, 4096, PROT_READ);
> *ptr = 2; // should segfault, but succeeds
I am surprised how come this was not caught? Don't we have any straight
forward selftest for this?
Not just mprotect then right.. Many other MM paths must also be using
mmu_gather right?
>
> Fixed by making tlb_flush() actually flush TLB pages. This finally
> agrees with the behaviour of boot3s64's tlb_flush().
>
> Fixes: 4a18419f71cd ("mm/mprotect: use mmu_gather")
> Signed-off-by: Dave Vasilevsky <dave@vasilevsky.ca>
> ---
> arch/powerpc/include/asm/book3s/32/tlbflush.h | 8 ++++++--
> arch/powerpc/mm/book3s32/tlb.c | 6 ++++++
> 2 files changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/arch/powerpc/include/asm/book3s/32/tlbflush.h b/arch/powerpc/include/asm/book3s/32/tlbflush.h
> index e43534da5207aa3b0cb3c07b78e29b833c141f3f..b8c587ad2ea954f179246a57d6e86e45e91dcfdc 100644
> --- a/arch/powerpc/include/asm/book3s/32/tlbflush.h
> +++ b/arch/powerpc/include/asm/book3s/32/tlbflush.h
> @@ -11,6 +11,7 @@
> void hash__flush_tlb_mm(struct mm_struct *mm);
> void hash__flush_tlb_page(struct vm_area_struct *vma, unsigned long vmaddr);
> void hash__flush_range(struct mm_struct *mm, unsigned long start, unsigned long end);
> +void hash__flush_gather(struct mmu_gather *tlb);
>
> #ifdef CONFIG_SMP
> void _tlbie(unsigned long address);
> @@ -28,9 +29,12 @@ void _tlbia(void);
> */
> static inline void tlb_flush(struct mmu_gather *tlb)
> {
> - /* 603 needs to flush the whole TLB here since it doesn't use a hash table. */
> - if (!mmu_has_feature(MMU_FTR_HPTE_TABLE))
> + if (mmu_has_feature(MMU_FTR_HPTE_TABLE)) {
> + hash__flush_gather(tlb);
> + } else {
> + /* 603 needs to flush the whole TLB here since it doesn't use a hash table. */
> _tlbia();
> + }
> }
>
> static inline void flush_range(struct mm_struct *mm, unsigned long start, unsigned long end)
> diff --git a/arch/powerpc/mm/book3s32/tlb.c b/arch/powerpc/mm/book3s32/tlb.c
> index 9ad6b56bfec96e989b96f027d075ad5812500854..3da95ecfbbb296303082e378425e92a5fbdbfac8 100644
> --- a/arch/powerpc/mm/book3s32/tlb.c
> +++ b/arch/powerpc/mm/book3s32/tlb.c
> @@ -105,3 +105,9 @@ void hash__flush_tlb_page(struct vm_area_struct *vma, unsigned long vmaddr)
> flush_hash_pages(mm->context.id, vmaddr, pmd_val(*pmd), 1);
> }
> EXPORT_SYMBOL(hash__flush_tlb_page);
> +
> +void hash__flush_gather(struct mmu_gather *tlb)
> +{
> + hash__flush_range(tlb->mm, tlb->start, tlb->end);
> +}
> +EXPORT_SYMBOL(hash__flush_gather);
Shouldn't we flush all if we get tlb_flush request for full mm? e.g.
Something like this maybe?
+void hash__tlb_flush(struct mmu_gather *tlb)
+{
+ if (tlb->fullmm || tlb->need_flush_all)
+ hash__flush_tlb_mm(tlb->mm);
+ else
+ hash__flush_range(tlb->mm, tlb->start, tlb->end);
+}
It will be quicker if someone already has a set of tests which we can
run to validate. If not, I will take a look and see what tests one can
run to validate mmu_gather feature.
>
> ---
> base-commit: dcb6fa37fd7bc9c3d2b066329b0d27dedf8becaa
> change-id: 20251027-vasi-mprotect-g3-f8f5278d4140
>
> Best regards,
> --
> Dave Vasilevsky <dave@vasilevsky.ca>
Thanks again for pointing this out. How did you find this though?
What hardware do you use?
-ritesh
next prev parent reply other threads:[~2025-11-08 20:18 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-27 23:21 [PATCH] powerpc: Fix mprotect on book3s32 Dave Vasilevsky
2025-10-27 23:21 ` Dave Vasilevsky via B4 Relay
2025-10-27 23:28 ` kernel test robot
2025-11-08 19:16 ` Ritesh Harjani [this message]
2025-11-08 22:24 ` Dave Vasilevsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878qgg49or.ritesh.list@gmail.com \
--to=ritesh.list@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=christophe.leroy@csgroup.eu \
--cc=dave@vasilevsky.ca \
--cc=devnull+dave.vasilevsky.ca@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=maddy@linux.ibm.com \
--cc=mpe@ellerman.id.au \
--cc=nadav.amit@gmail.com \
--cc=npiggin@gmail.com \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.