From: Balbir Singh <balbirs@nvidia.com>
To: "David Hildenbrand (Arm)" <david@kernel.org>
Cc: Lance Yang <lance.yang@linux.dev>,
richard.weiyang@gmail.com, akpm@linux-foundation.org,
ljs@kernel.org, riel@surriel.com, liam@infradead.org,
vbabka@kernel.org, harry@kernel.org, jannh@google.com,
ziy@nvidia.com, sj@kernel.org, linux-mm@kvack.org,
lorenzo.stoakes@oracle.com, stable@vger.kernel.org
Subject: Re: [Patch v2] mm/page_vma_mapped: revalidate and do proper check before return device-private pmd
Date: Wed, 17 Jun 2026 12:11:14 +1000 [thread overview]
Message-ID: <ajIBTyWCLDo9RAHR@parvat> (raw)
In-Reply-To: <666dc40b-e37a-46eb-af55-7a81bc1643f1@kernel.org>
On Tue, Jun 16, 2026 at 03:07:53PM +0200, David Hildenbrand (Arm) wrote:
> On 6/16/26 14:30, Lance Yang wrote:
> >
> > On Tue, Jun 16, 2026 at 06:34:36AM +0000, Wei Yang wrote:
> > [...]
> >> diff --git a/mm/page_vma_mapped.c b/mm/page_vma_mapped.c
> >> index 2ccbabfb2cc1..21635fab209c 100644
> >> --- a/mm/page_vma_mapped.c
> >> +++ b/mm/page_vma_mapped.c
> >> @@ -243,40 +243,28 @@ bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw)
> >> */
> >> pmde = pmdp_get_lockless(pvmw->pmd);
> >>
> >> - if (pmd_trans_huge(pmde) || pmd_is_migration_entry(pmde)) {
> >> - pvmw->ptl = pmd_lock(mm, pvmw->pmd);
> >> - pmde = *pvmw->pmd;
> >> - if (!pmd_present(pmde)) {
> >> - softleaf_t entry;
> >> -
> >> - if (!thp_migration_supported() ||
> >> - !(pvmw->flags & PVMW_MIGRATION))
> >> - return not_found(pvmw);
> >> - entry = softleaf_from_pmd(pmde);
> >> -
> >> - if (!softleaf_is_migration(entry) ||
> >> - !check_pmd(softleaf_to_pfn(entry), pvmw))
> >> - return not_found(pvmw);
> >> - return true;
> >> - }
> >> - if (likely(pmd_trans_huge(pmde))) {
> >> - if (pvmw->flags & PVMW_MIGRATION)
> >> - return not_found(pvmw);
> >> - if (!check_pmd(pmd_pfn(pmde), pvmw))
> >> - return not_found(pvmw);
> >> - return true;
> >> - }
> >> - /* THP pmd was split under us: handle on pte level */
> >> - spin_unlock(pvmw->ptl);
> >> - pvmw->ptl = NULL;
> >> - } else if (!pmd_present(pmde)) {
> >> - const softleaf_t entry = softleaf_from_pmd(pmde);
> >> -
> >> - if (softleaf_is_device_private(entry)) {
> >> - pvmw->ptl = pmd_lock(mm, pvmw->pmd);
> >> - return true;
> >> - }
> >> + if (pmd_present(pmde)) {
> >> + if (!pmd_leaf(pmde))
> >> + goto pte_table;
> >> + if (pvmw->flags & PVMW_MIGRATION)
> >> + return not_found(pvmw);
> >> + if (!check_pmd(pmd_pfn(pmde), pvmw))
> >> + return not_found(pvmw);
> >> + } else if (pmd_is_migration_entry(pmde)) {
> >> + softleaf_t entry = softleaf_from_pmd(pmde);
> >> +
> >> + if (!(pvmw->flags & PVMW_MIGRATION))
> >> + return not_found(pvmw);
> >
> > Looked at history a bit, and I wonder if this changed something old
> > here ...
> >
> > Since 616b8371539a ("mm: thp: enable thp migration in generic path"), PMD
> > migration handling took PTL before doing PVMW_MIGRATION/PFN checks,
> > including not_found() cases. So lockless PMD read was just a filter ...
> >
> > With this fix, true case gets final pmd_same() check, but this
> > not_found() case happens before taking PTL.
> >
> > So a !PVMW_MIGRATION walker could race with someone, e.g.
> > remove_migration_pmd(): we make the not_found() decision from old PMD
> > value that still says "migration", while real *pvmw->pmd may already be
> > present again. We return without ever taking PTL :)
> >
> > Not sure about practical fallout, but should these PMD-level not_found()
> > cases also take PTL and restart if PMD changed?
> I was hoping that we could so something similar to the PTE case.
>
> In map_pte(), we check whether the PMD changed, which is slightly different.
>
> The actual check happens in check_pte() after grabbing the PTL.
>
> For the case you describe, map_pte() would find !pte_none(ptent) ...
> !pte_present(ptent) and !is_migration, and effectively grab the lock and proceed
> to check_pte().
>
> In check_pte() we re-check under lock indeed.
>
Thinking of the practical fallout, not finding the PMD for a non
migration worker should be OK. Is there a case where it's not OK to
report the old state.
Balbir
next prev parent reply other threads:[~2026-06-17 2:11 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260616063436.20455-1-richard.weiyang@gmail.com>
2026-06-16 12:30 ` [Patch v2] mm/page_vma_mapped: revalidate and do proper check before return device-private pmd Lance Yang
2026-06-16 23:50 ` Wei Yang
2026-06-17 2:32 ` Lance Yang
[not found] ` <666dc40b-e37a-46eb-af55-7a81bc1643f1@kernel.org>
2026-06-17 2:11 ` Balbir Singh [this message]
2026-06-17 3:14 ` Lance Yang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ajIBTyWCLDo9RAHR@parvat \
--to=balbirs@nvidia.com \
--cc=akpm@linux-foundation.org \
--cc=david@kernel.org \
--cc=harry@kernel.org \
--cc=jannh@google.com \
--cc=lance.yang@linux.dev \
--cc=liam@infradead.org \
--cc=linux-mm@kvack.org \
--cc=ljs@kernel.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=richard.weiyang@gmail.com \
--cc=riel@surriel.com \
--cc=sj@kernel.org \
--cc=stable@vger.kernel.org \
--cc=vbabka@kernel.org \
--cc=ziy@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.