Re: [PATCH v5 09/18] mm: add MM_CP_UFFD_RWP change_protection() flag

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] `pgtable_split_needed()` does not force a split for `MM_CP_UFFD_RWP` on file THPs, leading to silent loss of RWP tracking on transparent split.
--

commit 6bd2366f8f7b6b871a5d79d6481ff66d78832c91
Author: Kiryl Shutsemau (Meta) <kas@kernel.org>

mm: add MM_CP_UFFD_RWP change_protection() flag

This commit introduces the MM_CP_UFFD_RWP and MM_CP_UFFD_RWP_RESOLVE
change_protection() flags for userfaultfd RWP. It wires these flags through
change_pte_range(), change_huge_pmd(), and hugetlb_change_protection() to
allow installing PAGE_NONE with the uffd PTE bit set.

> diff --git a/include/linux/mm.h b/include/linux/mm.h
> index 6499cfb61dc4b..f79801816f327 100644
> --- a/include/linux/mm.h
> +++ b/include/linux/mm.h
> @@ -3297,6 +3297,11 @@ int get_cmdline(struct task_struct *task, char *buffer, int buflen);
>  #define  MM_CP_UFFD_WP_RESOLVE             (1UL << 3) /* Resolve wp */
>  #define  MM_CP_UFFD_WP_ALL                 (MM_CP_UFFD_WP | \
>  					    MM_CP_UFFD_WP_RESOLVE)
> +/* Whether this change is for uffd RWP */
> +#define  MM_CP_UFFD_RWP                    (1UL << 4) /* do rwp */
> +#define  MM_CP_UFFD_RWP_RESOLVE            (1UL << 5) /* resolve rwp */
> +#define  MM_CP_UFFD_RWP_ALL                (MM_CP_UFFD_RWP | \
> +					    MM_CP_UFFD_RWP_RESOLVE)

[Severity: High]
Does pgtable_split_needed() need to be updated to force a split for
MM_CP_UFFD_RWP on file THPs?

When MM_CP_UFFD_RWP is applied to a file-backed THP (e.g. shmem),
change_huge_pmd() successfully modifies the PMD to PAGE_NONE and sets the
_PAGE_UFFD bit. However, unlike anonymous THPs, file-backed THPs are split
by completely erasing the PMD (pmdp_huge_clear_flush()), leaving the PTEs
to be re-instantiated from the page cache upon the next page fault.

Because pgtable_split_needed() was not updated to check cp_flags for
MM_CP_UFFD_RWP, it allows RWP to be applied to the huge PMD without forcing
a split first.

If the kernel later splits this THP (e.g., due to memory pressure or a
shrinker), the PMD is erased and the RWP tracking state is irreversibly
lost. The next user access will trigger a standard missing page fault that
maps the file page readable (vma->vm_page_prot), silently bypassing the RWP
tracking for a previously protected, populated page.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260526130509.2748441-1-kirill@shutemov.name?part=9