Linux-ARM-Kernel Archive on lore.kernel.org
 help / color / mirror / Atom feed
From: Dev Jain <dev.jain@arm.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: muchun.song@linux.dev, osalvador@suse.de, ljs@kernel.org,
	david@kernel.org, liam@infradead.org, riel@surriel.com,
	vbabka@kernel.org, harry@kernel.org, jannh@google.com,
	lance.yang@linux.dev, kas@kernel.org, linux-mm@kvack.org,
	linux-kernel@vger.kernel.org, apopple@nvidia.com,
	rcampbell@nvidia.com, ziy@nvidia.com, matthew.brost@intel.com,
	joshua.hahnjy@gmail.com, rakie.kim@sk.com, byungchul@sk.com,
	gourry@gourry.net, ying.huang@linux.alibaba.com,
	ak@linux.intel.com, nao.horiguchi@gmail.com, mel@csn.ul.ie,
	j-nomura@ce.jp.nec.com, pfalcato@suse.de, tglx@kernel.org,
	dave.hansen@intel.com, jpoimboe@kernel.org,
	catalin.marinas@arm.com, will@kernel.org,
	linux-arm-kernel@lists.infradead.org, ryan.roberts@arm.com,
	anshuman.khandual@arm.com
Subject: Re: [PATCH v3 6/6] mm/mprotect: use huge_ptep_get() for hugetlb
Date: Sun, 5 Jul 2026 14:17:39 +0530	[thread overview]
Message-ID: <e4513917-e02a-4e60-9df5-f90085d6193d@arm.com> (raw)
In-Reply-To: <20260705013337.2bbc075b508b5db36b954051@linux-foundation.org>



On 05/07/26 2:03 pm, Andrew Morton wrote:
> On Fri,  3 Jul 2026 11:41:59 +0000 Dev Jain <dev.jain@arm.com> wrote:
> 
>> prot_none_hugetlb_entry() is the hugetlb callback for the early
>> mprotect(PROT_NONE) PFN permission walk on x86.
>>
>> The callback passes the decoded PFN to pfn_modify_allowed(). For a
>> hugetlb callback, the pte pointer refers to a hugetlb entry. On
>> architectures where hugetlb entries need huge_ptep_get(), reading that
>> entry with ptep_get() can make the permission check use the wrong PFN.
>>
>> Use huge_ptep_get() before decoding the hugetlb PFN.
>>
>> Currently there is no path which can trigger a bug: huge_ptep_get() is a
>> simple ptep_get() for x86, and the prot_none walk occurs only for x86.
>>
>> So no need to backport - use the correct helper anyways.
>>
>> ...
>>
>> --- a/mm/mprotect.c
>> +++ b/mm/mprotect.c
>> @@ -699,14 +699,20 @@ static int prot_none_pte_entry(pte_t *pte, unsigned long addr,
>>  		0 : -EACCES;
>>  }
>>  
>> +#ifdef CONFIG_HUGETLB_PAGE
>>  static int prot_none_hugetlb_entry(pte_t *pte, unsigned long hmask,
>>  				   unsigned long addr, unsigned long next,
>>  				   struct mm_walk *walk)
>>  {
>> -	return pfn_modify_allowed(pte_pfn(ptep_get(pte)),
>> -				  *(pgprot_t *)(walk->private)) ?
>> -		0 : -EACCES;
>> +	const pte_t entry = huge_ptep_get(walk->mm, addr, pte);
>> +
>> +	if (pfn_modify_allowed(pte_pfn(entry), *(pgprot_t *)(walk->private)))
>> +		return 0;
>> +	return -EACCESS;
> 
> "EACCES".
> 
>>  }
>> +#else
>> +#define prot_none_hugetlb_entry	NULL
>> +#endif
> 
> Presumably your .config resulted in this change not being tested...

Thanks for folding in the fix!

On arm64, this entire path does not exist. The prot none pagewalk is
only done on x86. Also before sending patches I do an LLM review and
very surprisingly the "language" model did not catch a language issue ...

On the other thing by Sashiko, that looks wrong. There are existing
huge_ptep_get callers not taking the lock. And, there won't be a torn
read because we are using __ptep_get() instead of *ptep.




  reply	other threads:[~2026-07-05  8:48 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-03 11:41 [PATCH v3 0/6] Fix incorrect access of hugetlb pte entries Dev Jain
2026-07-03 11:41 ` [PATCH v3 1/6] arm64: make huge_ptep_get handled unaligned addresses Dev Jain
2026-07-04  2:42   ` Muchun Song
2026-07-05  7:35   ` Andrew Morton
2026-07-05  8:08     ` Dev Jain
2026-07-03 11:41 ` [PATCH v3 2/6] mm/rmap: use huge_ptep_get() in try_to_unmap_one() Dev Jain
2026-07-04  2:44   ` Muchun Song
2026-07-03 11:41 ` [PATCH v3 3/6] mm/rmap: use huge_ptep_get() in try_to_migrate_one() Dev Jain
2026-07-03 11:41 ` [PATCH v3 4/6] mm/migrate: use huge_ptep_get() in remove_migration_pte() Dev Jain
2026-07-03 11:41 ` [PATCH v3 5/6] mm/page_vma_mapped: use huge_ptep_get() for hugetlb Dev Jain
2026-07-03 11:41 ` [PATCH v3 6/6] mm/mprotect: " Dev Jain
2026-07-05  8:33   ` Andrew Morton
2026-07-05  8:47     ` Dev Jain [this message]
2026-07-05  7:45 ` [PATCH v3 0/6] Fix incorrect access of hugetlb pte entries Andrew Morton

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e4513917-e02a-4e60-9df5-f90085d6193d@arm.com \
    --to=dev.jain@arm.com \
    --cc=ak@linux.intel.com \
    --cc=akpm@linux-foundation.org \
    --cc=anshuman.khandual@arm.com \
    --cc=apopple@nvidia.com \
    --cc=byungchul@sk.com \
    --cc=catalin.marinas@arm.com \
    --cc=dave.hansen@intel.com \
    --cc=david@kernel.org \
    --cc=gourry@gourry.net \
    --cc=harry@kernel.org \
    --cc=j-nomura@ce.jp.nec.com \
    --cc=jannh@google.com \
    --cc=joshua.hahnjy@gmail.com \
    --cc=jpoimboe@kernel.org \
    --cc=kas@kernel.org \
    --cc=lance.yang@linux.dev \
    --cc=liam@infradead.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=ljs@kernel.org \
    --cc=matthew.brost@intel.com \
    --cc=mel@csn.ul.ie \
    --cc=muchun.song@linux.dev \
    --cc=nao.horiguchi@gmail.com \
    --cc=osalvador@suse.de \
    --cc=pfalcato@suse.de \
    --cc=rakie.kim@sk.com \
    --cc=rcampbell@nvidia.com \
    --cc=riel@surriel.com \
    --cc=ryan.roberts@arm.com \
    --cc=tglx@kernel.org \
    --cc=vbabka@kernel.org \
    --cc=will@kernel.org \
    --cc=ying.huang@linux.alibaba.com \
    --cc=ziy@nvidia.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox