Date: Fri, 27 Jun 2025 14:14:32 +0800
Subject: Re: [PATCH 1/1] mm/rmap: make folio unmap batching safe and support partial batches
To: Barry Song <21cnbao@gmail.com>
Cc: akpm@linux-foundation.org, david@redhat.com,
 baolin.wang@linux.alibaba.com, chrisl@kernel.org, kasong@tencent.com,
 linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
 linux-mm@kvack.org, linux-riscv@lists.infradead.org,
 lorenzo.stoakes@oracle.com, ryan.roberts@arm.com, v-songbaohua@oppo.com,
 x86@kernel.org, huang.ying.caritas@gmail.com, zhengtangquan@oppo.com,
 riel@surriel.com, Liam.Howlett@oracle.com, vbabka@suse.cz,
 harry.yoo@oracle.com, mingzhe.yang@ly.com, Lance Yang
References: <20250627025214.30887-1-lance.yang@linux.dev>
From: Lance Yang

On 2025/6/27 13:02, Barry Song wrote:
> On Fri, Jun 27, 2025 at 2:53 PM Lance Yang wrote:
>>
>> From: Lance Yang
>>
>> As pointed out by David[1], the batched unmap logic in try_to_unmap_one()
>> can read past the end of a PTE table if a large folio is mapped starting at
>> the last entry of that table.
>>
>> So let's fix the out-of-bounds read by refactoring the logic into a new
>> helper, folio_unmap_pte_batch().
>>
>> The new helper now correctly calculates the safe number of pages to scan by
>> limiting the operation to the boundaries of the current VMA and the PTE
>> table.
>>
>> In addition, the "all-or-nothing" batching restriction is removed to
>> support partial batches. The reference counting is also cleaned up to use
>> folio_put_refs().
>>
>> [1] https://lore.kernel.org/linux-mm/a694398c-9f03-4737-81b9-7e49c857fcbe@redhat.com
>>
>> Fixes: 354dffd29575 ("mm: support batched unmap for lazyfree large folios during reclamation")
>> Suggested-by: David Hildenbrand
>> Suggested-by: Barry Song
>> Signed-off-by: Lance Yang
>
> I'd prefer changing the subject to something like
> "Fix potential out-of-bounds page table access during batched unmap"

Yep, that's much better.

>
> Supporting partial batching is a cleanup-related benefit of this fix.
> It's worth mentioning that the affected cases are quite rare,
> since MADV_FREE typically performs split_folio().

Yeah, it would be quite rare in practice ;)

>
> Also, we need to Cc stable.

Thanks! Will do.
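
Added example, not part of the original mail and not the kernel patch itself: a user-space model of the bound the quoted commit message describes, where a batch may not extend past the end of the current PTE table or the end of the VMA. It assumes 64-bit addresses, 4 KiB pages and 512-entry PTE tables; pte_index_of(), scan_overruns_table() and safe_batch_max() are hypothetical names, and the sample addresses are constructed.

```c
#include <stdio.h>

/* Assumed geometry: 4 KiB pages, 512 PTEs per table (x86-64 style). */
#define PAGE_SHIFT   12UL
#define PMD_SHIFT    21UL
#define PMD_SIZE     (1UL << PMD_SHIFT)
#define PMD_MASK     (~(PMD_SIZE - 1))
#define PTRS_PER_PTE (1UL << (PMD_SHIFT - PAGE_SHIFT))

/* Index of addr's entry inside its PTE table. */
static unsigned long pte_index_of(unsigned long addr)
{
    return (addr >> PAGE_SHIFT) & (PTRS_PER_PTE - 1);
}

/* True if scanning nr entries starting at addr would leave the PTE table. */
static int scan_overruns_table(unsigned long addr, unsigned long nr)
{
    return pte_index_of(addr) + nr > PTRS_PER_PTE;
}

/* Hypothetical model of the clamp: stop at the end of the PTE table or the
 * end of the VMA, whichever comes first, and never exceed the folio pages
 * still to unmap. Assumes addr is far from the top of the address space. */
static unsigned long safe_batch_max(unsigned long addr, unsigned long vma_end,
                                    unsigned long folio_pages_left)
{
    unsigned long table_end = (addr + PMD_SIZE) & PMD_MASK;
    unsigned long end = table_end < vma_end ? table_end : vma_end;
    unsigned long max_nr = (end - addr) >> PAGE_SHIFT;

    return max_nr < folio_pages_left ? max_nr : folio_pages_left;
}

int main(void)
{
    /* Constructed case: 16-page folio mapped at the last slot of a table. */
    unsigned long addr = 0x7f0000000000UL + PMD_SIZE - (1UL << PAGE_SHIFT);
    unsigned long vma_end = addr + (16UL << PAGE_SHIFT);
    unsigned long nr = safe_batch_max(addr, vma_end, 16);

    printf("pte index %lu: unclamped overruns=%d, clamped nr=%lu overruns=%d\n",
           pte_index_of(addr), scan_overruns_table(addr, 16), nr,
           scan_overruns_table(addr, nr));
    return 0;
}
```

With the clamp, the case from the commit message yields a batch of one entry, and a folio that starts a few slots before the table end yields a partial batch instead of being rejected.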