From mboxrd@z Thu Jan 1 00:00:00 1970
From: Hillf Danton <hdanton@sina.com>
To: syzbot
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [mm?] WARNING in folio_remove_rmap_ptes
Date: Tue, 23 Dec 2025 17:42:26 +0800
Message-ID: <20251223094227.1771-1-hdanton@sina.com>
In-Reply-To: <694a2745.050a0220.19928e.0017.GAE@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

> Date: Mon, 22 Dec 2025 21:23:17 -0800
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    9094662f6707 Merge tag 'ata-6.19-rc2' of git://git.kernel...
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1411f77c580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a11e0f726bfb6765
> dashboard link: https://syzkaller.appspot.com/bug?extid=b165fc2e11771c66d8ba
> compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11998b1a580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=128cdb1a580000

#syz test

--- x/include/linux/mm.h +++ y/include/linux/mm.h
@@ -2626,6 +2626,9 @@ static inline void zap_vma_pages(struct void unmap_vmas(struct mmu_gather *tlb, struct ma_state *mas, struct vm_area_struct *start_vma, unsigned long start, unsigned long end, unsigned long tree_end); +void lock_unmap_vmas(struct mmu_gather *tlb, struct ma_state *mas, + struct vm_area_struct *start_vma, unsigned long start, + unsigned long end, unsigned long tree_end); struct mmu_notifier_range; --- x/mm/memory.c +++ y/mm/memory.c @@ -2104,7 +2104,31 @@ void unmap_vmas(struct mmu_gather *tlb, } while (vma && likely(!xa_is_zero(vma))); mmu_notifier_invalidate_range_end(&range); } +void lock_unmap_vmas(struct mmu_gather *tlb, struct ma_state *mas, + struct vm_area_struct *vma, unsigned long start_addr, + unsigned long end_addr, unsigned long tree_end) +{ + struct mmu_notifier_range range; + struct zap_details details = { + .zap_flags = ZAP_FLAG_DROP_MARKER | ZAP_FLAG_UNMAP, + /* Careful - we need to zap private pages too! */ + .even_cows = true, + }; + mmu_notifier_range_init(&range, MMU_NOTIFY_UNMAP, 0, vma->vm_mm, + start_addr, end_addr); + mmu_notifier_invalidate_range_start(&range); + do { + unsigned long start = start_addr; + unsigned long end = end_addr; + hugetlb_zap_begin(vma, &start, &end); + vma_start_write(vma); + unmap_single_vma(tlb, vma, start, end, &details); + hugetlb_zap_end(vma, &details); + vma = mas_find(mas, tree_end - 1); + } while (vma && likely(!xa_is_zero(vma))); + mmu_notifier_invalidate_range_end(&range); +} /** * zap_page_range_single_batched - remove user pages in a given range * @tlb: pointer to the caller's struct mmu_gather --- x/mm/vma.c +++ y/mm/vma.c @@ -1228,7 +1228,7 @@ static inline void vms_clear_ptes(struct mas_set(mas_detach, 1); tlb_gather_mmu(&tlb, vms->vma->vm_mm); update_hiwater_rss(vms->vma->vm_mm); - unmap_vmas(&tlb, mas_detach, vms->vma, vms->start, vms->end, + lock_unmap_vmas(&tlb, mas_detach, vms->vma, vms->start, vms->end, vms->vma_count); mas_set(mas_detach, 1); 
@@ -1271,8 +1271,6 @@ static void vms_complete_munmap_vmas(str mm = current->mm; mm->map_count -= vms->vma_count; mm->locked_vm -= vms->locked_vm; - if (vms->unlock) - mmap_write_downgrade(mm); if (!vms->nr_pages) return; @@ -1298,7 +1296,7 @@ static void vms_complete_munmap_vmas(str vm_unacct_memory(vms->nr_accounted); validate_mm(mm); if (vms->unlock) - mmap_read_unlock(mm); + mmap_write_unlock(mm); __mt_destroy(mas_detach->tree); } --
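Review bot: the new lock_unmap_vmas() prototype added beside unmap_vmas() in the mm.h hunk has an identical signature and no comment saying how it differs. Either add a one-line comment stating that this variant takes each VMA's write lock (vma_start_write()) before zapping it, or fold the behaviour into unmap_vmas() behind a "bool lock_vma" parameter so a caller cannot silently pick the wrong one.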
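Review bot: lock_unmap_vmas() in the memory.c hunk duplicates the whole body of unmap_vmas() (the zap_details initialisation, the mmu_notifier range setup, the hugetlb_zap_begin() / unmap_single_vma() / hugetlb_zap_end() loop) and differs only in the added "vma_start_write(vma);" line. Any later fix to unmap_vmas() now has to be applied twice; factor the loop into one static helper with a flag and have both entry points call it. The added vma_start_write() also relies on the caller holding the mmap lock for write, which is exactly what the vma.c hunks arrange by dropping the downgrade, so that precondition belongs in a comment above the function and in the commit message.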
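Review bot: the vms_clear_ptes() hunk makes this call the only user of lock_unmap_vmas(), yet nothing at the call site says that the mmap write lock is held here. Since vma_start_write() requires that lock, add a comment at the call (or a mmap_assert_write_locked() before it) stating that every caller of vms_clear_ptes() now reaches this point with the write lock held; otherwise the assertion inside the per-VMA lock code is the first thing that will fire.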
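Review bot: removing the "mmap_write_downgrade(mm);" call changes the locking contract of vms_complete_munmap_vmas(): the write lock is now held across the page-table teardown and VMA freeing instead of being downgraded to read, so concurrent mmap-lock readers block for the whole unmap. That may be the intended fix for the folio_remove_rmap_ptes warning, but as a "#syz test" submission it carries no explanation; the final patch needs a commit message describing the race being closed and why the downgrade cannot be kept. Also note the "if (!vms->nr_pages) return;" path right after the removed lines: neither before nor after this hunk does it release the lock when vms->unlock is set, so confirm it is unreachable or handle it.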
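Review bot: the "mmap_write_unlock(mm);" replacement is the other half of the downgrade removal in the previous hunk; the two are correct only together, so keep them in one commit and say so in the description. Since vms->unlock now means "release the write lock" rather than "release the read lock obtained by downgrading", document that changed meaning wherever the flag is described.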