From: "Kiryl Shutsemau (Meta)"
To: Andrew Morton
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Lorenzo Stoakes, Mike Rapoport, David Hildenbrand, "Kiryl Shutsemau (Meta)"
Subject: [PATCH 0/6] userfaultfd/pagemap: pre-existing fixes
Date: Fri, 29 May 2026 18:23:24 +0100
Message-ID: <20260529172331.356655-1-kas@kernel.org>

These are pre-existing bug fixes that were carried at the front of the userfaultfd RWP working-set-tracking series up to v5 [1].
Per review feedback that fixes should not sit in the middle of a feature series, they are split out and sent on their own; the RWP series is reposted rebased on top of this.

All six were flagged by the Sashiko AI review of the RWP series and carry Reported-by: Sashiko AI review. They are independent of RWP, apply to mm-new directly, and carry Cc: stable@.

1: fs/proc/task_mmu: a missing huge_ptep_modify_prot_start() in make_uffd_wp_huge_pte() can lose hardware Dirty/Accessed updates when PAGEMAP_SCAN write-protects a hugetlb PTE.

2: fs/proc/task_mmu: pagemap_scan_hugetlb_entry() compares the range against HPAGE_SIZE rather than the hstate page size, so it never write-protects gigantic hugetlb pages.

3: fs/proc/task_mmu: PAGEMAP_SCAN with PM_SCAN_WP_MATCHING over an unpopulated hugetlb range self-deadlocks -- pagemap_scan_pte_hole() calls uffd_wp_range() while walk_hugetlb_range() holds the hugetlb vma lock for read, and hugetlb_change_protection() then takes it for write. Install the marker inline instead.

4: mm/huge_memory: change_non_present_huge_pmd() drops pmd_swp_uffd_wp on a device-private PMD permission downgrade, silently losing the uffd-wp marker.

5: userfaultfd: must_wait() applies pte_write() to a locklessly read PTE without checking pte_present(), so swap/migration entries decode random offset bits and a thread can stay parked on a stale fault.

6: userfaultfd: __VMA_UFFD_FLAGS feeds VMA_UFFD_MINOR_BIT (41) to mk_vma_flags() unconditionally, an out-of-bounds write into the single-word vma_flags_t on 32-bit. Build the mask from config-gated per-mode masks so an unavailable bit is never materialised.

[1] https://lore.kernel.org/all/20260526130509.2748441-1-kirill@shutemov.name/

Kiryl Shutsemau (Meta) (6):
  fs/proc/task_mmu: fix make_uffd_wp_huge_pte() prot-update race
  fs/proc/task_mmu: use huge_page_size() in pagemap_scan_hugetlb_entry()
  fs/proc/task_mmu: fix hugetlb self-deadlock in pagemap_scan_pte_hole()
  mm/huge_memory: preserve pmd_swp_uffd_wp on device-private PMD downgrade
  userfaultfd: gate must_wait writability check on pte_present()
  userfaultfd: build __VMA_UFFD_FLAGS from config-gated masks

 fs/proc/task_mmu.c            | 73 ++++++++++++++++++++++++++++++++---
 include/linux/mm.h            | 39 +++++++++++++++++++
 include/linux/userfaultfd_k.h |  4 +-
 mm/huge_memory.c              |  2 +
 mm/userfaultfd.c              | 20 ++++++++++
 5 files changed, 130 insertions(+), 8 deletions(-)

base-commit: 449a5df98f8dffa9b037e3b6838fc5af327df072
--
2.54.0
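
A user-space model of item 6 above, added here as an illustration; it is not code from the series or from the kernel. It shows where bit 41 lands when the flags bitmap is a single 32-bit word, and how a gated mask build avoids the write. Every model_* name, the two-word backing array, and the bit numbers 12 and 16 are assumptions; only bit 41 comes from the cover letter, and the gate is a runtime bool here where the series uses config options.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_WORD_BITS   32u  /* one flags word on the modelled 32-bit build */
#define MODEL_MISSING_BIT 12u  /* placeholder bit number (assumption) */
#define MODEL_WP_BIT      16u  /* placeholder bit number (assumption) */
#define MODEL_MINOR_BIT   41u  /* bit number quoted in the cover letter */

/* mem[0] stands for the single-word flags value; mem[1] stands for
 * whatever happens to sit directly after it in memory. */
struct model_mem { uint32_t mem[2]; };

/* Setter that derives the word index from the bit number alone and
 * never compares it with the size of the flags value. Callers in this
 * model only pass bits below 64, so the backing array is not exceeded. */
static void model_set_bit(struct model_mem *m, unsigned bit)
{
    m->mem[bit / MODEL_WORD_BITS] |= UINT32_C(1) << (bit % MODEL_WORD_BITS);
}

/* "Before" shape: every mode bit is fed in unconditionally. */
struct model_mem model_build_unconditional(void)
{
    struct model_mem m = { { 0, 0 } };
    model_set_bit(&m, MODEL_MISSING_BIT);
    model_set_bit(&m, MODEL_WP_BIT);
    model_set_bit(&m, MODEL_MINOR_BIT);  /* 41 / 32 == 1: hits mem[1] */
    return m;
}

/* "After" shape: a mode contributes its bit only when it is available. */
struct model_mem model_build_gated(bool minor_available)
{
    struct model_mem m = { { 0, 0 } };
    model_set_bit(&m, MODEL_MISSING_BIT);
    model_set_bit(&m, MODEL_WP_BIT);
    if (minor_available)
        model_set_bit(&m, MODEL_MINOR_BIT);
    return m;
}

int main(void)
{
    struct model_mem a = model_build_unconditional();
    struct model_mem b = model_build_gated(false);
    printf("unconditional: flags=%#x neighbour=%#x\n",
           (unsigned)a.mem[0], (unsigned)a.mem[1]);
    printf("gated:         flags=%#x neighbour=%#x\n",
           (unsigned)b.mem[0], (unsigned)b.mem[1]);
    return 0;
}
```

A non-zero neighbour word in the first line of output is the model's stand-in for the out-of-bounds write; the gated build leaves it untouched.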