Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Merge tag 'mm-hotfixes-stable-2025-09-27-22-35' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Pull misc fixes from Andrew Morton:
"7 hotfixes. 4 are cc:stable and the remainder address post-6.16 issues
or aren't considered necessary for -stable kernels. 6 of these fixes
are for MM.

All singletons, please see the changelogs for details"

* tag 'mm-hotfixes-stable-2025-09-27-22-35' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
include/linux/pgtable.h: convert arch_enter_lazy_mmu_mode() and friends to static inlines
mm/damon/sysfs: do not ignore callback's return value in damon_sysfs_damon_call()
mailmap: add entry for Bence Csókás
fs/proc/task_mmu: check p->vec_buf for NULL
kmsan: fix out-of-bounds access to shadow memory
mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count
mm/hugetlb: fix folio is still mapped when deleted

+49 -21
+1
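--- a/.mailmap
+++ b/.mailmap
@@ -134,6 +134,7 @@
 Ben Widawsky <bwidawsk@kernel.org> <ben@bwidawsk.net>
 Ben Widawsky <bwidawsk@kernel.org> <ben.widawsky@intel.com>
 Ben Widawsky <bwidawsk@kernel.org> <benjamin.widawsky@intel.com>
+Bence Csókás <bence98@sch.bme.hu> <csokas.bence@prolan.hu>
 Benjamin Poirier <benjamin.poirier@gmail.com> <bpoirier@suse.de>
 Benjamin Tissoires <bentiss@kernel.org> <benjamin.tissoires@gmail.com>
 Benjamin Tissoires <bentiss@kernel.org> <benjamin.tissoires@redhat.com>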
+6 -4
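--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -517,14 +517,16 @@
 
 /*
 * If folio is mapped, it was faulted in after being
-* unmapped in caller. Unmap (again) while holding
-* the fault mutex. The mutex will prevent faults
-* until we finish removing the folio.
+* unmapped in caller or hugetlb_vmdelete_list() skips
+* unmapping it due to fail to grab lock. Unmap (again)
+* while holding the fault mutex. The mutex will prevent
+* faults until we finish removing the folio. Hold folio
+* lock to guarantee no concurrent migration.
 */
+folio_lock(folio);
 if (unlikely(folio_mapped(folio)))
 hugetlb_unmap_file_folio(h, mapping, folio, index);
 
-folio_lock(folio);
 /*
 * We must remove the folio from page cache before removing
 * the region/ reserve map (hugetlb_unreserve_pages). In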
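Review bot: With `folio_lock(folio)` moved above the `folio_mapped()` check, `hugetlb_unmap_file_folio()` now runs with the folio lock held, and the comment does not say which locks that callee takes or how they nest under the folio lock. The phrase "due to fail to grab lock" also leaves the lock unnamed; wording such as `* unmapped in caller, or hugetlb_vmdelete_list() skipped it because it could not take the <lock name> lock.` would read more clearly once the real lock name is filled in. The matching unlock and the rest of the function are outside this section, so the full lock-held span cannot be checked from here.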
+3
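--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -2417,6 +2417,9 @@
 {
 struct page_region *cur_buf = &p->vec_buf[p->vec_buf_index];
 
+if (!p->vec_buf)
+return;
+
 if (cur_buf->start != addr)
 cur_buf->end = addr;
 else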
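Review bot: `cur_buf` is still initialised from `&p->vec_buf[p->vec_buf_index]` on the line before the new `if (!p->vec_buf) return;`, so the element address is formed from a NULL base before the guard runs. Nothing is dereferenced at that point, but forming the address first is technically undefined in ISO C and reads as if the check came too late. Declaring `struct page_region *cur_buf;` and assigning `cur_buf = &p->vec_buf[p->vec_buf_index];` after the guard keeps the order obvious. A one-line comment saying when `vec_buf` may legitimately be NULL would also help, since the hunk does not show it; the function's signature and tail are outside the hunk.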
+5
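--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -631,6 +631,11 @@
 {
 return atomic_read(&ptdesc->pt_share_count);
 }
+
+static inline bool ptdesc_pmd_is_shared(struct ptdesc *ptdesc)
+{
+return !!ptdesc_pmd_pts_count(ptdesc);
+}
 #else
 static inline void ptdesc_pmd_pts_init(struct ptdesc *ptdesc)
 {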
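Review bot: `ptdesc_pmd_is_shared()` is added only to the branch before `#else`, and no stub is visible on the other side, which appears to be why the caller in mm/hugetlb.c (new line 5597) wraps its use in `#ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING`. Adding `static inline bool ptdesc_pmd_is_shared(struct ptdesc *ptdesc) { return false; }` to the `#else` branch would let that caller drop the `#ifdef` and keep the conditional compilation in the header. The `#else` branch continues past the end of the hunk, so what it already defines cannot be confirmed from here.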
+3 -3
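--- a/include/linux/pgtable.h
+++ b/include/linux/pgtable.h
@@ -232,9 +232,9 @@
 * and the mode cannot be used in interrupt context.
 */
 #ifndef __HAVE_ARCH_ENTER_LAZY_MMU_MODE
-#define arch_enter_lazy_mmu_mode() do {} while (0)
-#define arch_leave_lazy_mmu_mode() do {} while (0)
-#define arch_flush_lazy_mmu_mode() do {} while (0)
+static inline void arch_enter_lazy_mmu_mode(void) {}
+static inline void arch_leave_lazy_mmu_mode(void) {}
+static inline void arch_flush_lazy_mmu_mode(void) {}
 #endif
 
 #ifndef pte_batch_hint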
+3 -1
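--- a/mm/damon/sysfs.c
+++ b/mm/damon/sysfs.c
@@ -1592,12 +1592,14 @@
 struct damon_sysfs_kdamond *kdamond)
 {
 struct damon_call_control call_control = {};
+int err;
 
 if (!kdamond->damon_ctx)
 return -EINVAL;
 call_control.fn = fn;
 call_control.data = kdamond;
-return damon_call(kdamond->damon_ctx, &call_control);
+err = damon_call(kdamond->damon_ctx, &call_control);
+return err ? err : call_control.return_code;
 }
 
 struct damon_sysfs_schemes_walk_data {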
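Review bot: The return value now has two sources, the result of `damon_call()` itself and `call_control.return_code` (presumably set by the callback `fn`), and nothing in the function records that. A short comment above the function would do it, for example `/* Returns damon_call()'s error if the call could not be made, otherwise fn's return code. */`. Callers that need to tell the two apart cannot do so from this single int, which is worth stating if it is intentional. The function's signature starts above the hunk.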
+5 -10
mm/hugetlb.c
··· 5594 5594 break; 5595 5595 } 5596 5596 5597 - /* 5598 - * If the pagetables are shared don't copy or take references. 5599 - * 5600 - * dst_pte == src_pte is the common case of src/dest sharing. 5601 - * However, src could have 'unshared' and dst shares with 5602 - * another vma. So page_count of ptep page is checked instead 5603 - * to reliably determine whether pte is shared. 5604 - */ 5605 - if (page_count(virt_to_page(dst_pte)) > 1) { 5597 + #ifdef CONFIG_HUGETLB_PMD_PAGE_TABLE_SHARING 5598 + /* If the pagetables are shared, there is nothing to do */ 5599 + if (ptdesc_pmd_is_shared(virt_to_ptdesc(dst_pte))) { 5606 5600 addr |= last_addr_mask; 5607 5601 continue; 5608 5602 } 5603 + #endif 5609 5604 5610 5605 dst_ptl = huge_pte_lock(h, dst, dst_pte); 5611 5606 src_ptl = huge_pte_lockptr(h, src, src_pte); ··· 7597 7602 hugetlb_vma_assert_locked(vma); 7598 7603 if (sz != PMD_SIZE) 7599 7604 return 0; 7600 - if (!ptdesc_pmd_pts_count(virt_to_ptdesc(ptep))) 7605 + if (!ptdesc_pmd_is_shared(virt_to_ptdesc(ptep))) 7601 7606 return 0; 7602 7607 7603 7608 pud_clear(pud);
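Review bot: The replacement comment `/* If the pagetables are shared, there is nothing to do */` drops what the removed one recorded: that sharing is judged on `dst_pte`, and that a shared table means no copy and no references taken. I would keep that in one line, e.g. `/* dst's page table is shared (pt_share_count != 0): don't copy or take references */`. The second hunk (new line 7605) is a like-for-like switch to the same helper and needs nothing further. The enclosing loop starts and ends outside the hunk.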
+7 -3
mm/kmsan/core.c
··· 195 195 u32 origin, bool checked) 196 196 { 197 197 u64 address = (u64)addr; 198 - u32 *shadow_start, *origin_start; 198 + void *shadow_start; 199 + u32 *aligned_shadow, *origin_start; 199 200 size_t pad = 0; 200 201 201 202 KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(addr, size)); ··· 215 214 } 216 215 __memset(shadow_start, b, size); 217 216 218 - if (!IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) { 217 + if (IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) { 218 + aligned_shadow = shadow_start; 219 + } else { 219 220 pad = address % KMSAN_ORIGIN_SIZE; 220 221 address -= pad; 222 + aligned_shadow = shadow_start - pad; 221 223 size += pad; 222 224 } 223 225 size = ALIGN(size, KMSAN_ORIGIN_SIZE); ··· 234 230 * corresponding shadow slot is zero. 235 231 */ 236 232 for (int i = 0; i < size / KMSAN_ORIGIN_SIZE; i++) { 237 - if (origin || !shadow_start[i]) 233 + if (origin || !aligned_shadow[i]) 238 234 origin_start[i] = origin; 239 235 } 240 236 }
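Review bot: `aligned_shadow = shadow_start - pad;` in the `else` branch is the core of the change but carries no comment, and it depends on `shadow_start` now being `void *` so that the subtraction is in bytes (GNU void-pointer arithmetic). A comment above the assignment, such as `/* shadow of the origin-aligned address; the loop below reads it as u32 slots */`, would make the relation between `address`, `shadow_start` and `aligned_shadow` explicit. It would also help to state that the `pad` bytes before `shadow_start` are assumed to lie in the same shadow mapping, which the hunk does not show. The function begins above the first hunk.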
+16
mm/kmsan/kmsan_test.c
··· 556 556 DEFINE_TEST_MEMSETXX(32) 557 557 DEFINE_TEST_MEMSETXX(64) 558 558 559 + /* Test case: ensure that KMSAN does not access shadow memory out of bounds. */ 560 + static void test_memset_on_guarded_buffer(struct kunit *test) 561 + { 562 + void *buf = vmalloc(PAGE_SIZE); 563 + 564 + kunit_info(test, 565 + "memset() on ends of guarded buffer should not crash\n"); 566 + 567 + for (size_t size = 0; size <= 128; size++) { 568 + memset(buf, 0xff, size); 569 + memset(buf + PAGE_SIZE - size, 0xff, size); 570 + } 571 + vfree(buf); 572 + } 573 + 559 574 static noinline void fibonacci(int *array, int size, int start) 560 575 { 561 576 if (start < 2 || (start == size)) ··· 692 677 KUNIT_CASE(test_memset16), 693 678 KUNIT_CASE(test_memset32), 694 679 KUNIT_CASE(test_memset64), 680 + KUNIT_CASE(test_memset_on_guarded_buffer), 695 681 KUNIT_CASE(test_long_origin_chain), 696 682 KUNIT_CASE(test_stackdepot_roundtrip), 697 683 KUNIT_CASE(test_unpoison_memory),
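Review bot: `vmalloc(PAGE_SIZE)` in `test_memset_on_guarded_buffer()` is used without a NULL check, so an allocation failure would make the `memset()` calls fault instead of failing the test cleanly. Adding `KUNIT_ASSERT_NOT_NULL(test, buf);` right after the allocation fixes that. The test also records no expectation of its own: it passes whenever the loop does not crash, which matches the `kunit_info()` message but is worth saying in the comment above the function so the missing assertions do not look like an oversight.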