Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'mm-hotfixes-stable-2025-11-26-11-51' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Pull misc fixes from Andrew Morton:
"8 hotfixes. 4 are cc:stable, 7 are against mm/.
All are singletons - please see the respective changelogs for details"
* tag 'mm-hotfixes-stable-2025-11-26-11-51' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
mm/filemap: fix logic around SIGBUS in filemap_map_pages()
mm/huge_memory: fix NULL pointer deference when splitting folio
MAINTAINERS: add test_kho to KHO's entry
mailmap: add entry for Sam Protsenko
selftests/mm: fix division-by-zero in uffd-unit-tests
mm/mmap_lock: reset maple state on lock_vma_under_rcu() retry
mm/memfd: fix information leak in hugetlb folios
mm: swap: remove duplicate nr_swap_pages decrement in get_swap_page_of_type()
+63
-36
+2
.mailmap
+2
.mailmap
···
691
691
Sachin P Sant <ssant@in.ibm.com>
692
692
Sai Prakash Ranjan <quic_saipraka@quicinc.com> <saiprakash.ranjan@codeaurora.org>
693
693
Sakari Ailus <sakari.ailus@linux.intel.com> <sakari.ailus@iki.fi>
694
+
Sam Protsenko <semen.protsenko@linaro.org>
695
+
Sam Protsenko <semen.protsenko@linaro.org> <semen.protsenko@globallogic.com>
694
696
Sam Ravnborg <sam@mars.ravnborg.org>
695
697
Sankeerth Billakanti <quic_sbillaka@quicinc.com> <sbillaka@codeaurora.org>
696
698
Santosh Shilimkar <santosh.shilimkar@oracle.org>
+1
MAINTAINERS
+1
MAINTAINERS
+14
-13
mm/filemap.c
+14
-13
mm/filemap.c
···
3682
3682
struct folio *folio, unsigned long start,
3683
3683
unsigned long addr, unsigned int nr_pages,
3684
3684
unsigned long *rss, unsigned short *mmap_miss,
3685
-
bool can_map_large)
3685
+
pgoff_t file_end)
3686
3686
{
3687
+
struct address_space *mapping = folio->mapping;
3687
3688
unsigned int ref_from_caller = 1;
3688
3689
vm_fault_t ret = 0;
3689
3690
struct page *page = folio_page(folio, start);
···
3693
3692
unsigned long addr0;
3694
3693
3695
3694
/*
3696
-
* Map the large folio fully where possible.
3695
+
* Map the large folio fully where possible:
3697
3696
*
3698
-
* The folio must not cross VMA or page table boundary.
3697
+
* - The folio is fully within size of the file or belong
3698
+
* to shmem/tmpfs;
3699
+
* - The folio doesn't cross VMA boundary;
3700
+
* - The folio doesn't cross page table boundary;
3699
3701
*/
3700
3702
addr0 = addr - start * PAGE_SIZE;
3701
-
if (can_map_large && folio_within_vma(folio, vmf->vma) &&
3703
+
if ((file_end >= folio_next_index(folio) || shmem_mapping(mapping)) &&
3704
+
folio_within_vma(folio, vmf->vma) &&
3702
3705
(addr0 & PMD_MASK) == ((addr0 + folio_size(folio) - 1) & PMD_MASK)) {
3703
3706
vmf->pte -= start;
3704
3707
page -= start;
···
3817
3812
unsigned long rss = 0;
3818
3813
unsigned int nr_pages = 0, folio_type;
3819
3814
unsigned short mmap_miss = 0, mmap_miss_saved;
3820
-
bool can_map_large;
3821
3815
3822
3816
rcu_read_lock();
3823
3817
folio = next_uptodate_folio(&xas, mapping, end_pgoff);
···
3827
3823
end_pgoff = min(end_pgoff, file_end);
3828
3824
3829
3825
/*
3830
-
* Do not allow to map with PTEs beyond i_size and with PMD
3831
-
* across i_size to preserve SIGBUS semantics.
3826
+
* Do not allow to map with PMD across i_size to preserve
3827
+
* SIGBUS semantics.
3832
3828
*
3833
3829
* Make an exception for shmem/tmpfs that for long time
3834
3830
* intentionally mapped with PMDs across i_size.
3835
3831
*/
3836
-
can_map_large = shmem_mapping(mapping) ||
3837
-
file_end >= folio_next_index(folio);
3838
-
3839
-
if (can_map_large && filemap_map_pmd(vmf, folio, start_pgoff)) {
3832
+
if ((file_end >= folio_next_index(folio) || shmem_mapping(mapping)) &&
3833
+
filemap_map_pmd(vmf, folio, start_pgoff)) {
3840
3834
ret = VM_FAULT_NOPAGE;
3841
3835
goto out;
3842
3836
}
···
3863
3861
else
3864
3862
ret |= filemap_map_folio_range(vmf, folio,
3865
3863
xas.xa_index - folio->index, addr,
3866
-
nr_pages, &rss, &mmap_miss,
3867
-
can_map_large);
3864
+
nr_pages, &rss, &mmap_miss, file_end);
3868
3865
3869
3866
folio_unlock(folio);
3870
3867
} while ((folio = next_uptodate_folio(&xas, mapping, end_pgoff)) != NULL);
+10
-12
mm/huge_memory.c
+10
-12
mm/huge_memory.c
···
3619
3619
if (folio != page_folio(split_at) || folio != page_folio(lock_at))
3620
3620
return -EINVAL;
3621
3621
3622
+
/*
3623
+
* Folios that just got truncated cannot get split. Signal to the
3624
+
* caller that there was a race.
3625
+
*
3626
+
* TODO: this will also currently refuse shmem folios that are in the
3627
+
* swapcache.
3628
+
*/
3629
+
if (!is_anon && !folio->mapping)
3630
+
return -EBUSY;
3631
+
3622
3632
if (new_order >= folio_order(folio))
3623
3633
return -EINVAL;
3624
3634
···
3669
3659
gfp_t gfp;
3670
3660
3671
3661
mapping = folio->mapping;
3672
-
3673
-
/* Truncated ? */
3674
-
/*
3675
-
* TODO: add support for large shmem folio in swap cache.
3676
-
* When shmem is in swap cache, mapping is NULL and
3677
-
* folio_test_swapcache() is true.
3678
-
*/
3679
-
if (!mapping) {
3680
-
ret = -EBUSY;
3681
-
goto out;
3682
-
}
3683
-
3684
3662
min_order = mapping_min_folio_order(folio->mapping);
3685
3663
if (new_order < min_order) {
3686
3664
ret = -EINVAL;
+27
mm/memfd.c
+27
mm/memfd.c
···
96
96
NULL,
97
97
gfp_mask);
98
98
if (folio) {
99
+
u32 hash;
100
+
101
+
/*
102
+
* Zero the folio to prevent information leaks to userspace.
103
+
* Use folio_zero_user() which is optimized for huge/gigantic
104
+
* pages. Pass 0 as addr_hint since this is not a faulting path
105
+
* and we don't have a user virtual address yet.
106
+
*/
107
+
folio_zero_user(folio, 0);
108
+
109
+
/*
110
+
* Mark the folio uptodate before adding to page cache,
111
+
* as required by filemap.c and other hugetlb paths.
112
+
*/
113
+
__folio_mark_uptodate(folio);
114
+
115
+
/*
116
+
* Serialize hugepage allocation and instantiation to prevent
117
+
* races with concurrent allocations, as required by all other
118
+
* callers of hugetlb_add_to_page_cache().
119
+
*/
120
+
hash = hugetlb_fault_mutex_hash(memfd->f_mapping, idx);
121
+
mutex_lock(&hugetlb_fault_mutex_table[hash]);
122
+
99
123
err = hugetlb_add_to_page_cache(folio,
100
124
memfd->f_mapping,
101
125
idx);
126
+
127
+
mutex_unlock(&hugetlb_fault_mutex_table[hash]);
128
+
102
129
if (err) {
103
130
folio_put(folio);
104
131
goto err_unresv;
+1
mm/mmap_lock.c
+1
mm/mmap_lock.c
+1
-3
mm/swapfile.c
+1
-3
mm/swapfile.c
···
2005
2005
local_lock(&percpu_swap_cluster.lock);
2006
2006
offset = cluster_alloc_swap_entry(si, 0, 1);
2007
2007
local_unlock(&percpu_swap_cluster.lock);
2008
-
if (offset) {
2008
+
if (offset)
2009
2009
entry = swp_entry(si->type, offset);
2010
-
atomic_long_dec(&nr_swap_pages);
2011
-
}
2012
2010
}
2013
2011
put_swap_device(si);
2014
2012
}
+7
-8
tools/testing/selftests/mm/uffd-unit-tests.c
+7
-8
tools/testing/selftests/mm/uffd-unit-tests.c
···
1758
1758
uffd_test_ops = mem_type->mem_ops;
1759
1759
uffd_test_case_ops = test->test_case_ops;
1760
1760
1761
-
if (mem_type->mem_flag & (MEM_HUGETLB_PRIVATE | MEM_HUGETLB))
1761
+
if (mem_type->mem_flag & (MEM_HUGETLB_PRIVATE | MEM_HUGETLB)) {
1762
1762
gopts.page_size = default_huge_page_size();
1763
-
else
1763
+
if (gopts.page_size == 0) {
1764
+
uffd_test_skip("huge page size is 0, feature missing?");
1765
+
continue;
1766
+
}
1767
+
} else {
1764
1768
gopts.page_size = psize();
1769
+
}
1765
1770
1766
1771
/* Ensure we have at least 2 pages */
1767
1772
gopts.nr_pages = MAX(UFFD_TEST_MEM_SIZE, gopts.page_size * 2)
···
1781
1776
continue;
1782
1777
1783
1778
uffd_test_start("%s on %s", test->name, mem_type->name);
1784
-
if ((mem_type->mem_flag == MEM_HUGETLB ||
1785
-
mem_type->mem_flag == MEM_HUGETLB_PRIVATE) &&
1786
-
(default_huge_page_size() == 0)) {
1787
-
uffd_test_skip("huge page size is 0, feature missing?");
1788
-
continue;
1789
-
}
1790
1779
if (!uffd_feature_supported(test)) {
1791
1780
uffd_test_skip("feature missing");
1792
1781
continue;