6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dev Jain dev.jain@arm.com
commit 04d1c9d60c6ec4c0003d433572eaa45f8b217788 upstream.
Currently mremap folio pte batch ignores the writable bit during figuring out a set of similar ptes mapping the same folio. Suppose that the first pte of the batch is writable while the others are not - set_ptes will end up setting the writable bit on the other ptes, which is a violation of mremap semantics. Therefore, use FPB_RESPECT_WRITE to check the writable bit while determining the pte batch.
Link: https://lkml.kernel.org/r/20251028063952.90313-1-dev.jain@arm.com Signed-off-by: Dev Jain dev.jain@arm.com Fixes: f822a9a81a31 ("mm: optimize mremap() by PTE batching") Reported-by: David Hildenbrand david@redhat.com Debugged-by: David Hildenbrand david@redhat.com Acked-by: David Hildenbrand david@redhat.com Acked-by: Pedro Falcato pfalcato@suse.de Reviewed-by: Lorenzo Stoakes lorenzo.stoakes@oracle.com Cc: Barry Song baohua@kernel.org Cc: Jann Horn jannh@google.com Cc: Liam Howlett liam.howlett@oracle.com Cc: Vlastimil Babka vbabka@suse.cz Cc: stable@vger.kernel.org [6.17+] Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- mm/mremap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/mremap.c b/mm/mremap.c index bd7314898ec5..419a0ea0a870 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -187,7 +187,7 @@ static int mremap_folio_pte_batch(struct vm_area_struct *vma, unsigned long addr if (!folio || !folio_test_large(folio)) return 1;
- return folio_pte_batch(folio, ptep, pte, max_nr); + return folio_pte_batch_flags(folio, NULL, ptep, &pte, max_nr, FPB_RESPECT_WRITE); }
static int move_ptes(struct pagetable_move_control *pmc,