arm64 supports multiple huge_pte sizes. Some of the sizes are covered by a single pte entry at a particular level (PMD_SIZE, PUD_SIZE), and some are covered by multiple ptes at a particular level (CONT_PTE_SIZE, CONT_PMD_SIZE). So the function has to figure out the size from the huge_pte pointer. This was previously done by walking the pgtable to determine the level and by using the PTE_CONT bit to determine the number of ptes at the level.

But the PTE_CONT bit is only valid when the pte is present. For non-present pte values (e.g. markers, migration entries), the previous implementation was therefore erroneously determining the size. There is at least one known caller in core-mm, move_huge_pte(), which may call huge_ptep_get_and_clear() for a non-present pte. So we must be robust to this case. Additionally the "regular" ptep_get_and_clear() is robust to being called for non-present ptes so it makes sense to follow the behavior.

Fix this by using the new sz parameter which is now provided to the function. Additionally when clearing each pte in a contig range, don't gather the access and dirty bits if the pte is not present.

An alternative approach that would not require API changes would be to store the PTE_CONT bit in a spare bit in the swap entry pte for the non-present case. But it felt cleaner to follow other APIs' lead and just pass in the size.

As an aside, PTE_CONT is bit 52, which corresponds to bit 40 in the swap entry offset field (layout of non-present pte). Since hugetlb is never swapped to disk, this field will only be populated for markers, which always set this bit to 0 and hwpoison swap entries, which set the offset field to a PFN; So it would only ever be 1 for a 52-bit PVA system where memory in that high half was poisoned (I think!). So in practice, this bit would almost always be zero for non-present ptes and we would only clear the first entry if it was actually a contiguous block. That's probably a less severe symptom than if it was always interpreted as 1 and cleared out potentially-present neighboring PTEs.

Cc: stable@vger.kernel.org Fixes: 66b3923a1a0f ("arm64: hugetlb: add support for PTE contiguous bit") Reviewed-by: Catalin Marinas catalin.marinas@arm.com Signed-off-by: Ryan Roberts ryan.roberts@arm.com Link: https://lore.kernel.org/r/20250226120656.2400136-3-ryan.roberts@arm.com Signed-off-by: Will Deacon will@kernel.org (cherry picked from commit 49c87f7677746f3c5bd16c81b23700bb6b88bfd4) Signed-off-by: Ryan Roberts ryan.roberts@arm.com --- arch/arm64/mm/hugetlbpage.c | 53 ++++++++++++++----------------------- 1 file changed, 20 insertions(+), 33 deletions(-)

diff --git a/arch/arm64/mm/hugetlbpage.c b/arch/arm64/mm/hugetlbpage.c index f86a09309807..06efc3a1652e 100644 --- a/arch/arm64/mm/hugetlbpage.c +++ b/arch/arm64/mm/hugetlbpage.c @@ -121,20 +121,11 @@ static int find_num_contig(struct mm_struct *mm, unsigned long addr,

static inline int num_contig_ptes(unsigned long size, size_t *pgsize) { - int contig_ptes = 0; + int contig_ptes = 1;

*pgsize = size;

switch (size) { -#ifndef __PAGETABLE_PMD_FOLDED - case PUD_SIZE: - if (pud_sect_supported()) - contig_ptes = 1; - break; -#endif - case PMD_SIZE: - contig_ptes = 1; - break; case CONT_PMD_SIZE: *pgsize = PMD_SIZE; contig_ptes = CONT_PMDS; @@ -143,6 +134,8 @@ static inline int num_contig_ptes(unsigned long size, size_t *pgsize) *pgsize = PAGE_SIZE; contig_ptes = CONT_PTES; break; + default: + WARN_ON(!__hugetlb_valid_size(size)); }

return contig_ptes; @@ -184,24 +177,23 @@ static pte_t get_clear_contig(struct mm_struct *mm, unsigned long pgsize, unsigned long ncontig) { - pte_t orig_pte = ptep_get(ptep); - unsigned long i; - - for (i = 0; i < ncontig; i++, addr += pgsize, ptep++) { - pte_t pte = ptep_get_and_clear(mm, addr, ptep); - - /* - * If HW_AFDBM is enabled, then the HW could turn on - * the dirty or accessed bit for any page in the set, - * so check them all. - */ - if (pte_dirty(pte)) - orig_pte = pte_mkdirty(orig_pte); - - if (pte_young(pte)) - orig_pte = pte_mkyoung(orig_pte); + pte_t pte, tmp_pte; + bool present; + + pte = ptep_get_and_clear(mm, addr, ptep); + present = pte_present(pte); + while (--ncontig) { + ptep++; + addr += pgsize; + tmp_pte = ptep_get_and_clear(mm, addr, ptep); + if (present) { + if (pte_dirty(tmp_pte)) + pte = pte_mkdirty(pte); + if (pte_young(tmp_pte)) + pte = pte_mkyoung(pte); + } } - return orig_pte; + return pte; }

static pte_t get_clear_contig_flush(struct mm_struct *mm, @@ -408,13 +400,8 @@ pte_t huge_ptep_get_and_clear(struct mm_struct *mm, unsigned long addr, { int ncontig; size_t pgsize; - pte_t orig_pte = ptep_get(ptep); - - if (!pte_cont(orig_pte)) - return ptep_get_and_clear(mm, addr, ptep); - - ncontig = find_num_contig(mm, addr, ptep, &pgsize);

+ ncontig = num_contig_ptes(sz, &pgsize); return get_clear_contig(mm, addr, ptep, pgsize, ncontig); }

On 06/03/2025 19:11, Sasha Levin wrote:

[ Sasha's backport helper bot ]

Hi,

Summary of potential issues: ❌ Build failures detected

I think this is becuase you didn't include the dependent patch? See below.

⚠️ Found matching upstream commit but patch is missing proper reference to it

Same question as the other patch, I thought adding:

(cherry picked from commit 49c87f7677746f3c5bd16c81b23700bb6b88bfd4)

to the commit log was sufficient?

Found matching upstream commit: 49c87f7677746f3c5bd16c81b23700bb6b88bfd4

Note: The patch differs from the upstream commit:

1: 49c87f7677746 ! 1: 180bfe1de8d8a arm64: hugetlb: Fix huge_ptep_get_and_clear() for non-present ptes @@ Commit message Signed-off-by: Ryan Roberts ryan.roberts@arm.com Link: https://lore.kernel.org/r/20250226120656.2400136-3-ryan.roberts@arm.com Signed-off-by: Will Deacon will@kernel.org + (cherry picked from commit 49c87f7677746f3c5bd16c81b23700bb6b88bfd4) + Signed-off-by: Ryan Roberts ryan.roberts@arm.com ## arch/arm64/mm/hugetlbpage.c ## @@ arch/arm64/mm/hugetlbpage.c: static int find_num_contig(struct mm_struct *mm, unsigned long addr, @@ arch/arm64/mm/hugetlbpage.c: static pte_t get_clear_contig(struct mm_struct *mm, unsigned long pgsize, unsigned long ncontig) { -- pte_t orig_pte = __ptep_get(ptep); +- pte_t orig_pte = ptep_get(ptep); - unsigned long i; - - for (i = 0; i < ncontig; i++, addr += pgsize, ptep++) { -- pte_t pte = __ptep_get_and_clear(mm, addr, ptep); +- pte_t pte = ptep_get_and_clear(mm, addr, ptep); - - /* - * If HW_AFDBM is enabled, then the HW could turn on @@ arch/arm64/mm/hugetlbpage.c: static pte_t get_clear_contig(struct mm_struct *mm, + pte_t pte, tmp_pte; + bool present; + -+ pte = __ptep_get_and_clear(mm, addr, ptep); ++ pte = ptep_get_and_clear(mm, addr, ptep); + present = pte_present(pte); + while (--ncontig) { + ptep++; + addr += pgsize; -+ tmp_pte = __ptep_get_and_clear(mm, addr, ptep); ++ tmp_pte = ptep_get_and_clear(mm, addr, ptep); + if (present) { + if (pte_dirty(tmp_pte)) + pte = pte_mkdirty(pte); @@ arch/arm64/mm/hugetlbpage.c: static pte_t get_clear_contig(struct mm_struct *mm, } static pte_t get_clear_contig_flush(struct mm_struct *mm, -@@ arch/arm64/mm/hugetlbpage.c: pte_t huge_ptep_get_and_clear(struct mm_struct *mm, unsigned long addr, +@@ arch/arm64/mm/hugetlbpage.c: pte_t huge_ptep_get_and_clear(struct mm_struct *mm, { int ncontig; size_t pgsize; -- pte_t orig_pte = __ptep_get(ptep); +- pte_t orig_pte = ptep_get(ptep); - - if (!pte_cont(orig_pte)) -- return __ptep_get_and_clear(mm, addr, ptep); +- return ptep_get_and_clear(mm, addr, ptep); - - ncontig = find_num_contig(mm, addr, ptep, &pgsize);

---

Results of testing on various branches:

| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.6.y | Success | Failed |

Build Errors: Build error for stable/linux-6.6.y: arch/arm64/mm/hugetlbpage.c: In function 'huge_ptep_get_and_clear': arch/arm64/mm/hugetlbpage.c:404:35: error: 'sz' undeclared (first use in this function); did you mean 's8'? 404 | ncontig = num_contig_ptes(sz, &pgsize); | ^~ | s8

The previous patch (see 20250306144716.71199-1-ryan.roberts@arm.com) adds the sz parameter to the function. I think you built this without that patch present? I sent them out as a pair for that reason.

Should I be doing anything in the commit log or email body to mark up the dependency?

Thanks, Ryan

arch/arm64/mm/hugetlbpage.c:404:35: note: each undeclared identifier is reported only once for each function it appears in
make[4]: *** [scripts/Makefile.build:243: arch/arm64/mm/hugetlbpage.o] Error 1
make[4]: Target 'arch/arm64/mm/' not remade because of errors.
make[3]: *** [scripts/Makefile.build:480: arch/arm64/mm] Error 2
make[3]: Target 'arch/arm64/' not remade because of errors.
make[2]: *** [scripts/Makefile.build:480: arch/arm64] Error 2
make[2]: Target './' not remade because of errors.
make[1]: *** [/home/sasha/build/linus-next/Makefile:1916: .] Error 2
make[1]: Target '__all' not remade because of errors.
make: *** [Makefile:234: __sub-make] Error 2
make: Target '__all' not remade because of errors.

On 06/03/2025 19:11, Sasha Levin wrote:

[ Sasha's backport helper bot ]

Hi,

Summary of potential issues: ⚠️ Found matching upstream commit but patch is missing proper reference to it

Hi,

I'm not sure what the issue is here? I've added the line:

(cherry picked from commit 02410ac72ac3707936c07ede66e94360d0d65319)

to the commit log. Is that not the correct/sufficient thing to do?

Thanks, Ryan

Found matching upstream commit: 02410ac72ac3707936c07ede66e94360d0d65319

Note: The patch differs from the upstream commit:

1: 02410ac72ac37 ! 1: db66591c2390e mm: hugetlb: Add huge page size param to huge_ptep_get_and_clear() @@ Commit message Acked-by: Alexander Gordeev agordeev@linux.ibm.com # s390 Link: https://lore.kernel.org/r/20250226120656.2400136-2-ryan.roberts@arm.com Signed-off-by: Will Deacon will@kernel.org + (cherry picked from commit 02410ac72ac3707936c07ede66e94360d0d65319) + Signed-off-by: Ryan Roberts ryan.roberts@arm.com ## arch/arm64/include/asm/hugetlb.h ## @@ arch/arm64/include/asm/hugetlb.h: extern int huge_ptep_set_access_flags(struct vm_area_struct *vma, @@ arch/arm64/include/asm/hugetlb.h: extern int huge_ptep_set_access_flags(struct v ## arch/arm64/mm/hugetlbpage.c ## @@ arch/arm64/mm/hugetlbpage.c: void huge_pte_clear(struct mm_struct *mm, unsigned long addr, - __pte_clear(mm, addr, ptep); + pte_clear(mm, addr, ptep); } -pte_t huge_ptep_get_and_clear(struct mm_struct *mm, @@ arch/arm64/mm/hugetlbpage.c: bool __init arch_hugetlb_valid_size(unsigned long s { + unsigned long psize = huge_page_size(hstate_vma(vma)); + - if (alternative_has_cap_unlikely(ARM64_WORKAROUND_2645198)) { + if (IS_ENABLED(CONFIG_ARM64_ERRATUM_2645198) && + cpus_have_const_cap(ARM64_WORKAROUND_2645198)) { /* - * Break-before-make (BBM) is required for all user space mappings @@ arch/arm64/mm/hugetlbpage.c: pte_t huge_ptep_modify_prot_start(struct vm_area_struct *vma, unsigned long addr - if (pte_user_exec(__ptep_get(ptep))) + if (pte_user_exec(READ_ONCE(*ptep))) return huge_ptep_clear_flush(vma, addr, ptep); } - return huge_ptep_get_and_clear(vma->vm_mm, addr, ptep); @@ arch/loongarch/include/asm/hugetlb.h: static inline void huge_pte_clear(struct m + unsigned long sz) { pte_t clear; - pte_t pte = ptep_get(ptep); + pte_t pte = *ptep; @@ arch/loongarch/include/asm/hugetlb.h: static inline pte_t huge_ptep_clear_flush(struct vm_area_struct *vma, unsigned long addr, pte_t *ptep) { @@ arch/parisc/include/asm/hugetlb.h: void set_huge_pte_at(struct mm_struct *mm, un - pte_t *ptep); + pte_t *ptep, unsigned long sz); - #define __HAVE_ARCH_HUGE_PTEP_CLEAR_FLUSH - static inline pte_t huge_ptep_clear_flush(struct vm_area_struct *vma, + /* + * If the arch doesn't supply something else, assume that hugepage ## arch/parisc/mm/hugetlbpage.c ## @@ arch/parisc/mm/hugetlbpage.c: void set_huge_pte_at(struct mm_struct *mm, unsigned long addr, @@ arch/parisc/mm/hugetlbpage.c: void set_huge_pte_at(struct mm_struct *mm, unsigne ## arch/powerpc/include/asm/hugetlb.h ## -@@ arch/powerpc/include/asm/hugetlb.h: void set_huge_pte_at(struct mm_struct *mm, unsigned long addr, pte_t *ptep, +@@ arch/powerpc/include/asm/hugetlb.h: void hugetlb_free_pgd_range(struct mmu_gather *tlb, unsigned long addr, #define __HAVE_ARCH_HUGE_PTEP_GET_AND_CLEAR static inline pte_t huge_ptep_get_and_clear(struct mm_struct *mm, @@ arch/riscv/mm/hugetlbpage.c: int huge_ptep_set_access_flags(struct vm_area_struc int pte_num; ## arch/s390/include/asm/hugetlb.h ## -@@ arch/s390/include/asm/hugetlb.h: void __set_huge_pte_at(struct mm_struct *mm, unsigned long addr, - #define __HAVE_ARCH_HUGE_PTEP_GET - pte_t huge_ptep_get(struct mm_struct *mm, unsigned long addr, pte_t *ptep); - +@@ arch/s390/include/asm/hugetlb.h: void set_huge_pte_at(struct mm_struct *mm, unsigned long addr, + void __set_huge_pte_at(struct mm_struct *mm, unsigned long addr, + pte_t *ptep, pte_t pte); + pte_t huge_ptep_get(pte_t *ptep); +-pte_t huge_ptep_get_and_clear(struct mm_struct *mm, +- unsigned long addr, pte_t *ptep); +pte_t __huge_ptep_get_and_clear(struct mm_struct *mm, unsigned long addr, + pte_t *ptep); + - #define __HAVE_ARCH_HUGE_PTEP_GET_AND_CLEAR --pte_t huge_ptep_get_and_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep); +static inline pte_t huge_ptep_get_and_clear(struct mm_struct *mm, + unsigned long addr, pte_t *ptep, + unsigned long sz) @@ arch/s390/include/asm/hugetlb.h: void __set_huge_pte_at(struct mm_struct *mm, un + return __huge_ptep_get_and_clear(mm, addr, ptep); +} - static inline void arch_clear_hugetlb_flags(struct folio *folio) - { + /* + * If the arch doesn't supply something else, assume that hugepage @@ arch/s390/include/asm/hugetlb.h: static inline void huge_pte_clear(struct mm_struct *mm, unsigned long addr, static inline pte_t huge_ptep_clear_flush(struct vm_area_struct *vma, unsigned long address, pte_t *ptep) @@ arch/s390/include/asm/hugetlb.h: static inline void huge_pte_clear(struct mm_str + return __huge_ptep_get_and_clear(vma->vm_mm, address, ptep); } - #define __HAVE_ARCH_HUGE_PTEP_SET_ACCESS_FLAGS + static inline int huge_ptep_set_access_flags(struct vm_area_struct *vma, @@ arch/s390/include/asm/hugetlb.h: static inline int huge_ptep_set_access_flags(struct vm_area_struct *vma, - int changed = !pte_same(huge_ptep_get(vma->vm_mm, addr, ptep), pte); - + { + int changed = !pte_same(huge_ptep_get(ptep), pte); if (changed) { - huge_ptep_get_and_clear(vma->vm_mm, addr, ptep); + __huge_ptep_get_and_clear(vma->vm_mm, addr, ptep); @@ arch/s390/include/asm/hugetlb.h: static inline int huge_ptep_set_access_flags(st { - pte_t pte = huge_ptep_get_and_clear(mm, addr, ptep); + pte_t pte = __huge_ptep_get_and_clear(mm, addr, ptep); - __set_huge_pte_at(mm, addr, ptep, pte_wrprotect(pte)); } + ## arch/s390/mm/hugetlbpage.c ## -@@ arch/s390/mm/hugetlbpage.c: pte_t huge_ptep_get(struct mm_struct *mm, unsigned long addr, pte_t *ptep) +@@ arch/s390/mm/hugetlbpage.c: pte_t huge_ptep_get(pte_t *ptep) return __rste_to_pte(pte_val(*ptep)); } @@ arch/s390/mm/hugetlbpage.c: pte_t huge_ptep_get(struct mm_struct *mm, unsigned l +pte_t __huge_ptep_get_and_clear(struct mm_struct *mm, + unsigned long addr, pte_t *ptep) { - pte_t pte = huge_ptep_get(mm, addr, ptep); + pte_t pte = huge_ptep_get(ptep); pmd_t *pmdp = (pmd_t *) ptep; ## arch/sparc/include/asm/hugetlb.h ## @@ mm/hugetlb.c: static void move_huge_pte(struct vm_area_struct *vma, unsigned lon - pte = huge_ptep_get_and_clear(mm, old_addr, src_pte); + pte = huge_ptep_get_and_clear(mm, old_addr, src_pte, sz); + set_huge_pte_at(mm, new_addr, dst_pte, pte, sz); - if (need_clear_uffd_wp && pte_marker_uffd_wp(pte)) - huge_pte_clear(mm, new_addr, dst_pte, sz); + if (src_ptl != dst_ptl) @@ mm/hugetlb.c: void __unmap_hugepage_range(struct mmu_gather *tlb, struct vm_area_struct *vma, set_vma_resv_flags(vma, HPAGE_RESV_UNMAPPED); }

---

Results of testing on various branches:

| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.6.y | Success | Success |