linux-kernelorg-stable/mm
Sasha Levin d6b5a8d6f1 mm/ksm: fix pte_unmap_unlock of wrong address in break_ksm_pmd_entry
On ARM32 with HIGHMEM/HIGHPTE, break_ksm_pmd_entry() triggers a BUG during
KSM unmerging because pte_unmap_unlock() is passed a pointer that may be
beyond the mapped PTE page.

The issue occurs when the PTE iteration loop completes without finding a
KSM page.  After the loop, 'ptep' has been incremented past the last PTE
entry.  On ARM32 LPAE with 512 PTEs per page (512 * 8 = 4096 bytes), this
means ptep points to the next page, outside the kmap'd region.

When pte_unmap_unlock(ptep, ptl) calls kunmap_local(ptep), it unmaps the
wrong page address, leaving the original kmap slot still mapped.  The next
kmap_local then finds this slot unexpectedly occupied:

  WARNING: mm/highmem.c:622 kunmap_local_indexed  (address mismatch)
  kernel BUG at mm/highmem.c:564  __kmap_local_pfn_prot  (slot not empty)

Fix this by passing start_ptep to pte_unmap_unlock(), which always points
within the originally mapped PTE page.

Reproducer: Run LTP ksm03 test on ARM32 with HIGHMEM enabled.  The test
triggers KSM merging followed by unmerging (writing 0 then 2 to
/sys/kernel/mm/ksm/run), which exercises break_ksm_pmd_entry().

Link: https://lkml.kernel.org/r/20251220202926.318366-1-sashal@kernel.org
Fixes: 5d4939fc22 ("ksm: perform a range-walk in break_ksm")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Assisted-by: claude-opus-4-5-20251101
Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
Reviewed-by: Chengming Zhou <chengming.zhou@linux.dev>
Cc: Pedro Demarchi Gomes <pedrodemargomes@gmail.com>
Cc: xu xin <xu.xin16@zte.com.cn>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2025-12-23 11:23:17 -08:00
damon mm/damon/vaddr: fix missing pte_unmap_unlock in damos_va_migrate_pmd_entry() 2025-12-23 11:23:13 -08:00
kasan kasan: unpoison vms[area] addresses with a common tag 2025-12-23 11:23:12 -08:00
kfence Significant patch series in this merge are as follows: 2025-12-05 13:52:43 -08:00
kmsan
Kconfig mm/memory-failure: remove the selection of RAS 2025-11-24 15:08:55 -08:00
Kconfig.debug mm: fix DEBUG_RODATA_TEST indentation in Kconfig 2025-11-29 10:41:09 -08:00
Makefile Significant patch series in this pull request: 2025-12-06 14:01:20 -08:00
backing-dev.c
balloon_compaction.c
bootmem_info.c
cma.c
cma.h
cma_debug.c
cma_sysfs.c
compaction.c
debug.c mm: constify __dump_folio() arguments 2025-11-20 13:43:57 -08:00
debug_page_alloc.c
debug_page_ref.c
debug_vm_pgtable.c mm: softdirty: add pgtable_supports_soft_dirty() 2025-11-24 15:08:54 -08:00
dmapool.c
dmapool_test.c
early_ioremap.c
execmem.c
fadvise.c
fail_page_alloc.c
failslab.c
filemap.c ARM: 2025-12-05 17:01:20 -08:00
folio-compat.c
gup.c
gup_test.c
gup_test.h
highmem.c
hmm.c Significant patch series in this merge are as follows: 2025-12-05 13:52:43 -08:00
huge_memory.c Patch series in this pull request: 2025-12-13 20:35:41 +12:00
hugetlb.c mm/hugetlb: fix incorrect error return from hugetlb_reserve_pages() 2025-12-09 11:25:33 -08:00
hugetlb_cgroup.c
hugetlb_cma.c
hugetlb_cma.h
hugetlb_internal.h mm/hugetlb: extract sysctl into hugetlb_sysctl.c 2025-11-20 13:43:57 -08:00
hugetlb_sysctl.c mm/hugetlb: extract sysctl into hugetlb_sysctl.c 2025-11-20 13:43:57 -08:00
hugetlb_sysfs.c mm/hugetlb: extract sysfs into hugetlb_sysfs.c 2025-11-20 13:43:57 -08:00
hugetlb_vmemmap.c
hugetlb_vmemmap.h
hwpoison-inject.c
init-mm.c
internal.h Significant patch series in this pull request: 2025-12-06 14:01:20 -08:00
interval_tree.c
ioremap.c
khugepaged.c mm: declare VMA flags by bit 2025-11-29 10:41:08 -08:00
kmemleak.c
ksm.c mm/ksm: fix pte_unmap_unlock of wrong address in break_ksm_pmd_entry 2025-12-23 11:23:17 -08:00
list_lru.c
maccess.c
madvise.c mm: declare VMA flags by bit 2025-11-29 10:41:08 -08:00
mapping_dirty_helpers.c
memblock.c Significant patch series in this pull request: 2025-12-06 14:01:20 -08:00
memcontrol-v1.c
memcontrol-v1.h
memcontrol.c mm: memcg: fix unit conversion for K() macro in OOM log 2025-12-23 11:23:15 -08:00
memfd.c selinux/stable-6.19 PR 20251201 2025-12-03 10:45:47 -08:00
memfd_luo.c mm: memfd_luo: allow preserving memfd 2025-11-27 14:24:41 -08:00
memory-failure.c mm: fixup pfnmap memory failure handling to use pgoff 2025-12-23 11:23:15 -08:00
memory-tiers.c
memory.c Significant patch series in this merge are as follows: 2025-12-05 13:52:43 -08:00
memory_hotplug.c Significant patch series in this merge are as follows: 2025-12-05 13:52:43 -08:00
mempolicy.c ARM: 2025-12-05 17:01:20 -08:00
mempool.c slab updates for 6.19 2025-12-03 11:53:47 -08:00
memremap.c mm/memremap: fix spurious large folio warning for FS-DAX 2025-12-23 11:23:16 -08:00
memtest.c
migrate.c memcg: remove __mod_lruvec_state 2025-11-24 15:08:54 -08:00
migrate_device.c mm/huge_memory.c: introduce folio_split_unmapped 2025-11-24 15:08:53 -08:00
mincore.c mm: replace remaining pte_to_swp_entry() with softleaf_from_pte() 2025-11-24 15:08:52 -08:00
mlock.c mm: update vma_modify_flags() to handle residual flags, document 2025-11-20 13:43:58 -08:00
mm_init.c memblock: introduce check_pages boot parameter 2025-12-07 08:56:10 -08:00
mm_slot.h
mmap.c mm: softdirty: add pgtable_supports_soft_dirty() 2025-11-24 15:08:54 -08:00
mmap_lock.c mm: fix vma_start_write_killable() signal handling 2025-11-29 10:41:11 -08:00
mmu_gather.c
mmu_notifier.c
mmzone.c
mprotect.c mm: eliminate further swapops predicates 2025-11-24 15:08:52 -08:00
mremap.c mm: softdirty: add pgtable_supports_soft_dirty() 2025-11-24 15:08:54 -08:00
mseal.c mm: update vma_modify_flags() to handle residual flags, document 2025-11-20 13:43:58 -08:00
msync.c
nommu.c
numa.c
numa_emulation.c
numa_memblks.c
oom_kill.c mm: memcg: dump memcg protection info on oom or alloc failures 2025-11-20 13:43:59 -08:00
page-writeback.c Significant patch series in this merge are as follows: 2025-12-05 13:52:43 -08:00
page_alloc.c mm/page_alloc: report 1 as zone_batchsize for !CONFIG_MMU 2025-12-23 11:23:16 -08:00
page_counter.c
page_ext.c
page_frag_cache.c
page_idle.c mm/rmap: extend rmap and migration support device-private entries 2025-11-24 15:08:48 -08:00
page_io.c
page_isolation.c
page_owner.c mm/page_owner: fix memory leak in page_owner_stack_fops->release() 2025-12-23 11:23:17 -08:00
page_poison.c
page_reporting.c
page_reporting.h
page_table_check.c mm: replace pmd_to_swp_entry() with softleaf_from_pmd() 2025-11-24 15:08:51 -08:00
page_vma_mapped.c mm: eliminate further swapops predicates 2025-11-24 15:08:52 -08:00
pagewalk.c mm: eliminate further swapops predicates 2025-11-24 15:08:52 -08:00
percpu-internal.h
percpu-km.c
percpu-stats.c
percpu-vm.c
percpu.c
pgalloc-track.h
pgtable-generic.c mm/huge_memory: add device-private THP support to PMD operations 2025-11-24 15:08:48 -08:00
process_vm_access.c
pt_reclaim.c
ptdump.c
readahead.c
rmap.c memcg: remove __lruvec_stat_mod_folio 2025-11-24 15:08:54 -08:00
rodata_test.c
secretmem.c Significant patch series in this merge are as follows: 2025-12-05 13:52:43 -08:00
shmem.c a couple of shmem rename fixes - recent regression from tree-in-dcache 2025-12-16 19:44:36 +12:00
shmem_quota.c
show_mem.c
shrinker.c
shrinker_debug.c
shuffle.c
shuffle.h
slab.h mm/slab: introduce kvfree_rcu_barrier_on_cache() for cache destruction 2025-12-07 18:09:54 +01:00
slab_common.c slab fix for 6.19-rc1 2025-12-11 08:54:08 +09:00
slub.c slab fix for 6.19-rc2 2025-12-20 11:24:42 -08:00
sparse-vmemmap.c
sparse.c
swap.c
swap.h
swap_cgroup.c
swap_state.c mm, swap: remove redundant comment for read_swap_cache_async 2025-11-24 15:08:56 -08:00
swap_table.h
swapfile.c mm/swapfile: use plist_for_each_entry in __folio_throttle_swaprate 2025-11-29 10:41:11 -08:00
truncate.c vfs-6.19-rc1.folio 2025-12-01 10:26:38 -08:00
usercopy.c
userfaultfd.c mm: softdirty: add pgtable_supports_soft_dirty() 2025-11-24 15:08:54 -08:00
util.c
vma.c mm: softdirty: add pgtable_supports_soft_dirty() 2025-11-24 15:08:54 -08:00
vma.h mm: implement sticky VMA flags 2025-11-20 13:43:58 -08:00
vma_exec.c mm: softdirty: add pgtable_supports_soft_dirty() 2025-11-24 15:08:54 -08:00
vma_init.c
vma_internal.h
vmalloc.c kasan: refactor pcpu kasan vmalloc unpoison 2025-12-23 11:23:11 -08:00
vmpressure.c
vmscan.c Patch series in this pull request: 2025-12-13 20:35:41 +12:00
vmstat.c mm: vmstat: correct the comment above preempt_disable_nested() 2025-11-20 13:43:59 -08:00
workingset.c Significant patch series in this merge are as follows: 2025-12-05 13:52:43 -08:00
zpdesc.h
zsmalloc.c
zswap.c