Re: [PATCH 2/8] bpf: Recover arena kernel faults with scratch page

Next message: Balbir Singh: "Re: [PATCH 4/6] mm/huge_memory: preserve pmd_swp_uffd_wp on device-private PMD downgrade"
Previous message: Balbir Singh: "Re: [PATCH v2 2/2] selftests/mm/hmm-tests: test pagemap reads of PMD device-private entries"
In reply to: David Hildenbrand (Arm): "Re: [PATCH 2/8] bpf: Recover arena kernel faults with scratch page"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Alexei Starovoitov

Date: Sun May 31 2026 - 20:16:44 EST

On Sun May 31, 2026 at 10:47 AM PDT, Tejun Heo wrote:
> Hello,
>
> I posted the check removal [1], and Sashiko's review flagged a
> break-before-make problem with it [2] that I think is real.

ohh. interesting.

> So instead of just dropping the check, the install should route through an
> invalid entry rather than overwrite in place:
>
> while (!ptep_try_set(pte, mk_pte(page, PAGE_KERNEL))) {
> old = ptep_get(pte);
> if (pte_none(old))
> continue;
> if (WARN_ON_ONCE(pte_page(old) != arena->scratch_page))
> return -EBUSY;
> ptep_get_and_clear(&init_mm, addr, pte);
> broke_scratch = true;
> }
>
> ptep_try_set() only fills a none slot, so the slot goes scratch->none->page
> and never valid->valid, and the loop copes with a concurrent fault
> re-scratching it. This also closes the set_pte_at()-vs-ptep_try_set() race
> I raised earlier, since both sides are now cmpxchg. A broken scratch entry
> was live, so the caller flush_tlb_kernel_range()s those pages when
> broke_scratch is set, like arena_free_pages() already does after clearing.

Makes sense to me.