Re: [PATCH 1/6] fs/proc/task_mmu: fix make_uffd_wp_huge_pte() prot-update race

From: Dev Jain

Date: Tue Jun 02 2026 - 02:38:22 EST



On 29/05/26 10:53 pm, Kiryl Shutsemau (Meta) wrote:
> make_uffd_wp_huge_pte() arms the UFFD_WP bit on a present HugeTLB PTE by
> calling huge_ptep_modify_prot_commit() with a ptent snapshot that was
> fetched without the corresponding huge_ptep_modify_prot_start(). The
> start helper is what atomically clears the entry so the kernel-owned
> snapshot stays consistent until the commit; without it, the hardware
> may set Dirty or Accessed in the live PTE between the original read
> and the commit, and huge_ptep_modify_prot_commit() (whose generic
> implementation just calls set_huge_pte_at()) then writes the stale
> snapshot back over the live hardware bits, losing the update.
>
> The non-hugetlb sibling make_uffd_wp_pte() does this correctly via
> ptep_modify_prot_start() / ptep_modify_prot_commit(). Mirror that
> pattern for the present-PTE branch. The migration case stays as-is --
> migration entries are non-present, so there's no hardware update to
> race against.
>
> Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
> Cc: stable@xxxxxxxxxxxxxxx
> Reported-by: Sashiko AI review <sashiko-bot@xxxxxxxxxx>
> Signed-off-by: Kiryl Shutsemau <kas@xxxxxxxxxx>
> ---

LGTM

Reviewed-by: Dev Jain <dev.jain@xxxxxxx>


> fs/proc/task_mmu.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
> index 1e3a15bf46f4..e21a38ac745b 100644
> --- a/fs/proc/task_mmu.c
> +++ b/fs/proc/task_mmu.c
> @@ -2610,12 +2610,16 @@ static void make_uffd_wp_huge_pte(struct vm_area_struct *vma,
> if (softleaf_is_hwpoison(entry) || softleaf_is_marker(entry))
> return;
>
> - if (softleaf_is_migration(entry))
> + if (softleaf_is_migration(entry)) {
> set_huge_pte_at(vma->vm_mm, addr, ptep,
> pte_swp_mkuffd_wp(ptent), psize);
> - else
> - huge_ptep_modify_prot_commit(vma, addr, ptep, ptent,
> - huge_pte_mkuffd_wp(ptent));
> + } else {
> + pte_t old_pte, new_pte;
> +
> + old_pte = huge_ptep_modify_prot_start(vma, addr, ptep);
> + new_pte = huge_pte_mkuffd_wp(old_pte);
> + huge_ptep_modify_prot_commit(vma, addr, ptep, old_pte, new_pte);
> + }
> }
> #endif /* CONFIG_HUGETLB_PAGE */
>