| Message ID | 20250404124931.2255618-1-david@redhat.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [v1] x86/mm/pat: (un)track_pfn_copy() fix + improvements | expand |
On Fri, Apr 04, 2025 at 02:49:31PM +0200, David Hildenbrand wrote: > We got a late smatch warning and some additional review feedback. > > smatch warnings: > mm/memory.c:1428 copy_page_range() error: uninitialized symbol 'pfn'. > > We actually use the pfn only when it is properly initialized; however, > we may pass an uninitialized value to a function -- although it will not > use it that likely still is UB in C. > > Fix it by always initializing pfn when track_pfn_copy() returns 0 -- > just as we document ("On success, stores the pfn to be passed to > untrack_pfn_copy()"). In addition, to avoid further wrong smatch > warnings, just initialize pfn = 0 in the caller as well. > > While at it, clarify the doc of untrack_pfn_copy(), that internal checks > make sure if we actually have to untrack anything. > > Fixes: dc84bc2aba85 ("x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()") > Reported-by: kernel test robot <lkp@intel.com> > Reported-by: Dan Carpenter <error27@gmail.com> > Closes: https://lore.kernel.org/r/202503270941.IFILyNCX-lkp@intel.com/ > Cc: Andrew Morton <akpm@linux-foundation.org> > Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> > Cc: Dave Hansen <dave.hansen@linux.intel.com> > Cc: Andy Lutomirski <luto@kernel.org> > Cc: Peter Zijlstra <peterz@infradead.org> > Cc: Thomas Gleixner <tglx@linutronix.de> > Cc: Ingo Molnar <mingo@redhat.com> > Cc: Borislav Petkov <bp@alien8.de> > Cc: Rik van Riel <riel@surriel.com> > Cc: "H. Peter Anvin" <hpa@zytor.com> > Cc: Linus Torvalds <torvalds@linux-foundation.org> > Signed-off-by: David Hildenbrand <david@redhat.com> LGTM, Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> > --- > arch/x86/mm/pat/memtype.c | 4 +++- > include/linux/pgtable.h | 5 ++++- > mm/memory.c | 2 +- > 3 files changed, 8 insertions(+), 3 deletions(-) > > diff --git a/arch/x86/mm/pat/memtype.c b/arch/x86/mm/pat/memtype.c > index 72d8cbc611583..9ad3e5b055d8a 100644 > --- a/arch/x86/mm/pat/memtype.c > +++ b/arch/x86/mm/pat/memtype.c > @@ -992,8 +992,10 @@ int track_pfn_copy(struct vm_area_struct *dst_vma, > pgprot_t pgprot; > int rc; > > - if (!(src_vma->vm_flags & VM_PAT)) > + if (!(src_vma->vm_flags & VM_PAT)) { > + *pfn = 0; > return 0; > + } > > /* > * Duplicate the PAT information for the dst VMA based on the src > diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h > index e2b705c149454..9457064292141 100644 > --- a/include/linux/pgtable.h > +++ b/include/linux/pgtable.h > @@ -1517,12 +1517,15 @@ static inline void track_pfn_insert(struct vm_area_struct *vma, pgprot_t *prot, > static inline int track_pfn_copy(struct vm_area_struct *dst_vma, > struct vm_area_struct *src_vma, unsigned long *pfn) > { > + *pfn = 0; > return 0; > } > > /* > * untrack_pfn_copy is called when a VM_PFNMAP VMA failed to copy during > - * copy_page_range(), but after track_pfn_copy() was already called. > + * copy_page_range(), but after track_pfn_copy() was already called. Can > + * be called even if track_pfn_copy() did not actually track anything: > + * handled internally. > */ > static inline void untrack_pfn_copy(struct vm_area_struct *dst_vma, > unsigned long pfn) > diff --git a/mm/memory.c b/mm/memory.c > index 2d8c265fc7d60..1a35165622e1c 100644 > --- a/mm/memory.c > +++ b/mm/memory.c > @@ -1361,7 +1361,7 @@ copy_page_range(struct vm_area_struct *dst_vma, struct vm_area_struct *src_vma) > struct mm_struct *dst_mm = dst_vma->vm_mm; > struct mm_struct *src_mm = src_vma->vm_mm; > struct mmu_notifier_range range; > - unsigned long next, pfn; > + unsigned long next, pfn = 0; > bool is_cow; > int ret; > > -- > 2.48.1 >
diff --git a/arch/x86/mm/pat/memtype.c b/arch/x86/mm/pat/memtype.c index 72d8cbc611583..9ad3e5b055d8a 100644 --- a/arch/x86/mm/pat/memtype.c +++ b/arch/x86/mm/pat/memtype.c @@ -992,8 +992,10 @@ int track_pfn_copy(struct vm_area_struct *dst_vma, pgprot_t pgprot; int rc; - if (!(src_vma->vm_flags & VM_PAT)) + if (!(src_vma->vm_flags & VM_PAT)) { + *pfn = 0; return 0; + } /* * Duplicate the PAT information for the dst VMA based on the src diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h index e2b705c149454..9457064292141 100644 --- a/include/linux/pgtable.h +++ b/include/linux/pgtable.h @@ -1517,12 +1517,15 @@ static inline void track_pfn_insert(struct vm_area_struct *vma, pgprot_t *prot, static inline int track_pfn_copy(struct vm_area_struct *dst_vma, struct vm_area_struct *src_vma, unsigned long *pfn) { + *pfn = 0; return 0; } /* * untrack_pfn_copy is called when a VM_PFNMAP VMA failed to copy during - * copy_page_range(), but after track_pfn_copy() was already called. + * copy_page_range(), but after track_pfn_copy() was already called. Can + * be called even if track_pfn_copy() did not actually track anything: + * handled internally. */ static inline void untrack_pfn_copy(struct vm_area_struct *dst_vma, unsigned long pfn) diff --git a/mm/memory.c b/mm/memory.c index 2d8c265fc7d60..1a35165622e1c 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -1361,7 +1361,7 @@ copy_page_range(struct vm_area_struct *dst_vma, struct vm_area_struct *src_vma) struct mm_struct *dst_mm = dst_vma->vm_mm; struct mm_struct *src_mm = src_vma->vm_mm; struct mmu_notifier_range range; - unsigned long next, pfn; + unsigned long next, pfn = 0; bool is_cow; int ret;
We got a late smatch warning and some additional review feedback. smatch warnings: mm/memory.c:1428 copy_page_range() error: uninitialized symbol 'pfn'. We actually use the pfn only when it is properly initialized; however, we may pass an uninitialized value to a function -- although it will not use it that likely still is UB in C. Fix it by always initializing pfn when track_pfn_copy() returns 0 -- just as we document ("On success, stores the pfn to be passed to untrack_pfn_copy()"). In addition, to avoid further wrong smatch warnings, just initialize pfn = 0 in the caller as well. While at it, clarify the doc of untrack_pfn_copy(), that internal checks make sure if we actually have to untrack anything. Fixes: dc84bc2aba85 ("x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()") Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <error27@gmail.com> Closes: https://lore.kernel.org/r/202503270941.IFILyNCX-lkp@intel.com/ Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Rik van Riel <riel@surriel.com> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: David Hildenbrand <david@redhat.com> --- arch/x86/mm/pat/memtype.c | 4 +++- include/linux/pgtable.h | 5 ++++- mm/memory.c | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-)