[PATCH 0/3] page table check

[PATCH 0/3] page table check

[Pasha Tatashin]

From: Pasha Tatashin <tatashin@google.com>

Changelog:
v1:
- Added ptep_clear() to mm/debug_vm_pgtable.c (thanks Anshuman Khandual)
- Addressed documentation comments from Jonathan Corbet.

Ensure that some memory corruptions are prevented by checking at the
time of insertion of entries into user page tables that there is no
illegal sharing.

We have recently found a problem [1] that existed in kernel since 4.14.
The problem was caused by broken page ref count and led to memory
leaking from one process into another. The problem was accidentally
detected by studying a dump of one process and noticing that one page
contains memory that should not belong to this process.

There are some other page->_refcount related problems that were recently
fixed: [2], [3] which potentially could also lead to illegal sharing.

In addition to hardening refcount [4] itself, this work is an attempt to
prevent this class of memory corruption issues.

It uses a simple state machine that is independent from regular MM logic
to check for illegal sharing at time pages are inserted and removed
from page tables.

[1] https://lore.kernel.org/all/xr9335nxwc5y.fsf@gthelen2.svl.corp.google.com
[2] https://lore.kernel.org/all/1582661774-30925-2-git-send-email-akaher@vmware.com
[3] https://lore.kernel.org/all/20210622021423.154662-3-mike.kravetz@oracle.com
[4] https://lore.kernel.org/all/20211026173822.502506-1-pasha.tatashin@soleen.com

Previous versions:
RFC: https://lore.kernel.org/all/20211116220038.116484-1-pasha.tatashin@soleen.com

Pasha Tatashin (3):
  mm: ptep_clear() page table helper
  mm: page table check
  x86: mm: add x86_64 support for page table check

 Documentation/vm/arch_pgtable_helpers.rst |   6 +-
 Documentation/vm/index.rst                |   1 +
 Documentation/vm/page_table_check.rst     |  56 +++++
 MAINTAINERS                               |   9 +
 arch/Kconfig                              |   3 +
 arch/x86/Kconfig                          |   1 +
 arch/x86/include/asm/pgtable.h            |  29 ++-
 include/linux/page_table_check.h          | 147 ++++++++++++
 include/linux/pgtable.h                   |   8 +
 mm/Kconfig.debug                          |  24 ++
 mm/Makefile                               |   1 +
 mm/debug_vm_pgtable.c                     |   2 +-
 mm/khugepaged.c                           |  12 +-
 mm/page_alloc.c                           |   4 +
 mm/page_ext.c                             |   4 +
 mm/page_table_check.c                     | 261 ++++++++++++++++++++++
 16 files changed, 553 insertions(+), 15 deletions(-)
 create mode 100644 Documentation/vm/page_table_check.rst
 create mode 100644 include/linux/page_table_check.h
 create mode 100644 mm/page_table_check.c

-- 
2.34.0.rc2.393.gf8c9666880-goog

[PATCH 1/3] mm: ptep_clear() page table helper

[Pasha Tatashin]

We have ptep_get_and_clear() and ptep_get_and_clear_full() helpers to
clear PTE from user page tables, but there is no variant for simple
clear of a present PTE from user page tables without using a low level
pte_clear() which can be either native or para-virtualised.

Add a new ptep_clear() that can be used in common code to clear PTEs
from page table. We will need this call later in order to add a hook
for page table check.

Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
---
 Documentation/vm/arch_pgtable_helpers.rst |  6 ++++--
 include/linux/pgtable.h                   |  8 ++++++++
 mm/debug_vm_pgtable.c                     |  2 +-
 mm/khugepaged.c                           | 12 ++----------
 4 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/Documentation/vm/arch_pgtable_helpers.rst b/Documentation/vm/arch_pgtable_helpers.rst
index 552567d863b8..fbe06ec75370 100644
--- a/Documentation/vm/arch_pgtable_helpers.rst
+++ b/Documentation/vm/arch_pgtable_helpers.rst
@@ -66,9 +66,11 @@ PTE Page Table Helpers
 +---------------------------+--------------------------------------------------+
 | pte_mknotpresent          | Invalidates a mapped PTE                         |
 +---------------------------+--------------------------------------------------+
-| ptep_get_and_clear        | Clears a PTE                                     |
+| ptep_clear                | Clears a PTE                                     |
 +---------------------------+--------------------------------------------------+
-| ptep_get_and_clear_full   | Clears a PTE                                     |
+| ptep_get_and_clear        | Clears and returns PTE                           |
++---------------------------+--------------------------------------------------+
+| ptep_get_and_clear_full   | Clears and returns PTE (batched PTE unmap)       |
 +---------------------------+--------------------------------------------------+
 | ptep_test_and_clear_young | Clears young from a PTE                          |
 +---------------------------+--------------------------------------------------+
diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h
index e24d2c992b11..bc8713a76e03 100644
--- a/include/linux/pgtable.h
+++ b/include/linux/pgtable.h
@@ -258,6 +258,14 @@ static inline int pmdp_clear_flush_young(struct vm_area_struct *vma,
 #endif /* CONFIG_TRANSPARENT_HUGEPAGE */
 #endif
 
+#ifndef __HAVE_ARCH_PTEP_CLEAR
+static inline void ptep_clear(struct mm_struct *mm, unsigned long addr,
+			      pte_t *ptep)
+{
+	pte_clear(mm, addr, ptep);
+}
+#endif
+
 #ifndef __HAVE_ARCH_PTEP_GET_AND_CLEAR
 static inline pte_t ptep_get_and_clear(struct mm_struct *mm,
 				       unsigned long address,
diff --git a/mm/debug_vm_pgtable.c b/mm/debug_vm_pgtable.c
index 228e3954b90c..cd48a34c87a4 100644
--- a/mm/debug_vm_pgtable.c
+++ b/mm/debug_vm_pgtable.c
@@ -652,7 +652,7 @@ static void __init pte_clear_tests(struct pgtable_debug_args *args)
 	set_pte_at(args->mm, args->vaddr, args->ptep, pte);
 	flush_dcache_page(page);
 	barrier();
-	pte_clear(args->mm, args->vaddr, args->ptep);
+	ptep_clear(args->mm, args->vaddr, args->ptep);
 	pte = ptep_get(args->ptep);
 	WARN_ON(!pte_none(pte));
 }
diff --git a/mm/khugepaged.c b/mm/khugepaged.c
index dd807261ed9f..c78242d15406 100644
--- a/mm/khugepaged.c
+++ b/mm/khugepaged.c
@@ -756,11 +756,7 @@ static void __collapse_huge_page_copy(pte_t *pte, struct page *page,
 				 * ptl mostly unnecessary.
 				 */
 				spin_lock(ptl);
-				/*
-				 * paravirt calls inside pte_clear here are
-				 * superfluous.
-				 */
-				pte_clear(vma->vm_mm, address, _pte);
+				ptep_clear(vma->vm_mm, address, _pte);
 				spin_unlock(ptl);
 			}
 		} else {
@@ -774,11 +770,7 @@ static void __collapse_huge_page_copy(pte_t *pte, struct page *page,
 			 * inside page_remove_rmap().
 			 */
 			spin_lock(ptl);
-			/*
-			 * paravirt calls inside pte_clear here are
-			 * superfluous.
-			 */
-			pte_clear(vma->vm_mm, address, _pte);
+			ptep_clear(vma->vm_mm, address, _pte);
 			page_remove_rmap(src_page, false);
 			spin_unlock(ptl);
 			free_page_and_swap_cache(src_page);
-- 
2.34.0.rc2.393.gf8c9666880-goog

[PATCH 2/3] mm: page table check

[Pasha Tatashin]

Check user page table entries at the time they are added and removed.

Allows to synchronously catch memory corruption issues related to
double mapping.

When a pte for an anonymous page is added into page table, we verify
that this pte does not already point to a file backed page, and vice
versa if this is a file backed page that is being added we verify that
this page does not have an anonymous mapping

We also enforce that read-only sharing for anonymous pages is allowed
(i.e. cow after fork). All other sharing must be for file pages.

Page table check allows to protect and debug cases where "struct page"
metadata became corrupted for some reason. For example, when refcnt or
mapcount become invalid.

Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
---
 Documentation/vm/index.rst            |   1 +
 Documentation/vm/page_table_check.rst |  56 ++++++
 MAINTAINERS                           |   9 +
 arch/Kconfig                          |   3 +
 include/linux/page_table_check.h      | 147 +++++++++++++++
 mm/Kconfig.debug                      |  24 +++
 mm/Makefile                           |   1 +
 mm/page_alloc.c                       |   4 +
 mm/page_ext.c                         |   4 +
 mm/page_table_check.c                 | 261 ++++++++++++++++++++++++++
 10 files changed, 510 insertions(+)
 create mode 100644 Documentation/vm/page_table_check.rst
 create mode 100644 include/linux/page_table_check.h
 create mode 100644 mm/page_table_check.c

diff --git a/Documentation/vm/index.rst b/Documentation/vm/index.rst
index 6f5ffef4b716..43bb54d897d9 100644
--- a/Documentation/vm/index.rst
+++ b/Documentation/vm/index.rst
@@ -31,6 +31,7 @@ algorithms.  If you are looking for advice on simply allocating memory, see the
    page_migration
    page_frags
    page_owner
+   page_table_check
    remap_file_pages
    slub
    split_page_table_lock
diff --git a/Documentation/vm/page_table_check.rst b/Documentation/vm/page_table_check.rst
new file mode 100644
index 000000000000..51d2e273d345
--- /dev/null
+++ b/Documentation/vm/page_table_check.rst
@@ -0,0 +1,56 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+.. _page_table_check:
+
+================
+Page Table Check
+================
+
+Introduction
+============
+
+Page table check allows to hardern the kernel by ensuring that some types of
+the memory corruptions are prevented.
+
+Page table check performs extra verifications at the time when new pages become
+accessible from the userspace by getting their page table entries (PTEs PMDs
+etc.) added into the table.
+
+In case of detected corruption, the kernel is crashed. There is a small
+performance and memory overhead associated with the page table check. Therefore,
+it is disabled by default, but can be optionally be enabled on systems where
+the extra hardening outweighs the performance costs. Also, because page table
+check is synchronous, it can help with debugging double map memory corruption
+issues, by crashing kernel at the time wrong mapping occurs instead of later
+which is often the case with memory corruptions bugs.
+
+Double mapping detection logic
+==============================
+
++-------------------+-------------------+-------------------+------------------+
+| Current Mapping   | New mapping       | Permissions       | Rule             |
++===================+===================+===================+==================+
+| Anonymous         | Anonymous         | Read              | Allow            |
++-------------------+-------------------+-------------------+------------------+
+| Anonymous         | Anonymous         | Read / Write      | Prohibit         |
++-------------------+-------------------+-------------------+------------------+
+| Anonymous         | Named             | Any               | Prohibit         |
++-------------------+-------------------+-------------------+------------------+
+| Named             | Anonymous         | Any               | Prohibit         |
++-------------------+-------------------+-------------------+------------------+
+| Named             | Named             | Any               | Allow            |
++-------------------+-------------------+-------------------+------------------+
+
+Enabling Page Table Check
+=========================
+
+Build kernel with:
+
+- PAGE_TABLE_CHECK=y
+  Note, it can only be enabled on platforms where ARCH_SUPPORTS_PAGE_TABLE_CHECK
+  is available.
+
+- Boot with 'page_table_check=on' kernel parameter.
+
+Optionally, build kernel with PAGE_TABLE_CHECK_ENFORCED in order to have page
+table support without extra kernel parameter.
diff --git a/MAINTAINERS b/MAINTAINERS
index ab0d25f01ee3..69cc753799d6 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -14421,6 +14421,15 @@ F:	include/net/page_pool.h
 F:	include/trace/events/page_pool.h
 F:	net/core/page_pool.c
 
+PAGE TABLE CHECK
+M:	Pasha Tatashin <pasha.tatashin@soleen.com>
+M:	Andrew Morton <akpm@linux-foundation.org>
+L:	linux-mm@kvack.org
+S:	Maintained
+F:	Documentation/vm/page_table_check.rst
+F:	include/linux/page_table_check.h
+F:	mm/page_table_check.c
+
 PANASONIC LAPTOP ACPI EXTRAS DRIVER
 M:	Kenneth Chan <kenneth.t.chan@gmail.com>
 L:	platform-driver-x86@vger.kernel.org
diff --git a/arch/Kconfig b/arch/Kconfig
index 26b8ed11639d..c5b03b3bd62d 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -1287,6 +1287,9 @@ config HAVE_ARCH_PFN_VALID
 config ARCH_SUPPORTS_DEBUG_PAGEALLOC
 	bool
 
+config ARCH_SUPPORTS_PAGE_TABLE_CHECK
+	bool
+
 config ARCH_SPLIT_ARG64
 	bool
 	help
diff --git a/include/linux/page_table_check.h b/include/linux/page_table_check.h
new file mode 100644
index 000000000000..38cace1da7b6
--- /dev/null
+++ b/include/linux/page_table_check.h
@@ -0,0 +1,147 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+/*
+ * Copyright (c) 2021, Google LLC.
+ * Pasha Tatashin <pasha.tatashin@soleen.com>
+ */
+#ifndef __LINUX_PAGE_TABLE_CHECK_H
+#define __LINUX_PAGE_TABLE_CHECK_H
+
+#ifdef CONFIG_PAGE_TABLE_CHECK
+#include <linux/jump_label.h>
+
+extern struct static_key_true page_table_check_disabled;
+extern struct page_ext_operations page_table_check_ops;
+
+void __page_table_check_zero(struct page *page, unsigned int order);
+void __page_table_check_pte_clear(struct mm_struct *mm, unsigned long addr,
+				  pte_t pte);
+void __page_table_check_pmd_clear(struct mm_struct *mm, unsigned long addr,
+				  pmd_t pmd);
+void __page_table_check_pud_clear(struct mm_struct *mm, unsigned long addr,
+				  pud_t pud);
+void __page_table_check_pte_set(struct mm_struct *mm, unsigned long addr,
+				pte_t *ptep, pte_t pte);
+void __page_table_check_pmd_set(struct mm_struct *mm, unsigned long addr,
+				pmd_t *pmdp, pmd_t pmd);
+void __page_table_check_pud_set(struct mm_struct *mm, unsigned long addr,
+				pud_t *pudp, pud_t pud);
+
+static inline void page_table_check_alloc(struct page *page, unsigned int order)
+{
+	if (static_branch_likely(&page_table_check_disabled))
+		return;
+
+	__page_table_check_zero(page, order);
+}
+
+static inline void page_table_check_free(struct page *page, unsigned int order)
+{
+	if (static_branch_likely(&page_table_check_disabled))
+		return;
+
+	__page_table_check_zero(page, order);
+}
+
+static inline void page_table_check_pte_clear(struct mm_struct *mm,
+					      unsigned long addr, pte_t pte)
+{
+	if (static_branch_likely(&page_table_check_disabled))
+		return;
+
+	__page_table_check_pte_clear(mm, addr, pte);
+}
+
+static inline void page_table_check_pmd_clear(struct mm_struct *mm,
+					      unsigned long addr, pmd_t pmd)
+{
+	if (static_branch_likely(&page_table_check_disabled))
+		return;
+
+	__page_table_check_pmd_clear(mm, addr, pmd);
+}
+
+static inline void page_table_check_pud_clear(struct mm_struct *mm,
+					      unsigned long addr, pud_t pud)
+{
+	if (static_branch_likely(&page_table_check_disabled))
+		return;
+
+	__page_table_check_pud_clear(mm, addr, pud);
+}
+
+static inline void page_table_check_pte_set(struct mm_struct *mm,
+					    unsigned long addr, pte_t *ptep,
+					    pte_t pte)
+{
+	if (static_branch_likely(&page_table_check_disabled))
+		return;
+
+	__page_table_check_pte_set(mm, addr, ptep, pte);
+}
+
+static inline void page_table_check_pmd_set(struct mm_struct *mm,
+					    unsigned long addr, pmd_t *pmdp,
+					    pmd_t pmd)
+{
+	if (static_branch_likely(&page_table_check_disabled))
+		return;
+
+	__page_table_check_pmd_set(mm, addr, pmdp, pmd);
+}
+
+static inline void page_table_check_pud_set(struct mm_struct *mm,
+					    unsigned long addr, pud_t *pudp,
+					    pud_t pud)
+{
+	if (static_branch_likely(&page_table_check_disabled))
+		return;
+
+	__page_table_check_pud_set(mm, addr, pudp, pud);
+}
+
+#else
+
+static inline void page_table_check_alloc(struct page *page, unsigned int order)
+{
+}
+
+static inline void page_table_check_free(struct page *page, unsigned int order)
+{
+}
+
+static inline void page_table_check_pte_clear(struct mm_struct *mm,
+					      unsigned long addr, pte_t pte)
+{
+}
+
+static inline void page_table_check_pmd_clear(struct mm_struct *mm,
+					      unsigned long addr, pmd_t pmd)
+{
+}
+
+static inline void page_table_check_pud_clear(struct mm_struct *mm,
+					      unsigned long addr, pud_t pud)
+{
+}
+
+static inline void page_table_check_pte_set(struct mm_struct *mm,
+					    unsigned long addr, pte_t *ptep,
+					    pte_t pte)
+{
+}
+
+static inline void page_table_check_pmd_set(struct mm_struct *mm,
+					    unsigned long addr, pmd_t *pmdp,
+					    pmd_t pmd)
+{
+}
+
+static inline void page_table_check_pud_set(struct mm_struct *mm,
+					    unsigned long addr, pud_t *pudp,
+					    pud_t pud)
+{
+}
+
+#endif /* CONFIG_PAGE_TABLE_CHECK */
+#endif /* __LINUX_PAGE_TABLE_CHECK_H */
diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
index 1e73717802f8..e5724cd6946b 100644
--- a/mm/Kconfig.debug
+++ b/mm/Kconfig.debug
@@ -62,6 +62,30 @@ config PAGE_OWNER
 
 	  If unsure, say N.
 
+config PAGE_TABLE_CHECK
+	bool "Check for invalid mappings in user page tables"
+	depends on ARCH_SUPPORTS_PAGE_TABLE_CHECK
+	select PAGE_EXTENSION
+	help
+	  Check that anonymous page is not being mapped twice with read write
+	  permissions. Check that anonymous and file pages are not being
+	  erroneously shared. Since the checking is performed at the time
+	  entries are added and removed to user page tables, leaking, corruption
+	  and double mapping problems are detected synchronously.
+
+	  If unsure say "n".
+
+config PAGE_TABLE_CHECK_ENFORCED
+	bool "Enforce the page table checking by defauled"
+	depends on PAGE_TABLE_CHECK
+	help
+	  Always enable page table checking.  By default the page table checking
+	  is disabled, and can be optionally enabled via page_table_check=on
+	  kernel parameter. This config enforces that page table check is always
+	  enabled.
+
+	  If unsure say "n".
+
 config PAGE_POISONING
 	bool "Poison pages after freeing"
 	help
diff --git a/mm/Makefile b/mm/Makefile
index d6c0042e3aa0..5c5a3a480fa6 100644
--- a/mm/Makefile
+++ b/mm/Makefile
@@ -112,6 +112,7 @@ obj-$(CONFIG_GENERIC_EARLY_IOREMAP) += early_ioremap.o
 obj-$(CONFIG_CMA)	+= cma.o
 obj-$(CONFIG_MEMORY_BALLOON) += balloon_compaction.o
 obj-$(CONFIG_PAGE_EXTENSION) += page_ext.o
+obj-$(CONFIG_PAGE_TABLE_CHECK) += page_table_check.o
 obj-$(CONFIG_CMA_DEBUGFS) += cma_debug.o
 obj-$(CONFIG_SECRETMEM) += secretmem.o
 obj-$(CONFIG_CMA_SYSFS) += cma_sysfs.o
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 58490fa8948d..1a90a3cf8ef9 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -64,6 +64,7 @@
 #include <linux/sched/rt.h>
 #include <linux/sched/mm.h>
 #include <linux/page_owner.h>
+#include <linux/page_table_check.h>
 #include <linux/kthread.h>
 #include <linux/memcontrol.h>
 #include <linux/ftrace.h>
@@ -1298,6 +1299,7 @@ static __always_inline bool free_pages_prepare(struct page *page,
 		if (memcg_kmem_enabled() && PageMemcgKmem(page))
 			__memcg_kmem_uncharge_page(page, order);
 		reset_page_owner(page, order);
+		page_table_check_free(page, order);
 		return false;
 	}
 
@@ -1337,6 +1339,7 @@ static __always_inline bool free_pages_prepare(struct page *page,
 	page_cpupid_reset_last(page);
 	page->flags &= ~PAGE_FLAGS_CHECK_AT_PREP;
 	reset_page_owner(page, order);
+	page_table_check_free(page, order);
 
 	if (!PageHighMem(page)) {
 		debug_check_no_locks_freed(page_address(page),
@@ -2411,6 +2414,7 @@ inline void post_alloc_hook(struct page *page, unsigned int order,
 	}
 
 	set_page_owner(page, order, gfp_flags);
+	page_table_check_alloc(page, order);
 }
 
 static void prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags,
diff --git a/mm/page_ext.c b/mm/page_ext.c
index 6242afb24d84..bee3240604dc 100644
--- a/mm/page_ext.c
+++ b/mm/page_ext.c
@@ -8,6 +8,7 @@
 #include <linux/kmemleak.h>
 #include <linux/page_owner.h>
 #include <linux/page_idle.h>
+#include <linux/page_table_check.h>
 
 /*
  * struct page extension
@@ -75,6 +76,9 @@ static struct page_ext_operations *page_ext_ops[] = {
 #if defined(CONFIG_PAGE_IDLE_FLAG) && !defined(CONFIG_64BIT)
 	&page_idle_ops,
 #endif
+#ifdef CONFIG_PAGE_TABLE_CHECK
+	&page_table_check_ops,
+#endif
 };
 
 unsigned long page_ext_size = sizeof(struct page_ext);
diff --git a/mm/page_table_check.c b/mm/page_table_check.c
new file mode 100644
index 000000000000..06f1c9e0a62a
--- /dev/null
+++ b/mm/page_table_check.c
@@ -0,0 +1,261 @@
+// SPDX-License-Identifier: GPL-2.0
+
+/*
+ * Copyright (c) 2021, Google LLC.
+ * Pasha Tatashin <pasha.tatashin@soleen.com>
+ */
+#include <linux/mm.h>
+#include <linux/page_table_check.h>
+
+#undef pr_fmt
+#define pr_fmt(fmt)	"page_table_check: " fmt
+
+struct page_table_check {
+	atomic_t anon_map_count;
+	atomic_t file_map_count;
+};
+
+static bool __page_table_check_enabled __initdata =
+				IS_ENABLED(CONFIG_PAGE_TABLE_CHECK_ENFORCED);
+
+DEFINE_STATIC_KEY_TRUE_RO(page_table_check_disabled);
+
+static int __init early_page_table_check_param(char *buf)
+{
+	if (!buf)
+		return -EINVAL;
+
+	if (strcmp(buf, "on") == 0)
+		__page_table_check_enabled = true;
+
+	return 0;
+}
+
+early_param("page_table_check", early_page_table_check_param);
+
+static bool __init need_page_table_check(void)
+{
+	return __page_table_check_enabled;
+}
+
+static void __init init_page_table_check(void)
+{
+	if (!__page_table_check_enabled)
+		return;
+	static_branch_disable(&page_table_check_disabled);
+}
+
+struct page_ext_operations page_table_check_ops = {
+	.size = sizeof(struct page_table_check),
+	.need = need_page_table_check,
+	.init = init_page_table_check,
+};
+
+static struct page_table_check *get_page_table_check(struct page_ext *page_ext)
+{
+	BUG_ON(!page_ext);
+	return (void *)(page_ext) + page_table_check_ops.offset;
+}
+
+static inline bool pte_user_accessible_page(pte_t pte)
+{
+	return (pte_val(pte) & _PAGE_PRESENT) && (pte_val(pte) & _PAGE_USER);
+}
+
+static inline bool pmd_user_accessible_page(pmd_t pmd)
+{
+	return pmd_leaf(pmd) && (pmd_val(pmd) & _PAGE_PRESENT) &&
+		(pmd_val(pmd) & _PAGE_USER);
+}
+
+static inline bool pud_user_accessible_page(pud_t pud)
+{
+	return pud_leaf(pud) && (pud_val(pud) & _PAGE_PRESENT) &&
+		(pud_val(pud) & _PAGE_USER);
+}
+
+/*
+ * An enty is removed from the page table, decrement the counters for that page
+ * verify that it is of correct type and counters do not become negative.
+ */
+static void page_table_check_clear(struct mm_struct *mm, unsigned long addr,
+				   unsigned long pfn, unsigned int pgcnt)
+{
+	struct page_ext *page_ext;
+	struct page *page;
+	bool anon;
+	int i;
+
+	if (!pfn_valid(pfn))
+		return;
+
+	page = pfn_to_page(pfn);
+	page_ext = lookup_page_ext(page);
+	anon = PageAnon(page);
+
+	for (i = 0; i < pgcnt; i++) {
+		struct page_table_check *ptc = get_page_table_check(page_ext);
+
+		if (anon) {
+			BUG_ON(atomic_read(&ptc->file_map_count));
+			BUG_ON(atomic_dec_return(&ptc->anon_map_count) < 0);
+		} else {
+			BUG_ON(atomic_read(&ptc->anon_map_count));
+			BUG_ON(atomic_dec_return(&ptc->file_map_count) < 0);
+		}
+		page_ext = page_ext_next(page_ext);
+	}
+}
+
+/*
+ * A new enty is added to the page table, increment the counters for that page
+ * verify that it is of correct type and is not being mapped with a different
+ * type to a different process.
+ */
+static void page_table_check_set(struct mm_struct *mm, unsigned long addr,
+				 unsigned long pfn, unsigned long pgcnt,
+				 bool rw)
+{
+	struct page_ext *page_ext;
+	struct page *page;
+	bool anon;
+	int i;
+
+	if (!pfn_valid(pfn))
+		return;
+
+	page = pfn_to_page(pfn);
+	page_ext = lookup_page_ext(page);
+	anon = PageAnon(page);
+
+	for (i = 0; i < pgcnt; i++) {
+		struct page_table_check *ptc = get_page_table_check(page_ext);
+
+		if (anon) {
+			BUG_ON(atomic_read(&ptc->file_map_count));
+			BUG_ON(atomic_inc_return(&ptc->anon_map_count) > 1 && rw);
+		} else {
+			BUG_ON(atomic_read(&ptc->anon_map_count));
+			BUG_ON(atomic_inc_return(&ptc->file_map_count) < 0);
+		}
+		page_ext = page_ext_next(page_ext);
+	}
+}
+
+/*
+ * page is on free list, or is being allocated, verify that counters are zeroes
+ * crash if they are not.
+ */
+void __page_table_check_zero(struct page *page, unsigned int order)
+{
+	struct page_ext *page_ext = lookup_page_ext(page);
+	int i;
+
+	BUG_ON(!page_ext);
+	for (i = 0; i < (1 << order); i++) {
+		struct page_table_check *ptc = get_page_table_check(page_ext);
+
+		BUG_ON(atomic_read(&ptc->anon_map_count));
+		BUG_ON(atomic_read(&ptc->file_map_count));
+		page_ext = page_ext_next(page_ext);
+	}
+}
+
+void __page_table_check_pte_clear(struct mm_struct *mm, unsigned long addr,
+				  pte_t pte)
+{
+	if (&init_mm == mm)
+		return;
+
+	if (pte_user_accessible_page(pte)) {
+		page_table_check_clear(mm, addr, pte_pfn(pte),
+				       PAGE_SIZE >> PAGE_SHIFT);
+	}
+}
+
+void __page_table_check_pmd_clear(struct mm_struct *mm, unsigned long addr,
+				  pmd_t pmd)
+{
+	if (&init_mm == mm)
+		return;
+
+	if (pmd_user_accessible_page(pmd)) {
+		page_table_check_clear(mm, addr, pmd_pfn(pmd),
+				       PMD_PAGE_SIZE >> PAGE_SHIFT);
+	}
+}
+
+void __page_table_check_pud_clear(struct mm_struct *mm, unsigned long addr,
+				  pud_t pud)
+{
+	if (&init_mm == mm)
+		return;
+
+	if (pud_user_accessible_page(pud)) {
+		page_table_check_clear(mm, addr, pud_pfn(pud),
+				       PUD_PAGE_SIZE >> PAGE_SHIFT);
+	}
+}
+
+void __page_table_check_pte_set(struct mm_struct *mm, unsigned long addr,
+				pte_t *ptep, pte_t pte)
+{
+	pte_t old_pte;
+
+	if (&init_mm == mm)
+		return;
+
+	old_pte = *ptep;
+	if (pte_user_accessible_page(old_pte)) {
+		page_table_check_clear(mm, addr, pte_pfn(old_pte),
+				       PAGE_SIZE >> PAGE_SHIFT);
+	}
+
+	if (pte_user_accessible_page(pte)) {
+		page_table_check_set(mm, addr, pte_pfn(pte),
+				     PAGE_SIZE >> PAGE_SHIFT,
+				     pte_write(pte));
+	}
+}
+
+void __page_table_check_pmd_set(struct mm_struct *mm, unsigned long addr,
+				pmd_t *pmdp, pmd_t pmd)
+{
+	pmd_t old_pmd;
+
+	if (&init_mm == mm)
+		return;
+
+	old_pmd = *pmdp;
+	if (pmd_user_accessible_page(old_pmd)) {
+		page_table_check_clear(mm, addr, pmd_pfn(old_pmd),
+				       PMD_PAGE_SIZE >> PAGE_SHIFT);
+	}
+
+	if (pmd_user_accessible_page(pmd)) {
+		page_table_check_set(mm, addr, pmd_pfn(pmd),
+				     PMD_PAGE_SIZE >> PAGE_SHIFT,
+				     pmd_write(pmd));
+	}
+}
+
+void __page_table_check_pud_set(struct mm_struct *mm, unsigned long addr,
+				pud_t *pudp, pud_t pud)
+{
+	pud_t old_pud;
+
+	if (&init_mm == mm)
+		return;
+
+	old_pud = *pudp;
+	if (pud_user_accessible_page(old_pud)) {
+		page_table_check_clear(mm, addr, pud_pfn(old_pud),
+				       PUD_PAGE_SIZE >> PAGE_SHIFT);
+	}
+
+	if (pud_user_accessible_page(pud)) {
+		page_table_check_set(mm, addr, pud_pfn(pud),
+				     PUD_PAGE_SIZE >> PAGE_SHIFT,
+				     pud_write(pud));
+	}
+}
-- 
2.34.0.rc2.393.gf8c9666880-goog

Re: [PATCH 2/3] mm: page table check

[Fusion Future]

It seems after updating to linux-next-20211125, my system is crashing 
frequently due to "kernel BUG at mm/page_table_check.c:101".

linux-next-20211124 does not have the issue.

A bug was also reported on
https://bugzilla.opensuse.org/show_bug.cgi?id=1193125

journactl output before sysrq reboot:

```
11月 27 15:13:10 ZHAN66 kernel: ------------[ cut here ]------------
11月 27 15:13:10 ZHAN66 kernel: kernel BUG at mm/page_table_check.c:101!
11月 27 15:13:10 ZHAN66 kernel: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
11月 27 15:13:10 ZHAN66 kernel: CPU: 0 PID: 75 Comm: kcompactd0 Not 
tainted 5.16.0-rc2-next-20211125-1.ga5a7188-vanilla #1 
3000d4f4dc38a6eb529f948e10865da4957e57dc
11月 27 15:13:10 ZHAN66 kernel: Hardware name: HP HP ZHAN 66 Pro A 14 
G3/876B, BIOS S81 Ver. 01.03.01 10/23/2020
11月 27 15:13:10 ZHAN66 kernel: RIP: 
0010:page_table_check_clear.part.0+0xbb/0xd0
11月 27 15:13:10 ZHAN66 kernel: Code: d8 0f 0b f7 c3 ff 0f 00 00 75 97 48 
8b 13 f7 c2 00 00 01 00 74 8c 48 8b 53 48 4c 8d 62 ff 83 e2 01 4c 0f 44 
e3 e9 78 ff ff ff <0f> 0b 0f 0b 0f 0b 5b 5d 41 5c c3 66 2e 0f 1f 84 00 
00 00 00 00 0f
11月 27 15:13:10 ZHAN66 kernel: RSP: 0018:ffffb784403e7a80 EFLAGS: 00010202
11月 27 15:13:10 ZHAN66 kernel: RAX: ffff987f419362e0 RBX: 
fffff1cf842d8b80 RCX: 0000000000000000
11月 27 15:13:10 ZHAN66 kernel: RDX: ffff987f419362e8 RSI: 
0000000000000001 RDI: 0000000000000001
11月 27 15:13:10 ZHAN66 kernel: RBP: 0000000000000001 R08: 
00000000ffffffff R09: 0000000000000825
11月 27 15:13:10 ZHAN66 kernel: R10: 0000000000000067 R11: 
000000000003a878 R12: fffff1cf842d8b80
11月 27 15:13:10 ZHAN66 kernel: R13: ffff987f468e9100 R14: 
ffff98801df1e960 R15: 03ffffffffffffff
11月 27 15:13:10 ZHAN66 kernel: FS:  0000000000000000(0000) 
GS:ffff98823f400000(0000) knlGS:0000000000000000
11月 27 15:13:10 ZHAN66 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 
0000000080050033
11月 27 15:13:10 ZHAN66 kernel: CR2: 00007f9b8591bd20 CR3: 
0000000161d0c000 CR4: 0000000000350ef0
11月 27 15:13:10 ZHAN66 kernel: Call Trace:
11月 27 15:13:10 ZHAN66 kernel:  <TASK>
11月 27 15:13:10 ZHAN66 kernel:  ptep_clear_flush+0x7e/0x80
11月 27 15:13:10 ZHAN66 kernel:  try_to_migrate_one+0x1b5/0x9e0
11月 27 15:13:10 ZHAN66 kernel:  ? __mod_memcg_lruvec_state+0x41/0x80
11月 27 15:13:10 ZHAN66 kernel:  rmap_walk_anon+0x121/0x270
11月 27 15:13:10 ZHAN66 kernel:  try_to_migrate+0x129/0x1c0
11月 27 15:13:10 ZHAN66 kernel:  ? try_to_unmap_one+0x1010/0x1010
11月 27 15:13:10 ZHAN66 kernel:  ? anon_vma_ctor+0x40/0x40
11月 27 15:13:10 ZHAN66 kernel:  ? page_get_anon_vma+0xc0/0xc0
11月 27 15:13:10 ZHAN66 kernel:  ? invalid_mkclean_vma+0x20/0x20
11月 27 15:13:10 ZHAN66 kernel:  migrate_pages+0x10f3/0x16e0
11月 27 15:13:10 ZHAN66 kernel:  ? isolate_freepages_block+0x460/0x460
11月 27 15:13:10 ZHAN66 kernel:  ? move_freelist_tail+0xc0/0xc0
11月 27 15:13:10 ZHAN66 kernel:  ? migrate_page+0xe0/0xe0
11月 27 15:13:10 ZHAN66 kernel:  compact_zone+0x5ec/0xe70
11月 27 15:13:10 ZHAN66 kernel:  ? finish_task_switch.isra.0+0xb4/0x2c0
11月 27 15:13:10 ZHAN66 kernel:  proactive_compact_node+0x88/0xc0
11月 27 15:13:10 ZHAN66 kernel:  kcompactd+0x1c4/0x410
11月 27 15:13:10 ZHAN66 kernel:  ? wait_woken+0x70/0x70
11月 27 15:13:10 ZHAN66 kernel:  ? kcompactd_do_work+0x290/0x290
11月 27 15:13:10 ZHAN66 kernel:  kthread+0x15a/0x180
11月 27 15:13:10 ZHAN66 kernel:  ? set_kthread_struct+0x40/0x40
11月 27 15:13:10 ZHAN66 kernel:  ret_from_fork+0x1f/0x30
11月 27 15:13:10 ZHAN66 kernel:  </TASK>
11月 27 15:13:10 ZHAN66 kernel: Modules linked in: uinput rfcomm 
snd_seq_dummy snd_hrtimer snd_seq snd_seq_device af_packet r8153_ecm 
cdc_ether usbnet cmac algif_hash algif_skcipher af_alg nft_fib_inet 
nft_fib_ipv4 nft_fib_ipv6 nft_fib r8152 mii nft_reject_inet nf_reje>
11月 27 15:13:10 ZHAN66 kernel:  snd_hda_core snd_compress 
snd_pcm_dmaengine snd_pci_acp6x snd_hwdep snd_pcm cfg80211 r8169 
snd_timer ucsi_acpi snd realtek typec_ucsi snd_pci_acp5x mdio_devres 
snd_rn_pci_acp3x typec soundcore snd_pci_acp3x libphy roles rfkill 
nls_iso88>
11月 27 15:13:10 ZHAN66 kernel: ---[ end trace 7dff3b4592ed7de0 ]---
11月 27 15:13:10 ZHAN66 kernel: RIP: 
0010:page_table_check_clear.part.0+0xbb/0xd0
11月 27 15:13:10 ZHAN66 kernel: Code: d8 0f 0b f7 c3 ff 0f 00 00 75 97 48 
8b 13 f7 c2 00 00 01 00 74 8c 48 8b 53 48 4c 8d 62 ff 83 e2 01 4c 0f 44 
e3 e9 78 ff ff ff <0f> 0b 0f 0b 0f 0b 5b 5d 41 5c c3 66 2e 0f 1f 84 00 
00 00 00 00 0f
11月 27 15:13:10 ZHAN66 kernel: RSP: 0018:ffffb784403e7a80 EFLAGS: 00010202
11月 27 15:13:10 ZHAN66 kernel: RAX: ffff987f419362e0 RBX: 
fffff1cf842d8b80 RCX: 0000000000000000
11月 27 15:13:10 ZHAN66 kernel: RDX: ffff987f419362e8 RSI: 
0000000000000001 RDI: 0000000000000001
11月 27 15:13:10 ZHAN66 kernel: RBP: 0000000000000001 R08: 
00000000ffffffff R09: 0000000000000825
11月 27 15:13:10 ZHAN66 kernel: R10: 0000000000000067 R11: 
000000000003a878 R12: fffff1cf842d8b80
11月 27 15:13:10 ZHAN66 kernel: R13: ffff987f468e9100 R14: 
ffff98801df1e960 R15: 03ffffffffffffff
11月 27 15:13:10 ZHAN66 kernel: FS:  0000000000000000(0000) 
GS:ffff98823f400000(0000) knlGS:0000000000000000
11月 27 15:13:10 ZHAN66 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 
0000000080050033
11月 27 15:13:10 ZHAN66 kernel: CR2: 00007f9b8591bd20 CR3: 
0000000161d0c000 CR4: 0000000000350ef0
11月 27 15:13:10 ZHAN66 kernel: note: kcompactd0[75] exited with 
preempt_count 1
11月 27 15:13:13 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: 
clang_parseTranslationUnit2 return with error code 4
11月 27 15:13:13 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang:   (start 
KDevelop with `KDEV_CLANG_DISPLAY_DIAGS=1 kdevelop` to see more diagnostics)
11月 27 15:13:13 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: Failed to 
parse translation unit: 
"/home/qydw/文档/osc/KDE/kwayland/build/src/server/wayland-contrast-client-protocol.h"
11月 27 15:13:15 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: 
clang_parseTranslationUnit2 return with error code 4
11月 27 15:13:15 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang:   (start 
KDevelop with `KDEV_CLANG_DISPLAY_DIAGS=1 kdevelop` to see more diagnostics)
11月 27 15:13:15 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: Failed to 
parse translation unit: 
"/home/qydw/文档/osc/KDE/kwayland/build/src/server/wayland-blur-server-protocol.h"
11月 27 15:13:22 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: 
clang_parseTranslationUnit2 return with error code 4
11月 27 15:13:22 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang:   (start 
KDevelop with `KDEV_CLANG_DISPLAY_DIAGS=1 kdevelop` to see more diagnostics)
11月 27 15:13:22 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: Failed to 
parse translation unit: 
"/home/qydw/文档/osc/KDE/kwayland/build/src/server/wayland-slide-client-protocol.h"
11月 27 15:13:30 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: 
clang_parseTranslationUnit2 return with error code 4
11月 27 15:13:30 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang:   (start 
KDevelop with `KDEV_CLANG_DISPLAY_DIAGS=1 kdevelop` to see more diagnostics)
11月 27 15:13:30 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: Failed to 
parse translation unit: 
"/home/qydw/文档/osc/KDE/kwayland/build/src/server/wayland-shadow-client-protocol.h"
11月 27 15:13:33 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: 
clang_parseTranslationUnit2 return with error code 4
11月 27 15:13:33 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang:   (start 
KDevelop with `KDEV_CLANG_DISPLAY_DIAGS=1 kdevelop` to see more diagnostics)
11月 27 15:13:33 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: Failed to 
parse translation unit: 
"/home/qydw/文档/osc/KDE/kwayland/build/src/server/wayland-fake-input-server-protocol.h"
11月 27 15:13:36 ZHAN66 kernel: watchdog: BUG: soft lockup - CPU#4 stuck 
for 22s! [plasmashell:6294]
11月 27 15:13:36 ZHAN66 kernel: Modules linked in: uinput rfcomm 
snd_seq_dummy snd_hrtimer snd_seq snd_seq_device af_packet r8153_ecm 
cdc_ether usbnet cmac algif_hash algif_skcipher af_alg nft_fib_inet 
nft_fib_ipv4 nft_fib_ipv6 nft_fib r8152 mii nft_reject_inet nf_reje>
11月 27 15:13:36 ZHAN66 kernel:  snd_hda_core snd_compress 
snd_pcm_dmaengine snd_pci_acp6x snd_hwdep snd_pcm cfg80211 r8169 
snd_timer ucsi_acpi snd realtek typec_ucsi snd_pci_acp5x mdio_devres 
snd_rn_pci_acp3x typec soundcore snd_pci_acp3x libphy roles rfkill 
nls_iso88>
11月 27 15:13:36 ZHAN66 kernel: CPU: 4 PID: 6294 Comm: plasmashell 
Tainted: G      D           5.16.0-rc2-next-20211125-1.ga5a7188-vanilla 
#1 3000d4f4dc38a6eb529f948e10865da4957e57dc
11月 27 15:13:36 ZHAN66 kernel: Hardware name: HP HP ZHAN 66 Pro A 14 
G3/876B, BIOS S81 Ver. 01.03.01 10/23/2020
11月 27 15:13:36 ZHAN66 kernel: RIP: 
0010:native_queued_spin_lock_slowpath+0x5c/0x1d0
11月 27 15:13:36 ZHAN66 kernel: Code: 0f ba 2a 08 0f 92 c1 8b 02 0f b6 c9 
c1 e1 08 30 e4 09 c8 a9 00 01 ff ff 0f 85 11 01 00 00 85 c0 74 0e 8b 02 
84 c0 74 08 f3 90 <8b> 02 84 c0 75 f8 b8 01 00 00 00 66 89 02 c3 8b 37 
b9 00 02 00 00
11月 27 15:13:36 ZHAN66 kernel: RSP: 0000:ffffb78441ca3d48 EFLAGS: 00000202
11月 27 15:13:36 ZHAN66 kernel: RAX: 0000000000000101 RBX: 
0000000000000028 RCX: 0000000000000000
11月 27 15:13:36 ZHAN66 kernel: RDX: fffff1cf88a25ca8 RSI: 
0000000000000000 RDI: fffff1cf88a25ca8
11月 27 15:13:36 ZHAN66 kernel: RBP: ffffb78441ca3e00 R08: 
0000000000000028 R09: fffff1cf88a25ca8
11月 27 15:13:36 ZHAN66 kernel: R10: 0000000000000000 R11: 
0000000000000000 R12: 00007fac2d8f0000
11月 27 15:13:36 ZHAN66 kernel: R13: 0000000000000000 R14: 
fffff1cf8a86d200 R15: ffff987f48994af0
11月 27 15:13:36 ZHAN66 kernel: FS:  00007fac28a23e40(0000) 
GS:ffff98823f500000(0000) knlGS:0000000000000000
11月 27 15:13:36 ZHAN66 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 
0000000080050033
11月 27 15:13:36 ZHAN66 kernel: CR2: 00007fac2d8f0c60 CR3: 
000000010b950000 CR4: 0000000000350ee0
11月 27 15:13:36 ZHAN66 kernel: Call Trace:
11月 27 15:13:36 ZHAN66 kernel:  <TASK>
11月 27 15:13:36 ZHAN66 kernel:  _raw_spin_lock+0x21/0x30
11月 27 15:13:36 ZHAN66 kernel:  filemap_map_pages+0x2f6/0x690
11月 27 15:13:36 ZHAN66 kernel:  __handle_mm_fault+0xcbd/0x1550
11月 27 15:13:10 ZHAN66 kernel:  compact_zone+0x5ec/0xe70
11月 27 15:13:10 ZHAN66 kernel:  ? finish_task_switch.isra.0+0xb4/0x2c0
11月 27 15:13:10 ZHAN66 kernel:  proactive_compact_node+0x88/0xc0
11月 27 15:13:10 ZHAN66 kernel:  kcompactd+0x1c4/0x410
11月 27 15:13:10 ZHAN66 kernel:  ? wait_woken+0x70/0x70
11月 27 15:13:10 ZHAN66 kernel:  ? kcompactd_do_work+0x290/0x290
11月 27 15:13:10 ZHAN66 kernel:  kthread+0x15a/0x180
11月 27 15:13:10 ZHAN66 kernel:  ? set_kthread_struct+0x40/0x40
11月 27 15:13:10 ZHAN66 kernel:  ret_from_fork+0x1f/0x30
11月 27 15:13:10 ZHAN66 kernel:  </TASK>
11月 27 15:13:10 ZHAN66 kernel: Modules linked in: uinput rfcomm 
snd_seq_dummy snd_hrtimer snd_seq snd_seq_device af_packet r8153_ecm 
cdc_ether usbnet cmac algif_hash algif_skcipher af_alg nft_fib_inet 
nft_fib_ipv4 nft_fib_ipv6 nft_fib r8152 mii nft_reject_inet nf_reje>
11月 27 15:13:10 ZHAN66 kernel:  snd_hda_core snd_compress 
snd_pcm_dmaengine snd_pci_acp6x snd_hwdep snd_pcm cfg80211 r8169 
snd_timer ucsi_acpi snd realtek typec_ucsi snd_pci_acp5x mdio_devres 
snd_rn_pci_acp3x typec soundcore snd_pci_acp3x libphy roles rfkill 
nls_iso88>
11月 27 15:13:10 ZHAN66 kernel: ---[ end trace 7dff3b4592ed7de0 ]---
11月 27 15:13:10 ZHAN66 kernel: RIP: 
0010:page_table_check_clear.part.0+0xbb/0xd0
11月 27 15:13:10 ZHAN66 kernel: Code: d8 0f 0b f7 c3 ff 0f 00 00 75 97 48 
8b 13 f7 c2 00 00 01 00 74 8c 48 8b 53 48 4c 8d 62 ff 83 e2 01 4c 0f 44 
e3 e9 78 ff ff ff <0f> 0b 0f 0b 0f 0b 5b 5d 41 5c c3 66 2e 0f 1f 84 00 
00 00 00 00 0f
11月 27 15:13:10 ZHAN66 kernel: RSP: 0018:ffffb784403e7a80 EFLAGS: 00010202
11月 27 15:13:10 ZHAN66 kernel: RAX: ffff987f419362e0 RBX: 
fffff1cf842d8b80 RCX: 0000000000000000
11月 27 15:13:10 ZHAN66 kernel: RDX: ffff987f419362e8 RSI: 
0000000000000001 RDI: 0000000000000001
11月 27 15:13:10 ZHAN66 kernel: RBP: 0000000000000001 R08: 
00000000ffffffff R09: 0000000000000825
11月 27 15:13:10 ZHAN66 kernel: R10: 0000000000000067 R11: 
000000000003a878 R12: fffff1cf842d8b80
11月 27 15:13:10 ZHAN66 kernel: R13: ffff987f468e9100 R14: 
ffff98801df1e960 R15: 03ffffffffffffff
11月 27 15:13:10 ZHAN66 kernel: FS:  0000000000000000(0000) 
GS:ffff98823f400000(0000) knlGS:0000000000000000
11月 27 15:13:10 ZHAN66 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 
0000000080050033
11月 27 15:13:10 ZHAN66 kernel: CR2: 00007f9b8591bd20 CR3: 
0000000161d0c000 CR4: 0000000000350ef0
11月 27 15:13:10 ZHAN66 kernel: note: kcompactd0[75] exited with 
preempt_count 1
11月 27 15:13:13 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: 
clang_parseTranslationUnit2 return with error code 4
11月 27 15:13:13 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang:   (start 
KDevelop with `KDEV_CLANG_DISPLAY_DIAGS=1 kdevelop` to see more diagnostics)
11月 27 15:13:13 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: Failed to 
parse translation unit: 
"/home/qydw/文档/osc/KDE/kwayland/build/src/server/wayland-contrast-client-protocol.h"
11月 27 15:13:15 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: 
clang_parseTranslationUnit2 return with error code 4
11月 27 15:13:15 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang:   (start 
KDevelop with `KDEV_CLANG_DISPLAY_DIAGS=1 kdevelop` to see more diagnostics)
11月 27 15:13:15 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: Failed to 
parse translation unit: 
"/home/qydw/文档/osc/KDE/kwayland/build/src/server/wayland-blur-server-protocol.h"
11月 27 15:13:22 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: 
clang_parseTranslationUnit2 return with error code 4
11月 27 15:13:22 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang:   (start 
KDevelop with `KDEV_CLANG_DISPLAY_DIAGS=1 kdevelop` to see more diagnostics)
11月 27 15:13:22 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: Failed to 
parse translation unit: 
"/home/qydw/文档/osc/KDE/kwayland/build/src/server/wayland-slide-client-protocol.h"
11月 27 15:13:30 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: 
clang_parseTranslationUnit2 return with error code 4
11月 27 15:13:30 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang:   (start 
KDevelop with `KDEV_CLANG_DISPLAY_DIAGS=1 kdevelop` to see more diagnostics)
11月 27 15:13:30 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: Failed to 
parse translation unit: 
"/home/qydw/文档/osc/KDE/kwayland/build/src/server/wayland-shadow-client-protocol.h"
11月 27 15:13:33 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: 
clang_parseTranslationUnit2 return with error code 4
11月 27 15:13:33 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang:   (start 
KDevelop with `KDEV_CLANG_DISPLAY_DIAGS=1 kdevelop` to see more diagnostics)
11月 27 15:13:33 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: Failed to 
parse translation unit: 
"/home/qydw/文档/osc/KDE/kwayland/build/src/server/wayland-fake-input-server-protocol.h"
11月 27 15:13:36 ZHAN66 kernel: watchdog: BUG: soft lockup - CPU#4 stuck 
for 22s! [plasmashell:6294]
11月 27 15:13:36 ZHAN66 kernel: Modules linked in: uinput rfcomm 
snd_seq_dummy snd_hrtimer snd_seq snd_seq_device af_packet r8153_ecm 
cdc_ether usbnet cmac algif_hash algif_skcipher af_alg nft_fib_inet 
nft_fib_ipv4 nft_fib_ipv6 nft_fib r8152 mii nft_reject_inet nf_reje>
11月 27 15:13:36 ZHAN66 kernel:  snd_hda_core snd_compress 
snd_pcm_dmaengine snd_pci_acp6x snd_hwdep snd_pcm cfg80211 r8169 
snd_timer ucsi_acpi snd realtek typec_ucsi snd_pci_acp5x mdio_devres 
snd_rn_pci_acp3x typec soundcore snd_pci_acp3x libphy roles rfkill 
nls_iso88>
11月 27 15:13:36 ZHAN66 kernel: CPU: 4 PID: 6294 Comm: plasmashell 
Tainted: G      D           5.16.0-rc2-next-20211125-1.ga5a7188-vanilla 
#1 3000d4f4dc38a6eb529f948e10865da4957e57dc
11月 27 15:13:36 ZHAN66 kernel: Hardware name: HP HP ZHAN 66 Pro A 14 
G3/876B, BIOS S81 Ver. 01.03.01 10/23/2020
11月 27 15:13:36 ZHAN66 kernel: RIP: 
0010:native_queued_spin_lock_slowpath+0x5c/0x1d0
11月 27 15:13:36 ZHAN66 kernel: Code: 0f ba 2a 08 0f 92 c1 8b 02 0f b6 c9 
c1 e1 08 30 e4 09 c8 a9 00 01 ff ff 0f 85 11 01 00 00 85 c0 74 0e 8b 02 
84 c0 74 08 f3 90 <8b> 02 84 c0 75 f8 b8 01 00 00 00 66 89 02 c3 8b 37 
b9 00 02 00 00
11月 27 15:13:36 ZHAN66 kernel: RSP: 0000:ffffb78441ca3d48 EFLAGS: 00000202
11月 27 15:13:36 ZHAN66 kernel: RAX: 0000000000000101 RBX: 
0000000000000028 RCX: 0000000000000000
11月 27 15:13:36 ZHAN66 kernel: RDX: fffff1cf88a25ca8 RSI: 
0000000000000000 RDI: fffff1cf88a25ca8
11月 27 15:13:36 ZHAN66 kernel: RBP: ffffb78441ca3e00 R08: 
0000000000000028 R09: fffff1cf88a25ca8
11月 27 15:13:36 ZHAN66 kernel: R10: 0000000000000000 R11: 
0000000000000000 R12: 00007fac2d8f0000
11月 27 15:13:36 ZHAN66 kernel: R13: 0000000000000000 R14: 
fffff1cf8a86d200 R15: ffff987f48994af0
11月 27 15:13:36 ZHAN66 kernel: FS:  00007fac28a23e40(0000) 
GS:ffff98823f500000(0000) knlGS:0000000000000000
11月 27 15:13:36 ZHAN66 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 
0000000080050033
11月 27 15:13:36 ZHAN66 kernel: CR2: 00007fac2d8f0c60 CR3: 
000000010b950000 CR4: 0000000000350ee0
11月 27 15:13:36 ZHAN66 kernel: Call Trace:
11月 27 15:13:36 ZHAN66 kernel:  <TASK>
11月 27 15:13:36 ZHAN66 kernel:  _raw_spin_lock+0x21/0x30
11月 27 15:13:36 ZHAN66 kernel:  filemap_map_pages+0x2f6/0x690
11月 27 15:13:36 ZHAN66 kernel:  __handle_mm_fault+0xcbd/0x1550
11月 27 15:13:36 ZHAN66 kernel:  ? _copy_to_user+0x1c/0x30
11月 27 15:13:36 ZHAN66 kernel:  handle_mm_fault+0xb2/0x280
11月 27 15:13:36 ZHAN66 kernel:  do_user_addr_fault+0x1ba/0x690
11月 27 15:13:36 ZHAN66 kernel:  ? do_syscall_64+0x69/0x80
11月 27 15:13:36 ZHAN66 kernel:  exc_page_fault+0x68/0x150
11月 27 15:13:36 ZHAN66 kernel:  ? asm_exc_page_fault+0x8/0x30
11月 27 15:13:36 ZHAN66 kernel:  asm_exc_page_fault+0x1e/0x30
11月 27 15:13:36 ZHAN66 kernel: RIP: 0033:0x7fac2d8f0c60
11月 27 15:13:36 ZHAN66 kernel: Code: Unable to access opcode bytes at 
RIP 0x7fac2d8f0c36.
11月 27 15:13:36 ZHAN66 kernel: RSP: 002b:00007fff1c421988 EFLAGS: 00010206
11月 27 15:13:36 ZHAN66 kernel: RAX: 0000000000000001 RBX: 
000055bed54aecb8 RCX: 000055bed54ce290
11月 27 15:13:36 ZHAN66 kernel: RDX: 000055bed54ce290 RSI: 
000055bed7361ca8 RDI: 000055bed7315ba0
11月 27 15:13:36 ZHAN66 kernel: RBP: 000055bed7315ba0 R08: 
0000000000000000 R09: 00007fac2b71f620
11月 27 15:13:36 ZHAN66 kernel: R10: 00007fff1c4a7080 R11: 
9a5279bc9b9622a2 R12: 000055bed54aecc8
11月 27 15:13:36 ZHAN66 kernel: R13: 000055bed75d6980 R14: 
000055bed55d58b0 R15: 00007fff1c421a40
11月 27 15:13:36 ZHAN66 kernel:  </TASK>
11月 27 15:13:39 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: 
clang_parseTranslationUnit2 return with error code 4
11月 27 15:13:39 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang:   (start 
KDevelop with `KDEV_CLANG_DISPLAY_DIAGS=1 kdevelop` to see more diagnostics)
11月 27 15:13:39 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: Failed to 
parse translation unit: 
"/home/qydw/文档/osc/KDE/kwayland/build/src/server/wayland-fake-input-client-protocol.h"
11月 27 15:13:43 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: 
clang_parseTranslationUnit2 return with error code 4
11月 27 15:13:43 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang:   (start 
KDevelop with `KDEV_CLANG_DISPLAY_DIAGS=1 kdevelop` to see more diagnostics)
11月 27 15:13:43 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: Failed to 
parse translation unit: 
"/home/qydw/文档/osc/KDE/kwayland/build/src/server/wayland-blur-client-protocol.h"
11月 27 15:13:46 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: 
clang_parseTranslationUnit2 return with error code 4
11月 27 15:13:46 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang:   (start 
KDevelop with `KDEV_CLANG_DISPLAY_DIAGS=1 kdevelop` to see more diagnostics)
11月 27 15:13:46 ZHAN66 kdevelop[3039]: kdevelop.plugins.clang: Failed to 
parse translation unit: 
"/home/qydw/文档/osc/KDE/kwayland/build/src/server/wayland-dpms-server-protocol.h"
-- Boot 2c685d4adc43478f9350816f24a67c6d --

```

Re: [PATCH 2/3] mm: page table check

[Pasha Tatashin]

On Sat, Nov 27, 2021 at 3:41 AM Fusion Future <qydwhotmail@gmail.com> wrote:
>
> It seems after updating to linux-next-20211125, my system is crashing
> frequently due to "kernel BUG at mm/page_table_check.c:101".

Thank you for reporting this issue:

 99                 if (anon) {
100                         BUG_ON(atomic_read(&ptc->file_map_count));
101                         BUG_ON(atomic_dec_return(&ptc->anon_map_count) < 0);

This BUG_ON checks that during unmap anon map counter (cleared in
ptep_clear_flush()) does not become negative. If it becomes negative
it means that we missed accounting for this anon mapping during
set_pte(). Is there a config and environment that I could use to repro
this problem?

Thank you,
Pasha

Re: [PATCH 2/3] mm: page table check

[Fusion Future]

Here is the config:

https://pastebin.com/AsLukrbE

I can't stably reproduce the bug, but it seems it's likely to happen 
when a music is playing in the background or there is a file operation.

I encountered it again on linux-next-20211126 when I was trying to 
extract a rar file, and the sound is constantly repeating when my system 
freezes, but nothing useful in journalctl.

Re: [PATCH 2/3] mm: page table check

[Fusion]

I ran journalctl -kf to see what happened when my system freezed.

There are "IPV6 table full" error messages and khugepaged constantly reporting RIPs.

So it could be when memory consumption is over a certain percent, the bug will be triggered.

Re: [PATCH 2/3] mm: page table check

[Fusion Future]

> So it could be when memory consumption is over a certain percent, the bug will be triggered.

Bisected and at the commit "[04ce8955fbe4d84376b92b875c42942489fcf3c5] 
mm: page table check", the system still doesn't encounter any freezes. 
So it's not this commit that introduces the bug. Sorry for bothering.

Re: [PATCH 2/3] mm: page table check

[Pasha Tatashin]

On Sun, Nov 28, 2021 at 11:54 AM Fusion Future <qydwhotmail@gmail.com> wrote:
>
> > So it could be when memory consumption is over a certain percent, the bug will be triggered.
>
> Bisected and at the commit "[04ce8955fbe4d84376b92b875c42942489fcf3c5]
> mm: page table check", the system still doesn't encounter any freezes.
> So it's not this commit that introduces the bug. Sorry for bothering.

This commit by itself would not cause the freeze or BUG_ON(), but the
next commit which enables it on x86 arch might.

Pasha

Re: [PATCH 2/3] mm: page table check

[Fusion Future]

On 2021/11/29 00:57, Pasha Tatashin wrote:
> This commit by itself would not cause the freeze or BUG_ON(), but the
> next commit which enables it on x86 arch might.

Yes, you are right. At the commit 
"[1e67abff1820489435aad3fcf258708c21c283ef] x86: mm: add x86_64 support 
for page table check" my system starts to experience the freeze.

I can now reproduce the freeze by following the steps below:

1. Open 20 YouTube video pages, and a YouTube Music page.
2. Play music in the background. (The step can be omitted)
3. Run `git clone 
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git ln`

git will never successfully clone the repo because the system will 
freeze during the operation.

I also tried adding `page_table_check=off` to the boot option but still 
experienced the freeze. Perhaps the option is of no use.

Re: [PATCH 2/3] mm: page table check

[Pasha Tatashin]

On Sun, Nov 28, 2021 at 9:57 PM Fusion Future <qydwhotmail@gmail.com> wrote:
>
> On 2021/11/29 00:57, Pasha Tatashin wrote:
> > This commit by itself would not cause the freeze or BUG_ON(), but the
> > next commit which enables it on x86 arch might.
>
> Yes, you are right. At the commit
> "[1e67abff1820489435aad3fcf258708c21c283ef] x86: mm: add x86_64 support
> for page table check" my system starts to experience the freeze.
>
> I can now reproduce the freeze by following the steps below:
>
> 1. Open 20 YouTube video pages, and a YouTube Music page.
> 2. Play music in the background. (The step can be omitted)
> 3. Run `git clone
> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git ln`

Thanks, I found a reliable way to reproduce this problem on my workstation:
reduce the amount of physical memory to 4G via memmap kernel
parameter,  and use a script that starts chrome browser with 20 tabs
each pointing to a youtube.com page.

I will send an update after root cause.

> git will never successfully clone the repo because the system will
> freeze during the operation.
>
> I also tried adding `page_table_check=off` to the boot option but still

I will add support for page_table_check=off even when
CONFIG_PAGE_TABLE_CHECK_ENFORCED is set

Thanks,
Pasha

Re: [PATCH 2/3] mm: page table check

[Jiri Slaby]

On 23. 11. 21, 22:48, Pasha Tatashin wrote:
> Check user page table entries at the time they are added and removed.
> 
> Allows to synchronously catch memory corruption issues related to
> double mapping.
> 
> When a pte for an anonymous page is added into page table, we verify
> that this pte does not already point to a file backed page, and vice
> versa if this is a file backed page that is being added we verify that
> this page does not have an anonymous mapping
> 
> We also enforce that read-only sharing for anonymous pages is allowed
> (i.e. cow after fork). All other sharing must be for file pages.
> 
> Page table check allows to protect and debug cases where "struct page"
> metadata became corrupted for some reason. For example, when refcnt or
> mapcount become invalid.
> 
> Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
...
> --- a/mm/Kconfig.debug
> +++ b/mm/Kconfig.debug
> @@ -62,6 +62,30 @@ config PAGE_OWNER
>   
>   	  If unsure, say N.
>   
> +config PAGE_TABLE_CHECK
> +	bool "Check for invalid mappings in user page tables"
> +	depends on ARCH_SUPPORTS_PAGE_TABLE_CHECK
> +	select PAGE_EXTENSION
> +	help
> +	  Check that anonymous page is not being mapped twice with read write
> +	  permissions. Check that anonymous and file pages are not being
> +	  erroneously shared. Since the checking is performed at the time
> +	  entries are added and removed to user page tables, leaking, corruption
> +	  and double mapping problems are detected synchronously.
> +
> +	  If unsure say "n".
> +
> +config PAGE_TABLE_CHECK_ENFORCED
> +	bool "Enforce the page table checking by defauled"

s/defauled/default/

regards,
-- 
js
suse labs

[PATCH 3/3] x86: mm: add x86_64 support for page table check

[Pasha Tatashin]

Add page table check hooks into routines that modify user page tables.

Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
---
 arch/x86/Kconfig               |  1 +
 arch/x86/include/asm/pgtable.h | 29 +++++++++++++++++++++++++++--
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 5e16393d9988..7636ea400a71 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -104,6 +104,7 @@ config X86
 	select ARCH_SUPPORTS_ACPI
 	select ARCH_SUPPORTS_ATOMIC_RMW
 	select ARCH_SUPPORTS_DEBUG_PAGEALLOC
+	select ARCH_SUPPORTS_PAGE_TABLE_CHECK	if X86_64
 	select ARCH_SUPPORTS_NUMA_BALANCING	if X86_64
 	select ARCH_SUPPORTS_KMAP_LOCAL_FORCE_MAP	if NR_CPUS <= 4096
 	select ARCH_SUPPORTS_LTO_CLANG
diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
index 448cd01eb3ec..ae34614b7e8d 100644
--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -26,6 +26,7 @@
 #include <asm/pkru.h>
 #include <asm/fpu/api.h>
 #include <asm-generic/pgtable_uffd.h>
+#include <linux/page_table_check.h>
 
 extern pgd_t early_top_pgt[PTRS_PER_PGD];
 bool __init __early_make_pgtable(unsigned long address, pmdval_t pmd);
@@ -1006,18 +1007,21 @@ static inline pud_t native_local_pudp_get_and_clear(pud_t *pudp)
 static inline void set_pte_at(struct mm_struct *mm, unsigned long addr,
 			      pte_t *ptep, pte_t pte)
 {
+	page_table_check_pte_set(mm, addr, ptep, pte);
 	set_pte(ptep, pte);
 }
 
 static inline void set_pmd_at(struct mm_struct *mm, unsigned long addr,
 			      pmd_t *pmdp, pmd_t pmd)
 {
+	page_table_check_pmd_set(mm, addr, pmdp, pmd);
 	set_pmd(pmdp, pmd);
 }
 
 static inline void set_pud_at(struct mm_struct *mm, unsigned long addr,
 			      pud_t *pudp, pud_t pud)
 {
+	page_table_check_pud_set(mm, addr, pudp, pud);
 	native_set_pud(pudp, pud);
 }
 
@@ -1048,6 +1052,7 @@ static inline pte_t ptep_get_and_clear(struct mm_struct *mm, unsigned long addr,
 				       pte_t *ptep)
 {
 	pte_t pte = native_ptep_get_and_clear(ptep);
+	page_table_check_pte_clear(mm, addr, pte);
 	return pte;
 }
 
@@ -1063,12 +1068,23 @@ static inline pte_t ptep_get_and_clear_full(struct mm_struct *mm,
 		 * care about updates and native needs no locking
 		 */
 		pte = native_local_ptep_get_and_clear(ptep);
+		page_table_check_pte_clear(mm, addr, pte);
 	} else {
 		pte = ptep_get_and_clear(mm, addr, ptep);
 	}
 	return pte;
 }
 
+#define __HAVE_ARCH_PTEP_CLEAR
+static inline void ptep_clear(struct mm_struct *mm, unsigned long addr,
+			      pte_t *ptep)
+{
+	if (IS_ENABLED(CONFIG_PAGE_TABLE_CHECK))
+		ptep_get_and_clear(mm, addr, ptep);
+	else
+		pte_clear(mm, addr, ptep);
+}
+
 #define __HAVE_ARCH_PTEP_SET_WRPROTECT
 static inline void ptep_set_wrprotect(struct mm_struct *mm,
 				      unsigned long addr, pte_t *ptep)
@@ -1109,14 +1125,22 @@ static inline int pmd_write(pmd_t pmd)
 static inline pmd_t pmdp_huge_get_and_clear(struct mm_struct *mm, unsigned long addr,
 				       pmd_t *pmdp)
 {
-	return native_pmdp_get_and_clear(pmdp);
+	pmd_t pmd = native_pmdp_get_and_clear(pmdp);
+
+	page_table_check_pmd_clear(mm, addr, pmd);
+
+	return pmd;
 }
 
 #define __HAVE_ARCH_PUDP_HUGE_GET_AND_CLEAR
 static inline pud_t pudp_huge_get_and_clear(struct mm_struct *mm,
 					unsigned long addr, pud_t *pudp)
 {
-	return native_pudp_get_and_clear(pudp);
+	pud_t pud = native_pudp_get_and_clear(pudp);
+
+	page_table_check_pud_clear(mm, addr, pud);
+
+	return pud;
 }
 
 #define __HAVE_ARCH_PMDP_SET_WRPROTECT
@@ -1137,6 +1161,7 @@ static inline int pud_write(pud_t pud)
 static inline pmd_t pmdp_establish(struct vm_area_struct *vma,
 		unsigned long address, pmd_t *pmdp, pmd_t pmd)
 {
+	page_table_check_pmd_set(vma->vm_mm, address, pmdp, pmd);
 	if (IS_ENABLED(CONFIG_SMP)) {
 		return xchg(pmdp, pmd);
 	} else {
-- 
2.34.0.rc2.393.gf8c9666880-goog

Re: [PATCH 3/3] x86: mm: add x86_64 support for page table check

[Jiri Slaby]

On 23. 11. 21, 22:48, Pasha Tatashin wrote:
> Add page table check hooks into routines that modify user page tables.

Hi,

I bisected to this as this causes crashes during modules load:
#PF: supervisor write access in kernel mode
#PF: error_code(0x0003) - permissions violation
PGD 6d615067 P4D 6d615067 PUD 6d616063 PMD 800000006d2001e1
Oops: 0003 [#1] PREEMPT SMP PTI
CPU: 0 PID: 6189 Comm: modprobe Kdump: loaded Tainted: G          I E 
   5.16.0-rc2-next-20211129-vanilla #3 
83846a405f0e3937f5c8dfbc7d449622b8f46369
Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./To be 
filled by O.E.M., BIOS SDBLI944.86P 05/08/2007
RIP: 0010:jump_label_module_notify (kernel/jump_label.c:370 
kernel/jump_label.c:670 kernel/jump_label.c:748)
Code: 00 48 8b 43 08 a8 02 0f 85 e9 00 00 00 48 83 e0 fc 48 c7 02 00 00 
00 00 48 89 42 08 48 8b 43 08 83 e0 03 48 09 c2 48 83 ca 02 <48> 89 53 
08 4d 89 66 10 49 89 6e 08 48 8b 43 08 a8 02 0f 84 98 00
All code
========
    0:	00 48 8b             	add    %cl,-0x75(%rax)
    3:	43 08 a8 02 0f 85 e9 	rex.XB or %bpl,-0x167af0fe(%r8)
    a:	00 00                	add    %al,(%rax)
    c:	00 48 83             	add    %cl,-0x7d(%rax)
    f:	e0 fc                	loopne 0xd
   11:	48 c7 02 00 00 00 00 	movq   $0x0,(%rdx)
   18:	48 89 42 08          	mov    %rax,0x8(%rdx)
   1c:	48 8b 43 08          	mov    0x8(%rbx),%rax
   20:	83 e0 03             	and    $0x3,%eax
   23:	48 09 c2             	or     %rax,%rdx
   26:	48 83 ca 02          	or     $0x2,%rdx
   2a:*	48 89 53 08          	mov    %rdx,0x8(%rbx)		<-- trapping 
instruction
   2e:	4d 89 66 10          	mov    %r12,0x10(%r14)
   32:	49 89 6e 08          	mov    %rbp,0x8(%r14)
   36:	48 8b 43 08          	mov    0x8(%rbx),%rax
   3a:	a8 02                	test   $0x2,%al
   3c:	0f                   	.byte 0xf
   3d:	84                   	.byte 0x84
   3e:	98                   	cwtl
	...

Code starting with the faulting instruction
===========================================
    0:	48 89 53 08          	mov    %rdx,0x8(%rbx)
    4:	4d 89 66 10          	mov    %r12,0x10(%r14)
    8:	49 89 6e 08          	mov    %rbp,0x8(%r14)
    c:	48 8b 43 08          	mov    0x8(%rbx),%rax
   10:	a8 02                	test   $0x2,%al
   12:	0f                   	.byte 0xf
   13:	84                   	.byte 0x84
   14:	98                   	cwtl
	...
RSP: 0018:ffffaf4dc051fbe8 EFLAGS: 00010282
RAX: 0000000000000001 RBX: ffffffff931ee760 RCX: 0000000000000001
RDX: ffff9d1aa7d43883 RSI: ffffffff91c50aa0 RDI: ffffffff931ee760
RBP: ffffffffc0782000 R08: 0000000000000020 R09: 0000000000000000
R10: ffff9d1aa7d43880 R11: 0000000000000000 R12: ffffffffc079a980
R13: ffffffffc0784080 R14: ffff9d1aa7d43ca0 R15: ffffffffc0782008
FS:  00007f87104b8740(0000) GS:ffff9d1b45c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff931ee768 CR3: 000000010fdce000 CR4: 00000000000006f0
Call Trace:
  <TASK>
blocking_notifier_call_chain_robust (kernel/notifier.c:83 
kernel/notifier.c:118 kernel/notifier.c:283 kernel/notifier.c:271)
load_module (./include/linux/notifier.h:198 kernel/module.c:3923 
kernel/module.c:4100)
__do_sys_finit_module (kernel/module.c:4224)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113)

> Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
> ---
>   arch/x86/Kconfig               |  1 +
>   arch/x86/include/asm/pgtable.h | 29 +++++++++++++++++++++++++++--
>   2 files changed, 28 insertions(+), 2 deletions(-)
> 

regards,
-- 
js
suse labs

Re: [PATCH 3/3] x86: mm: add x86_64 support for page table check

[Jiri Slaby]

On 01. 12. 21, 9:00, Jiri Slaby wrote:
> On 23. 11. 21, 22:48, Pasha Tatashin wrote:
>> Add page table check hooks into routines that modify user page tables.
> 
> Hi,
> 
> I bisected to this as this causes crashes during modules load:

And it's not enough to unset CONFIG_PAGE_TABLE_CHECK_ENFORCED. I had to 
unset CONFIG_PAGE_TABLE_CHECK completely to get rid of this.

> #PF: supervisor write access in kernel mode
> #PF: error_code(0x0003) - permissions violation
> PGD 6d615067 P4D 6d615067 PUD 6d616063 PMD 800000006d2001e1
> Oops: 0003 [#1] PREEMPT SMP PTI
> CPU: 0 PID: 6189 Comm: modprobe Kdump: loaded Tainted: G          I E   
> 5.16.0-rc2-next-20211129-vanilla #3 
> 83846a405f0e3937f5c8dfbc7d449622b8f46369
> Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./To be 
> filled by O.E.M., BIOS SDBLI944.86P 05/08/2007
> RIP: 0010:jump_label_module_notify (kernel/jump_label.c:370 
> kernel/jump_label.c:670 kernel/jump_label.c:748)
> Code: 00 48 8b 43 08 a8 02 0f 85 e9 00 00 00 48 83 e0 fc 48 c7 02 00 00 
> 00 00 48 89 42 08 48 8b 43 08 83 e0 03 48 09 c2 48 83 ca 02 <48> 89 53 
> 08 4d 89 66 10 49 89 6e 08 48 8b 43 08 a8 02 0f 84 98 00
> All code
> ========
>     0:    00 48 8b                 add    %cl,-0x75(%rax)
>     3:    43 08 a8 02 0f 85 e9     rex.XB or %bpl,-0x167af0fe(%r8)
>     a:    00 00                    add    %al,(%rax)
>     c:    00 48 83                 add    %cl,-0x7d(%rax)
>     f:    e0 fc                    loopne 0xd
>    11:    48 c7 02 00 00 00 00     movq   $0x0,(%rdx)
>    18:    48 89 42 08              mov    %rax,0x8(%rdx)
>    1c:    48 8b 43 08              mov    0x8(%rbx),%rax
>    20:    83 e0 03                 and    $0x3,%eax
>    23:    48 09 c2                 or     %rax,%rdx
>    26:    48 83 ca 02              or     $0x2,%rdx
>    2a:*    48 89 53 08              mov    %rdx,0x8(%rbx)        <-- 
> trapping instruction
>    2e:    4d 89 66 10              mov    %r12,0x10(%r14)
>    32:    49 89 6e 08              mov    %rbp,0x8(%r14)
>    36:    48 8b 43 08              mov    0x8(%rbx),%rax
>    3a:    a8 02                    test   $0x2,%al
>    3c:    0f                       .byte 0xf
>    3d:    84                       .byte 0x84
>    3e:    98                       cwtl
>      ...
> 
> Code starting with the faulting instruction
> ===========================================
>     0:    48 89 53 08              mov    %rdx,0x8(%rbx)
>     4:    4d 89 66 10              mov    %r12,0x10(%r14)
>     8:    49 89 6e 08              mov    %rbp,0x8(%r14)
>     c:    48 8b 43 08              mov    0x8(%rbx),%rax
>    10:    a8 02                    test   $0x2,%al
>    12:    0f                       .byte 0xf
>    13:    84                       .byte 0x84
>    14:    98                       cwtl
>      ...
> RSP: 0018:ffffaf4dc051fbe8 EFLAGS: 00010282
> RAX: 0000000000000001 RBX: ffffffff931ee760 RCX: 0000000000000001
> RDX: ffff9d1aa7d43883 RSI: ffffffff91c50aa0 RDI: ffffffff931ee760
> RBP: ffffffffc0782000 R08: 0000000000000020 R09: 0000000000000000
> R10: ffff9d1aa7d43880 R11: 0000000000000000 R12: ffffffffc079a980
> R13: ffffffffc0784080 R14: ffff9d1aa7d43ca0 R15: ffffffffc0782008
> FS:  00007f87104b8740(0000) GS:ffff9d1b45c00000(0000) 
> knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffffff931ee768 CR3: 000000010fdce000 CR4: 00000000000006f0
> Call Trace:
>   <TASK>
> blocking_notifier_call_chain_robust (kernel/notifier.c:83 
> kernel/notifier.c:118 kernel/notifier.c:283 kernel/notifier.c:271)
> load_module (./include/linux/notifier.h:198 kernel/module.c:3923 
> kernel/module.c:4100)
> __do_sys_finit_module (kernel/module.c:4224)
> do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113)
> 
>> Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
>> ---
>>   arch/x86/Kconfig               |  1 +
>>   arch/x86/include/asm/pgtable.h | 29 +++++++++++++++++++++++++++--
>>   2 files changed, 28 insertions(+), 2 deletions(-)
>>
> 
> regards,


-- 
js
suse labs

Re: [PATCH 3/3] x86: mm: add x86_64 support for page table check

[Pasha Tatashin]

On Wed, Dec 1, 2021 at 3:44 AM Jiri Slaby <jirislaby@kernel.org> wrote:
>
> On 01. 12. 21, 9:00, Jiri Slaby wrote:
> > On 23. 11. 21, 22:48, Pasha Tatashin wrote:
> >> Add page table check hooks into routines that modify user page tables.
> >
> > Hi,
> >
> > I bisected to this as this causes crashes during modules load:
>
> And it's not enough to unset CONFIG_PAGE_TABLE_CHECK_ENFORCED. I had to
> unset CONFIG_PAGE_TABLE_CHECK completely to get rid of this.

Hi,

Thanks for reporting this. Seems like module load for some reasons
does not like the static branches. However, I was not able to repro
this. Could you please share your config and the module that you were
loading?

Thank you,
Pasha

>
> > #PF: supervisor write access in kernel mode
> > #PF: error_code(0x0003) - permissions violation
> > PGD 6d615067 P4D 6d615067 PUD 6d616063 PMD 800000006d2001e1
> > Oops: 0003 [#1] PREEMPT SMP PTI
> > CPU: 0 PID: 6189 Comm: modprobe Kdump: loaded Tainted: G          I E
> > 5.16.0-rc2-next-20211129-vanilla #3
> > 83846a405f0e3937f5c8dfbc7d449622b8f46369
> > Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./To be
> > filled by O.E.M., BIOS SDBLI944.86P 05/08/2007
> > RIP: 0010:jump_label_module_notify (kernel/jump_label.c:370
> > kernel/jump_label.c:670 kernel/jump_label.c:748)
> > Code: 00 48 8b 43 08 a8 02 0f 85 e9 00 00 00 48 83 e0 fc 48 c7 02 00 00
> > 00 00 48 89 42 08 48 8b 43 08 83 e0 03 48 09 c2 48 83 ca 02 <48> 89 53
> > 08 4d 89 66 10 49 89 6e 08 48 8b 43 08 a8 02 0f 84 98 00
> > All code
> > ========
> >     0:    00 48 8b                 add    %cl,-0x75(%rax)
> >     3:    43 08 a8 02 0f 85 e9     rex.XB or %bpl,-0x167af0fe(%r8)
> >     a:    00 00                    add    %al,(%rax)
> >     c:    00 48 83                 add    %cl,-0x7d(%rax)
> >     f:    e0 fc                    loopne 0xd
> >    11:    48 c7 02 00 00 00 00     movq   $0x0,(%rdx)
> >    18:    48 89 42 08              mov    %rax,0x8(%rdx)
> >    1c:    48 8b 43 08              mov    0x8(%rbx),%rax
> >    20:    83 e0 03                 and    $0x3,%eax
> >    23:    48 09 c2                 or     %rax,%rdx
> >    26:    48 83 ca 02              or     $0x2,%rdx
> >    2a:*    48 89 53 08              mov    %rdx,0x8(%rbx)        <--
> > trapping instruction
> >    2e:    4d 89 66 10              mov    %r12,0x10(%r14)
> >    32:    49 89 6e 08              mov    %rbp,0x8(%r14)
> >    36:    48 8b 43 08              mov    0x8(%rbx),%rax
> >    3a:    a8 02                    test   $0x2,%al
> >    3c:    0f                       .byte 0xf
> >    3d:    84                       .byte 0x84
> >    3e:    98                       cwtl
> >      ...
> >
> > Code starting with the faulting instruction
> > ===========================================
> >     0:    48 89 53 08              mov    %rdx,0x8(%rbx)
> >     4:    4d 89 66 10              mov    %r12,0x10(%r14)
> >     8:    49 89 6e 08              mov    %rbp,0x8(%r14)
> >     c:    48 8b 43 08              mov    0x8(%rbx),%rax
> >    10:    a8 02                    test   $0x2,%al
> >    12:    0f                       .byte 0xf
> >    13:    84                       .byte 0x84
> >    14:    98                       cwtl
> >      ...
> > RSP: 0018:ffffaf4dc051fbe8 EFLAGS: 00010282
> > RAX: 0000000000000001 RBX: ffffffff931ee760 RCX: 0000000000000001
> > RDX: ffff9d1aa7d43883 RSI: ffffffff91c50aa0 RDI: ffffffff931ee760
> > RBP: ffffffffc0782000 R08: 0000000000000020 R09: 0000000000000000
> > R10: ffff9d1aa7d43880 R11: 0000000000000000 R12: ffffffffc079a980
> > R13: ffffffffc0784080 R14: ffff9d1aa7d43ca0 R15: ffffffffc0782008
> > FS:  00007f87104b8740(0000) GS:ffff9d1b45c00000(0000)
> > knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: ffffffff931ee768 CR3: 000000010fdce000 CR4: 00000000000006f0
> > Call Trace:
> >   <TASK>
> > blocking_notifier_call_chain_robust (kernel/notifier.c:83
> > kernel/notifier.c:118 kernel/notifier.c:283 kernel/notifier.c:271)
> > load_module (./include/linux/notifier.h:198 kernel/module.c:3923
> > kernel/module.c:4100)
> > __do_sys_finit_module (kernel/module.c:4224)
> > do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
> > entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113)
> >
> >> Signed-off-by: Pasha Tatashin <pasha.tatashin@soleen.com>
> >> ---
> >>   arch/x86/Kconfig               |  1 +
> >>   arch/x86/include/asm/pgtable.h | 29 +++++++++++++++++++++++++++--
> >>   2 files changed, 28 insertions(+), 2 deletions(-)
> >>
> >
> > regards,
>
>
> --
> js
> suse labs

Re: [PATCH 3/3] x86: mm: add x86_64 support for page table check

[Jiri Slaby]

On 01. 12. 21, 14:55, Pasha Tatashin wrote:
> On Wed, Dec 1, 2021 at 3:44 AM Jiri Slaby <jirislaby@kernel.org> wrote:
>>
>> On 01. 12. 21, 9:00, Jiri Slaby wrote:
>>> On 23. 11. 21, 22:48, Pasha Tatashin wrote:
>>>> Add page table check hooks into routines that modify user page tables.
>>>
>>> Hi,
>>>
>>> I bisected to this as this causes crashes during modules load:
>>
>> And it's not enough to unset CONFIG_PAGE_TABLE_CHECK_ENFORCED. I had to
>> unset CONFIG_PAGE_TABLE_CHECK completely to get rid of this.
> 
> Hi,
> 
> Thanks for reporting this. Seems like module load for some reasons
> does not like the static branches. However, I was not able to repro
> this. Could you please share your config and the module that you were
> loading?

It's the openSUSE's -next config:
https://raw.githubusercontent.com/openSUSE/kernel-source/linux-next/config/x86_64/vanilla

But with CONFIG_IWLMEI=n (as that fails to link).

One has to load i915, other modules (71 on my system) are apparently fine.

i915 tries to patch your `page_table_check_disabled' which is defined as 
`DEFINE_STATIC_KEY_TRUE_RO':
 > jump_label_add_module: key=__tracepoint_mmap_lock_released 
(ffffffff93f36d88) mod=0000000000000000
 > jump_label_add_module: key=hugetlb_free_vmemmap_enabled_key 
(ffffffff94873560) mod=0000000000000000
 > jump_label_add_module: key=devmap_managed_key (ffffffff94902700) 
mod=0000000000000000
 > jump_label_add_module: key=page_table_check_disabled 
(ffffffff939da760) mod=0000000000000000
 > BUG: unable to handle page fault for address: ffffffff939da768

regards,
-- 
js
suse labs

Re: [PATCH 3/3] x86: mm: add x86_64 support for page table check

[Jiri Slaby]

On 02. 12. 21, 10:59, Jiri Slaby wrote:
> On 01. 12. 21, 14:55, Pasha Tatashin wrote:
>> On Wed, Dec 1, 2021 at 3:44 AM Jiri Slaby <jirislaby@kernel.org> wrote:
>>>
>>> On 01. 12. 21, 9:00, Jiri Slaby wrote:
>>>> On 23. 11. 21, 22:48, Pasha Tatashin wrote:
>>>>> Add page table check hooks into routines that modify user page tables.
>>>>
>>>> Hi,
>>>>
>>>> I bisected to this as this causes crashes during modules load:
>>>
>>> And it's not enough to unset CONFIG_PAGE_TABLE_CHECK_ENFORCED. I had to
>>> unset CONFIG_PAGE_TABLE_CHECK completely to get rid of this.
>>
>> Hi,
>>
>> Thanks for reporting this. Seems like module load for some reasons
>> does not like the static branches. However, I was not able to repro
>> this. Could you please share your config and the module that you were
>> loading?
> 
> It's the openSUSE's -next config:
> https://raw.githubusercontent.com/openSUSE/kernel-source/linux-next/config/x86_64/vanilla 
> 
> 
> But with CONFIG_IWLMEI=n (as that fails to link).
> 
> One has to load i915, other modules (71 on my system) are apparently fine.
> 
> i915 tries to patch your `page_table_check_disabled' which is defined as 
> `DEFINE_STATIC_KEY_TRUE_RO':
>  > jump_label_add_module: key=__tracepoint_mmap_lock_released 
> (ffffffff93f36d88) mod=0000000000000000
>  > jump_label_add_module: key=hugetlb_free_vmemmap_enabled_key 
> (ffffffff94873560) mod=0000000000000000
>  > jump_label_add_module: key=devmap_managed_key (ffffffff94902700) 
> mod=0000000000000000
>  > jump_label_add_module: key=page_table_check_disabled 
> (ffffffff939da760) mod=0000000000000000
>  > BUG: unable to handle page fault for address: ffffffff939da768

Provided you EXPORT page_table_check_disabled and it can be used from 
modules, it can be barely marked as RO. So the below indeed fixes the 
problem for me:

--- a/mm/page_table_check.c
+++ b/mm/page_table_check.c
@@ -18,7 +18,7 @@ struct page_table_check {
  static bool __page_table_check_enabled __initdata =
 
IS_ENABLED(CONFIG_PAGE_TABLE_CHECK_ENFORCED);

-DEFINE_STATIC_KEY_TRUE_RO(page_table_check_disabled);
+DEFINE_STATIC_KEY_TRUE(page_table_check_disabled);
  EXPORT_SYMBOL(page_table_check_disabled);

  static int __init early_page_table_check_param(char *buf)

> 
> regards,


-- 
js
suse labs

Re: [PATCH 3/3] x86: mm: add x86_64 support for page table check

[Muchun Song]

On Thu, Dec 2, 2021 at 6:06 PM Jiri Slaby <jirislaby@kernel.org> wrote:
>
> On 02. 12. 21, 10:59, Jiri Slaby wrote:
> > On 01. 12. 21, 14:55, Pasha Tatashin wrote:
> >> On Wed, Dec 1, 2021 at 3:44 AM Jiri Slaby <jirislaby@kernel.org> wrote:
> >>>
> >>> On 01. 12. 21, 9:00, Jiri Slaby wrote:
> >>>> On 23. 11. 21, 22:48, Pasha Tatashin wrote:
> >>>>> Add page table check hooks into routines that modify user page tables.
> >>>>
> >>>> Hi,
> >>>>
> >>>> I bisected to this as this causes crashes during modules load:
> >>>
> >>> And it's not enough to unset CONFIG_PAGE_TABLE_CHECK_ENFORCED. I had to
> >>> unset CONFIG_PAGE_TABLE_CHECK completely to get rid of this.
> >>
> >> Hi,
> >>
> >> Thanks for reporting this. Seems like module load for some reasons
> >> does not like the static branches. However, I was not able to repro
> >> this. Could you please share your config and the module that you were
> >> loading?
> >
> > It's the openSUSE's -next config:
> > https://raw.githubusercontent.com/openSUSE/kernel-source/linux-next/config/x86_64/vanilla
> >
> >
> > But with CONFIG_IWLMEI=n (as that fails to link).
> >
> > One has to load i915, other modules (71 on my system) are apparently fine.
> >
> > i915 tries to patch your `page_table_check_disabled' which is defined as
> > `DEFINE_STATIC_KEY_TRUE_RO':
> >  > jump_label_add_module: key=__tracepoint_mmap_lock_released
> > (ffffffff93f36d88) mod=0000000000000000
> >  > jump_label_add_module: key=hugetlb_free_vmemmap_enabled_key
> > (ffffffff94873560) mod=0000000000000000
> >  > jump_label_add_module: key=devmap_managed_key (ffffffff94902700)
> > mod=0000000000000000
> >  > jump_label_add_module: key=page_table_check_disabled
> > (ffffffff939da760) mod=0000000000000000
> >  > BUG: unable to handle page fault for address: ffffffff939da768
>
> Provided you EXPORT page_table_check_disabled and it can be used from
> modules, it can be barely marked as RO. So the below indeed fixes the
> problem for me:

Agree. I had encountered a similar problem some months ago. In one
word, DEFINE_STATIC_KEY_TRUE_RO() and EXPORT_SYMBOL()
are mutually exclusive.

Thanks.

>
> --- a/mm/page_table_check.c
> +++ b/mm/page_table_check.c
> @@ -18,7 +18,7 @@ struct page_table_check {
>   static bool __page_table_check_enabled __initdata =
>
> IS_ENABLED(CONFIG_PAGE_TABLE_CHECK_ENFORCED);
>
> -DEFINE_STATIC_KEY_TRUE_RO(page_table_check_disabled);
> +DEFINE_STATIC_KEY_TRUE(page_table_check_disabled);
>   EXPORT_SYMBOL(page_table_check_disabled);
>
>   static int __init early_page_table_check_param(char *buf)
>
> >
> > regards,
>
>
> --
> js
> suse labs

Re: [PATCH 3/3] x86: mm: add x86_64 support for page table check

[Pasha Tatashin]

On Thu, Dec 2, 2021 at 5:05 AM Jiri Slaby <jirislaby@kernel.org> wrote:
>
> On 02. 12. 21, 10:59, Jiri Slaby wrote:
> > On 01. 12. 21, 14:55, Pasha Tatashin wrote:
> >> On Wed, Dec 1, 2021 at 3:44 AM Jiri Slaby <jirislaby@kernel.org> wrote:
> >>>
> >>> On 01. 12. 21, 9:00, Jiri Slaby wrote:
> >>>> On 23. 11. 21, 22:48, Pasha Tatashin wrote:
> >>>>> Add page table check hooks into routines that modify user page tables.
> >>>>
> >>>> Hi,
> >>>>
> >>>> I bisected to this as this causes crashes during modules load:
> >>>
> >>> And it's not enough to unset CONFIG_PAGE_TABLE_CHECK_ENFORCED. I had to
> >>> unset CONFIG_PAGE_TABLE_CHECK completely to get rid of this.
> >>
> >> Hi,
> >>
> >> Thanks for reporting this. Seems like module load for some reasons
> >> does not like the static branches. However, I was not able to repro
> >> this. Could you please share your config and the module that you were
> >> loading?
> >
> > It's the openSUSE's -next config:
> > https://raw.githubusercontent.com/openSUSE/kernel-source/linux-next/config/x86_64/vanilla
> >
> >
> > But with CONFIG_IWLMEI=n (as that fails to link).
> >
> > One has to load i915, other modules (71 on my system) are apparently fine.
> >
> > i915 tries to patch your `page_table_check_disabled' which is defined as
> > `DEFINE_STATIC_KEY_TRUE_RO':
> >  > jump_label_add_module: key=__tracepoint_mmap_lock_released
> > (ffffffff93f36d88) mod=0000000000000000
> >  > jump_label_add_module: key=hugetlb_free_vmemmap_enabled_key
> > (ffffffff94873560) mod=0000000000000000
> >  > jump_label_add_module: key=devmap_managed_key (ffffffff94902700)
> > mod=0000000000000000
> >  > jump_label_add_module: key=page_table_check_disabled
> > (ffffffff939da760) mod=0000000000000000
> >  > BUG: unable to handle page fault for address: ffffffff939da768
>
> Provided you EXPORT page_table_check_disabled and it can be used from
> modules, it can be barely marked as RO. So the below indeed fixes the
> problem for me:
>
> --- a/mm/page_table_check.c
> +++ b/mm/page_table_check.c
> @@ -18,7 +18,7 @@ struct page_table_check {
>   static bool __page_table_check_enabled __initdata =
>
> IS_ENABLED(CONFIG_PAGE_TABLE_CHECK_ENFORCED);
>
> -DEFINE_STATIC_KEY_TRUE_RO(page_table_check_disabled);
> +DEFINE_STATIC_KEY_TRUE(page_table_check_disabled);

Makes sense, thanks! I will remove _RO in the next version.

Pasha