syzbot

unknown

map[Benign:true Explanation:The KCSAN report describes a data race between a read-write access in `copy_page_range` and a read access in `dup_mm`.

The report is **consistent**:
1.  **Concurrent Execution**: Two tasks are calling `dup_mm` (likely via `fork`/`clone`) concurrently using the same source `mm_struct` (`oldmm`). This happens when multiple threads in a process fork concurrently, or if a process shares its `mm` with another process that forks.
2.  **Locations**:
    *   Task 14023 is in `dup_mm` -> `dup_mmap` -> `copy_page_range` and performs `do_raw_write_seqcount_begin`. This writes to `oldmm->write_protect_seq`.
    *   Task 14028 is at the beginning of `dup_mm` and performs `memcpy(mm, oldmm, sizeof(*mm))`. This reads the entire `oldmm` structure, including `write_protect_seq`.
3.  **Locking**: `dup_mmap` holds `mmap_write_lock` on `oldmm`, ensuring that only one thread can be executing `dup_mmap` for a given `mm` at a time. However, the `memcpy` in `dup_mm` happens *before* `dup_mmap` is called (and thus before the lock is acquired). Therefore, Task 14028 can read `oldmm` (via `memcpy`) while Task 14023 is modifying it (inside `dup_mmap`).

The data race is **benign**:
*   The race is specifically on the `write_protect_seq` field of `mm_struct`.
*   Task 14028 copies the `write_protect_seq` value from `oldmm` to the new `mm` via `memcpy`.
*   However, immediately after `memcpy`, `dup_mm` calls `mm_init(mm, ...)` (line 1484 in `kernel/fork.c`).
*   `mm_init` calls `seqcount_init(&mm->write_protect_seq)` (line 1036 in `kernel/fork.c`), which unconditionally re-initializes the sequence counter in the new `mm` to 0.
*   Because the value copied by `memcpy` is overwritten before the new `mm` is exposed or used, the fact that `memcpy` might have read a modified or torn value is irrelevant. The copied value is dead data.
*   Other fields that might be modified concurrently (like `total_vm` statistics) are also explicitly re-copied or re-initialized under the `mmap_write_lock` later in `dup_mmap`.

Thus, the race does not affect the correctness of the kernel.]

unknown

map[KernelSrc:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/src/773f0f847f2ee2b95e8c9b7e937cfe071156b037]

unknown

map[KernelObj:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/build/d5455ab8c819dec6fe6856ef3468dbf2d09c4ad5]

unknown

map[Index:codesearch-index]

unknown

map[Benign:true]

You are an experienced Linux kernel developer tasked with determining if the given kernel bug
report is actionable or not. Actionable means that it contains enough info to root cause
the underlying bug, and that the report is self-consistent and makes sense, rather than
a one-off nonsensical crash induced by a previous memory corruption.

Use the provided tools to confirm any assumptions, what variables/fields being accessed, etc.
In particular, don't make assumptions about the kernel source code,
use codesearch tools to read the actual source code.

The bug report is a data race report from KCSAN tool.
It contains 2 stack traces of the memory accesses that constitute a data race.
The report would be inconsistent, if the stacks point to different subsystems,
or if they access different fields.
The report would be non-actionable, if the underlysing data race is "benign".
That is, the race is on a simple int/bool or similar field, and the accesses
are not supposed to be protected by any mutual exclusion primitives.
Common examples of such "benign" data races are accesses to various flags fields,
statistics counters, and similar.
An actionable race is "harmful", that is can lead to corruption/crash even with
a conservative compiler that compiles memory accesses to primitive types
effectively as atomic. A common example of a "harmful" data races is race on
a complex container (list/hashmap/etc), where accesses are supposed to be protected
by a mutual exclusion primitive.
In the final reply explain why you think the report is consistent and the data race is harmful.


Use set-results tool to provide results of the analysis.
It must be called exactly once before the final reply.
Ignore results of this tool.

The bug report is:

==================================================================
BUG: KCSAN: data-race in copy_mm / copy_page_range

read-write to 0xffff88810cbbeee0 of 4 bytes by task 14023 on cpu 0:
 do_raw_write_seqcount_begin include/linux/seqlock.h:431 [inline]
 copy_page_range+0x25e/0x3be0 mm/memory.c:1529
 dup_mmap+0x885/0xf20 mm/mmap.c:1834
 dup_mm kernel/fork.c:1489 [inline]
 copy_mm+0x11a/0x370 kernel/fork.c:1541
 copy_process+0xd08/0x2000 kernel/fork.c:2181
 kernel_clone+0x16c/0x5c0 kernel/fork.c:2609
 __do_sys_clone kernel/fork.c:2750 [inline]
 __se_sys_clone kernel/fork.c:2734 [inline]
 __x64_sys_clone+0xe6/0x120 kernel/fork.c:2734
 x64_sys_call+0x119c/0x3000 arch/x86/include/generated/asm/syscalls_64.h:57
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffff88810cbbed40 of 1408 bytes by task 14028 on cpu 1:
 dup_mm kernel/fork.c:1483 [inline]
 copy_mm+0xe2/0x370 kernel/fork.c:1541
 copy_process+0xd08/0x2000 kernel/fork.c:2181
 kernel_clone+0x16c/0x5c0 kernel/fork.c:2609
 __do_sys_clone kernel/fork.c:2750 [inline]
 __se_sys_clone kernel/fork.c:2734 [inline]
 __x64_sys_clone+0xe6/0x120 kernel/fork.c:2734
 x64_sys_call+0x119c/0x3000 arch/x86/include/generated/asm/syscalls_64.h:57
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xd2/0x200 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 14028 Comm: syz.0.3794 Tainted: G        W           syzkaller #0 PREEMPT(voluntary) 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
==================================================================

The KCSAN report describes a data race between a read-write access in `copy_page_range` and a read access in `dup_mm`.

The report is **consistent**:
1.  **Concurrent Execution**: Two tasks are calling `dup_mm` (likely via `fork`/`clone`) concurrently using the same source `mm_struct` (`oldmm`). This happens when multiple threads in a process fork concurrently, or if a process shares its `mm` with another process that forks.
2.  **Locations**:
    *   Task 14023 is in `dup_mm` -> `dup_mmap` -> `copy_page_range` and performs `do_raw_write_seqcount_begin`. This writes to `oldmm->write_protect_seq`.
    *   Task 14028 is at the beginning of `dup_mm` and performs `memcpy(mm, oldmm, sizeof(*mm))`. This reads the entire `oldmm` structure, including `write_protect_seq`.
3.  **Locking**: `dup_mmap` holds `mmap_write_lock` on `oldmm`, ensuring that only one thread can be executing `dup_mmap` for a given `mm` at a time. However, the `memcpy` in `dup_mm` happens *before* `dup_mmap` is called (and thus before the lock is acquired). Therefore, Task 14028 can read `oldmm` (via `memcpy`) while Task 14023 is modifying it (inside `dup_mmap`).

The data race is **benign**:
*   The race is specifically on the `write_protect_seq` field of `mm_struct`.
*   Task 14028 copies the `write_protect_seq` value from `oldmm` to the new `mm` via `memcpy`.
*   However, immediately after `memcpy`, `dup_mm` calls `mm_init(mm, ...)` (line 1484 in `kernel/fork.c`).
*   `mm_init` calls `seqcount_init(&mm->write_protect_seq)` (line 1036 in `kernel/fork.c`), which unconditionally re-initializes the sequence counter in the new `mm` to 0.
*   Because the value copied by `memcpy` is overwritten before the new `mm` is exposed or used, the fact that `memcpy` might have read a modified or torn value is irrelevant. The copied value is dead data.
*   Other fields that might be modified concurrently (like `total_vm` statistics) are also explicitly re-copied or re-initialized under the `mmap_write_lock` later in `dup_mmap`.

Thus, the race does not affect the correctness of the kernel.

unknown

unknown

map[SourceFile:kernel/fork.c]

map[Entities:[map[Kind:function Name:__cleanup_sighand] map[Kind:function Name:__delayed_free_task] map[Kind:function Name:__do_sys_clone] map[Kind:function Name:__do_sys_clone] map[Kind:function Name:__do_sys_clone3] map[Kind:function Name:__do_sys_clone3] map[Kind:function Name:__do_sys_fork] map[Kind:function Name:__do_sys_fork] map[Kind:function Name:__do_sys_set_tid_address] map[Kind:function Name:__do_sys_set_tid_address] map[Kind:function Name:__do_sys_unshare] map[Kind:function Name:__do_sys_unshare] map[Kind:function Name:__do_sys_vfork] map[Kind:function Name:__do_sys_vfork] map[Kind:function Name:__ia32_sys_clone] map[Kind:function Name:__ia32_sys_clone3] map[Kind:function Name:__ia32_sys_set_tid_address] map[Kind:function Name:__ia32_sys_unshare] map[Kind:function Name:__mmdrop] map[Kind:function Name:__mmdrop] map[Kind:function Name:__mmput] map[Kind:function Name:__put_task_struct] map[Kind:function Name:__put_task_struct] map[Kind:function Name:__put_task_struct_rcu_cb] map[Kind:function Name:__put_task_struct_rcu_cb] map[Kind:function Name:__se_sys_clone] map[Kind:function Name:__se_sys_clone3] map[Kind:function Name:__se_sys_set_tid_address] map[Kind:function Name:__se_sys_unshare] map[Kind:function Name:__x64_sys_clone] map[Kind:function Name:__x64_sys_clone3] map[Kind:function Name:__x64_sys_set_tid_address] map[Kind:function Name:__x64_sys_unshare] map[Kind:function Name:account_kernel_stack] map[Kind:function Name:alloc_task_struct_node] map[Kind:function Name:alloc_thread_stack_node] map[Kind:function Name:arch_dup_task_struct] map[Kind:function Name:arch_release_task_struct] map[Kind:function Name:arch_task_cache_init] map[Kind:function Name:check_mm] map[Kind:function Name:check_unshare_flags] map[Kind:function Name:cleanup_lazy_tlbs] map[Kind:function Name:clone3_args_valid] map[Kind:function Name:clone3_stack_valid] map[Kind:function Name:complete_vfork_done] map[Kind:function Name:copy_clone_args_from_user] map[Kind:function Name:copy_files] map[Kind:function Name:copy_fs] map[Kind:function Name:copy_mm] map[Kind:function Name:copy_oom_score_adj] map[Kind:function Name:copy_process] map[Kind:function Name:copy_seccomp] map[Kind:function Name:copy_sighand] map[Kind:function Name:copy_signal] map[Kind:function Name:coredump_filter_setup] map[Kind:function Name:create_io_thread] map[Kind:function Name:delayed_free_task] map[Kind:function Name:do_check_lazy_tlb] map[Kind:function Name:do_shoot_lazy_tlb] map[Kind:function Name:dup_mm] map[Kind:function Name:dup_mm_exe_file] map[Kind:function Name:dup_task_struct] map[Kind:function Name:exec_mm_release] map[Kind:function Name:exit_mm_release] map[Kind:function Name:exit_task_stack_account] map[Kind:function Name:fork_idle] map[Kind:function Name:fork_init] map[Kind:function Name:free_signal_struct] map[Kind:function Name:free_task] map[Kind:function Name:free_task] map[Kind:function Name:free_task_struct] map[Kind:function Name:free_thread_stack] map[Kind:function Name:free_vm_stack_cache] map[Kind:function Name:get_mm_exe_file] map[Kind:function Name:get_task_exe_file] map[Kind:function Name:get_task_mm] map[Kind:function Name:get_task_mm] map[Kind:function Name:idle_dummy] map[Kind:function Name:init_fork_sysctl] map[Kind:function Name:init_idle_pids] map[Kind:function Name:init_task_pid] map[Kind:function Name:init_task_pid_links] map[Kind:function Name:kernel_clone] map[Kind:function Name:kernel_thread] map[Kind:function Name:ksys_unshare] map[Kind:function Name:may_access_mm] map[Kind:function Name:memcg_charge_kernel_stack] map[Kind:function Name:mm_access] map[Kind:function Name:mm_alloc] map[Kind:function Name:mm_alloc_id] map[Kind:function Name:mm_alloc_pgd] map[Kind:function Name:mm_cache_init] map[Kind:function Name:mm_clear_owner] map[Kind:function Name:mm_free_id] map[Kind:function Name:mm_free_pgd] map[Kind:function Name:mm_init] map[Kind:function Name:mm_init_aio] map[Kind:function Name:mm_init_owner] map[Kind:function Name:mm_init_uprobes_state] map[Kind:function Name:mm_release] map[Kind:function Name:mmap_init_lock] map[Kind:function Name:mmdrop_async] map[Kind:function Name:mmdrop_async_fn] map[Kind:function Name:mmput] map[Kind:function Name:mmput] map[Kind:function Name:mmput_async] map[Kind:function Name:mmput_async] map[Kind:function Name:mmput_async_fn] map[Kind:function Name:need_futex_hash_allocate_default] map[Kind:function Name:nr_processes] map[Kind:function Name:pidfd_prepare] map[Kind:function Name:posix_cpu_timers_init_group] map[Kind:function Name:proc_caches_init] map[Kind:function Name:put_signal_struct] map[Kind:function Name:put_task_stack] map[Kind:function Name:rcu_copy_process] map[Kind:function Name:release_task_stack] map[Kind:function Name:replace_mm_exe_file] map[Kind:function Name:rt_mutex_init_task] map[Kind:function Name:set_max_threads] map[Kind:function Name:set_mm_exe_file] map[Kind:function Name:set_task_stack_end_magic] map[Kind:function Name:sighand_ctor] map[Kind:function Name:sysctl_max_threads] map[Kind:function Name:task_struct_whitelist] map[Kind:function Name:thread_stack_delayed_free] map[Kind:function Name:thread_stack_free_rcu] map[Kind:function Name:try_release_thread_stack_to_cache] map[Kind:function Name:unshare_fd] map[Kind:function Name:unshare_files] map[Kind:function Name:unshare_fs] map[Kind:function Name:user_mode_thread] map[Kind:function Name:wait_for_vfork_done] map[Kind:function Name:walk_process_tree]] Missing:false]

unknown

unknown

map[IncludeLines:true Name:dup_mm SourceFile:kernel/fork.c]

map[Missing:false SourceCode:1462:	/**
1463:	 * dup_mm() - duplicates an existing mm structure
1464:	 * @tsk: the task_struct with which the new mm will be associated.
1465:	 * @oldmm: the mm to duplicate.
1466:	 *
1467:	 * Allocates a new mm structure and duplicates the provided @oldmm structure
1468:	 * content into it.
1469:	 *
1470:	 * Return: the duplicated mm or NULL on failure.
1471:	 */
1472:	static struct mm_struct *dup_mm(struct task_struct *tsk,
1473:					struct mm_struct *oldmm)
1474:	{
1475:		struct mm_struct *mm;
1476:		int err;
1477:	
1478:		mm = allocate_mm();
1479:		if (!mm)
1480:			goto fail_nomem;
1481:	
1482:		memcpy(mm, oldmm, sizeof(*mm));
1483:	
1484:		if (!mm_init(mm, tsk, mm->user_ns))
1485:			goto fail_nomem;
1486:	
1487:		uprobe_start_dup_mmap();
1488:		err = dup_mmap(mm, oldmm);
1489:		if (err)
1490:			goto free_pt;
1491:		uprobe_end_dup_mmap();
1492:	
1493:		mm->hiwater_rss = get_mm_rss(mm);
1494:		mm->hiwater_vm = mm->total_vm;
1495:	
1496:		if (mm->binfmt && !try_module_get(mm->binfmt->module))
1497:			goto free_pt;
1498:	
1499:		return mm;
1500:	
1501:	free_pt:
1502:		/* don't put binfmt in mmput, we haven't got module yet */
1503:		mm->binfmt = NULL;
1504:		mm_init_owner(mm, NULL);
1505:		mmput(mm);
1506:		if (err)
1507:			uprobe_end_dup_mmap();
1508:	
1509:	fail_nomem:
1510:		return NULL;
1511:	}
 SourceFile:kernel/fork.c]

unknown

unknown

map[IncludeLines:true Name:dup_mmap SourceFile:mm/mmap.c]

map[Missing:false SourceCode:1718:	__latent_entropy int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
1719:	{
1720:		struct vm_area_struct *mpnt, *tmp;
1721:		int retval;
1722:		unsigned long charge = 0;
1723:		LIST_HEAD(uf);
1724:		VMA_ITERATOR(vmi, mm, 0);
1725:	
1726:		if (mmap_write_lock_killable(oldmm))
1727:			return -EINTR;
1728:		flush_cache_dup_mm(oldmm);
1729:		uprobe_dup_mmap(oldmm, mm);
1730:		/*
1731:		 * Not linked in yet - no deadlock potential:
1732:		 */
1733:		mmap_write_lock_nested(mm, SINGLE_DEPTH_NESTING);
1734:	
1735:		/* No ordering required: file already has been exposed. */
1736:		dup_mm_exe_file(mm, oldmm);
1737:	
1738:		mm->total_vm = oldmm->total_vm;
1739:		mm->data_vm = oldmm->data_vm;
1740:		mm->exec_vm = oldmm->exec_vm;
1741:		mm->stack_vm = oldmm->stack_vm;
1742:	
1743:		/* Use __mt_dup() to efficiently build an identical maple tree. */
1744:		retval = __mt_dup(&oldmm->mm_mt, &mm->mm_mt, GFP_KERNEL);
1745:		if (unlikely(retval))
1746:			goto out;
1747:	
1748:		mt_clear_in_rcu(vmi.mas.tree);
1749:		for_each_vma(vmi, mpnt) {
1750:			struct file *file;
1751:	
1752:			vma_start_write(mpnt);
1753:			if (mpnt->vm_flags & VM_DONTCOPY) {
1754:				retval = vma_iter_clear_gfp(&vmi, mpnt->vm_start,
1755:							    mpnt->vm_end, GFP_KERNEL);
1756:				if (retval)
1757:					goto loop_out;
1758:	
1759:				vm_stat_account(mm, mpnt->vm_flags, -vma_pages(mpnt));
1760:				continue;
1761:			}
1762:			charge = 0;
1763:			/*
1764:			 * Don't duplicate many vmas if we've been oom-killed (for
1765:			 * example)
1766:			 */
1767:			if (fatal_signal_pending(current)) {
1768:				retval = -EINTR;
1769:				goto loop_out;
1770:			}
1771:			if (mpnt->vm_flags & VM_ACCOUNT) {
1772:				unsigned long len = vma_pages(mpnt);
1773:	
1774:				if (security_vm_enough_memory_mm(oldmm, len)) /* sic */
1775:					goto fail_nomem;
1776:				charge = len;
1777:			}
1778:	
1779:			tmp = vm_area_dup(mpnt);
1780:			if (!tmp)
1781:				goto fail_nomem;
1782:			retval = vma_dup_policy(mpnt, tmp);
1783:			if (retval)
1784:				goto fail_nomem_policy;
1785:			tmp->vm_mm = mm;
1786:			retval = dup_userfaultfd(tmp, &uf);
1787:			if (retval)
1788:				goto fail_nomem_anon_vma_fork;
1789:			if (tmp->vm_flags & VM_WIPEONFORK) {
1790:				/*
1791:				 * VM_WIPEONFORK gets a clean slate in the child.
1792:				 * Don't prepare anon_vma until fault since we don't
1793:				 * copy page for current vma.
1794:				 */
1795:				tmp->anon_vma = NULL;
1796:			} else if (anon_vma_fork(tmp, mpnt))
1797:				goto fail_nomem_anon_vma_fork;
1798:			vm_flags_clear(tmp, VM_LOCKED_MASK);
1799:			/*
1800:			 * Copy/update hugetlb private vma information.
1801:			 */
1802:			if (is_vm_hugetlb_page(tmp))
1803:				hugetlb_dup_vma_private(tmp);
1804:	
1805:			/*
1806:			 * Link the vma into the MT. After using __mt_dup(), memory
1807:			 * allocation is not necessary here, so it cannot fail.
1808:			 */
1809:			vma_iter_bulk_store(&vmi, tmp);
1810:	
1811:			mm->map_count++;
1812:	
1813:			if (tmp->vm_ops && tmp->vm_ops->open)
1814:				tmp->vm_ops->open(tmp);
1815:	
1816:			file = tmp->vm_file;
1817:			if (file) {
1818:				struct address_space *mapping = file->f_mapping;
1819:	
1820:				get_file(file);
1821:				i_mmap_lock_write(mapping);
1822:				if (vma_is_shared_maywrite(tmp))
1823:					mapping_allow_writable(mapping);
1824:				flush_dcache_mmap_lock(mapping);
1825:				/* insert tmp into the share list, just after mpnt */
1826:				vma_interval_tree_insert_after(tmp, mpnt,
1827:						&mapping->i_mmap);
1828:				flush_dcache_mmap_unlock(mapping);
1829:				i_mmap_unlock_write(mapping);
1830:			}
1831:	
1832:			if (!(tmp->vm_flags & VM_WIPEONFORK))
1833:				retval = copy_page_range(tmp, mpnt);
1834:	
1835:			if (retval) {
1836:				mpnt = vma_next(&vmi);
1837:				goto loop_out;
1838:			}
1839:		}
1840:		/* a new mm has just been created */
1841:		retval = arch_dup_mmap(oldmm, mm);
1842:	loop_out:
1843:		vma_iter_free(&vmi);
1844:		if (!retval) {
1845:			mt_set_in_rcu(vmi.mas.tree);
1846:			ksm_fork(mm, oldmm);
1847:			khugepaged_fork(mm, oldmm);
1848:		} else {
1849:	
1850:			/*
1851:			 * The entire maple tree has already been duplicated. If the
1852:			 * mmap duplication fails, mark the failure point with
1853:			 * XA_ZERO_ENTRY. In exit_mmap(), if this marker is encountered,
1854:			 * stop releasing VMAs that have not been duplicated after this
1855:			 * point.
1856:			 */
1857:			if (mpnt) {
1858:				mas_set_range(&vmi.mas, mpnt->vm_start, mpnt->vm_end - 1);
1859:				mas_store(&vmi.mas, XA_ZERO_ENTRY);
1860:				/* Avoid OOM iterating a broken tree */
1861:				mm_flags_set(MMF_OOM_SKIP, mm);
1862:			}
1863:			/*
1864:			 * The mm_struct is going to exit, but the locks will be dropped
1865:			 * first.  Set the mm_struct as unstable is advisable as it is
1866:			 * not fully initialised.
1867:			 */
1868:			mm_flags_set(MMF_UNSTABLE, mm);
1869:		}
1870:	out:
1871:		mmap_write_unlock(mm);
1872:		flush_tlb_mm(oldmm);
1873:		mmap_write_unlock(oldmm);
1874:		if (!retval)
1875:			dup_userfaultfd_complete(&uf);
1876:		else
1877:			dup_userfaultfd_fail(&uf);
1878:		return retval;
1879:	
1880:	fail_nomem_anon_vma_fork:
1881:		mpol_put(vma_policy(tmp));
1882:	fail_nomem_policy:
1883:		vm_area_free(tmp);
1884:	fail_nomem:
1885:		retval = -ENOMEM;
1886:		vm_unacct_memory(charge);
1887:		goto loop_out;
1888:	}
 SourceFile:mm/mmap.c]

unknown

unknown

map[IncludeLines:true Name:copy_page_range SourceFile:mm/memory.c]

map[Missing:false SourceCode:1489:	int
1490:	copy_page_range(struct vm_area_struct *dst_vma, struct vm_area_struct *src_vma)
1491:	{
1492:		pgd_t *src_pgd, *dst_pgd;
1493:		unsigned long addr = src_vma->vm_start;
1494:		unsigned long end = src_vma->vm_end;
1495:		struct mm_struct *dst_mm = dst_vma->vm_mm;
1496:		struct mm_struct *src_mm = src_vma->vm_mm;
1497:		struct mmu_notifier_range range;
1498:		unsigned long next;
1499:		bool is_cow;
1500:		int ret;
1501:	
1502:		if (!vma_needs_copy(dst_vma, src_vma))
1503:			return 0;
1504:	
1505:		if (is_vm_hugetlb_page(src_vma))
1506:			return copy_hugetlb_page_range(dst_mm, src_mm, dst_vma, src_vma);
1507:	
1508:		/*
1509:		 * We need to invalidate the secondary MMU mappings only when
1510:		 * there could be a permission downgrade on the ptes of the
1511:		 * parent mm. And a permission downgrade will only happen if
1512:		 * is_cow_mapping() returns true.
1513:		 */
1514:		is_cow = is_cow_mapping(src_vma->vm_flags);
1515:	
1516:		if (is_cow) {
1517:			mmu_notifier_range_init(&range, MMU_NOTIFY_PROTECTION_PAGE,
1518:						0, src_mm, addr, end);
1519:			mmu_notifier_invalidate_range_start(&range);
1520:			/*
1521:			 * Disabling preemption is not needed for the write side, as
1522:			 * the read side doesn't spin, but goes to the mmap_lock.
1523:			 *
1524:			 * Use the raw variant of the seqcount_t write API to avoid
1525:			 * lockdep complaining about preemptibility.
1526:			 */
1527:			vma_assert_write_locked(src_vma);
1528:			raw_write_seqcount_begin(&src_mm->write_protect_seq);
1529:		}
1530:	
1531:		ret = 0;
1532:		dst_pgd = pgd_offset(dst_mm, addr);
1533:		src_pgd = pgd_offset(src_mm, addr);
1534:		do {
1535:			next = pgd_addr_end(addr, end);
1536:			if (pgd_none_or_clear_bad(src_pgd))
1537:				continue;
1538:			if (unlikely(copy_p4d_range(dst_vma, src_vma, dst_pgd, src_pgd,
1539:						    addr, next))) {
1540:				ret = -ENOMEM;
1541:				break;
1542:			}
1543:		} while (dst_pgd++, src_pgd++, addr = next, addr != end);
1544:	
1545:		if (is_cow) {
1546:			raw_write_seqcount_end(&src_mm->write_protect_seq);
1547:			mmu_notifier_invalidate_range_end(&range);
1548:		}
1549:		return ret;
1550:	}
 SourceFile:mm/memory.c]

unknown

unknown

map[IncludeLines:true Name:mm_init SourceFile:kernel/fork.c]

map[Missing:false SourceCode:1029:	static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
1030:		struct user_namespace *user_ns)
1031:	{
1032:		mt_init_flags(&mm->mm_mt, MM_MT_FLAGS);
1033:		mt_set_external_lock(&mm->mm_mt, &mm->mmap_lock);
1034:		atomic_set(&mm->mm_users, 1);
1035:		atomic_set(&mm->mm_count, 1);
1036:		seqcount_init(&mm->write_protect_seq);
1037:		mmap_init_lock(mm);
1038:		INIT_LIST_HEAD(&mm->mmlist);
1039:		mm_pgtables_bytes_init(mm);
1040:		mm->map_count = 0;
1041:		mm->locked_vm = 0;
1042:		atomic64_set(&mm->pinned_vm, 0);
1043:		memset(&mm->rss_stat, 0, sizeof(mm->rss_stat));
1044:		spin_lock_init(&mm->page_table_lock);
1045:		spin_lock_init(&mm->arg_lock);
1046:		mm_init_cpumask(mm);
1047:		mm_init_aio(mm);
1048:		mm_init_owner(mm, p);
1049:		mm_pasid_init(mm);
1050:		RCU_INIT_POINTER(mm->exe_file, NULL);
1051:		mmu_notifier_subscriptions_init(mm);
1052:		init_tlb_flush_pending(mm);
1053:	#if defined(CONFIG_TRANSPARENT_HUGEPAGE) && !defined(CONFIG_SPLIT_PMD_PTLOCKS)
1054:		mm->pmd_huge_pte = NULL;
1055:	#endif
1056:		mm_init_uprobes_state(mm);
1057:		hugetlb_count_init(mm);
1058:	
1059:		mm_flags_clear_all(mm);
1060:		if (current->mm) {
1061:			unsigned long flags = __mm_flags_get_word(current->mm);
1062:	
1063:			__mm_flags_set_word(mm, mmf_init_legacy_flags(flags));
1064:			mm->def_flags = current->mm->def_flags & VM_INIT_DEF_MASK;
1065:		} else {
1066:			__mm_flags_set_word(mm, default_dump_filter);
1067:			mm->def_flags = 0;
1068:		}
1069:	
1070:		if (futex_mm_init(mm))
1071:			goto fail_mm_init;
1072:	
1073:		if (mm_alloc_pgd(mm))
1074:			goto fail_nopgd;
1075:	
1076:		if (mm_alloc_id(mm))
1077:			goto fail_noid;
1078:	
1079:		if (init_new_context(p, mm))
1080:			goto fail_nocontext;
1081:	
1082:		if (mm_alloc_cid(mm, p))
1083:			goto fail_cid;
1084:	
1085:		if (percpu_counter_init_many(mm->rss_stat, 0, GFP_KERNEL_ACCOUNT,
1086:					     NR_MM_COUNTERS))
1087:			goto fail_pcpu;
1088:	
1089:		mm->user_ns = get_user_ns(user_ns);
1090:		lru_gen_init_mm(mm);
1091:		return mm;
1092:	
1093:	fail_pcpu:
1094:		mm_destroy_cid(mm);
1095:	fail_cid:
1096:		destroy_context(mm);
1097:	fail_nocontext:
1098:		mm_free_id(mm);
1099:	fail_noid:
1100:		mm_free_pgd(mm);
1101:	fail_nopgd:
1102:		futex_hash_free(mm);
1103:	fail_mm_init:
1104:		free_mm(mm);
1105:		return NULL;
1106:	}
 SourceFile:kernel/fork.c]

unknown

unknown

map[IncludeLines:true Name:mm_struct SourceFile:include/linux/mm_types.h]

map[Missing:true SourceCode: SourceFile:]

unknown

unknown

map[SourceFile:include/linux/mm_types.h]

map[Entities:[map[Kind:function Name:__mm_flags_get_bitmap] map[Kind:function Name:__mm_flags_get_word] map[Kind:function Name:__mm_flags_set_mask_bits_word] map[Kind:function Name:__mm_flags_set_word] map[Kind:function Name:anon_vma_name] map[Kind:function Name:anon_vma_name_alloc] map[Kind:function Name:encode_nr_pages] map[Kind:function Name:encode_page] map[Kind:function Name:encoded_nr_pages] map[Kind:function Name:encoded_page_flags] map[Kind:function Name:encoded_page_ptr] map[Kind:function Name:folio_get_private] map[Kind:function Name:lru_gen_add_mm] map[Kind:function Name:lru_gen_del_mm] map[Kind:function Name:lru_gen_init_mm] map[Kind:function Name:lru_gen_migrate_mm] map[Kind:function Name:lru_gen_use_mm] map[Kind:function Name:mm_alloc_cid_noprof] map[Kind:function Name:mm_cid_clear_lazy_put] map[Kind:function Name:mm_cid_is_lazy_put] map[Kind:function Name:mm_cid_is_unset] map[Kind:function Name:mm_cid_is_valid] map[Kind:function Name:mm_cid_set_lazy_put] map[Kind:function Name:mm_cid_size] map[Kind:function Name:mm_cidmask] map[Kind:function Name:mm_cpumask] map[Kind:function Name:mm_cpus_allowed] map[Kind:function Name:mm_destroy_cid] map[Kind:function Name:mm_init_cid] map[Kind:function Name:mm_init_cpumask] map[Kind:function Name:mm_set_cpus_allowed] map[Kind:function Name:mmf_init_legacy_flags] map[Kind:function Name:ptdesc_pmd_is_shared] map[Kind:function Name:ptdesc_pmd_pts_count] map[Kind:function Name:ptdesc_pmd_pts_dec] map[Kind:function Name:ptdesc_pmd_pts_inc] map[Kind:function Name:ptdesc_pmd_pts_init] map[Kind:function Name:set_page_private] map[Kind:function Name:tlb_finish_mmu] map[Kind:function Name:tlb_gather_mmu] map[Kind:function Name:tlb_gather_mmu_fullmm] map[Kind:function Name:vma_iter_init]] Missing:false]

unknown

unknown

map[Benign:true]

map[Benign:true]

unknown