From: "Lorenzo Stoakes (Oracle)" <ljs@kernel•org>
To: Andrew Morton <akpm@linux-foundation•org>
Cc: Jonathan Corbet <corbet@lwn•net>,
Clemens Ladisch <clemens@ladisch•de>,
Arnd Bergmann <arnd@arndb•de>,
Greg Kroah-Hartman <gregkh@linuxfoundation•org>,
"K . Y . Srinivasan" <kys@microsoft•com>,
Haiyang Zhang <haiyangz@microsoft•com>,
Wei Liu <wei.liu@kernel•org>, Dexuan Cui <decui@microsoft•com>,
Long Li <longli@microsoft•com>,
Alexander Shishkin <alexander.shishkin@linux•intel.com>,
Maxime Coquelin <mcoquelin.stm32@gmail•com>,
Alexandre Torgue <alexandre.torgue@foss•st.com>,
Miquel Raynal <miquel.raynal@bootlin•com>,
Richard Weinberger <richard@nod•at>,
Vignesh Raghavendra <vigneshr@ti•com>,
Bodo Stroesser <bostroesser@gmail•com>,
"Martin K . Petersen" <martin.petersen@oracle•com>,
David Howells <dhowells@redhat•com>,
Marc Dionne <marc.dionne@auristor•com>,
Alexander Viro <viro@zeniv•linux.org.uk>,
Christian Brauner <brauner@kernel•org>, Jan Kara <jack@suse•cz>,
David Hildenbrand <david@kernel•org>,
"Liam R . Howlett" <Liam.Howlett@oracle•com>,
Vlastimil Babka <vbabka@kernel•org>,
Mike Rapoport <rppt@kernel•org>,
Suren Baghdasaryan <surenb@google•com>,
Michal Hocko <mhocko@suse•com>, Jann Horn <jannh@google•com>,
Pedro Falcato <pfalcato@suse•de>,
linux-kernel@vger•kernel.org, linux-doc@vger•kernel.org,
linux-hyperv@vger•kernel.org,
linux-stm32@st-md-mailman•stormreply.com,
linux-arm-kernel@lists•infradead.org,
linux-mtd@lists•infradead.org, linux-staging@lists•linux.dev,
linux-scsi@vger•kernel.org, target-devel@vger•kernel.org,
linux-afs@lists•infradead.org, linux-fsdevel@vger•kernel.org,
linux-mm@kvack•org, Ryan Roberts <ryan.roberts@arm•com>
Subject: [PATCH v4 00/21] mm: expand mmap_prepare functionality and usage
Date: Fri, 20 Mar 2026 22:39:26 +0000 [thread overview]
Message-ID: <cover.1774045440.git.ljs@kernel.org> (raw)
This series expands the mmap_prepare functionality, which is intended to
replace the deprecated f_op->mmap hook which has been the source of bugs
and security issues for some time.
This series starts with some cleanup of existing mmap_prepare logic, then
adds documentation for the mmap_prepare call to make it easier for
filesystem and driver writers to understand how it works.
It then importantly adds a vm_ops->mapped hook, a key feature that was
missing from mmap_prepare previously - this is invoked when a driver which
specifies mmap_prepare has successfully been mapped but not merged with
another VMA.
mmap_prepare is invoked prior to a merge being attempted, so you cannot
manipulate state such as reference counts as if it were a new mapping.
The vm_ops->mapped hook allows a driver to perform tasks required at this
stage, and provides symmetry against subsequent vm_ops->open,close calls.
The series uses this to correct the afs implementation which wrongly
manipulated reference count at mmap_prepare time.
It then adds an mmap_prepare equivalent of vm_iomap_memory() -
mmap_action_simple_ioremap(), then uses this to update a number of drivers.
It then splits out the mmap_prepare compatibility layer (which allows for
invocation of mmap_prepare hooks in an mmap() hook) in such a way as to
allow for more incremental implementation of mmap_prepare hooks.
It then uses this to extend mmap_prepare usage in drivers.
Finally it adds an mmap_prepare equivalent of vm_map_pages(), which lays
the foundation for future work which will extend mmap_prepare to DMA
coherent mappings.
v4:
* Added partial revert of AFS as per Vlasta. Labelled as hotfix.
* Updated subsequent afs patch to apply against this version of AFS.
* Reverted rmap_lock_held changes to util.c, mm.h mmap_action_complete()
etc. as per Vlasta.
* Added hotfix to fix issue with rmap lock held over munmap() as per
Vlasta. Labelled as hotfix.
* Force-disable the rmap lock hold feature in the compatbility layer
because being run under the mmap hook eliminates the need for it.
* Removed superfluous map->hold_file_rmap_lock field.
* Moved handling of rmap lock and unmapping to mmap_action_complete().
* Removed unmap_vma_locked() as previous added patches render it
unnecessary.
* Removed __compat_vma_mapped() from compatibility layer and
call_vma_mapped() from VMA layer and made it part of mmap_action_finish()
for all callers.
* Propagated changes to VMA tests.
* Updated mmap_action_map_kernel_pages[_full]() patch to add missing
mmap_complete() noop switch enum value as per Nathan.
* Fixed a doc issue in the mmap_prepare docs - reference
vma_desc_test_flags() rather than _any().
* Rearranged logic so the vm_ops->mapped hook is called before the success
hook, but this should have no impact.
v3:
* Propagated tags (thanks Suren, Richard!)
* Updated 12/16 to correctly clear the vm_area_desc data structure in
set_desc_from_vma() as per Joshua Hahn (thanks! :)
* Fixed type in 12/16 as per Suren (cheers!)
* Fixed up 6/16 to use mmap_action_ioremap_full() in simple_ioremap_prepare() as
suggested by Suren.
* Also fixed up 6/16 to call io_remap_pfn_range_prepare() direct rather than
mmap_action_prepare() as per Suren.
* Also fixed up 6/16 to pass vm_len rather than vm_[start, end] to
__simple_ioremap_prep() as per Suren (thanks for all the above! :)
* Fixed issue in rmap lock being held - we were referencing a vma->vm_file after
the VMA was unmapped, so UAF. Avoid that. Also do_munmap() relies on rmap lock
NOT being held or may deadlock, so extend functionality to ensure we drop it
when it is held on error paths.
* Updated 'area' -> 'vma' variable in 3/16 in VMA test dup.h.
* Fixed up reference to __compat_vma_mmap() in 12/16 commit message.
* Updated 1/16 to no longer duplicatively apply io_remap_pfn_range_pfn().
* Updated 1/16 to delegate I/O remap complete to remap complete logic.
* Fixed various typos in 12/16.
* Fixed stale comment typos in 13/16.
* Fixed commit msg and comment typos in 14/16.
* Removed accidental sneak peak to future functionality in 15/16 commit message
:).
* Fixed up field names to be identical in VMA tests + mm_types.h in 6/16,
15/16.
https://lore.kernel.org/all/cover.1773944114.git.ljs@kernel.org/
v2:
* Rebased on
https://lore.kernel.org/all/cover.1773665966.git.ljs@kernel.org/ to make
Andrew's life easier :)
* Folded all interim fixes into series (thanks Randy for many doc fixes!))
* As per Suren, removed a comment about allocations too small to fail.
* As per Randy, fixed up typo in documentation for vm_area_desc.
* Fixed mmap_action_prepare() not returning if invalid action->type
specified, as updated from Andrew's interim fix (thanks!) and also
reported by kernel test bot.
* Updated mmap_action_prepare() and specific prepare functions to only
pass vm_area_desc parameter as per Suren.
* Fixed up whitespace as per Suren.
* Updated vm_op->open comment in vm_operations_struct to reference forking
as per Suren.
* Added a commit to check that input range is within VMA on remap as per
Suren (this also covers I/O remap and all other cases already asserted).
* Updated AFS to not incorrectly reference count on mmap prepare as per
Usama.
* Also updated various static AFS functions to be consistent with each
other.
* Updated AFS commit message to reflect mmap_prepare being before any VMA
merging as per Suren.
* Updated __compat_vma_mapped() to check for NULL vm_ops as per Usama.
* Updated __compat_vma_mapped() to not reference an unmapped VMA's fields
as per Usama.
* Updated __vma_check_mmap_hook() to check for NULL vm_ops as per Usama.
* Dropped comment about preferring mmap_prepare as seems overly confusing,
as per Suren.
* Updated the mmap lock assert in unmap_vma_locked() to a write lock assert
as per Suren.
* Copied vm_ops->open comment over to VMA tests in appropriate patch as per
Suren.
* Updated mmap_prepare documentation to reflect the fact that no resources
should be allocated upon mmap_prepare.
* Updated mmap_prepare documentation to reference the vm_ops->mapped
callback.
* Fixed stray markdown '## How to use' in documentation.
* Fixed bug reported by kernel test bot re: overlooked
vma_desc_test_flags() -> vma_desc_test() in MTD driver for nommu.
https://lore.kernel.org/linux-mm/cover.1773695307.git.ljs@kernel.org/
v1:
https://lore.kernel.org/linux-mm/cover.1773346620.git.ljs@kernel.org/
Lorenzo Stoakes (Oracle) (21):
mm: various small mmap_prepare cleanups
mm: add documentation for the mmap_prepare file operation callback
mm: document vm_operations_struct->open the same as close()
mm: avoid deadlock when holding rmap on mmap_prepare error
mm: switch the rmap lock held option off in compat layer
mm/vma: remove superfluous map->hold_file_rmap_lock
mm: have mmap_action_complete() handle the rmap lock and unmap
mm: add vm_ops->mapped hook
fs: afs: revert mmap_prepare() change
fs: afs: restore mmap_prepare implementation
mm: add mmap_action_simple_ioremap()
misc: open-dice: replace deprecated mmap hook with mmap_prepare
hpet: replace deprecated mmap hook with mmap_prepare
mtdchar: replace deprecated mmap hook with mmap_prepare, clean up
stm: replace deprecated mmap hook with mmap_prepare
staging: vme_user: replace deprecated mmap hook with mmap_prepare
mm: allow handling of stacked mmap_prepare hooks in more drivers
drivers: hv: vmbus: replace deprecated mmap hook with mmap_prepare
uio: replace deprecated mmap hook with mmap_prepare in uio_info
mm: add mmap_action_map_kernel_pages[_full]()
mm: on remap assert that input range within the proposed VMA
Documentation/driver-api/vme.rst | 2 +-
Documentation/filesystems/index.rst | 1 +
Documentation/filesystems/mmap_prepare.rst | 168 ++++++++++++++
drivers/char/hpet.c | 12 +-
drivers/hv/hyperv_vmbus.h | 4 +-
drivers/hv/vmbus_drv.c | 31 ++-
drivers/hwtracing/stm/core.c | 31 ++-
drivers/misc/open-dice.c | 19 +-
drivers/mtd/mtdchar.c | 21 +-
drivers/staging/vme_user/vme.c | 20 +-
drivers/staging/vme_user/vme.h | 2 +-
drivers/staging/vme_user/vme_user.c | 51 +++--
drivers/target/target_core_user.c | 26 ++-
drivers/uio/uio.c | 10 +-
drivers/uio/uio_hv_generic.c | 11 +-
fs/afs/file.c | 36 ++-
include/linux/fs.h | 14 +-
include/linux/hyperv.h | 4 +-
include/linux/mm.h | 158 ++++++++++++-
include/linux/mm_types.h | 17 +-
include/linux/uio_driver.h | 4 +-
mm/internal.h | 46 +++-
mm/memory.c | 175 ++++++++++----
mm/util.c | 251 ++++++++++++++-------
mm/vma.c | 48 ++--
mm/vma.h | 2 +-
tools/testing/vma/include/dup.h | 134 +++++++----
tools/testing/vma/include/stubs.h | 8 +-
28 files changed, 956 insertions(+), 350 deletions(-)
create mode 100644 Documentation/filesystems/mmap_prepare.rst
--
2.53.0
next reply other threads:[~2026-03-20 22:40 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-20 22:39 Lorenzo Stoakes (Oracle) [this message]
2026-03-20 22:39 ` [PATCH v4 01/21] mm: various small mmap_prepare cleanups Lorenzo Stoakes (Oracle)
2026-03-24 10:46 ` Vlastimil Babka (SUSE)
2026-03-20 22:39 ` [PATCH v4 02/21] mm: add documentation for the mmap_prepare file operation callback Lorenzo Stoakes (Oracle)
2026-03-20 22:39 ` [PATCH v4 03/21] mm: document vm_operations_struct->open the same as close() Lorenzo Stoakes (Oracle)
2026-03-20 22:39 ` [PATCH v4 04/21] mm: avoid deadlock when holding rmap on mmap_prepare error Lorenzo Stoakes (Oracle)
2026-03-24 10:55 ` Vlastimil Babka (SUSE)
2026-03-20 22:39 ` [PATCH v4 05/21] mm: switch the rmap lock held option off in compat layer Lorenzo Stoakes (Oracle)
2026-03-24 14:26 ` Vlastimil Babka (SUSE)
2026-03-24 16:35 ` Lorenzo Stoakes (Oracle)
2026-03-20 22:39 ` [PATCH v4 06/21] mm/vma: remove superfluous map->hold_file_rmap_lock Lorenzo Stoakes (Oracle)
2026-03-24 14:31 ` Vlastimil Babka (SUSE)
2026-03-20 22:39 ` [PATCH v4 07/21] mm: have mmap_action_complete() handle the rmap lock and unmap Lorenzo Stoakes (Oracle)
2026-03-24 14:38 ` Vlastimil Babka (SUSE)
2026-03-20 22:39 ` [PATCH v4 08/21] mm: add vm_ops->mapped hook Lorenzo Stoakes (Oracle)
2026-03-24 15:32 ` Vlastimil Babka (SUSE)
2026-03-20 22:39 ` [PATCH v4 09/21] fs: afs: revert mmap_prepare() change Lorenzo Stoakes (Oracle)
2026-03-25 9:06 ` Vlastimil Babka (SUSE)
2026-03-20 22:39 ` [PATCH v4 10/21] fs: afs: restore mmap_prepare implementation Lorenzo Stoakes (Oracle)
2026-03-25 9:47 ` Vlastimil Babka (SUSE)
2026-03-20 22:39 ` [PATCH v4 11/21] mm: add mmap_action_simple_ioremap() Lorenzo Stoakes (Oracle)
2026-03-25 9:58 ` Vlastimil Babka (SUSE)
2026-03-20 22:39 ` [PATCH v4 12/21] misc: open-dice: replace deprecated mmap hook with mmap_prepare Lorenzo Stoakes (Oracle)
2026-03-25 10:04 ` Vlastimil Babka (SUSE)
2026-03-25 10:14 ` Vlastimil Babka (SUSE)
2026-03-20 22:39 ` [PATCH v4 13/21] hpet: " Lorenzo Stoakes (Oracle)
2026-03-25 10:17 ` Vlastimil Babka (SUSE)
2026-03-20 22:39 ` [PATCH v4 14/21] mtdchar: replace deprecated mmap hook with mmap_prepare, clean up Lorenzo Stoakes (Oracle)
2026-03-25 10:20 ` Vlastimil Babka (SUSE)
2026-03-20 22:39 ` [PATCH v4 15/21] stm: replace deprecated mmap hook with mmap_prepare Lorenzo Stoakes (Oracle)
2026-03-25 10:24 ` Vlastimil Babka (SUSE)
2026-03-20 22:39 ` [PATCH v4 16/21] staging: vme_user: " Lorenzo Stoakes (Oracle)
2026-03-25 10:34 ` Vlastimil Babka (SUSE)
2026-03-20 22:39 ` [PATCH v4 17/21] mm: allow handling of stacked mmap_prepare hooks in more drivers Lorenzo Stoakes (Oracle)
2026-03-25 13:43 ` Vlastimil Babka (SUSE)
2026-03-20 22:39 ` [PATCH v4 18/21] drivers: hv: vmbus: replace deprecated mmap hook with mmap_prepare Lorenzo Stoakes (Oracle)
2026-03-23 4:16 ` Michael Kelley
2026-03-23 9:13 ` Lorenzo Stoakes (Oracle)
2026-03-25 13:57 ` Vlastimil Babka (SUSE)
2026-03-20 22:39 ` [PATCH v4 19/21] uio: replace deprecated mmap hook with mmap_prepare in uio_info Lorenzo Stoakes (Oracle)
2026-03-25 14:13 ` Vlastimil Babka (SUSE)
2026-04-13 5:14 ` Shinichiro Kawasaki
2026-04-13 5:37 ` Lorenzo Stoakes
2026-03-20 22:39 ` [PATCH v4 20/21] mm: add mmap_action_map_kernel_pages[_full]() Lorenzo Stoakes (Oracle)
2026-03-26 10:44 ` Vlastimil Babka (SUSE)
2026-03-20 22:39 ` [PATCH v4 21/21] mm: on remap assert that input range within the proposed VMA Lorenzo Stoakes (Oracle)
2026-03-26 10:46 ` Vlastimil Babka (SUSE)
2026-03-21 2:42 ` [PATCH v4 00/21] mm: expand mmap_prepare functionality and usage Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1774045440.git.ljs@kernel.org \
--to=ljs@kernel$(echo .)org \
--cc=Liam.Howlett@oracle$(echo .)com \
--cc=akpm@linux-foundation$(echo .)org \
--cc=alexander.shishkin@linux$(echo .)intel.com \
--cc=alexandre.torgue@foss$(echo .)st.com \
--cc=arnd@arndb$(echo .)de \
--cc=bostroesser@gmail$(echo .)com \
--cc=brauner@kernel$(echo .)org \
--cc=clemens@ladisch$(echo .)de \
--cc=corbet@lwn$(echo .)net \
--cc=david@kernel$(echo .)org \
--cc=decui@microsoft$(echo .)com \
--cc=dhowells@redhat$(echo .)com \
--cc=gregkh@linuxfoundation$(echo .)org \
--cc=haiyangz@microsoft$(echo .)com \
--cc=jack@suse$(echo .)cz \
--cc=jannh@google$(echo .)com \
--cc=kys@microsoft$(echo .)com \
--cc=linux-afs@lists$(echo .)infradead.org \
--cc=linux-arm-kernel@lists$(echo .)infradead.org \
--cc=linux-doc@vger$(echo .)kernel.org \
--cc=linux-fsdevel@vger$(echo .)kernel.org \
--cc=linux-hyperv@vger$(echo .)kernel.org \
--cc=linux-kernel@vger$(echo .)kernel.org \
--cc=linux-mm@kvack$(echo .)org \
--cc=linux-mtd@lists$(echo .)infradead.org \
--cc=linux-scsi@vger$(echo .)kernel.org \
--cc=linux-staging@lists$(echo .)linux.dev \
--cc=linux-stm32@st-md-mailman$(echo .)stormreply.com \
--cc=longli@microsoft$(echo .)com \
--cc=marc.dionne@auristor$(echo .)com \
--cc=martin.petersen@oracle$(echo .)com \
--cc=mcoquelin.stm32@gmail$(echo .)com \
--cc=mhocko@suse$(echo .)com \
--cc=miquel.raynal@bootlin$(echo .)com \
--cc=pfalcato@suse$(echo .)de \
--cc=richard@nod$(echo .)at \
--cc=rppt@kernel$(echo .)org \
--cc=ryan.roberts@arm$(echo .)com \
--cc=surenb@google$(echo .)com \
--cc=target-devel@vger$(echo .)kernel.org \
--cc=vbabka@kernel$(echo .)org \
--cc=vigneshr@ti$(echo .)com \
--cc=viro@zeniv$(echo .)linux.org.uk \
--cc=wei.liu@kernel$(echo .)org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox