| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250827150330.280399-1-max.kellermann@ionos.com>
Date: Wed, 27 Aug 2025 17:03:30 +0200
From: Max Kellermann <max.kellermann@...os.com>
To: akpm@...ux-foundation.org,
david@...hat.com,
lorenzo.stoakes@...cle.com,
ziy@...dia.com,
baolin.wang@...ux.alibaba.com,
Liam.Howlett@...cle.com,
npache@...hat.com,
ryan.roberts@....com,
dev.jain@....com,
baohua@...nel.org,
shikemeng@...weicloud.com,
kasong@...cent.com,
nphamcs@...il.com,
bhe@...hat.com,
chrisl@...nel.org,
linux-mm@...ck.org,
linux-kernel@...r.kernel.org
Cc: Max Kellermann <max.kellermann@...os.com>
Subject: [PATCH v2] huge_mm.h: disallow is_huge_zero_folio(NULL)
Calling is_huge_zero_folio(NULL) should not be legal - it makes no
sense, and a different (theoretical) implementation may dereference
the pointer. But currently, lacking any explicit documentation, this
call is possible.
But if somebody really passes NULL, the function should not return
true - this isn't the huge zero folio after all! However, if the
`huge_zero_folio` hasn't been allocated yet, it's NULL, and
is_huge_zero_folio(NULL) just happens to return true, which is a lie.
This weird side effect prevented me from reproducing a kernel crash
that occurred when the elements of a folio_batch were NULL - since
folios_put_refs() skips huge zero folios, this sometimes causes a
crash, but sometimes does not. For debugging, it is better to reveal
such bugs reliably and not hide them behind random preconditions like
"has the huge zero folio already been created?"
To improve detection of such bugs, David Hildenbrand suggested adding
a VM_WARN_ON_ONCE().
Signed-off-by: Max Kellermann <max.kellermann@...os.com>
---
include/linux/huge_mm.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h
index 7748489fde1b..bc9ca7798f2e 100644
--- a/include/linux/huge_mm.h
+++ b/include/linux/huge_mm.h
@@ -2,6 +2,7 @@
#ifndef _LINUX_HUGE_MM_H
#define _LINUX_HUGE_MM_H
+#include <linux/mmdebug.h> // for VM_WARN_ON_ONCE()
#include <linux/mm_types.h>
#include <linux/fs.h> /* only for vma_is_dax() */
@@ -479,6 +480,8 @@ extern unsigned long huge_zero_pfn;
static inline bool is_huge_zero_folio(const struct folio *folio)
{
+ VM_WARN_ON_ONCE(folio == NULL);
+
return READ_ONCE(huge_zero_folio) == folio;
}
--
2.47.2
Powered by blists - more mailing lists