lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20250905230421.GT616306@nvidia.com>
Date: Fri, 5 Sep 2025 20:04:21 -0300
From: Jason Gunthorpe <jgg@...dia.com>
To: Dave Hansen <dave.hansen@...el.com>
Cc: Lu Baolu <baolu.lu@...ux.intel.com>, Joerg Roedel <joro@...tes.org>,
	Will Deacon <will@...nel.org>, Robin Murphy <robin.murphy@....com>,
	Kevin Tian <kevin.tian@...el.com>, Jann Horn <jannh@...gle.com>,
	Vasant Hegde <vasant.hegde@....com>,
	Alistair Popple <apopple@...dia.com>,
	Peter Zijlstra <peterz@...radead.org>,
	Uladzislau Rezki <urezki@...il.com>,
	Jean-Philippe Brucker <jean-philippe@...aro.org>,
	Andy Lutomirski <luto@...nel.org>, Yi Lai <yi1.lai@...el.com>,
	iommu@...ts.linux.dev, security@...nel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4 5/8] x86/mm: Use pagetable_free()

On Fri, Sep 05, 2025 at 01:11:15PM -0700, Dave Hansen wrote:
> On 9/5/25 11:41, Jason Gunthorpe wrote:
> >> --- a/arch/x86/mm/init_64.c
> >> +++ b/arch/x86/mm/init_64.c
> >> @@ -1013,7 +1013,7 @@ static void __meminit free_pagetable(struct page *page, int order)
> >>  		free_reserved_pages(page, nr_pages);
> >>  #endif
> >>  	} else {
> >> -		free_pages((unsigned long)page_address(page), order);
> >> +		pagetable_free(page_ptdesc(page));
> >>  	}
> >>  }
> > Er.. So if bootmem happens to be under the table and we happen to free
> > it due to memory hotplug we don't go through the SVA fixing path?
> > 
> > Seems wrong??
> 
> On second thought...
> 
> Yes, freeing bootmem with no SVA fixing is wrong. It should be fixed.
> Period. But, it's wrong one time for something super rare: memory unplug
> of memory that was present at boot. It also can't be triggered by
> unprivileged users.
> 
> As-is, this series fixes vfree(). That path is not nearly rare, can
> happen an arbitrary number of times on each boot, and might even be
> triggered by folks that are less than root.
> 
> So I kinda think we should just make clear that this series leaves
> _some_ holes, but I do think it should go in mostly as-is.

That's reasonable, but also your suggested change is pretty
simple. I'd put an arch hook:

static inline void pagetable_free_kernel(struct ptdesc *pt)
{
       struct page *page = ptdesc_page(pt);

       ptdesc_clear_kernel(pt);
       if (!arch_pagetable_free_kernel(pt))
              return;
       __pagetable_free((page);
}

With what you showed

Also, probably need to ensure whatever allocates the bootmem in the
first place calls ptdesc_set_kernel()..

Jason

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ