| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <debdccdd-1a4a-4039-bdc3-64b68525d03c@arm.com> Date: Thu, 16 Oct 2025 11:45:00 +0530 From: Dev Jain <dev.jain@....com> To: Lance Yang <lance.yang@...ux.dev> Cc: ziy@...dia.com, baolin.wang@...ux.alibaba.com, Liam.Howlett@...cle.com, npache@...hat.com, ryan.roberts@....com, baohua@...nel.org, ioworker0@...il.com, linux-kernel@...r.kernel.org, linux-mm@...ck.org, lorenzo.stoakes@...cle.com, akpm@...ux-foundation.org, david@...hat.com Subject: Re: [PATCH mm-new 1/1] mm/khugepaged: guard is_zero_pfn() calls with pte_present() On 16/10/25 11:29 am, Lance Yang wrote: > > > On 2025/10/16 13:34, Dev Jain wrote: >> >> On 16/10/25 9:06 am, Lance Yang wrote: >>> From: Lance Yang <lance.yang@...ux.dev> >>> >>> A non-present entry, like a swap PTE, contains completely different >>> data >>> (swap type and offset). pte_pfn() doesn't know this, so if we feed it a >>> non-present entry, it will spit out a junk PFN. >>> >>> What if that junk PFN happens to match the zeropage's PFN by sheer >>> chance? While really unlikely, this would be really bad if it did. >>> >>> So, let's fix this potential bug by ensuring all calls to is_zero_pfn() >>> in khugepaged.c are properly guarded by a pte_present() check. >>> >>> Suggested-by: Lorenzo Stoakes <lorenzo.stoakes@...cle.com> >>> Signed-off-by: Lance Yang <lance.yang@...ux.dev> >>> --- >> >> Thanks, I missed this. > > Me too ... > >> >>> mm/khugepaged.c | 13 ++++++++----- >>> 1 file changed, 8 insertions(+), 5 deletions(-) >>> >>> diff --git a/mm/khugepaged.c b/mm/khugepaged.c >>> index d635d821f611..0341c3d13e9e 100644 >>> --- a/mm/khugepaged.c >>> +++ b/mm/khugepaged.c >>> @@ -516,7 +516,7 @@ static void release_pte_pages(pte_t *pte, pte_t >>> *_pte, >>> pte_t pteval = ptep_get(_pte); >>> unsigned long pfn; >>> - if (pte_none(pteval)) >>> + if (!pte_present(pteval)) >> >> There should be no chance that we end up with a pteval which is not >> none *and* >> not present, if you look at the callers of release_pte_pages. So >> perhaps we >> should keep this either the same, or, after "if(pte_none(pteval))", do a >> WARN_ON_ONCE(!pte_present(pteval))? > > Good catch! Yeah, but I'd rather not rely on the callers ... > > Wouldn't it just be simpler and safer to always have is_zero_pfn() > guarded > by pte_present()? > > I don't have a strong opinon here, though ;p Yeah same, I think we can leave it to what you have done. > > Dev, Thanks! >
Powered by blists - more mailing lists