| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ab724372-8efa-4642-8240-2f28d090d1c0@linux.dev>
Date: Fri, 17 Oct 2025 23:04:05 +0800
From: Lance Yang <lance.yang@...ux.dev>
To: David Hildenbrand <david@...hat.com>, akpm@...ux-foundation.org,
lorenzo.stoakes@...cle.com
Cc: ziy@...dia.com, baolin.wang@...ux.alibaba.com, Liam.Howlett@...cle.com,
npache@...hat.com, ryan.roberts@....com, dev.jain@....com,
baohua@...nel.org, ioworker0@...il.com, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, Wei Yang <richard.weiyang@...il.com>
Subject: Re: [PATCH mm-new v2 1/1] mm/khugepaged: guard is_zero_pfn() calls
with pte_present()
On 2025/10/17 22:51, David Hildenbrand wrote:
> On 17.10.25 11:38, Lance Yang wrote:
>> From: Lance Yang <lance.yang@...ux.dev>
>>
>> A non-present entry, like a swap PTE, contains completely different data
>> (swap type and offset). pte_pfn() doesn't know this, so if we feed it a
>> non-present entry, it will spit out a junk PFN.
>>
>> What if that junk PFN happens to match the zeropage's PFN by sheer
>> chance? While really unlikely, this would be really bad if it did.
>>
>> So, let's fix this potential bug by ensuring all calls to is_zero_pfn()
>> in khugepaged.c are properly guarded by a pte_present() check.
>>
>> Suggested-by: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
>> Reviewed-by: Dev Jain <dev.jain@....com>
>> Reviewed-by: Baolin Wang <baolin.wang@...ux.alibaba.com>
>> Reviewed-by: Wei Yang <richard.weiyang@...il.com>
>> Signed-off-by: Lance Yang <lance.yang@...ux.dev>
>> ---
>> Applies against commit 0f22abd9096e in mm-new.
>>
>> v1 -> v2:
>> - Collect Reviewed-by from Dev, Wei and Baolin - thanks!
>> - Reduce a level of indentation (per Dev)
>> - https://lore.kernel.org/linux-mm/20251016033643.10848-1-
>> lance.yang@...ux.dev/
>>
>> mm/khugepaged.c | 29 ++++++++++++++++-------------
>> 1 file changed, 16 insertions(+), 13 deletions(-)
>>
>> diff --git a/mm/khugepaged.c b/mm/khugepaged.c
>> index d635d821f611..648d9335de00 100644
>> --- a/mm/khugepaged.c
>> +++ b/mm/khugepaged.c
>> @@ -516,7 +516,7 @@ static void release_pte_pages(pte_t *pte, pte_t
>> *_pte,
>> pte_t pteval = ptep_get(_pte);
>> unsigned long pfn;
>> - if (pte_none(pteval))
>> + if (!pte_present(pteval))
>> continue;
>
>
> Isn't it rather that if we would ever get a !pte_none() && !
> pte_present() here, something would be deeply flawed?
>
> I'd much rather spell that out and do here
>
> VM_WARN_ON_ONCE(!pte_present(pteval));
>
> keeping the original check.
Right, it's much better to be loud with a VM_WARN if we see
a weird PTE, as Dev also suggested :)
>
>
>> pfn = pte_pfn(pteval);
>> if (is_zero_pfn(pfn))
>> @@ -690,17 +690,18 @@ static void
>> __collapse_huge_page_copy_succeeded(pte_t *pte,
>> address += nr_ptes * PAGE_SIZE) {
>> nr_ptes = 1;
>> pteval = ptep_get(_pte);
>> - if (pte_none(pteval) || is_zero_pfn(pte_pfn(pteval))) {
>> + if (pte_none(pteval) ||
>> + (pte_present(pteval) && is_zero_pfn(pte_pfn(pteval)))) {
>
> This now seems to be a common pattern now :)
>
>
> Should we have a simple helper
>
> static inline void pte_none_or_zero(pte_t pte)
> {
> if (pte_none(pte))
> return true;
> return pte_present(pte) && is_zero_pfn(pte_pfn(pte)
> }
>
> initially maybe local to this file?
And yeah, that logic is crying out for a new helper.
Thanks!
Powered by blists - more mailing lists