lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAEvNRgEO3gB6Oee2C-+8Pu=+3KY0C98yrmesKO2SMVSvs3anfA@mail.gmail.com>
Date: Sun, 8 Feb 2026 09:34:20 -0800
From: Ackerley Tng <ackerleytng@...gle.com>
To: "David Hildenbrand (arm)" <david@...nel.org>, Sean Christopherson <seanjc@...gle.com>
Cc: syzbot+33a04338019ac7e43a44@...kaller.appspotmail.com, kvm@...r.kernel.org, 
	linux-kernel@...r.kernel.org, pbonzini@...hat.com, 
	syzkaller-bugs@...glegroups.com, michael.roth@....com, vannapurve@...gle.com, 
	kartikey406@...il.com
Subject: Re: [PATCH] KVM: guest_memfd: Disable VMA merging with VM_DONTEXPAND

Ackerley Tng <ackerleytng@...gle.com> writes:

>
> [...snip...]
>
>> !thp_vma_allowable_order() must take care of that somehow down in
>> __thp_vma_allowable_orders(), by checking the file).
>>
>> Likely the file_thp_enabled() check is the culprit with
>> CONFIG_READ_ONLY_THP_FOR_FS?
>>
>> Maybe we need a flag to say "even not CONFIG_READ_ONLY_THP_FOR_FS".
>>
>> I wonder how we handle that for secretmem. Too late for me, going to bed :)
>>
>
> Let me look deeper into this. Thanks!
>

I trimmed the repro to this:

static void test_guest_memfd_repro(void)
{
	struct kvm_vcpu *vcpu;
	uint8_t *unaligned_mem;
	struct kvm_vm *vm;
	uint8_t *mem;
	int fd;

	vm = __vm_create_shape_with_one_vcpu(VM_SHAPE_DEFAULT, &vcpu, 1, guest_code);

	fd = vm_create_guest_memfd(vm, SZ_2M * 2, GUEST_MEMFD_FLAG_MMAP |
GUEST_MEMFD_FLAG_INIT_SHARED);

	unaligned_mem = mmap(NULL, SZ_2M + SZ_2M, PROT_READ | PROT_WRITE,
MAP_FIXED | MAP_SHARED, fd, 0);
	mem = align_ptr_up(unaligned_mem, SZ_2M);
	TEST_ASSERT(((unsigned long)mem & (SZ_2M - 1)) == 0, "returned
address must be aligned to SZ_2M");

	TEST_ASSERT_EQ(madvise(mem, SZ_2M, MADV_HUGEPAGE), 0);

	for (int i = 0; i < SZ_2M; i += SZ_4K)
		READ_ONCE(mem[i]);

	TEST_ASSERT_EQ(madvise(mem, SZ_2M, MADV_COLLAPSE), 0);

	TEST_ASSERT_EQ(madvise(mem, SZ_2M, MADV_DONTNEED), 0);

	/* This triggers the WARNing. */
	READ_ONCE(mem[0]);

	munmap(unaligned_mem, SZ_2M * 2);

	close(fd);
	kvm_vm_free(vm);
}

And tried to replace the fd creation the secretmem equivalent

	fd = syscall(__NR_memfd_secret, 0);
	TEST_ASSERT(fd >= 0, "Couldn't create secretmem fd.");
	TEST_ASSERT_EQ(ftruncate(fd, SZ_2M * 2), 0);

Should a guest_memfd selftest be added to cover this?

MADV_COLLAPSE fails with EINVAL, but it does go through to
hpage_collapse_scan_file() -> collapse_file(), before failing because
when collapsing the page, copy_mc_highpage() returns > 0.

Not super familiar with copy_mc_highpage() - I haven't looked into why
copy_mc_highpage() failed, but looks like it would have caused
memory_failure_queue() which would be inappropriate.

Since this also affects secretmem, I think thp_vma_allowable_order() is
the best place to intercept the collapsing flow for both secretmem and
guest_memfd.

Let me know if you have any ideas!

>> --
>> Cheers,
>>
>> David

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ