| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <546b200d-5b70-4db4-99f1-f50f6a343c10@kernel.org>
Date: Mon, 9 Feb 2026 18:36:32 +0100
From: "David Hildenbrand (Arm)" <david@...nel.org>
To: Zi Yan <ziy@...dia.com>
Cc: Mikhail Gavrilov <mikhail.v.gavrilov@...il.com>, linux-mm@...ck.org,
akpm@...ux-foundation.org, vbabka@...e.cz, surenb@...gle.com,
mhocko@...e.com, jackmanb@...gle.com, hannes@...xchg.org, npiggin@...il.com,
linux-kernel@...r.kernel.org, kasong@...cent.com, hughd@...gle.com,
chrisl@...nel.org, ryncsn@...il.com, stable@...r.kernel.org,
willy@...radead.org
Subject: Re: [PATCH v3] mm/page_alloc: clear page->private in
free_pages_prepare()
On 2/9/26 17:33, Zi Yan wrote:
> On 9 Feb 2026, at 11:20, David Hildenbrand (Arm) wrote:
>
>> On 2/9/26 17:16, David Hildenbrand (Arm) wrote:
>>>
>>> Right. Or someone could use page->private on tail pages and free non- zero ->private that way.
>>>
>>> [...]
>>>
>>>
>>> Thanks.
>>>
>>>
>>> Right.
>>>
>>>
>>> Right. And whether it is okay to have any tail->private be non-zero.
>>>
>>>
>>> Ideally, I guess, we would minimize the clearing of the ->private fields.
>>>
>>> If we could guarantee that *any* pages in the buddy have ->private clear, maybe
>>> prep_compound_tail() could stop clearing it (and check instead).
>>>
>>> So similar to what Vlasta said, maybe we want to (not check but actually clear):
>>>
>>>
>>> diff --git a/mm/page_alloc.c b/mm/page_alloc.c
>>> index e4104973e22f..4960a36145fe 100644
>>> --- a/mm/page_alloc.c
>>> +++ b/mm/page_alloc.c
>>> @@ -1410,6 +1410,7 @@ __always_inline bool free_pages_prepare(struct page *page,
>>> }
>>> }
>>> (page + i)->flags.f &= ~PAGE_FLAGS_CHECK_AT_PREP;
>>> + set_page_private(page + i, 0);
>>> }
>>> }
>>
>> Thinking again, maybe it is indeed better to rework the code to not allow freeing pages with ->private on any page. Then, we only have to zero it out where we actually used it and could check here that all
>> ->private is 0.
>>
>> I guess that's a bit more work, and any temporary fix would likely just do.
>
> I agree. Silently fixing non zero ->private just moves the work/responsibility
> from users to core mm. They could do better. :)
>
> We can have a patch or multiple patches to fix users do not zero ->private
> when freeing a page and add the patch below.
Do we know roughly which ones don't zero it out?
> The hassle would be that
> catching all, especially non mm users might not be easy, but we could merge
> the patch below (and obviously fixes) after next merge window is closed and
> let rc tests tell us the remaining one. WDYT?
LGTM, then we can look into stopping to zero for compound pages.
>
>
> diff --git a/mm/page_alloc.c b/mm/page_alloc.c
> index 24ac34199f95..0c5d117a251e 100644
> --- a/mm/page_alloc.c
> +++ b/mm/page_alloc.c
> @@ -1411,6 +1411,7 @@ __always_inline bool free_pages_prepare(struct page *page,
> }
> }
> (page + i)->flags.f &= ~PAGE_FLAGS_CHECK_AT_PREP;
> + VM_WARN_ON_ONCE((page + i)->private);
> }
> }
> if (folio_test_anon(folio)) {
> @@ -1430,6 +1431,7 @@ __always_inline bool free_pages_prepare(struct page *page,
>
> page_cpupid_reset_last(page);
> page->flags.f &= ~PAGE_FLAGS_CHECK_AT_PREP;
> + VM_WARN_ON_ONCE(page->private);
> page->private = 0;
> reset_page_owner(page, order);
> page_table_check_free(page, order);
>
>
> Best Regards,
> Yan, Zi
--
Cheers,
David
Powered by blists - more mailing lists