lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAEvNRgGjcMY-DMLu1ZaCRXA8uCeueBD9a-a1gh-UEB7nqpfTfg@mail.gmail.com>
Date: Mon, 9 Feb 2026 10:24:25 -0800
From: Ackerley Tng <ackerleytng@...gle.com>
To: "David Hildenbrand (Arm)" <david@...nel.org>, Sean Christopherson <seanjc@...gle.com>
Cc: syzbot+33a04338019ac7e43a44@...kaller.appspotmail.com, kvm@...r.kernel.org, 
	linux-kernel@...r.kernel.org, pbonzini@...hat.com, 
	syzkaller-bugs@...glegroups.com, michael.roth@....com, vannapurve@...gle.com, 
	kartikey406@...il.com
Subject: Re: [PATCH] KVM: guest_memfd: Disable VMA merging with VM_DONTEXPAND

"David Hildenbrand (Arm)" <david@...nel.org> writes:

> On 2/8/26 18:34, Ackerley Tng wrote:
>> Ackerley Tng <ackerleytng@...gle.com> writes:
>>
>>>
>>> [...snip...]
>>>
>>>> !thp_vma_allowable_order() must take care of that somehow down in
>>>> __thp_vma_allowable_orders(), by checking the file).
>>>>
>>>> Likely the file_thp_enabled() check is the culprit with
>>>> CONFIG_READ_ONLY_THP_FOR_FS?
>>>>
>>>> Maybe we need a flag to say "even not CONFIG_READ_ONLY_THP_FOR_FS".
>>>>
>>>> I wonder how we handle that for secretmem. Too late for me, going to bed :)
>>>>
>>>
>>> Let me look deeper into this. Thanks!
>>>
>>
>> I trimmed the repro to this:
>>
>> static void test_guest_memfd_repro(void)
>> {
>> 	struct kvm_vcpu *vcpu;
>> 	uint8_t *unaligned_mem;
>> 	struct kvm_vm *vm;
>> 	uint8_t *mem;
>> 	int fd;
>>
>> 	vm = __vm_create_shape_with_one_vcpu(VM_SHAPE_DEFAULT, &vcpu, 1, guest_code);
>>
>> 	fd = vm_create_guest_memfd(vm, SZ_2M * 2, GUEST_MEMFD_FLAG_MMAP |
>> GUEST_MEMFD_FLAG_INIT_SHARED);
>>
>> 	unaligned_mem = mmap(NULL, SZ_2M + SZ_2M, PROT_READ | PROT_WRITE,
>> MAP_FIXED | MAP_SHARED, fd, 0);
>> 	mem = align_ptr_up(unaligned_mem, SZ_2M);
>> 	TEST_ASSERT(((unsigned long)mem & (SZ_2M - 1)) == 0, "returned
>> address must be aligned to SZ_2M");
>>
>> 	TEST_ASSERT_EQ(madvise(mem, SZ_2M, MADV_HUGEPAGE), 0);
>>
>> 	for (int i = 0; i < SZ_2M; i += SZ_4K)
>> 		READ_ONCE(mem[i]);
>>
>> 	TEST_ASSERT_EQ(madvise(mem, SZ_2M, MADV_COLLAPSE), 0);
>>
>> 	TEST_ASSERT_EQ(madvise(mem, SZ_2M, MADV_DONTNEED), 0);
>>
>> 	/* This triggers the WARNing. */
>> 	READ_ONCE(mem[0]);
>>
>> 	munmap(unaligned_mem, SZ_2M * 2);
>>
>> 	close(fd);
>> 	kvm_vm_free(vm);
>> }
>>
>> And tried to replace the fd creation the secretmem equivalent
>>
>> 	fd = syscall(__NR_memfd_secret, 0);
>> 	TEST_ASSERT(fd >= 0, "Couldn't create secretmem fd.");
>> 	TEST_ASSERT_EQ(ftruncate(fd, SZ_2M * 2), 0);
>>
>> Should a guest_memfd selftest be added to cover this?
>>
>> MADV_COLLAPSE fails with EINVAL, but it does go through to
>> hpage_collapse_scan_file() -> collapse_file(), before failing because
>> when collapsing the page, copy_mc_highpage() returns > 0.
>
> Just what I suspected. :)
>
> Thanks for digging into the details!
>

Happy to help :)

In general, do we want the reproducers added as selftests? Should this
be added as part of tools/testing/selftests/kvm/guest_memfd_test.c or a
separate file?

> --
> Cheers,
>
> David

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ