Message-ID: <d3df9637-18f6-4143-befd-1550320b4dc8@kernel.org>
Date: Mon, 9 Feb 2026 20:38:06 +0100
From: "David Hildenbrand (Arm)" <david@...nel.org>
To: Ackerley Tng <ackerleytng@...gle.com>,
 Sean Christopherson <seanjc@...gle.com>
Cc: syzbot+33a04338019ac7e43a44@...kaller.appspotmail.com,
 kvm@...r.kernel.org, linux-kernel@...r.kernel.org, pbonzini@...hat.com,
 syzkaller-bugs@...glegroups.com, michael.roth@....com,
 vannapurve@...gle.com, kartikey406@...il.com
Subject: Re: [PATCH] KVM: guest_memfd: Disable VMA merging with VM_DONTEXPAND

On 2/9/26 19:24, Ackerley Tng wrote:
> "David Hildenbrand (Arm)" <david@...nel.org> writes:
> 
>> On 2/8/26 18:34, Ackerley Tng wrote:
>>> Ackerley Tng <ackerleytng@...gle.com> writes:
>>>
>>>
>>> I trimmed the repro to this:
>>>
>>> static void test_guest_memfd_repro(void)
>>> {
>>> 	struct kvm_vcpu *vcpu;
>>> 	uint8_t *unaligned_mem;
>>> 	struct kvm_vm *vm;
>>> 	uint8_t *mem;
>>> 	int fd;
>>>
>>> 	vm = __vm_create_shape_with_one_vcpu(VM_SHAPE_DEFAULT, &vcpu, 1, guest_code);
>>>
>>> 	fd = vm_create_guest_memfd(vm, SZ_2M * 2,
>>> 				   GUEST_MEMFD_FLAG_MMAP | GUEST_MEMFD_FLAG_INIT_SHARED);
>>>
>>> 	unaligned_mem = mmap(NULL, SZ_2M + SZ_2M, PROT_READ | PROT_WRITE,
>>> 			     MAP_FIXED | MAP_SHARED, fd, 0);
>>> 	mem = align_ptr_up(unaligned_mem, SZ_2M);
>>> 	TEST_ASSERT(((unsigned long)mem & (SZ_2M - 1)) == 0,
>>> 		    "returned address must be aligned to SZ_2M");
>>>
>>> 	TEST_ASSERT_EQ(madvise(mem, SZ_2M, MADV_HUGEPAGE), 0);
>>>
>>> 	for (int i = 0; i < SZ_2M; i += SZ_4K)
>>> 		READ_ONCE(mem[i]);
>>>
>>> 	TEST_ASSERT_EQ(madvise(mem, SZ_2M, MADV_COLLAPSE), 0);
>>>
>>> 	TEST_ASSERT_EQ(madvise(mem, SZ_2M, MADV_DONTNEED), 0);
>>>
>>> 	/* This triggers the WARNing. */
>>> 	READ_ONCE(mem[0]);
>>>
>>> 	munmap(unaligned_mem, SZ_2M * 2);
>>>
>>> 	close(fd);
>>> 	kvm_vm_free(vm);
>>> }
>>>
>>> And tried to replace the fd creation with the secretmem equivalent:
>>>
>>> 	fd = syscall(__NR_memfd_secret, 0);
>>> 	TEST_ASSERT(fd >= 0, "Couldn't create secretmem fd.");
>>> 	TEST_ASSERT_EQ(ftruncate(fd, SZ_2M * 2), 0);
>>>
>>> Should a guest_memfd selftest be added to cover this?
>>>
>>> MADV_COLLAPSE fails with EINVAL, but it does go through to
>>> hpage_collapse_scan_file() -> collapse_file(), before failing because
>>> when collapsing the page, copy_mc_highpage() returns > 0.
>>
>> Just what I suspected. :)
>>
>> Thanks for digging into the details!
>>
> 
> Happy to help :)
> 
> In general, do we want the reproducers added as selftests? Should this
> be added as part of tools/testing/selftests/kvm/guest_memfd_test.c?

I guess adding it to guest_memfd_test.c and asserting that MADV_COLLAPSE 
fails as expected could be a reasonable test case. It's not a lot of 
code and easy to verify.

-- 
Cheers,

David
