lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <442d7ce8-0de3-4f5a-95ed-3be9bdaa7e47@kernel.org>
Date: Mon, 9 Feb 2026 11:38:14 +0100
From: "David Hildenbrand (Arm)" <david@...nel.org>
To: Ackerley Tng <ackerleytng@...gle.com>,
 Sean Christopherson <seanjc@...gle.com>
Cc: syzbot+33a04338019ac7e43a44@...kaller.appspotmail.com,
 kvm@...r.kernel.org, linux-kernel@...r.kernel.org, pbonzini@...hat.com,
 syzkaller-bugs@...glegroups.com, michael.roth@....com,
 vannapurve@...gle.com, kartikey406@...il.com
Subject: Re: [PATCH] KVM: guest_memfd: Disable VMA merging with VM_DONTEXPAND

On 2/8/26 18:34, Ackerley Tng wrote:
> Ackerley Tng <ackerleytng@...gle.com> writes:
> 
>>
>> [...snip...]
>>
>>> !thp_vma_allowable_order() must take care of that somehow down in
>>> __thp_vma_allowable_orders(), by checking the file).
>>>
>>> Likely the file_thp_enabled() check is the culprit with
>>> CONFIG_READ_ONLY_THP_FOR_FS?
>>>
>>> Maybe we need a flag to say "even not CONFIG_READ_ONLY_THP_FOR_FS".
>>>
>>> I wonder how we handle that for secretmem. Too late for me, going to bed :)
>>>
>>
>> Let me look deeper into this. Thanks!
>>
> 
> I trimmed the repro to this:
> 
> static void test_guest_memfd_repro(void)
> {
> 	struct kvm_vcpu *vcpu;
> 	uint8_t *unaligned_mem;
> 	struct kvm_vm *vm;
> 	uint8_t *mem;
> 	int fd;
> 
> 	vm = __vm_create_shape_with_one_vcpu(VM_SHAPE_DEFAULT, &vcpu, 1, guest_code);
> 
> 	fd = vm_create_guest_memfd(vm, SZ_2M * 2, GUEST_MEMFD_FLAG_MMAP |
> GUEST_MEMFD_FLAG_INIT_SHARED);
> 
> 	unaligned_mem = mmap(NULL, SZ_2M + SZ_2M, PROT_READ | PROT_WRITE,
> MAP_FIXED | MAP_SHARED, fd, 0);
> 	mem = align_ptr_up(unaligned_mem, SZ_2M);
> 	TEST_ASSERT(((unsigned long)mem & (SZ_2M - 1)) == 0, "returned
> address must be aligned to SZ_2M");
> 
> 	TEST_ASSERT_EQ(madvise(mem, SZ_2M, MADV_HUGEPAGE), 0);
> 
> 	for (int i = 0; i < SZ_2M; i += SZ_4K)
> 		READ_ONCE(mem[i]);
> 
> 	TEST_ASSERT_EQ(madvise(mem, SZ_2M, MADV_COLLAPSE), 0);
> 
> 	TEST_ASSERT_EQ(madvise(mem, SZ_2M, MADV_DONTNEED), 0);
> 
> 	/* This triggers the WARNing. */
> 	READ_ONCE(mem[0]);
> 
> 	munmap(unaligned_mem, SZ_2M * 2);
> 
> 	close(fd);
> 	kvm_vm_free(vm);
> }
> 
> And tried to replace the fd creation the secretmem equivalent
> 
> 	fd = syscall(__NR_memfd_secret, 0);
> 	TEST_ASSERT(fd >= 0, "Couldn't create secretmem fd.");
> 	TEST_ASSERT_EQ(ftruncate(fd, SZ_2M * 2), 0);
> 
> Should a guest_memfd selftest be added to cover this?
> 
> MADV_COLLAPSE fails with EINVAL, but it does go through to
> hpage_collapse_scan_file() -> collapse_file(), before failing because
> when collapsing the page, copy_mc_highpage() returns > 0.

Just what I suspected. :)

Thanks for digging into the details!

-- 
Cheers,

David

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ