From: Dev Jain <dev.jain@arm.com>
To: muchun.song@linux.dev, osalvador@suse.de,
akpm@linux-foundation.org, ljs@kernel.org, david@kernel.org,
liam@infradead.org
Cc: Dev Jain <dev.jain@arm.com>,
riel@surriel.com, vbabka@kernel.org, harry@kernel.org,
jannh@google.com, lance.yang@linux.dev, kas@kernel.org,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
rcampbell@nvidia.com, apopple@nvidia.com, ziy@nvidia.com,
matthew.brost@intel.com, joshua.hahnjy@gmail.com,
rakie.kim@sk.com, byungchul@sk.com, gourry@gourry.net,
ying.huang@linux.alibaba.com, mel@csn.ul.ie,
nao.horiguchi@gmail.com, ak@linux.intel.com,
j-nomura@ce.jp.nec.com, pfalcato@suse.de, dave.hansen@intel.com,
tglx@kernel.org, jpoimboe@kernel.org, ryan.roberts@arm.com,
anshuman.khandual@arm.com
Subject: [PATCH 5/5] mm/mprotect: use huge_ptep_get() for hugetlb
Date: Thu, 25 Jun 2026 11:29:54 +0000 [thread overview]
Message-ID: <20260625112955.3254283-6-dev.jain@arm.com> (raw)
In-Reply-To: <20260625112955.3254283-1-dev.jain@arm.com>
prot_none_hugetlb_entry() is the hugetlb callback for the early
mprotect(PROT_NONE) PFN permission walk on x86.
The callback passes the decoded PFN to pfn_modify_allowed(). For a
hugetlb callback, the pte pointer refers to a hugetlb entry. On
architectures where hugetlb entries need huge_ptep_get(), reading that
entry with ptep_get() can make the permission check use the wrong PFN.
Use huge_ptep_get() before decoding the hugetlb PFN.
Currently there is no path which can trigger a bug: huge_ptep_get() is a
simple ptep_get() for x86, and the prot_none walk occurs only for x86.
But use the correct helper anyways.
Fixes: 42e4089c7890 ("x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings")
Signed-off-by: Dev Jain <dev.jain@arm.com>
---
mm/mprotect.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/mm/mprotect.c b/mm/mprotect.c
index 9cbf932b028cf..23779632d18bf 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -699,14 +699,20 @@ static int prot_none_pte_entry(pte_t *pte, unsigned long addr,
0 : -EACCES;
}
+#ifdef CONFIG_HUGETLB_PAGE
static int prot_none_hugetlb_entry(pte_t *pte, unsigned long hmask,
unsigned long addr, unsigned long next,
struct mm_walk *walk)
{
- return pfn_modify_allowed(pte_pfn(ptep_get(pte)),
+ pte_t entry = huge_ptep_get(walk->mm, addr, pte);
+
+ return pfn_modify_allowed(pte_pfn(entry),
*(pgprot_t *)(walk->private)) ?
0 : -EACCES;
}
+#else
+#define prot_none_hugetlb_entry NULL
+#endif
static int prot_none_test(unsigned long addr, unsigned long next,
struct mm_walk *walk)
--
2.43.0
next prev parent reply other threads:[~2026-06-25 11:31 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-25 11:29 [PATCH 0/5] Fix incorrect access of hugetlb pte entries Dev Jain
2026-06-25 11:29 ` [PATCH 1/5] mm/rmap: use huge_ptep_get() in try_to_unmap_one() Dev Jain
2026-06-26 3:17 ` Muchun Song
2026-06-26 4:03 ` Dev Jain
2026-06-26 4:16 ` Muchun Song
2026-06-25 11:29 ` [PATCH 2/5] mm/rmap: use huge_ptep_get() in try_to_migrate_one() Dev Jain
2026-06-26 3:24 ` Muchun Song
2026-06-25 11:29 ` [PATCH 3/5] mm/migrate: use huge_ptep_get() in remove_migration_pte() Dev Jain
2026-06-26 3:32 ` Muchun Song
2026-06-25 11:29 ` [PATCH 4/5] mm/page_vma_mapped: use huge_ptep_get() for hugetlb Dev Jain
2026-06-26 2:31 ` Lance Yang
2026-06-26 4:06 ` Dev Jain
2026-06-26 7:48 ` Lance Yang
2026-06-26 9:14 ` Lance Yang
2026-06-26 13:23 ` Dev Jain
2026-06-26 14:10 ` Lance Yang
2026-06-26 15:26 ` Dev Jain
2026-06-26 16:46 ` Lance Yang
2026-06-25 11:29 ` Dev Jain [this message]
2026-06-26 3:40 ` [PATCH 5/5] mm/mprotect: " Muchun Song
2026-06-26 4:08 ` Dev Jain
2026-06-26 4:21 ` Muchun Song
2026-06-26 4:42 ` Dev Jain
2026-06-25 13:59 ` [PATCH 0/5] Fix incorrect access of hugetlb pte entries Zi Yan
2026-06-26 4:09 ` Dev Jain
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260625112955.3254283-6-dev.jain@arm.com \
--to=dev.jain@arm.com \
--cc=ak@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=anshuman.khandual@arm.com \
--cc=apopple@nvidia.com \
--cc=byungchul@sk.com \
--cc=dave.hansen@intel.com \
--cc=david@kernel.org \
--cc=gourry@gourry.net \
--cc=harry@kernel.org \
--cc=j-nomura@ce.jp.nec.com \
--cc=jannh@google.com \
--cc=joshua.hahnjy@gmail.com \
--cc=jpoimboe@kernel.org \
--cc=kas@kernel.org \
--cc=lance.yang@linux.dev \
--cc=liam@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=ljs@kernel.org \
--cc=matthew.brost@intel.com \
--cc=mel@csn.ul.ie \
--cc=muchun.song@linux.dev \
--cc=nao.horiguchi@gmail.com \
--cc=osalvador@suse.de \
--cc=pfalcato@suse.de \
--cc=rakie.kim@sk.com \
--cc=rcampbell@nvidia.com \
--cc=riel@surriel.com \
--cc=ryan.roberts@arm.com \
--cc=tglx@kernel.org \
--cc=vbabka@kernel.org \
--cc=ying.huang@linux.alibaba.com \
--cc=ziy@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.