Linux-mm Archive on lore.kernel.org
 help / color / mirror / Atom feed
From: "David Hildenbrand (Arm)" <david@kernel.org>
To: Mike Rapoport <rppt@kernel.org>,
	Brendan Jackman <brendan.jackman@linux.dev>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Brendan Jackman <jackmanb@google.com>,
	Lorenzo Stoakes <ljs@kernel.org>,
	"Liam R. Howlett" <liam@infradead.org>,
	Vlastimil Babka <vbabka@kernel.org>,
	Suren Baghdasaryan <surenb@google.com>,
	Michal Hocko <mhocko@suse.com>,
	linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mm/secretmem: disable under HIGHMEM
Date: Mon, 6 Jul 2026 10:42:46 +0200	[thread overview]
Message-ID: <503aee9e-97fc-4889-a379-3c0a5d140554@kernel.org> (raw)
In-Reply-To: <akpBWmnujSnj1ZEE@kernel.org>

On 7/5/26 13:34, Mike Rapoport wrote:
> On Sun, Jul 05, 2026 at 10:46:19AM +0000, Brendan Jackman wrote:
>> On Sun Jul 5, 2026 at 2:26 AM UTC, Andrew Morton wrote:
>>>
>>> Well OK, but the secretmem code is still wrong.  The patch protects
>>> people from hitting the bug but leaves the bug in place.  Surely it would be
>>> better to fix the bug?
>>
>> I don't think the code is wrong if highmem is disabled. Certainly
>> there is an implicit coupling between the .c file and the Kconfig file,
>> but we could always add a BUILD_BUG_ON(IS_ENABLED(CONFIG_SECRETMEM)) to
>> the relevant bit of code to make it explicit.
>>
>>> Is that as simple as adding the folio_test_highmem() test?  
>>
>> This would fix the WARN+SIGBUS but I don't think it resolves the fact
>> that this configuration is completely untested - there are likely other
>> functional bugs? But more importantly, I am not sure if secretmem
>> actually does its security job if kmap_local_page() isn't a NOP. I
>> think shipping a "security feature" that doesn't do what it says would
>> be really terrible. (It might work totally fine, I dunno, but it would
>> require some research and deep thinking that I don't really want to do
>> for a configuration with no users).
>>
>>> Or switching to GFP_KERNEL?  
>>
>> ... Oh, that's a nice idea though :)
> 
> GFP_USER if anything :)

Right.

> 
> But still with kmap() and friends not being an NOP the promise "kernel does
> not map this memory" does not hold.
> 
> I think that keeping SECRETMEM and HIGHMEM mutually exclusive is
> conceptually correct.

We could even limit it to 64BIT ;)

-- 
Cheers,

David


      reply	other threads:[~2026-07-06  8:42 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-03 14:48 [PATCH] mm/secretmem: disable under HIGHMEM Brendan Jackman
2026-07-04  6:42 ` Mike Rapoport
2026-07-05  2:26 ` Andrew Morton
2026-07-05 10:46   ` Brendan Jackman
2026-07-05 11:34     ` Mike Rapoport
2026-07-06  8:42       ` David Hildenbrand (Arm) [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=503aee9e-97fc-4889-a379-3c0a5d140554@kernel.org \
    --to=david@kernel.org \
    --cc=akpm@linux-foundation.org \
    --cc=brendan.jackman@linux.dev \
    --cc=jackmanb@google.com \
    --cc=liam@infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=ljs@kernel.org \
    --cc=mhocko@suse.com \
    --cc=rppt@kernel.org \
    --cc=surenb@google.com \
    --cc=vbabka@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox