From: linuxtestproject.agent@gmail.com
To: Jan Polensky <japo@linux.ibm.com>
Cc: ltp@lists.linux.it
Subject: Re: [LTP] thp04: Fix PTRACE mode for CONFIG_PROC_MEM_FORCE_PTRACE=y
Date: Fri, 12 Jun 2026 19:21:42 +0000 [thread overview]
Message-ID: <20260612192142.4221-1-linuxtestproject.agent@gmail.com> (raw)
In-Reply-To: <20260612171712.324175-1-japo@linux.ibm.com>
Hi Jan,
On Fri, 12 Jun 2026 19:17:07 +0200, Jan Polensky wrote:
> thp04: Fix PTRACE mode for CONFIG_PROC_MEM_FORCE_PTRACE=y
> - fzsync_pair.exec_loops = 100000;
> - tst_fzsync_pair_init(&fzsync_pair);
> + child->readfd = SAFE_OPEN("/proc/self/mem", O_RDWR);
> + child->fzsync_pair.exec_loops = 1000;
> + tst_fzsync_pair_init(&child->fzsync_pair);
> + /* In PROC_MEM_ALWAYS mode, child does writes itself */
> + if (proc_mem_mode == PROC_MEM_ALWAYS) {
> +
> + /* Simplified test loop without thread */
> + for (i = 0; i < 1000; i++) {
> + /* Write via /proc/self/mem */
> + SAFE_LSEEK(child->writefd, (off_t)child->write_ptr, SEEK_SET);
> + SAFE_WRITE(SAFE_WRITE_ALL, child->writefd, &c, sizeof(int));
> +
> + /* Call madvise on write page */
> + madvise(child->write_thp, child->thp_size, MADV_DONTNEED);
> +
> + /* Call madvise on read page */
> + madvise(child->read_thp, child->thp_size, MADV_DONTNEED);
> +
> + /* Check if read page was polluted */
> + if (*child->read_ptr != 0) {
> + tst_res(TFAIL, "Huge zero page was polluted");
> + return;
> + }
> +
> + usleep(100);
> + }
The original test used tst_fzsync to race the /proc/self/mem write
against madvise(MADV_DONTNEED) in a separate thread. That race is
the mechanism that triggers CVE-2017-1000405: the kernel must
handle the COW fault concurrently with page reclaim to corrupt
the huge zero page.
This replacement runs write, madvise, and check sequentially in a
single thread with no concurrency. The vulnerability cannot be
triggered without the race, so the test becomes a no-op for
detecting the bug in PROC_MEM_ALWAYS mode (the default on most
systems).
The fzsync_pair is still initialized and cleaned up but never
actually used for racing (no tst_fzsync_run_a/b calls), and
readfd is opened but never read from. These are dead remnants of
the removed race mechanism.
Could the fuzzy sync race be preserved for the PROC_MEM_ALWAYS
path while adding the new write-stop-continue cycle only for the
PROC_MEM_PTRACE path?
> + proc_mem_mode = PROC_MEM_ALWAYS;
> + child_setup();
> +
> + TEST(lseek(child->writefd, (off_t)child->write_ptr, SEEK_SET));
> + if (TST_RET == -1)
> + tst_brk(TBROK | TTERRNO, "lseek on /proc/self/mem failed");
> +
> + TEST(write(child->writefd, &test_val, sizeof(test_val)));
> +
> + if (TST_RET == sizeof(test_val)) {
> + proc_mem_mode = PROC_MEM_ALWAYS;
> + return;
> + }
> +
> + if (TST_RET == -1 && TST_ERR != EIO)
> + tst_brk(TBROK | TTERRNO, "test write to /proc/self/mem failed");
> +
> + /* /proc/self/mem write failed, cleanup and try ptrace mode */
> + child_cleanup();
> + SAFE_MUNMAP(child, sizeof(*child));
> + child = NULL;
> +
> + if (explicit_mode && proc_mem_mode == PROC_MEM_ALWAYS)
> + tst_brk(TCONF,
> + "Writes to /proc/self/mem disabled despite always mode");
The unconditional assignment `proc_mem_mode = PROC_MEM_ALWAYS`
before the probe destroys the value parsed from the kernel command
line. When the user explicitly sets proc_mem.force_override=ptrace,
this sequence occurs:
1. Kernel cmdline parsing sets proc_mem_mode = PROC_MEM_PTRACE
and explicit_mode = 1.
2. Line 294 overwrites proc_mem_mode = PROC_MEM_ALWAYS.
3. The probe write to /proc/self/mem fails (expected in ptrace
mode).
4. The check `explicit_mode && proc_mem_mode == PROC_MEM_ALWAYS`
evaluates to true because the overwrite at step 2 lost the
original choice.
5. The test exits with TCONF "disabled despite always mode"
instead of falling through to the ptrace path.
The user's explicit ptrace choice is silently discarded. One fix
would be to save the parsed mode in a separate variable (e.g.
`user_mode`) before the probe and test that at line 316 instead
of proc_mem_mode.
Verdict - Needs revision
---
Note:
The agent can sometimes produce false positives although often its
findings are genuine. If you find issues with the review, please
comment this email or ignore the suggestions.
Regards,
LTP AI Reviewer
--
Mailing list info: https://lists.linux.it/listinfo/ltp
prev parent reply other threads:[~2026-06-12 19:22 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-12 17:17 [LTP] [PATCH v2 1/1] thp04: Fix PTRACE mode for CONFIG_PROC_MEM_FORCE_PTRACE=y Jan Polensky
2026-06-12 19:21 ` linuxtestproject.agent [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260612192142.4221-1-linuxtestproject.agent@gmail.com \
--to=linuxtestproject.agent@gmail.com \
--cc=japo@linux.ibm.com \
--cc=ltp@lists.linux.it \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox