* Re: [PATCH 1/1] mm/secretmem: fix use-after-free race in fault handler
2025-10-31 9:59 ` Mike Rapoport
@ 2025-10-31 10:19 ` David Hildenbrand
2025-10-31 10:35 ` Lance Yang
2025-10-31 10:24 ` Lorenzo Stoakes
2025-10-31 10:34 ` Lance Yang
2 siblings, 1 reply; 7+ messages in thread
From: David Hildenbrand @ 2025-10-31 10:19 UTC (permalink / raw)
To: Mike Rapoport, Lance Yang
Cc: akpm, big-sleep-vuln-reports, linux-kernel, linux-mm,
lorenzo.stoakes, willy, stable
On 31.10.25 10:59, Mike Rapoport wrote:
> On Fri, Oct 31, 2025 at 05:18:18PM +0800, Lance Yang wrote:
>> From: Lance Yang <lance.yang@linux.dev>
>>
>> The error path in secretmem_fault() frees a folio before restoring its
>> direct map status, which is a race leading to a panic.
>
> Let's use the issue description from the report:
>
> When a page fault occurs in a secret memory file created with
> `memfd_secret(2)`, the kernel will allocate a new folio for it, mark
> the underlying page as not-present in the direct map, and add it to
> the file mapping.
>
> If two tasks cause a fault in the same page concurrently, both could
> end up allocating a folio and removing the page from the direct map,
> but only one would succeed in adding the folio to the file
> mapping. The task that failed undoes the effects of its attempt by (a)
> freeing the folio again and (b) putting the page back into the direct
> map. However, by doing these two operations in this order, the page
> becomes available to the allocator again before it is placed back in
> the direct mapping.
>
> If another task attempts to allocate the page between (a) and (b), and
> the kernel tries to access it via the direct map, it would result in a
> supervisor not-present page fault.
>
>> Fix the ordering to restore the map before the folio is freed.
>
> ... restore the direct map
>
> With these changes
>
> Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Fully agreed
Acked-by: David Hildenbrand <david@redhat.com>
--
Cheers
David / dhildenb
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] mm/secretmem: fix use-after-free race in fault handler
2025-10-31 10:19 ` David Hildenbrand
@ 2025-10-31 10:35 ` Lance Yang
0 siblings, 0 replies; 7+ messages in thread
From: Lance Yang @ 2025-10-31 10:35 UTC (permalink / raw)
To: David Hildenbrand
Cc: akpm, big-sleep-vuln-reports, linux-kernel, linux-mm,
lorenzo.stoakes, willy, stable, Mike Rapoport
On 2025/10/31 18:19, David Hildenbrand wrote:
> On 31.10.25 10:59, Mike Rapoport wrote:
>> On Fri, Oct 31, 2025 at 05:18:18PM +0800, Lance Yang wrote:
>>> From: Lance Yang <lance.yang@linux.dev>
>>>
>>> The error path in secretmem_fault() frees a folio before restoring its
>>> direct map status, which is a race leading to a panic.
>>
>> Let's use the issue description from the report:
>>
>> When a page fault occurs in a secret memory file created with
>> `memfd_secret(2)`, the kernel will allocate a new folio for it, mark
>> the underlying page as not-present in the direct map, and add it to
>> the file mapping.
>>
>> If two tasks cause a fault in the same page concurrently, both could
>> end up allocating a folio and removing the page from the direct map,
>> but only one would succeed in adding the folio to the file
>> mapping. The task that failed undoes the effects of its attempt by (a)
>> freeing the folio again and (b) putting the page back into the direct
>> map. However, by doing these two operations in this order, the page
>> becomes available to the allocator again before it is placed back in
>> the direct mapping.
>>
>> If another task attempts to allocate the page between (a) and (b), and
>> the kernel tries to access it via the direct map, it would result in a
>> supervisor not-present page fault.
>>> Fix the ordering to restore the map before the folio is freed.
>>
>> ... restore the direct map
>>
>> With these changes
>>
>> Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
>
> Fully agreed
>
> Acked-by: David Hildenbrand <david@redhat.com>
Cheers!
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] mm/secretmem: fix use-after-free race in fault handler
2025-10-31 9:59 ` Mike Rapoport
2025-10-31 10:19 ` David Hildenbrand
@ 2025-10-31 10:24 ` Lorenzo Stoakes
2025-10-31 10:34 ` Lance Yang
2025-10-31 10:34 ` Lance Yang
2 siblings, 1 reply; 7+ messages in thread
From: Lorenzo Stoakes @ 2025-10-31 10:24 UTC (permalink / raw)
To: Mike Rapoport
Cc: Lance Yang, akpm, big-sleep-vuln-reports, linux-kernel, linux-mm,
willy, david, stable
Small thing, sorry to be a pain buuuut could we please not send patches
in-reply to another mail, it makes it harder for people to see :)
On Fri, Oct 31, 2025 at 11:59:16AM +0200, Mike Rapoport wrote:
> On Fri, Oct 31, 2025 at 05:18:18PM +0800, Lance Yang wrote:
> > From: Lance Yang <lance.yang@linux.dev>
> >
> > The error path in secretmem_fault() frees a folio before restoring its
> > direct map status, which is a race leading to a panic.
>
> Let's use the issue description from the report:
>
> When a page fault occurs in a secret memory file created with
> `memfd_secret(2)`, the kernel will allocate a new folio for it, mark
> the underlying page as not-present in the direct map, and add it to
> the file mapping.
>
> If two tasks cause a fault in the same page concurrently, both could
> end up allocating a folio and removing the page from the direct map,
> but only one would succeed in adding the folio to the file
> mapping. The task that failed undoes the effects of its attempt by (a)
> freeing the folio again and (b) putting the page back into the direct
> map. However, by doing these two operations in this order, the page
> becomes available to the allocator again before it is placed back in
> the direct mapping.
>
> If another task attempts to allocate the page between (a) and (b), and
> the kernel tries to access it via the direct map, it would result in a
> supervisor not-present page fault.
>
> > Fix the ordering to restore the map before the folio is freed.
>
> ... restore the direct map
>
> With these changes
>
> Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Agree with David, Mike this looks 'obviously correct' thanks for addressing
it.
But also as per Mike, please update message accordingly and send v2
not-in-reply-to-anything :P
With that said:
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
>
> >
> > Cc: <stable@vger.kernel.org>
> > Reported-by: Google Big Sleep <big-sleep-vuln-reports@google.com>
> > Closes: https://lore.kernel.org/linux-mm/CAEXGt5QeDpiHTu3K9tvjUTPqo+d-=wuCNYPa+6sWKrdQJ-ATdg@mail.gmail.com/
> > Signed-off-by: Lance Yang <lance.yang@linux.dev>
> > ---
> > mm/secretmem.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/mm/secretmem.c b/mm/secretmem.c
> > index c1bd9a4b663d..37f6d1097853 100644
> > --- a/mm/secretmem.c
> > +++ b/mm/secretmem.c
> > @@ -82,13 +82,13 @@ static vm_fault_t secretmem_fault(struct vm_fault *vmf)
> > __folio_mark_uptodate(folio);
> > err = filemap_add_folio(mapping, folio, offset, gfp);
> > if (unlikely(err)) {
> > - folio_put(folio);
> > /*
> > * If a split of large page was required, it
> > * already happened when we marked the page invalid
> > * which guarantees that this call won't fail
> > */
> > set_direct_map_default_noflush(folio_page(folio, 0));
> > + folio_put(folio);
> > if (err == -EEXIST)
> > goto retry;
> >
> > --
> > 2.49.0
> >
>
> --
> Sincerely yours,
> Mike.
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH 1/1] mm/secretmem: fix use-after-free race in fault handler
2025-10-31 10:24 ` Lorenzo Stoakes
@ 2025-10-31 10:34 ` Lance Yang
0 siblings, 0 replies; 7+ messages in thread
From: Lance Yang @ 2025-10-31 10:34 UTC (permalink / raw)
To: Lorenzo Stoakes
Cc: akpm, big-sleep-vuln-reports, linux-kernel, linux-mm, willy,
david, stable, Mike Rapoport
On 2025/10/31 18:24, Lorenzo Stoakes wrote:
> Small thing, sorry to be a pain buuuut could we please not send patches
> in-reply to another mail, it makes it harder for people to see :)
>
> On Fri, Oct 31, 2025 at 11:59:16AM +0200, Mike Rapoport wrote:
>> On Fri, Oct 31, 2025 at 05:18:18PM +0800, Lance Yang wrote:
>>> From: Lance Yang <lance.yang@linux.dev>
>>>
>>> The error path in secretmem_fault() frees a folio before restoring its
>>> direct map status, which is a race leading to a panic.
>>
>> Let's use the issue description from the report:
>>
>> When a page fault occurs in a secret memory file created with
>> `memfd_secret(2)`, the kernel will allocate a new folio for it, mark
>> the underlying page as not-present in the direct map, and add it to
>> the file mapping.
>>
>> If two tasks cause a fault in the same page concurrently, both could
>> end up allocating a folio and removing the page from the direct map,
>> but only one would succeed in adding the folio to the file
>> mapping. The task that failed undoes the effects of its attempt by (a)
>> freeing the folio again and (b) putting the page back into the direct
>> map. However, by doing these two operations in this order, the page
>> becomes available to the allocator again before it is placed back in
>> the direct mapping.
>>
>> If another task attempts to allocate the page between (a) and (b), and
>> the kernel tries to access it via the direct map, it would result in a
>> supervisor not-present page fault.
>>
>>> Fix the ordering to restore the map before the folio is freed.
>>
>> ... restore the direct map
>>
>> With these changes
>>
>> Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
>
> Agree with David, Mike this looks 'obviously correct' thanks for addressing
> it.
>
> But also as per Mike, please update message accordingly and send v2
> not-in-reply-to-anything :P
Sure. V2 is on the way ;)
>
> With that said:
>
> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Thanks!
Lance
>
>>
>>>
>>> Cc: <stable@vger.kernel.org>
>>> Reported-by: Google Big Sleep <big-sleep-vuln-reports@google.com>
>>> Closes: https://lore.kernel.org/linux-mm/CAEXGt5QeDpiHTu3K9tvjUTPqo+d-=wuCNYPa+6sWKrdQJ-ATdg@mail.gmail.com/
>>> Signed-off-by: Lance Yang <lance.yang@linux.dev>
>>> ---
>>> mm/secretmem.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/mm/secretmem.c b/mm/secretmem.c
>>> index c1bd9a4b663d..37f6d1097853 100644
>>> --- a/mm/secretmem.c
>>> +++ b/mm/secretmem.c
>>> @@ -82,13 +82,13 @@ static vm_fault_t secretmem_fault(struct vm_fault *vmf)
>>> __folio_mark_uptodate(folio);
>>> err = filemap_add_folio(mapping, folio, offset, gfp);
>>> if (unlikely(err)) {
>>> - folio_put(folio);
>>> /*
>>> * If a split of large page was required, it
>>> * already happened when we marked the page invalid
>>> * which guarantees that this call won't fail
>>> */
>>> set_direct_map_default_noflush(folio_page(folio, 0));
>>> + folio_put(folio);
>>> if (err == -EEXIST)
>>> goto retry;
>>>
>>> --
>>> 2.49.0
>>>
>>
>> --
>> Sincerely yours,
>> Mike.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] mm/secretmem: fix use-after-free race in fault handler
2025-10-31 9:59 ` Mike Rapoport
2025-10-31 10:19 ` David Hildenbrand
2025-10-31 10:24 ` Lorenzo Stoakes
@ 2025-10-31 10:34 ` Lance Yang
2 siblings, 0 replies; 7+ messages in thread
From: Lance Yang @ 2025-10-31 10:34 UTC (permalink / raw)
To: Mike Rapoport
Cc: akpm, big-sleep-vuln-reports, linux-kernel, linux-mm,
lorenzo.stoakes, willy, david, stable
On 2025/10/31 17:59, Mike Rapoport wrote:
> On Fri, Oct 31, 2025 at 05:18:18PM +0800, Lance Yang wrote:
>> From: Lance Yang <lance.yang@linux.dev>
>>
>> The error path in secretmem_fault() frees a folio before restoring its
>> direct map status, which is a race leading to a panic.
>
> Let's use the issue description from the report:
Will do. I'll also add the missing Fixes: tag.
>
> When a page fault occurs in a secret memory file created with
> `memfd_secret(2)`, the kernel will allocate a new folio for it, mark
> the underlying page as not-present in the direct map, and add it to
> the file mapping.
>
> If two tasks cause a fault in the same page concurrently, both could
> end up allocating a folio and removing the page from the direct map,
> but only one would succeed in adding the folio to the file
> mapping. The task that failed undoes the effects of its attempt by (a)
> freeing the folio again and (b) putting the page back into the direct
> map. However, by doing these two operations in this order, the page
> becomes available to the allocator again before it is placed back in
> the direct mapping.
>
> If another task attempts to allocate the page between (a) and (b), and
> the kernel tries to access it via the direct map, it would result in a
> supervisor not-present page fault.
>
>> Fix the ordering to restore the map before the folio is freed.
>
> ... restore the direct map
>
> With these changes
>
> Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Thanks!
Lance
>
>>
>> Cc: <stable@vger.kernel.org>
>> Reported-by: Google Big Sleep <big-sleep-vuln-reports@google.com>
>> Closes: https://lore.kernel.org/linux-mm/CAEXGt5QeDpiHTu3K9tvjUTPqo+d-=wuCNYPa+6sWKrdQJ-ATdg@mail.gmail.com/
>> Signed-off-by: Lance Yang <lance.yang@linux.dev>
>> ---
>> mm/secretmem.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/mm/secretmem.c b/mm/secretmem.c
>> index c1bd9a4b663d..37f6d1097853 100644
>> --- a/mm/secretmem.c
>> +++ b/mm/secretmem.c
>> @@ -82,13 +82,13 @@ static vm_fault_t secretmem_fault(struct vm_fault *vmf)
>> __folio_mark_uptodate(folio);
>> err = filemap_add_folio(mapping, folio, offset, gfp);
>> if (unlikely(err)) {
>> - folio_put(folio);
>> /*
>> * If a split of large page was required, it
>> * already happened when we marked the page invalid
>> * which guarantees that this call won't fail
>> */
>> set_direct_map_default_noflush(folio_page(folio, 0));
>> + folio_put(folio);
>> if (err == -EEXIST)
>> goto retry;
>>
>> --
>> 2.49.0
>>
>
^ permalink raw reply [flat|nested] 7+ messages in thread