On Wed, Apr 12, 2023 at 03:29:53PM -0600, Henry Willard wrote: > In the special case where > > p = mmap(NULL, ALLOC_SIZE, PROT_READ, > MAP_PRIVATE | MAP_ANONYMOUS | MAP_POPULATE, -1, 0); > > is followed by > > rc = mprotect(p, ALLOC_SIZE, PROT_NONE); > > the _PAGE_SPECIAL bit in the page tables will be cleared by > mistake and the later unmapped operations will incorrectly > modify the struct page for the the zero page. This sequence > occurs in the madvise05 test of the Linux Test Project > suite of tests. > > This was discovered while testing an older version of the kernel > (5.4.17) on a MIPS device. Unfortunately, support for this device > is not available in newer kernels, so I can't test this with the > latest Linux kernel code. It looks like the problem exists in > newer kernels, but I can't verify it. Except for the LTP test, > this sequence of calls is probably not common. > > Passing it along in the hope it will be useful to someone. > > Signed-off-by: Henry Willard <henry.willard@xxxxxxxxxx> > --- > arch/mips/include/asm/pgtable-bits.h | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/arch/mips/include/asm/pgtable-bits.h b/arch/mips/include/asm/pgtable-bits.h > index 2362842ee2b5..1c576679aa87 100644 > --- a/arch/mips/include/asm/pgtable-bits.h > +++ b/arch/mips/include/asm/pgtable-bits.h > @@ -280,6 +280,7 @@ static inline uint64_t pte_to_entrylo(unsigned long pte_val) > #define __WRITEABLE (_PAGE_SILENT_WRITE | _PAGE_WRITE | _PAGE_MODIFIED) > > #define _PAGE_CHG_MASK (_PAGE_ACCESSED | _PAGE_MODIFIED | \ > - _PAGE_SOFT_DIRTY | _PFN_MASK | _CACHE_MASK) > + _PAGE_SOFT_DIRTY | _PFN_MASK | \ > + _CACHE_MASK | _PAGE_SPECIAL) > > #endif /* _ASM_PGTABLE_BITS_H */ > -- > 2.31.1 applied to mips-next. Thomas. -- Crap can work. Given enough thrust pigs will fly, but it's not necessarily a good idea. [ RFC1925, 2.3 ]
