From: Michael Neuling
To: Björn Töpel, "Mike Rapoport (Microsoft)", "Vishal Moola (Oracle)", Albert Ou, Aleksa Paunovic, Aleksandar Rikalo, Alexandre Ghiti, Andrew Jones, Andrew Morton, Arnd Bergmann, David Hildenbrand, Djordje Todorovic, Guo Ren, Junhui Liu, Kevin Brodsky, Lorenzo Stoakes, Nam Cao, Oleg Nesterov, Oscar Salvador, Palmer Dabbelt, Paul Walmsley, Qinglin Pan, Raj Vishwanathan4, linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org
Cc: Michael Neuling
Subject: [PATCH 1/5] riscv: errata: Fix bitwise vs logical AND in MIPS errata patching
Date: Thu, 9 Apr 2026 09:11:39 +0000
Message-ID: <20260409091143.1348853-2-mikey@neuling.org>
In-Reply-To: <20260409091143.1348853-1-mikey@neuling.org>

The condition checking whether a specific errata needs patching uses logical AND (&&) instead of bitwise AND (&). Since logical AND only checks that both operands are non-zero, this causes all errata patches to be applied whenever any single errata is detected, rather than only applying the matching one.

The SiFive errata implementation correctly uses bitwise AND for the same check.

Fixes: 0b0ca959d2 ("riscv: errata: Fix the PAUSE Opcode for MIPS P8700")
Signed-off-by: Michael Neuling
Assisted-by: Cursor:claude-4.6-opus-high-thinking
--- arch/riscv/errata/mips/errata.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/riscv/errata/mips/errata.c b/arch/riscv/errata/mips/errat= a.c index e984a81522..2c3dc2259e 100644 --- a/arch/riscv/errata/mips/errata.c +++ b/arch/riscv/errata/mips/errata.c 
@@ -57,7 +57,7 @@ void mips_errata_patch_func(struct alt_entry *begin, stru= ct alt_entry *end, } =20 tmp =3D (1U << alt->patch_id); - if (cpu_req_errata && tmp) { + if (cpu_req_errata & tmp) { mutex_lock(&text_mutex); patch_text_nosync(ALT_OLD_PTR(alt), ALT_ALT_PTR(alt), alt->alt_len); --=20 2.43.0

From: Michael Neuling
Subject: [PATCH 2/5] riscv: ptrace: Fix register corruption in compat_riscv_gpr_set on error
Date: Thu, 9 Apr 2026 09:11:40 +0000
Message-ID: <20260409091143.1348853-3-mikey@neuling.org>
In-Reply-To: <20260409091143.1348853-1-mikey@neuling.org>

compat_riscv_gpr_set() calls cregs_to_regs() unconditionally, even when user_regset_copyin() fails. Since cregs is an uninitialized stack variable, a copyin failure causes uninitialized stack data to be written into the target task's pt_regs, corrupting its register state and potentially leaking kernel stack contents.

Only call cregs_to_regs() when user_regset_copyin() succeeds.

Fixes: 4608c15959 ("riscv: compat: ptrace: Add compat_arch_ptrace implement")
Signed-off-by: Michael Neuling
Assisted-by: Cursor:claude-4.6-opus-high-thinking
--- arch/riscv/kernel/ptrace.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/riscv/kernel/ptrace.c b/arch/riscv/kernel/ptrace.c index 93de2e7a30..793bcee461 100644 --- a/arch/riscv/kernel/ptrace.c +++ b/arch/riscv/kernel/ptrace.c 
@@ -577,8 +577,8 @@ static int compat_riscv_gpr_set(struct task_struct *tar= get, struct compat_user_regs_struct cregs; =20 ret =3D user_regset_copyin(&pos, &count, &kbuf, &ubuf, &cregs, 0, -1); - - cregs_to_regs(&cregs, task_pt_regs(target)); + if (!ret) + cregs_to_regs(&cregs, task_pt_regs(target)); =20 return ret; } --=20 2.43.0

From: Michael Neuling
Subject: [PATCH 3/5] riscv: mm: Fix NULL pointer dereference in __set_memory
Date: Thu, 9 Apr 2026 09:11:41 +0000
Message-ID: <20260409091143.1348853-4-mikey@neuling.org>
In-Reply-To: <20260409091143.1348853-1-mikey@neuling.org>

find_vm_area() can return NULL if no vm_struct covers the given address. The code immediately dereferences area->addr without a NULL check.

While is_vmalloc_or_module_addr() confirms the address falls within the vmalloc/module address range, it does not guarantee the address belongs to an active allocation, so find_vm_area() may still return NULL.

Add the missing NULL check.

Fixes: 311cd2f6e2 ("riscv: Fix set_memory_XX() and set_direct_map_XX() by splitting huge linear mappings")
Signed-off-by: Michael Neuling
Assisted-by: Cursor:claude-4.6-opus-high-thinking
--- arch/riscv/mm/pageattr.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/riscv/mm/pageattr.c b/arch/riscv/mm/pageattr.c index 3f76db3d27..46a999c86b 100644 --- a/arch/riscv/mm/pageattr.c +++ b/arch/riscv/mm/pageattr.c 
@@ -289,6 +289,10 @@ static int __set_memory(unsigned long addr, int numpag= es, pgprot_t set_mask, int i, page_start; =20 area =3D find_vm_area((void *)start); + if (!area) { + ret =3D -EINVAL; + goto unlock; + } page_start =3D (start - (unsigned long)area->addr) >> PAGE_SHIFT; =20 for (i =3D page_start; i < page_start + numpages; ++i) { --=20 2.43.0

From: Michael Neuling
Subject: [PATCH 4/5] riscv: mm: Fix NULL dereferences in napot hugetlb functions
Date: Thu, 9 Apr 2026 09:11:42 +0000
Message-ID: <20260409091143.1348853-5-mikey@neuling.org>
In-Reply-To: <20260409091143.1348853-1-mikey@neuling.org>

huge_pte_offset() can return NULL when any level of the page table walk encounters a non-present entry. Both huge_ptep_set_access_flags() and huge_ptep_set_wrprotect() re-derive ptep via huge_pte_offset() in the napot path but use the result without a NULL check, leading to NULL pointer dereferences in get_clear_contig_flush() and set_pte_at().

Add NULL checks after huge_pte_offset() in both functions.

Fixes: 82a1a1f3bf ("riscv: mm: support Svnapot in hugetlb page")
Signed-off-by: Michael Neuling
Assisted-by: Cursor:claude-4.6-opus-high-thinking
--- arch/riscv/mm/hugetlbpage.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/riscv/mm/hugetlbpage.c b/arch/riscv/mm/hugetlbpage.c index a6d217112c..7d155341cf 100644 --- a/arch/riscv/mm/hugetlbpage.c +++ b/arch/riscv/mm/hugetlbpage.c 
@@ -288,6 +288,8 @@ int huge_ptep_set_access_flags(struct vm_area_struct *v= ma, order =3D napot_cont_order(pte); pte_num =3D napot_pte_num(order); ptep =3D huge_pte_offset(mm, addr, napot_cont_size(order)); + if (!ptep) + return 0; orig_pte =3D get_clear_contig_flush(mm, addr, ptep, pte_num); =20 if (pte_dirty(orig_pte)) 
@@ -335,6 +337,8 @@ void huge_ptep_set_wrprotect(struct mm_struct *mm, order =3D napot_cont_order(pte); pte_num =3D napot_pte_num(order); ptep =3D huge_pte_offset(mm, addr, napot_cont_size(order)); + if (!ptep) + return; orig_pte =3D get_clear_contig_flush(mm, addr, ptep, pte_num); =20 orig_pte =3D pte_wrprotect(orig_pte); --=20 2.43.0

From: Michael Neuling
Subject: [PATCH 5/5] riscv: mm: Fix TOCTOU race in remove_pte_mapping
Date: Thu, 9 Apr 2026 09:11:43 +0000
Message-ID: <20260409091143.1348853-6-mikey@neuling.org>
In-Reply-To: <20260409091143.1348853-1-mikey@neuling.org>

remove_pte_mapping() reads the PTE via ptep_get() (a READ_ONCE) into a local variable, but then checks pte_present(*ptep) by dereferencing the pointer directly, reading the PTE a second time. If another CPU modifies the PTE between the two reads, pte_present may check a different value than what was captured, and the subsequent pte_page() could derive the wrong page to free.

Use the already-captured local pte variable for the pte_present check.

Fixes: c75a74f4ba ("riscv: mm: Add memory hotplugging support")
Signed-off-by: Michael Neuling
Assisted-by: Cursor:claude-4.6-opus-high-thinking
--- arch/riscv/mm/init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c index 23cc1b81fa..873cc860a1 100644 --- a/arch/riscv/mm/init.c +++ b/arch/riscv/mm/init.c 
@@ -1562,7 +1562,7 @@ static void __meminit remove_pte_mapping(pte_t *pte_b= ase, unsigned long addr, un =20 ptep =3D pte_base + pte_index(addr); pte =3D ptep_get(ptep); - if (!pte_present(*ptep)) + if (!pte_present(pte)) continue; =20 pte_clear(&init_mm, addr, ptep); --=20 2.43.0
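
Review bot: in the mips_errata_patch_func() hunk of patch 1/5, the shift `tmp = (1U << alt->patch_id)` just above the corrected test is only defined for patch_id below 32, and the visible context does not show that bound being enforced. If the block closed by the brace above is not that check, add one before the shift. Since tmp has a single use in the visible lines, `if (cpu_req_errata & BIT(alt->patch_id))` would also make the bitmask intent harder to get wrong again.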
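
Review bot: a successful copyin can still leave part of cregs uninitialized in the compat_riscv_gpr_set() hunk of patch 2/5. user_regset_copyin() returns 0 when the caller supplies fewer bytes than sizeof(cregs), so the `if (!ret)` path can still push stale stack bytes into pt_regs through cregs_to_regs(). Fill cregs from the target's current registers (or zero it) before the copyin, so that a partial write only changes the registers it covers.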
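
Review bot: the new NULL check in the __set_memory() hunk of patch 3/5 validates only the start address. The loop that follows runs i up to page_start + numpages, and nothing in the visible lines bounds that against the size of the area that was found; consider rejecting a range that extends past the area in the same place. A WARN_ON_ONCE() on the failure path would also make a bogus caller visible instead of returning -EINVAL silently.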
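
Review bot: the `return 0` added to huge_ptep_set_access_flags() in the first hunk of patch 4/5 reports "nothing changed" for a case where the re-walk with huge_pte_offset() found no entry. Add a short comment saying when that can happen on this path and why 0 is the right answer for the caller, so the early exit does not read as an unexplained guard.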
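
Review bot: the bare `return` added to huge_ptep_set_wrprotect() in the second hunk of patch 4/5 skips the write-protect without any signal, and the function is void so the caller cannot tell. A mapping the caller believes is now read-only stays as it was on this path, so at minimum warn here (for example WARN_ON_ONCE(!ptep)) and state in the commit message how this case is reached.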
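
Review bot: in the remove_pte_mapping() hunk of patch 5/5, the read and the clear are still two separate steps: `pte = ptep_get(ptep)` followed by `pte_clear(&init_mm, addr, ptep)`. If another CPU can really modify this PTE, it can still change between them, so either use ptep_get_and_clear() and test the returned value, or say in the commit message what serialises this path and describe the change as making the check consistent with the captured value.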