On Mon, May 11, 2026 at 8:45 PM Kees Cook <[email protected]> wrote:
> On Fri, May 08, 2026 at 07:02:51PM +0200, Jann Horn wrote:
> > On Mon, Apr 27, 2026 at 5:44 PM Ard Biesheuvel <[email protected]> wrote:
> > > The empty zero page is used to back any kernel or user space mapping
> > > that is supposed to remain cleared, and so the page itself is never
> > > supposed to be modified.
> > >
> > > So make it __ro_after_init rather than __page_aligned_bss: on most
> > > architectures, this ensures that both the kernel's mapping of it and any
> > > aliases that are accessible via the kernel direct (linear) map are
> > > mapped read-only, and cannot be used (inadvertently or maliciously) to
> > > corrupt the contents of the zero page.
> > >
> > > Signed-off-by: Ard Biesheuvel <[email protected]>
> >
> > Reviewed-by: Jann Horn <[email protected]>
> >
> > Sorry, I should have looked at this properly earlier instead of ending
> > up duplicating this patch with
> > <https://lore.kernel.org/all/[email protected]/>.
>
> As you mention in your testing of the patch, could we add an LKDTM test
> that does the same to catch any regressions?
Shouldn't be too hard - LKDTM crashtypes don't accept arguments, so we couldn't easily pass in a userspace pointer, I think, but we could make a crashtype that allocates anon memory with do_mmap() (under mmap_lock), then GUP on the allocated userspace address, then writes into the obtained address with something like atomic_add(0, <pointer from kmap(page)>) to trigger a write access without actually changing memory contents...

