[PATCH 5/5] riscv: mm: Fix TOCTOU race in remove_pte_mapping

Next message: Javier Martinez Canillas: "Re: [PATCH 09/19] drm/panel: himax-hx8394: simplify hx8394_enable()"
Previous message: Michael Neuling: "[PATCH 4/5] riscv: mm: Fix NULL dereferences in napot hugetlb functions"
In reply to: David Hildenbrand (Arm): "Re: [PATCH 4/5] riscv: mm: Fix NULL dereferences in napot hugetlb functions"
Next in thread: David Hildenbrand (Arm): "Re: [PATCH 5/5] riscv: mm: Fix TOCTOU race in remove_pte_mapping"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Michael Neuling

Date: Thu Apr 09 2026 - 05:20:39 EST

remove_pte_mapping() reads the PTE via ptep_get() (a READ_ONCE) into a
local variable, but then checks pte_present(*ptep) by dereferencing the
pointer directly, reading the PTE a second time. If another CPU modifies
the PTE between the two reads, pte_present may check a different value
than what was captured, and the subsequent pte_page() could derive the
wrong page to free.

Use the already-captured local pte variable for the pte_present check.

Fixes: c75a74f4ba ("riscv: mm: Add memory hotplugging support")
Signed-off-by: Michael Neuling <mikey@xxxxxxxxxxx>
Assisted-by: Cursor:claude-4.6-opus-high-thinking
---
arch/riscv/mm/init.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
index 23cc1b81fa..873cc860a1 100644
--- a/arch/riscv/mm/init.c
+++ b/arch/riscv/mm/init.c
@@ -1562,7 +1562,7 @@ static void __meminit remove_pte_mapping(pte_t *pte_base, unsigned long addr, un

ptep = pte_base + pte_index(addr);
pte = ptep_get(ptep);
- if (!pte_present(*ptep))
+ if (!pte_present(pte))
continue;

pte_clear(&init_mm, addr, ptep);
--
2.43.0