Re: [PATCH v7 00/15] arm64: Unmap linear alias of kernel data/bss

[PATCH v7 00/15] arm64: Unmap linear alias of kernel data/bss · Ard Biesheuvel <hidden> · 2026-05-29
[PATCH v7 01/15] arm64: mm: Remove bogus stop condition from map_mem() loop · Ard Biesheuvel <hidden> · 2026-05-29
[PATCH v7 03/15] arm64: mm: Check for pud_/pmd_set_huge() failures on kernel mappings · Ard Biesheuvel <hidden> · 2026-05-29
[PATCH v7 07/15] arm64: kfence: Avoid NOMAP tricks when mapping the early pool · Ard Biesheuvel <hidden> · 2026-05-29
Re: [PATCH v7 07/15] arm64: kfence: Avoid NOMAP tricks when mapping the early pool · Kevin Brodsky <hidden> · 2026-06-01
[PATCH v7 05/15] arm64: mm: Preserve non-contiguous descriptors when mapping DRAM · Ard Biesheuvel <hidden> · 2026-05-29
[PATCH v7 06/15] arm64: mm: Permit contiguous descriptors to be manipulated · Ard Biesheuvel <hidden> · 2026-05-29
[PATCH v7 11/15] powerpc/code-patching: Avoid r/w mapping of the zero page · Ard Biesheuvel <hidden> · 2026-05-29
Re: [PATCH v7 11/15] powerpc/code-patching: Avoid r/w mapping of the zero page · Mukesh Kumar Chaurasiya <hidden> · 2026-06-03
Re: [PATCH v7 11/15] powerpc/code-patching: Avoid r/w mapping of the zero page · "Christophe Leroy (CS GROUP)" <chleroy@kernel.org> · 2026-06-04
[PATCH v7 10/15] arm64: mm: Don't abuse memblock NOMAP to check for overlaps · Ard Biesheuvel <hidden> · 2026-05-29
Re: [PATCH v7 10/15] arm64: mm: Don't abuse memblock NOMAP to check for overlaps · Kevin Brodsky <hidden> · 2026-06-01
[PATCH v7 02/15] arm64: mm: Drop redundant pgd_t* argument from map_mem() · Ard Biesheuvel <hidden> · 2026-05-29
[PATCH v7 04/15] arm64: mm: Preserve existing table mappings when mapping DRAM · Ard Biesheuvel <hidden> · 2026-05-29
[PATCH v7 08/15] arm64: mm: Permit contiguous attribute for preliminary mappings · Ard Biesheuvel <hidden> · 2026-05-29
[PATCH v7 13/15] mm: Make empty_zero_page[] const · Ard Biesheuvel <hidden> · 2026-05-29
[PATCH v7 12/15] sh: Drop cache flush of the zero page at boot · Ard Biesheuvel <hidden> · 2026-05-29
Re: [PATCH v7 12/15] sh: Drop cache flush of the zero page at boot · Mike Rapoport <rppt@kernel.org> · 2026-05-30
Re: [PATCH v7 12/15] sh: Drop cache flush of the zero page at boot · Geert Uytterhoeven <geert@linux-m68k.org> · 2026-06-01
[PATCH v7 09/15] arm64: Move fixmap and kasan page tables to end of kernel image · Ard Biesheuvel <hidden> · 2026-05-29
[PATCH v7 15/15] arm64: mm: Unmap kernel data/bss entirely from the linear map · Ard Biesheuvel <hidden> · 2026-05-29
Re: [PATCH v7 15/15] arm64: mm: Unmap kernel data/bss entirely from the linear map · Kevin Brodsky <hidden> · 2026-06-01
Re: [PATCH v7 15/15] arm64: mm: Unmap kernel data/bss entirely from the linear map · Marek Szyprowski <m.szyprowski@samsung.com> · 2026-06-09
Re: [PATCH v7 15/15] arm64: mm: Unmap kernel data/bss entirely from the linear map · Marek Szyprowski <m.szyprowski@samsung.com> · 2026-06-09
Re: [PATCH v7 15/15] arm64: mm: Unmap kernel data/bss entirely from the linear map · "Ard Biesheuvel" <ardb@kernel.org> · 2026-06-09
Re: [PATCH v7 15/15] arm64: mm: Unmap kernel data/bss entirely from the linear map · Vladimir Murzin <hidden> · 2026-06-09
Re: [PATCH v7 15/15] arm64: mm: Unmap kernel data/bss entirely from the linear map · Geert Uytterhoeven <geert@linux-m68k.org> · 2026-06-09
[PATCH v7 14/15] arm64: mm: Map the kernel data/bss read-only in the linear map · Ard Biesheuvel <hidden> · 2026-05-29
Re: [PATCH v7 00/15] arm64: Unmap linear alias of kernel data/bss · Will Deacon <will@kernel.org> · 2026-06-02
Re: [PATCH v7 00/15] arm64: Unmap linear alias of kernel data/bss · "Ard Biesheuvel" <ardb@kernel.org> · 2026-06-03
Re: [PATCH v7 00/15] arm64: Unmap linear alias of kernel data/bss · Will Deacon <will@kernel.org> · 2026-06-03
Re: [PATCH v7 00/15] arm64: Unmap linear alias of kernel data/bss · "Ard Biesheuvel" <ardb@kernel.org> · 2026-06-03

From: Will Deacon <will@kernel.org>
Date: 2026-06-03 11:22:29
Also in: linux-arm-kernel, linux-hardening, linux-mm, linux-sh, lkml

On Wed, Jun 03, 2026 at 10:57:49AM +0200, Ard Biesheuvel wrote:

(cc Marc)

On Tue, 2 Jun 2026, at 22:34, Will Deacon wrote:

quoted

On Fri, 29 May 2026 17:01:51 +0200, Ard Biesheuvel wrote:

quoted

One of the reasons the lack of randomization of the linear map on arm64
is considered problematic is the fact that bootloaders adhering to the
original arm64 boot protocol (i.e., a substantial fraction of all
Android phones) may place the kernel at the base of DRAM, and therefore
at the base of the non-randomized linear map. This puts a writable alias
of the kernel's data and bss regions at a predictable location, removing
the need for an attacker to guess where KASLR mapped the kernel.

[...]

It would've been nice to hear from the ppc folks on patch 11, but I've
picked it up on the assumption that they'll love the negative diff stat.
Worst case, we can drop/revert stuff if they have late objections.

Thanks.

There is a de facto ack from Michael Ellerman in the Link:, which is why
I included it.

Note that Sashiko found an issue with KVM+MTE, where a read-only mapping
of the zero page in the linear map may result in issues:

"""
Does moving the zero page to .rodata (or unmapping/read-only mapping its
linear alias) expose a guest-to-host denial of service with KVM and MTE?
When an MTE-enabled KVM guest reads an unmapped memory address, KVM handles
the stage-2 fault by mapping the host's shared zero page. KVM will then
call sanitise_mte_tags() in arch/arm64/kvm/mmu.c.
Since the PG_mte_tagged flag is never set on the zero page, KVM's
try_page_mte_tagging() succeeds, and it calls mte_clear_page_tags().
This executes the STGM instruction using the zero page's linear map alias.
If this alias is read-only or unmapped, won't the STGM instruction trigger
a synchronous permission fault or translation fault in EL1, causing a host
kernel panic?
"""

Marc seems to think it is legit, so I came up with the following (I'll send
it out separately with another pair of tweaks):

Thanks, it also looks like we're getting some early WARN_ON()s firing in
CI from split_kernel_leaf_mapping() after applying your changes:

https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/2571596185/test_aarch64/14662134813/artifacts/jobwatch/logs/recipes/21399931/tasks/219104268/results/1007729692/logs/journalctl.log

Will

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help