[PATCH 5/5] riscv: mm: Fix TOCTOU race in remove_pte_mapping

Michael Neuling mikey at neuling.org
Thu Apr 9 02:11:43 PDT 2026


remove_pte_mapping() reads the PTE via ptep_get() (a READ_ONCE) into a
local variable, but then checks pte_present(*ptep) by dereferencing the
pointer directly, reading the PTE a second time. If another CPU modifies
the PTE between the two reads, pte_present may check a different value
than what was captured, and the subsequent pte_page() could derive the
wrong page to free.

Use the already-captured local pte variable for the pte_present check.

Fixes: c75a74f4ba ("riscv: mm: Add memory hotplugging support")
Signed-off-by: Michael Neuling <mikey at neuling.org>
Assisted-by: Cursor:claude-4.6-opus-high-thinking
---
 arch/riscv/mm/init.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
index 23cc1b81fa..873cc860a1 100644
--- a/arch/riscv/mm/init.c
+++ b/arch/riscv/mm/init.c
@@ -1562,7 +1562,7 @@ static void __meminit remove_pte_mapping(pte_t *pte_base, unsigned long addr, un
 
 		ptep = pte_base + pte_index(addr);
 		pte = ptep_get(ptep);
-		if (!pte_present(*ptep))
+		if (!pte_present(pte))
 			continue;
 
 		pte_clear(&init_mm, addr, ptep);
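Review bot: the snapshot taken by ptep_get() and the pte_clear() two lines below the changed check are still separate accesses to *ptep, so if another CPU really can modify this entry concurrently, the entry that gets cleared may not be the one held in pte and tested by pte_present(pte). If that race is reachable, consider ptep_get_and_clear(&init_mm, addr, ptep) so that the value tested, the value cleared and the value later handed to pte_page() are the same. If the hot-remove path is already serialized against other writers, say so in the commit message and describe the change as a consistency cleanup of the double read rather than a race fix.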
-- 
2.43.0




More information about the linux-riscv mailing list