[PATCH] x86/kaslr: P2PDMA is one of a class of ZONE_DEVICE-KASLR collisions

[PATCH] x86/kaslr: P2PDMA is one of a class of ZONE_DEVICE-KASLR collisions

[Dan Williams]

Commit 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
is too narrow. ZONE_DEVICE, in general, lets any physical address be added
to the direct-map. I.e. not only ACPI hotplug ranges, CXL Memory Windows,
or EFI Specific Purpose Memory, but also any PCI MMIO range for the
CONFIG_DEVICE_PRIVATE and CONFIG_PCI_P2PDMA cases.

A potential path to recover entropy would be to walk ACPI and determine the
limits for hotplug and PCI MMIO before kernel_randomize_memory(). On
smaller systems that could yield some KASLR address bits. This needs
additional investigation to determine if some limited ACPI table scanning
can happen this early without an open coded solution like
arch/x86/boot/compressed/acpi.c needs to deploy.

Cc: Balbir Singh <balbirs@nvidia.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Kees Cook <kees@kernel.org>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Logan Gunthorpe <logang@deltatee.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: David Hildenbrand <david@redhat.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: "Yasunori Gotou (Fujitsu)" <y-goto@fujitsu.com>
Fixes: 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 drivers/pci/Kconfig |  6 ------
 mm/Kconfig          | 12 ++++++++----
 arch/x86/mm/kaslr.c | 10 +++++-----
 3 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/drivers/pci/Kconfig b/drivers/pci/Kconfig
index f94f5d384362..47e466946bed 100644
--- a/drivers/pci/Kconfig
+++ b/drivers/pci/Kconfig
@@ -207,12 +207,6 @@ config PCI_P2PDMA
 	  P2P DMA transactions must be between devices behind the same root
 	  port.
 
-	  Enabling this option will reduce the entropy of x86 KASLR memory
-	  regions. For example - on a 46 bit system, the entropy goes down
-	  from 16 bits to 15 bits. The actual reduction in entropy depends
-	  on the physical address bits, on processor features, kernel config
-	  (5 level page table) and physical memory present on the system.
-
 	  If unsure, say N.
 
 config PCI_LABEL
diff --git a/mm/Kconfig b/mm/Kconfig
index 0e26f4fc8717..d17ebcc1a029 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -1128,10 +1128,14 @@ config ZONE_DEVICE
 	  Device memory hotplug support allows for establishing pmem,
 	  or other device driver discovered memory regions, in the
 	  memmap. This allows pfn_to_page() lookups of otherwise
-	  "device-physical" addresses which is needed for using a DAX
-	  mapping in an O_DIRECT operation, among other things.
-
-	  If FS_DAX is enabled, then say Y.
+	  "device-physical" addresses which is needed for DAX, PCI_P2PDMA, and
+	  DEVICE_PRIVATE features among others.
+
+	  Enabling this option will reduce the entropy of x86 KASLR memory
+	  regions. For example - on a 46 bit system, the entropy goes down
+	  from 16 bits to 15 bits. The actual reduction in entropy depends
+	  on the physical address bits, on processor features, kernel config
+	  (5 level page table) and physical memory present on the system.
 
 #
 # Helpers to mirror range of the CPU page tables of a process into device page
diff --git a/arch/x86/mm/kaslr.c b/arch/x86/mm/kaslr.c
index 3c306de52fd4..834641c6049a 100644
--- a/arch/x86/mm/kaslr.c
+++ b/arch/x86/mm/kaslr.c
@@ -115,12 +115,12 @@ void __init kernel_randomize_memory(void)
 
 	/*
 	 * Adapt physical memory region size based on available memory,
-	 * except when CONFIG_PCI_P2PDMA is enabled. P2PDMA exposes the
-	 * device BAR space assuming the direct map space is large enough
-	 * for creating a ZONE_DEVICE mapping in the direct map corresponding
-	 * to the physical BAR address.
+	 * except when CONFIG_ZONE_DEVICE is enabled. ZONE_DEVICE wants to map
+	 * any physical address into the direct-map. KASLR wants to reliably
+	 * steal some physical address bits. Those design choices are in direct
+	 * conflict.
 	 */
-	if (!IS_ENABLED(CONFIG_PCI_P2PDMA) && (memory_tb < kaslr_regions[0].size_tb))
+	if (!IS_ENABLED(CONFIG_ZONE_DEVICE) && (memory_tb < kaslr_regions[0].size_tb))
 		kaslr_regions[0].size_tb = memory_tb;
 
 	/*

base-commit: 6146a0f1dfae5d37442a9ddcba012add260bceb0
-- 
2.51.0

Re: [PATCH] x86/kaslr: P2PDMA is one of a class of ZONE_DEVICE-KASLR collisions

[Balbir Singh]

On 11/8/25 13:32, Dan Williams wrote:
> Commit 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
> is too narrow. ZONE_DEVICE, in general, lets any physical address be added
> to the direct-map. I.e. not only ACPI hotplug ranges, CXL Memory Windows,
> or EFI Specific Purpose Memory, but also any PCI MMIO range for the
> CONFIG_DEVICE_PRIVATE and CONFIG_PCI_P2PDMA cases.
> 
> A potential path to recover entropy would be to walk ACPI and determine the
> limits for hotplug and PCI MMIO before kernel_randomize_memory(). On
> smaller systems that could yield some KASLR address bits. This needs
> additional investigation to determine if some limited ACPI table scanning
> can happen this early without an open coded solution like
> arch/x86/boot/compressed/acpi.c needs to deploy.
> 
> Cc: Balbir Singh <balbirs@nvidia.com>
> Cc: Ingo Molnar <mingo@kernel.org>
> Cc: Kees Cook <kees@kernel.org>
> Cc: Bjorn Helgaas <bhelgaas@google.com>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Logan Gunthorpe <logang@deltatee.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: David Hildenbrand <david@redhat.com>
> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>
> Cc: Vlastimil Babka <vbabka@suse.cz>
> Cc: Mike Rapoport <rppt@kernel.org>
> Cc: Suren Baghdasaryan <surenb@google.com>
> Cc: Michal Hocko <mhocko@suse.com>
> Cc: "Yasunori Gotou (Fujitsu)" <y-goto@fujitsu.com>
> Fixes: 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>

P2PDMA requires ZONE_DEVICE, Most distros have P2PDMA enabled, you mention
smaller devices - are you referring to kernels/distros where P2PDMA is not
enabled and only ZONE_DEVICE is?

Balbir

Re: [PATCH] x86/kaslr: P2PDMA is one of a class of ZONE_DEVICE-KASLR collisions

[dan.j.williams]

Balbir Singh wrote:
> On 11/8/25 13:32, Dan Williams wrote:
> > Commit 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
> > is too narrow. ZONE_DEVICE, in general, lets any physical address be added
> > to the direct-map. I.e. not only ACPI hotplug ranges, CXL Memory Windows,
> > or EFI Specific Purpose Memory, but also any PCI MMIO range for the
> > CONFIG_DEVICE_PRIVATE and CONFIG_PCI_P2PDMA cases.
> > 
> > A potential path to recover entropy would be to walk ACPI and determine the
> > limits for hotplug and PCI MMIO before kernel_randomize_memory(). On
> > smaller systems that could yield some KASLR address bits. This needs
> > additional investigation to determine if some limited ACPI table scanning
> > can happen this early without an open coded solution like
> > arch/x86/boot/compressed/acpi.c needs to deploy.
> > 
> > Cc: Balbir Singh <balbirs@nvidia.com>
> > Cc: Ingo Molnar <mingo@kernel.org>
> > Cc: Kees Cook <kees@kernel.org>
> > Cc: Bjorn Helgaas <bhelgaas@google.com>
> > Cc: Peter Zijlstra <peterz@infradead.org>
> > Cc: Andy Lutomirski <luto@kernel.org>
> > Cc: Logan Gunthorpe <logang@deltatee.com>
> > Cc: Andrew Morton <akpm@linux-foundation.org>
> > Cc: David Hildenbrand <david@redhat.com>
> > Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> > Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>
> > Cc: Vlastimil Babka <vbabka@suse.cz>
> > Cc: Mike Rapoport <rppt@kernel.org>
> > Cc: Suren Baghdasaryan <surenb@google.com>
> > Cc: Michal Hocko <mhocko@suse.com>
> > Cc: "Yasunori Gotou (Fujitsu)" <y-goto@fujitsu.com>
> > Fixes: 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
> > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> 
> P2PDMA requires ZONE_DEVICE, Most distros have P2PDMA enabled, you mention
> smaller devices - are you referring to kernels/distros where P2PDMA is not
> enabled and only ZONE_DEVICE is?

There are 2 considerations

- Occasions where P2PDMA is disabled, but ZONE_DEVICE is enabled.

  I started looking at this after a report about CXL failures with KASLR.
  I do not have the kernel configuration for that end user report, but I
  can only a imagine it was indeed a case of CONFIG_PCI_P2PDMA=n and
  CONFIG_DEV_DAX_CXL=y

- Occasions where ZONE_DEVICE and memory hotplug are enabled, but ACPI
  does not publish any hotplug or CXL memory ranges, and BIOS did not
  find any large PCI devices at initial scan.

  In this case even the default 10 TB padding is overkill and more address
  bits could be consumed for KASLR entropy.

Re: [PATCH] x86/kaslr: P2PDMA is one of a class of ZONE_DEVICE-KASLR collisions

[Balbir Singh]

On 11/11/25 10:34, dan.j.williams@intel.com wrote:
> Balbir Singh wrote:
>> On 11/8/25 13:32, Dan Williams wrote:
>>> Commit 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
>>> is too narrow. ZONE_DEVICE, in general, lets any physical address be added
>>> to the direct-map. I.e. not only ACPI hotplug ranges, CXL Memory Windows,
>>> or EFI Specific Purpose Memory, but also any PCI MMIO range for the
>>> CONFIG_DEVICE_PRIVATE and CONFIG_PCI_P2PDMA cases.
>>>
>>> A potential path to recover entropy would be to walk ACPI and determine the
>>> limits for hotplug and PCI MMIO before kernel_randomize_memory(). On
>>> smaller systems that could yield some KASLR address bits. This needs
>>> additional investigation to determine if some limited ACPI table scanning
>>> can happen this early without an open coded solution like
>>> arch/x86/boot/compressed/acpi.c needs to deploy.
>>>
>>> Cc: Balbir Singh <balbirs@nvidia.com>
>>> Cc: Ingo Molnar <mingo@kernel.org>
>>> Cc: Kees Cook <kees@kernel.org>
>>> Cc: Bjorn Helgaas <bhelgaas@google.com>
>>> Cc: Peter Zijlstra <peterz@infradead.org>
>>> Cc: Andy Lutomirski <luto@kernel.org>
>>> Cc: Logan Gunthorpe <logang@deltatee.com>
>>> Cc: Andrew Morton <akpm@linux-foundation.org>
>>> Cc: David Hildenbrand <david@redhat.com>
>>> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
>>> Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>
>>> Cc: Vlastimil Babka <vbabka@suse.cz>
>>> Cc: Mike Rapoport <rppt@kernel.org>
>>> Cc: Suren Baghdasaryan <surenb@google.com>
>>> Cc: Michal Hocko <mhocko@suse.com>
>>> Cc: "Yasunori Gotou (Fujitsu)" <y-goto@fujitsu.com>
>>> Fixes: 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
>>> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
>>
>> P2PDMA requires ZONE_DEVICE, Most distros have P2PDMA enabled, you mention
>> smaller devices - are you referring to kernels/distros where P2PDMA is not
>> enabled and only ZONE_DEVICE is?
> 
> There are 2 considerations
> 
> - Occasions where P2PDMA is disabled, but ZONE_DEVICE is enabled.
> 
>   I started looking at this after a report about CXL failures with KASLR.
>   I do not have the kernel configuration for that end user report, but I
>   can only a imagine it was indeed a case of CONFIG_PCI_P2PDMA=n and
>   CONFIG_DEV_DAX_CXL=y
> 
> - Occasions where ZONE_DEVICE and memory hotplug are enabled, but ACPI
>   does not publish any hotplug or CXL memory ranges, and BIOS did not
>   find any large PCI devices at initial scan.
> 
>   In this case even the default 10 TB padding is overkill and more address
>   bits could be consumed for KASLR entropy.

Makes sense!

Reviewed-by: Balbir Singh <balbirs@nvidia.com>

RE: [PATCH] x86/kaslr: P2PDMA is one of a class of ZONE_DEVICE-KASLR collisions

[Yasunori Gotou (Fujitsu)]

Hello,

> Balbir Singh wrote:
> > On 11/8/25 13:32, Dan Williams wrote:
> > > Commit 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86
> > > systems") is too narrow. ZONE_DEVICE, in general, lets any physical
> > > address be added to the direct-map. I.e. not only ACPI hotplug
> > > ranges, CXL Memory Windows, or EFI Specific Purpose Memory, but also
> > > any PCI MMIO range for the CONFIG_DEVICE_PRIVATE and
> CONFIG_PCI_P2PDMA cases.
> > >
> > > A potential path to recover entropy would be to walk ACPI and
> > > determine the limits for hotplug and PCI MMIO before
> > > kernel_randomize_memory(). On smaller systems that could yield some
> > > KASLR address bits. This needs additional investigation to determine
> > > if some limited ACPI table scanning can happen this early without an
> > > open coded solution like arch/x86/boot/compressed/acpi.c needs to
> deploy.
> > >
> > > Cc: Balbir Singh <balbirs@nvidia.com>
> > > Cc: Ingo Molnar <mingo@kernel.org>
> > > Cc: Kees Cook <kees@kernel.org>
> > > Cc: Bjorn Helgaas <bhelgaas@google.com>
> > > Cc: Peter Zijlstra <peterz@infradead.org>
> > > Cc: Andy Lutomirski <luto@kernel.org>
> > > Cc: Logan Gunthorpe <logang@deltatee.com>
> > > Cc: Andrew Morton <akpm@linux-foundation.org>
> > > Cc: David Hildenbrand <david@redhat.com>
> > > Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> > > Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>
> > > Cc: Vlastimil Babka <vbabka@suse.cz>
> > > Cc: Mike Rapoport <rppt@kernel.org>
> > > Cc: Suren Baghdasaryan <surenb@google.com>
> > > Cc: Michal Hocko <mhocko@suse.com>
> > > Cc: "Yasunori Gotou (Fujitsu)" <y-goto@fujitsu.com>
> > > Fixes: 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86
> > > systems")
> > > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> >
> > P2PDMA requires ZONE_DEVICE, Most distros have P2PDMA enabled, you
> > mention smaller devices - are you referring to kernels/distros where
> > P2PDMA is not enabled and only ZONE_DEVICE is?
> 
> There are 2 considerations
> 
> - Occasions where P2PDMA is disabled, but ZONE_DEVICE is enabled.
> 
>   I started looking at this after a report about CXL failures with KASLR.
>   I do not have the kernel configuration for that end user report, but I
>   can only a imagine it was indeed a case of CONFIG_PCI_P2PDMA=n and
>   CONFIG_DEV_DAX_CXL=y

I believe I am the first to report CXL failures with KASLR.

To be honest, after checking this patch, I realized that the distribution I am using
hasn't applied commit 7ffb791423c7 yet.

Therefore, I tested both P2PDMA and ZONE_DEVICE patches, and both worked successfully
to allocate physical memory for CXL in my box

Tested-by: Yasunori Goto <y-goto@fujitsu.com>

Thanks a lot!
----
Yasunori Goto

Re: [PATCH] x86/kaslr: P2PDMA is one of a class of ZONE_DEVICE-KASLR collisions

[Mike Rapoport]

On Fri, Nov 07, 2025 at 06:32:15PM -0800, Dan Williams wrote:
> Commit 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
> is too narrow. ZONE_DEVICE, in general, lets any physical address be added
> to the direct-map. I.e. not only ACPI hotplug ranges, CXL Memory Windows,
> or EFI Specific Purpose Memory, but also any PCI MMIO range for the
> CONFIG_DEVICE_PRIVATE and CONFIG_PCI_P2PDMA cases.
> 
> A potential path to recover entropy would be to walk ACPI and determine the
> limits for hotplug and PCI MMIO before kernel_randomize_memory(). On
> smaller systems that could yield some KASLR address bits. This needs
> additional investigation to determine if some limited ACPI table scanning
> can happen this early without an open coded solution like
> arch/x86/boot/compressed/acpi.c needs to deploy.
> 
> Cc: Balbir Singh <balbirs@nvidia.com>
> Cc: Ingo Molnar <mingo@kernel.org>
> Cc: Kees Cook <kees@kernel.org>
> Cc: Bjorn Helgaas <bhelgaas@google.com>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Andy Lutomirski <luto@kernel.org>
> Cc: Logan Gunthorpe <logang@deltatee.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: David Hildenbrand <david@redhat.com>
> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>
> Cc: Vlastimil Babka <vbabka@suse.cz>
> Cc: Mike Rapoport <rppt@kernel.org>
> Cc: Suren Baghdasaryan <surenb@google.com>
> Cc: Michal Hocko <mhocko@suse.com>
> Cc: "Yasunori Gotou (Fujitsu)" <y-goto@fujitsu.com>
> Fixes: 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> ---
>  drivers/pci/Kconfig |  6 ------
>  mm/Kconfig          | 12 ++++++++----
>  arch/x86/mm/kaslr.c | 10 +++++-----
>  3 files changed, 13 insertions(+), 15 deletions(-)
> 
> diff --git a/drivers/pci/Kconfig b/drivers/pci/Kconfig
> index f94f5d384362..47e466946bed 100644
> --- a/drivers/pci/Kconfig
> +++ b/drivers/pci/Kconfig
> @@ -207,12 +207,6 @@ config PCI_P2PDMA
>  	  P2P DMA transactions must be between devices behind the same root
>  	  port.
>  
> -	  Enabling this option will reduce the entropy of x86 KASLR memory
> -	  regions. For example - on a 46 bit system, the entropy goes down
> -	  from 16 bits to 15 bits. The actual reduction in entropy depends
> -	  on the physical address bits, on processor features, kernel config
> -	  (5 level page table) and physical memory present on the system.
> -
>  	  If unsure, say N.
>  
>  config PCI_LABEL
> diff --git a/mm/Kconfig b/mm/Kconfig
> index 0e26f4fc8717..d17ebcc1a029 100644
> --- a/mm/Kconfig
> +++ b/mm/Kconfig
> @@ -1128,10 +1128,14 @@ config ZONE_DEVICE
>  	  Device memory hotplug support allows for establishing pmem,
>  	  or other device driver discovered memory regions, in the
>  	  memmap. This allows pfn_to_page() lookups of otherwise
> -	  "device-physical" addresses which is needed for using a DAX
> -	  mapping in an O_DIRECT operation, among other things.
> -
> -	  If FS_DAX is enabled, then say Y.
> +	  "device-physical" addresses which is needed for DAX, PCI_P2PDMA, and
> +	  DEVICE_PRIVATE features among others.
> +
> +	  Enabling this option will reduce the entropy of x86 KASLR memory
> +	  regions. For example - on a 46 bit system, the entropy goes down
> +	  from 16 bits to 15 bits. The actual reduction in entropy depends
> +	  on the physical address bits, on processor features, kernel config
> +	  (5 level page table) and physical memory present on the system.
>  
>  #
>  # Helpers to mirror range of the CPU page tables of a process into device page
> diff --git a/arch/x86/mm/kaslr.c b/arch/x86/mm/kaslr.c
> index 3c306de52fd4..834641c6049a 100644
> --- a/arch/x86/mm/kaslr.c
> +++ b/arch/x86/mm/kaslr.c
> @@ -115,12 +115,12 @@ void __init kernel_randomize_memory(void)
>  
>  	/*
>  	 * Adapt physical memory region size based on available memory,
> -	 * except when CONFIG_PCI_P2PDMA is enabled. P2PDMA exposes the
> -	 * device BAR space assuming the direct map space is large enough
> -	 * for creating a ZONE_DEVICE mapping in the direct map corresponding
> -	 * to the physical BAR address.
> +	 * except when CONFIG_ZONE_DEVICE is enabled. ZONE_DEVICE wants to map
> +	 * any physical address into the direct-map. KASLR wants to reliably
> +	 * steal some physical address bits. Those design choices are in direct
> +	 * conflict.
>  	 */
> -	if (!IS_ENABLED(CONFIG_PCI_P2PDMA) && (memory_tb < kaslr_regions[0].size_tb))
> +	if (!IS_ENABLED(CONFIG_ZONE_DEVICE) && (memory_tb < kaslr_regions[0].size_tb))
>  		kaslr_regions[0].size_tb = memory_tb;

A stupid question, why we adjust virtual kaslr to actual physical memory
size at all rather than always use maximal addressable size?
  
>  	/*
> 
> base-commit: 6146a0f1dfae5d37442a9ddcba012add260bceb0
> -- 
> 2.51.0
> 

-- 
Sincerely yours,
Mike.

Re: [PATCH] x86/kaslr: P2PDMA is one of a class of ZONE_DEVICE-KASLR collisions

[dan.j.williams]

Mike Rapoport wrote:
> On Fri, Nov 07, 2025 at 06:32:15PM -0800, Dan Williams wrote:
> > Commit 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
> > is too narrow. ZONE_DEVICE, in general, lets any physical address be added
> > to the direct-map. I.e. not only ACPI hotplug ranges, CXL Memory Windows,
> > or EFI Specific Purpose Memory, but also any PCI MMIO range for the
> > CONFIG_DEVICE_PRIVATE and CONFIG_PCI_P2PDMA cases.
> > 
> > A potential path to recover entropy would be to walk ACPI and determine the
> > limits for hotplug and PCI MMIO before kernel_randomize_memory(). On
> > smaller systems that could yield some KASLR address bits. This needs
> > additional investigation to determine if some limited ACPI table scanning
> > can happen this early without an open coded solution like
> > arch/x86/boot/compressed/acpi.c needs to deploy.
> > 
> > Cc: Balbir Singh <balbirs@nvidia.com>
> > Cc: Ingo Molnar <mingo@kernel.org>
> > Cc: Kees Cook <kees@kernel.org>
> > Cc: Bjorn Helgaas <bhelgaas@google.com>
> > Cc: Peter Zijlstra <peterz@infradead.org>
> > Cc: Andy Lutomirski <luto@kernel.org>
> > Cc: Logan Gunthorpe <logang@deltatee.com>
> > Cc: Andrew Morton <akpm@linux-foundation.org>
> > Cc: David Hildenbrand <david@redhat.com>
> > Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> > Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>
> > Cc: Vlastimil Babka <vbabka@suse.cz>
> > Cc: Mike Rapoport <rppt@kernel.org>
> > Cc: Suren Baghdasaryan <surenb@google.com>
> > Cc: Michal Hocko <mhocko@suse.com>
> > Cc: "Yasunori Gotou (Fujitsu)" <y-goto@fujitsu.com>
> > Fixes: 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
> > Signed-off-by: Dan Williams <dan.j.williams@intel.com>
[..]
> >  # Helpers to mirror range of the CPU page tables of a process into device page
> > diff --git a/arch/x86/mm/kaslr.c b/arch/x86/mm/kaslr.c
> > index 3c306de52fd4..834641c6049a 100644
> > --- a/arch/x86/mm/kaslr.c
> > +++ b/arch/x86/mm/kaslr.c
> > @@ -115,12 +115,12 @@ void __init kernel_randomize_memory(void)
> >  
> >  	/*
> >  	 * Adapt physical memory region size based on available memory,
> > -	 * except when CONFIG_PCI_P2PDMA is enabled. P2PDMA exposes the
> > -	 * device BAR space assuming the direct map space is large enough
> > -	 * for creating a ZONE_DEVICE mapping in the direct map corresponding
> > -	 * to the physical BAR address.
> > +	 * except when CONFIG_ZONE_DEVICE is enabled. ZONE_DEVICE wants to map
> > +	 * any physical address into the direct-map. KASLR wants to reliably
> > +	 * steal some physical address bits. Those design choices are in direct
> > +	 * conflict.
> >  	 */
> > -	if (!IS_ENABLED(CONFIG_PCI_P2PDMA) && (memory_tb < kaslr_regions[0].size_tb))
> > +	if (!IS_ENABLED(CONFIG_ZONE_DEVICE) && (memory_tb < kaslr_regions[0].size_tb))
> >  		kaslr_regions[0].size_tb = memory_tb;
> 
> A stupid question, why we adjust virtual kaslr to actual physical memory
> size at all rather than always use maximal addressable size?

My understanding is that KASLR wants to maximize the known unused
portions of the physical address space to incresase entropy. So a policy
of always excludie max addressable size == minimum entropy. At least
that is my view from 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on
most x86 systems"), someone from the KASLR implementation side could
correct me.

Re: [PATCH] x86/kaslr: P2PDMA is one of a class of ZONE_DEVICE-KASLR collisions

[Balbir Singh]

On 11/9/25 17:51, Mike Rapoport wrote:
> On Fri, Nov 07, 2025 at 06:32:15PM -0800, Dan Williams wrote:
>> Commit 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
>> is too narrow. ZONE_DEVICE, in general, lets any physical address be added
>> to the direct-map. I.e. not only ACPI hotplug ranges, CXL Memory Windows,
>> or EFI Specific Purpose Memory, but also any PCI MMIO range for the
>> CONFIG_DEVICE_PRIVATE and CONFIG_PCI_P2PDMA cases.
>>
>> A potential path to recover entropy would be to walk ACPI and determine the
>> limits for hotplug and PCI MMIO before kernel_randomize_memory(). On
>> smaller systems that could yield some KASLR address bits. This needs
>> additional investigation to determine if some limited ACPI table scanning
>> can happen this early without an open coded solution like
>> arch/x86/boot/compressed/acpi.c needs to deploy.
>>
>> Cc: Balbir Singh <balbirs@nvidia.com>
>> Cc: Ingo Molnar <mingo@kernel.org>
>> Cc: Kees Cook <kees@kernel.org>
>> Cc: Bjorn Helgaas <bhelgaas@google.com>
>> Cc: Peter Zijlstra <peterz@infradead.org>
>> Cc: Andy Lutomirski <luto@kernel.org>
>> Cc: Logan Gunthorpe <logang@deltatee.com>
>> Cc: Andrew Morton <akpm@linux-foundation.org>
>> Cc: David Hildenbrand <david@redhat.com>
>> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
>> Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>
>> Cc: Vlastimil Babka <vbabka@suse.cz>
>> Cc: Mike Rapoport <rppt@kernel.org>
>> Cc: Suren Baghdasaryan <surenb@google.com>
>> Cc: Michal Hocko <mhocko@suse.com>
>> Cc: "Yasunori Gotou (Fujitsu)" <y-goto@fujitsu.com>
>> Fixes: 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
>> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
>> ---
>>  drivers/pci/Kconfig |  6 ------
>>  mm/Kconfig          | 12 ++++++++----
>>  arch/x86/mm/kaslr.c | 10 +++++-----
>>  3 files changed, 13 insertions(+), 15 deletions(-)
>>
>> diff --git a/drivers/pci/Kconfig b/drivers/pci/Kconfig
>> index f94f5d384362..47e466946bed 100644
>> --- a/drivers/pci/Kconfig
>> +++ b/drivers/pci/Kconfig
>> @@ -207,12 +207,6 @@ config PCI_P2PDMA
>>  	  P2P DMA transactions must be between devices behind the same root
>>  	  port.
>>  
>> -	  Enabling this option will reduce the entropy of x86 KASLR memory
>> -	  regions. For example - on a 46 bit system, the entropy goes down
>> -	  from 16 bits to 15 bits. The actual reduction in entropy depends
>> -	  on the physical address bits, on processor features, kernel config
>> -	  (5 level page table) and physical memory present on the system.
>> -
>>  	  If unsure, say N.
>>  
>>  config PCI_LABEL
>> diff --git a/mm/Kconfig b/mm/Kconfig
>> index 0e26f4fc8717..d17ebcc1a029 100644
>> --- a/mm/Kconfig
>> +++ b/mm/Kconfig
>> @@ -1128,10 +1128,14 @@ config ZONE_DEVICE
>>  	  Device memory hotplug support allows for establishing pmem,
>>  	  or other device driver discovered memory regions, in the
>>  	  memmap. This allows pfn_to_page() lookups of otherwise
>> -	  "device-physical" addresses which is needed for using a DAX
>> -	  mapping in an O_DIRECT operation, among other things.
>> -
>> -	  If FS_DAX is enabled, then say Y.
>> +	  "device-physical" addresses which is needed for DAX, PCI_P2PDMA, and
>> +	  DEVICE_PRIVATE features among others.
>> +
>> +	  Enabling this option will reduce the entropy of x86 KASLR memory
>> +	  regions. For example - on a 46 bit system, the entropy goes down
>> +	  from 16 bits to 15 bits. The actual reduction in entropy depends
>> +	  on the physical address bits, on processor features, kernel config
>> +	  (5 level page table) and physical memory present on the system.
>>  
>>  #
>>  # Helpers to mirror range of the CPU page tables of a process into device page
>> diff --git a/arch/x86/mm/kaslr.c b/arch/x86/mm/kaslr.c
>> index 3c306de52fd4..834641c6049a 100644
>> --- a/arch/x86/mm/kaslr.c
>> +++ b/arch/x86/mm/kaslr.c
>> @@ -115,12 +115,12 @@ void __init kernel_randomize_memory(void)
>>  
>>  	/*
>>  	 * Adapt physical memory region size based on available memory,
>> -	 * except when CONFIG_PCI_P2PDMA is enabled. P2PDMA exposes the
>> -	 * device BAR space assuming the direct map space is large enough
>> -	 * for creating a ZONE_DEVICE mapping in the direct map corresponding
>> -	 * to the physical BAR address.
>> +	 * except when CONFIG_ZONE_DEVICE is enabled. ZONE_DEVICE wants to map
>> +	 * any physical address into the direct-map. KASLR wants to reliably
>> +	 * steal some physical address bits. Those design choices are in direct
>> +	 * conflict.
>>  	 */
>> -	if (!IS_ENABLED(CONFIG_PCI_P2PDMA) && (memory_tb < kaslr_regions[0].size_tb))
>> +	if (!IS_ENABLED(CONFIG_ZONE_DEVICE) && (memory_tb < kaslr_regions[0].size_tb))
>>  		kaslr_regions[0].size_tb = memory_tb;
> 
> A stupid question, why we adjust virtual kaslr to actual physical memory
> size at all rather than always use maximal addressable size?

The original changelog that introduced the changes has a detailed explanation, IIRC.

Balbir

Re: [PATCH] x86/kaslr: P2PDMA is one of a class of ZONE_DEVICE-KASLR collisions

[Dave Hansen]

The subject probably wants to be something along the lines of:

	x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers

On 11/7/25 18:32, Dan Williams wrote:
> Commit 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
> is too narrow. ZONE_DEVICE, in general, lets any physical address be added
> to the direct-map. I.e. not only ACPI hotplug ranges, CXL Memory Windows,
> or EFI Specific Purpose Memory, but also any PCI MMIO range for the
> CONFIG_DEVICE_PRIVATE and CONFIG_PCI_P2PDMA cases.

This should probably also mention the fact that:

	config PCI_P2PDMA
		depends on ZONE_DEVICE

It would also be nice to point out how the "too narrow" check had an
impact on real ZONE_DEVICE but !PCI_P2PDMA users. This isn't just a
theoretical problem, right?

> A potential path to recover entropy would be to walk ACPI and determine the
> limits for hotplug and PCI MMIO before kernel_randomize_memory(). On
> smaller systems that could yield some KASLR address bits. This needs
> additional investigation to determine if some limited ACPI table scanning
> can happen this early without an open coded solution like
> arch/x86/boot/compressed/acpi.c needs to deploy.

Yeah, a more flexible runtime solution would be highly preferred over
the existing solution built around config options. But this is really
orthogonal to the bug fix here.

With the changelog fixes above:

Acked-by: Dave Hansen <dave.hansen@linux.intel.com>

Oh, and does this need to be cc:stable@?

Re: [PATCH] x86/kaslr: P2PDMA is one of a class of ZONE_DEVICE-KASLR collisions

[dan.j.williams]

Dave Hansen wrote:
> The subject probably wants to be something along the lines of:
> 
> 	x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers

...works for me.

> 
> On 11/7/25 18:32, Dan Williams wrote:
> > Commit 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
> > is too narrow. ZONE_DEVICE, in general, lets any physical address be added
> > to the direct-map. I.e. not only ACPI hotplug ranges, CXL Memory Windows,
> > or EFI Specific Purpose Memory, but also any PCI MMIO range for the
> > CONFIG_DEVICE_PRIVATE and CONFIG_PCI_P2PDMA cases.
> 
> This should probably also mention the fact that:
> 
> 	config PCI_P2PDMA
> 		depends on ZONE_DEVICE
> 
> It would also be nice to point out how the "too narrow" check had an
> impact on real ZONE_DEVICE but !PCI_P2PDMA users. This isn't just a
> theoretical problem, right?

Yasunori filled in a detail [1] that I did not have when creating the
patch, specifically that when he enountered the CXL collision with KASLR
he was running on a kernel before commit 7ffb791423c7 ("x86/kaslr:
Reduce KASLR entropy on most x86 systems").

Either way, a pre-7ffb791423c7 kernel and a kernel with
CONFIG_PCI_P2PDMA=n would fail the same way. Yasunori confirmed that
current kernel with CONFIG_PCI_P2PDMA=y, or this patch solved the
problem for him.

See below for a reworked patch with these changes.

[1]: http://lore.kernel.org/OS9PR01MB124215C4182B59D590049B99390CCA@OS9PR01MB12421.jpnprd01.prod.outlook.com
> 
> > A potential path to recover entropy would be to walk ACPI and determine the
> > limits for hotplug and PCI MMIO before kernel_randomize_memory(). On
> > smaller systems that could yield some KASLR address bits. This needs
> > additional investigation to determine if some limited ACPI table scanning
> > can happen this early without an open coded solution like
> > arch/x86/boot/compressed/acpi.c needs to deploy.
> 
> Yeah, a more flexible runtime solution would be highly preferred over
> the existing solution built around config options. But this is really
> orthogonal to the bug fix here.
> 
> With the changelog fixes above:
> 
> Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
> 
> Oh, and does this need to be cc:stable@?

Yes, especially because it would create a dependency on 7ffb791423c7
also being backported and that would have helped Yasunori avoid this
problem (for CONFIG_PCI_P2PDMA=y builds at least).

-- >8 --
From d2f4b9ac915ce35e2ec842548ae1ccb4f1690b04 Mon Sep 17 00:00:00 2001
From: Dan Williams <dan.j.williams@intel.com>
Date: Thu, 6 Nov 2025 15:13:50 -0800
Subject: [PATCH v2] x86/kaslr: Recognize all ZONE_DEVICE users as physaddr
 consumers

Commit 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
is too narrow. The effect being mitigated in that commit is caused by
ZONE_DEVICE which PCI_P2PDMA has a dependency. ZONE_DEVICE, in general,
lets any physical address be added to the direct-map. I.e. not only ACPI
hotplug ranges, CXL Memory Windows, or EFI Specific Purpose Memory, but
also any PCI MMIO range for the DEVICE_PRIVATE and PCI_P2PDMA cases. Update
the mitigation, limit KASLR entropy, to apply in all ZONE_DEVICE=y cases.

Distro kernels typically have PCI_P2PDMA=y, so the practical exposure of
this problem is limited to the PCI_P2PDMA=n case.

A potential path to recover entropy would be to walk ACPI and determine the
limits for hotplug and PCI MMIO before kernel_randomize_memory(). On
smaller systems that could yield some KASLR address bits. This needs
additional investigation to determine if some limited ACPI table scanning
can happen this early without an open coded solution like
arch/x86/boot/compressed/acpi.c needs to deploy.

Cc: Ingo Molnar <mingo@kernel.org>
Cc: Kees Cook <kees@kernel.org>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Logan Gunthorpe <logang@deltatee.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: David Hildenbrand <david@redhat.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Michal Hocko <mhocko@suse.com>
Fixes: 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
Cc: <stable@vger.kernel.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Reviewed-by: Balbir Singh <balbirs@nvidia.com>
Tested-by: Yasunori Goto <y-goto@fujitsu.com>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
---
 drivers/pci/Kconfig |  6 ------
 mm/Kconfig          | 12 ++++++++----
 arch/x86/mm/kaslr.c | 10 +++++-----
 3 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/drivers/pci/Kconfig b/drivers/pci/Kconfig
index f94f5d384362..47e466946bed 100644
--- a/drivers/pci/Kconfig
+++ b/drivers/pci/Kconfig
@@ -207,12 +207,6 @@ config PCI_P2PDMA
 	  P2P DMA transactions must be between devices behind the same root
 	  port.
 
-	  Enabling this option will reduce the entropy of x86 KASLR memory
-	  regions. For example - on a 46 bit system, the entropy goes down
-	  from 16 bits to 15 bits. The actual reduction in entropy depends
-	  on the physical address bits, on processor features, kernel config
-	  (5 level page table) and physical memory present on the system.
-
 	  If unsure, say N.
 
 config PCI_LABEL
diff --git a/mm/Kconfig b/mm/Kconfig
index 0e26f4fc8717..d17ebcc1a029 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -1128,10 +1128,14 @@ config ZONE_DEVICE
 	  Device memory hotplug support allows for establishing pmem,
 	  or other device driver discovered memory regions, in the
 	  memmap. This allows pfn_to_page() lookups of otherwise
-	  "device-physical" addresses which is needed for using a DAX
-	  mapping in an O_DIRECT operation, among other things.
-
-	  If FS_DAX is enabled, then say Y.
+	  "device-physical" addresses which is needed for DAX, PCI_P2PDMA, and
+	  DEVICE_PRIVATE features among others.
+
+	  Enabling this option will reduce the entropy of x86 KASLR memory
+	  regions. For example - on a 46 bit system, the entropy goes down
+	  from 16 bits to 15 bits. The actual reduction in entropy depends
+	  on the physical address bits, on processor features, kernel config
+	  (5 level page table) and physical memory present on the system.
 
 #
 # Helpers to mirror range of the CPU page tables of a process into device page
diff --git a/arch/x86/mm/kaslr.c b/arch/x86/mm/kaslr.c
index 3c306de52fd4..834641c6049a 100644
--- a/arch/x86/mm/kaslr.c
+++ b/arch/x86/mm/kaslr.c
@@ -115,12 +115,12 @@ void __init kernel_randomize_memory(void)
 
 	/*
 	 * Adapt physical memory region size based on available memory,
-	 * except when CONFIG_PCI_P2PDMA is enabled. P2PDMA exposes the
-	 * device BAR space assuming the direct map space is large enough
-	 * for creating a ZONE_DEVICE mapping in the direct map corresponding
-	 * to the physical BAR address.
+	 * except when CONFIG_ZONE_DEVICE is enabled. ZONE_DEVICE wants to map
+	 * any physical address into the direct-map. KASLR wants to reliably
+	 * steal some physical address bits. Those design choices are in direct
+	 * conflict.
 	 */
-	if (!IS_ENABLED(CONFIG_PCI_P2PDMA) && (memory_tb < kaslr_regions[0].size_tb))
+	if (!IS_ENABLED(CONFIG_ZONE_DEVICE) && (memory_tb < kaslr_regions[0].size_tb))
 		kaslr_regions[0].size_tb = memory_tb;
 
 	/*
-- 
2.51.1