From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
To: kernel test robot <oliver.sang@intel.com>
Cc: oe-lkp@lists.linux.dev, lkp@intel.com,
Andrew Morton <akpm@linux-foundation.org>,
Vlastimil Babka <vbabka@suse.cz>,
Al Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
Jann Horn <jannh@google.com>,
Liam Howlett <liam.howlett@oracle.com>,
Peter Xu <peterx@redhat.com>, Rik van Riel <riel@surriel.com>,
linux-mm@kvack.org, ltp@lists.linux.it
Subject: Re: [linux-next:master] [mm/mremap] d9339d9c10: ltp.mseal01.fail
Date: Sun, 20 Jul 2025 11:31:55 +0100 [thread overview]
Message-ID: <10b9bb44-33a2-4138-9d35-c2587b8723a3@lucifer.local> (raw)
In-Reply-To: <202507201002.69144b74-lkp@intel.com>
TL; DR - there's undocumented mremap() behaviour on shrink that I accidentally
regressed. I will fix this (easy fix), document and add a self-test.
On Sun, Jul 20, 2025 at 04:30:52PM +0800, kernel test robot wrote:
>
>
> Hello,
>
> kernel test robot noticed "ltp.mseal01.fail" on:
OK, so I've looked into this, and it seems there's some undocumented mremap()
shrink behaviour even I wasn't aware of.
In mseal01.c, when you establish the mseal, you do it offset into the mapped VMA:
static void run(unsigned int n)
{
...
mem_addr = SAFE_MMAP(NULL, mem_size,
tc->prot,
MAP_ANONYMOUS | MAP_PRIVATE,
-1, 0);
...
TST_EXP_PASS(sys_mseal(mem_addr + mem_offset, mem_alignment));
...
}
This is splitting the originally mapped VMA to insert an mseal()'d region within
it:
|------------------------|
| A |
|------------------------|
Becomes:
mem_offset
<---------->
|----------|---|---------|
| B | C | D |
|----------|---|---------|
You then try to mremap() and shrink B, C, and D in test_mremap_resize():
static void test_mremap_resize(void)
{
void *new_addr;
size_t new_size = 2 * mem_alignment;
new_addr = SAFE_MMAP(NULL, mem_size,
PROT_READ,
MAP_ANONYMOUS | MAP_PRIVATE,
-1, 0);
TST_EXP_FAIL_PTR_VOID(mremap(mem_addr, mem_size, new_size,
MREMAP_MAYMOVE | MREMAP_FIXED,
new_addr),
EPERM);
...
}
(Note that in testing, I've found mem_size == 0x8000 and mem_alignment == 0x1000
so this is a shrink, also mem_offset == 0x2000).
So in ALL OTHER CASES you can't span multiple VMAs, let alone with gaps. But on
shrink hey you can!
So the operation becomes:
<- unmap this->
|----------|---|---------|
| B | C | D |
|----------|---|---------|
< move this>
|----------|
| B |
|----------|
Obviously with C mseal()'d the unmap fails and we get the expected -EPERM fail.
The commit bisected to disallows an MREMAP_FIXED that spans multiple VMAs, which
makes the logic consistent with _every other operation_.
The manpage also appears to contradict this behaviour. So it's understandable
this was overlooked.
The fix is quick, will send shortly. It will be folded into existing series so
unfortunately can't apply tags as per below.
Thanks, Lorenzo
>
> commit: d9339d9c10d2452ae4d0087a3127359de6c2ed0e ("mm/mremap: check remap conditions earlier")
> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
>
> [test failed on linux-next/master d086c886ceb9f59dea6c3a9dae7eb89e780a20c9]
>
> in testcase: ltp
> version: ltp-x86_64-a5dad8bc3-1_20250712
> with following parameters:
>
> disk: 1HDD
> fs: xfs
> test: syscalls-02/mseal01
>
>
>
> config: x86_64-rhel-9.4-ltp
> compiler: gcc-12
> test machine: 8 threads Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz (Skylake) with 16G memory
>
> (please refer to attached dmesg/kmsg for entire log/backtrace)
>
>
>
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <oliver.sang@intel.com>
> | Closes: https://lore.kernel.org/oe-lkp/202507201002.69144b74-lkp@intel.com
>
>
> Running tests.......
> <<<test_start>>>
> tag=mseal01 stime=1752886519
> cmdline="mseal01"
> contacts=""
> analysis=exit
> <<<test_output>>>
> tst_test.c:1999: TINFO: LTP version: 20250530-76-ga5dad8bc3
> tst_test.c:2002: TINFO: Tested kernel: 6.16.0-rc5-00302-gd9339d9c10d2 #1 SMP PREEMPT_DYNAMIC Sat Jul 19 08:39:24 CST 2025 x86_64
> tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
> tst_kconfig.c:676: TINFO: CONFIG_KASAN kernel option detected which might slow the execution
> tst_test.c:1820: TINFO: Overall timeout per run is 0h 10m 00s
> mseal01.c:130: TINFO: Testing mprotect() availability
> mseal01.c:132: TPASS: sys_mseal(mem_addr + mem_offset, mem_alignment) passed
> mseal01.c:45: TPASS: mprotect(mem_addr, mem_size, PROT_NONE) : EPERM (1)
> mseal01.c:130: TINFO: Testing pkey_mprotect() availability
> mseal01.c:132: TPASS: sys_mseal(mem_addr + mem_offset, mem_alignment) passed
> ../../../../include/lapi/pkey.h:49: TCONF: pku is not supported on this CPU
> mseal01.c:130: TINFO: Testing madvise() availability
> mseal01.c:132: TPASS: sys_mseal(mem_addr + mem_offset, mem_alignment) passed
> mseal01.c:70: TPASS: madvise(mem_addr, mem_size, MADV_DONTNEED) : EPERM (1)
> mseal01.c:130: TINFO: Testing munmap() availability from child
> mseal01.c:132: TPASS: sys_mseal(mem_addr + mem_offset, mem_alignment) passed
> mseal01.c:75: TPASS: munmap(mem_addr, mem_size) : EPERM (1)
> mseal01.c:130: TINFO: Testing mremap() address move/resize
> mseal01.c:132: TPASS: sys_mseal(mem_addr + mem_offset, mem_alignment) passed
> mseal01.c:88: TFAIL: mremap(mem_addr, mem_size, new_size, MREMAP_MAYMOVE | MREMAP_FIXED, new_addr) expected EPERM: EFAULT (14)
> mseal01.c:130: TINFO: Testing mmap() protection change
> mseal01.c:132: TPASS: sys_mseal(mem_addr + mem_offset, mem_alignment) passed
> mseal01.c:98: TPASS: mmap(mem_addr, mem_size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0) : EPERM (1)
>
> Summary:
> passed 10
> failed 1
> broken 0
> skipped 1
> warnings 0
> incrementing stop
> <<<execution_status>>>
> initiation_status="ok"
> duration=0 termination_type=exited termination_id=1 corefile=no
> cutime=0 cstime=1
> <<<test_end>>>
> INFO: ltp-pan reported some tests FAIL
> LTP Version: 20250530-76-ga5dad8bc3
>
> ###############################################################
>
> Done executing testcases.
> LTP Version: 20250530-76-ga5dad8bc3
> ###############################################################
>
>
>
>
> The kernel config and materials to reproduce are available at:
> https://download.01.org/0day-ci/archive/20250720/202507201002.69144b74-lkp@intel.com
>
>
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
>
prev parent reply other threads:[~2025-07-20 10:32 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-20 8:30 kernel test robot
2025-07-20 10:31 ` Lorenzo Stoakes [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=10b9bb44-33a2-4138-9d35-c2587b8723a3@lucifer.local \
--to=lorenzo.stoakes@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=brauner@kernel.org \
--cc=jack@suse.cz \
--cc=jannh@google.com \
--cc=liam.howlett@oracle.com \
--cc=linux-mm@kvack.org \
--cc=lkp@intel.com \
--cc=ltp@lists.linux.it \
--cc=oe-lkp@lists.linux.dev \
--cc=oliver.sang@intel.com \
--cc=peterx@redhat.com \
--cc=riel@surriel.com \
--cc=vbabka@suse.cz \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox