Message-ID: <10e36f9f-5318-40bf-9f64-e254c7ccfbb9@suse.cz>
Date: Fri, 6 Jun 2025 18:16:16 +0200
Subject: Re: [PATCH] mm/vma: reset VMA iterator on commit_merge() OOM failure
To: Lorenzo Stoakes, Andrew Morton
Cc: "Liam R . Howlett", Jann Horn, Pedro Falcato, linux-mm@kvack.org, linux-kernel@vger.kernel.org
References: <20250606125032.164249-1-lorenzo.stoakes@oracle.com>
From: Vlastimil Babka
In-Reply-To: <20250606125032.164249-1-lorenzo.stoakes@oracle.com>

On 6/6/25 14:50, Lorenzo Stoakes wrote:
> While an OOM failure in commit_merge() isn't really feasible due to the
> allocation which might fail (a maple tree pre-allocation) being 'too small
> to fail', we do need to handle this case correctly regardless.
>
> In vma_merge_existing_range(), we can theoretically encounter failures
> which result in an OOM error in two ways - firstly dup_anon_vma() might
> fail with an OOM error, and secondly commit_merge() failing, ultimately, to
> pre-allocate a maple tree node.
>
> The abort logic for dup_anon_vma() resets the VMA iterator to the initial
> range, ensuring that any logic looping on this iterator will correctly
> proceed to the next VMA.
>
> However the commit_merge() abort logic does not do the same thing.
> This resulted in a syzbot report occurring because mlockall() iterates
> through VMAs, is tolerant of errors, but ended up with an incorrect
> previous VMA being specified due to incorrect iterator state.
>
> While making this change, it became apparent we are duplicating logic - the
> logic introduced in commit 41e6ddcaa0f1 ("mm/vma: add give_up_on_oom option
> on modify/merge, use in uffd release") duplicates the vmg->give_up_on_oom
> check in both abort branches.
>
> Additionally, we observe that we can perform the anon_dup check safely on
> dup_anon_vma() failure, as this will not be modified should this call fail.
>
> Finally, we need to reset the iterator in both cases, so now we can simply
> use the exact same code to abort for both.
>
> We remove the VM_WARN_ON(err != -ENOMEM) as it would be silly for this to
> be otherwise and it allows us to implement the abort check more neatly.
>
> Reported-by: syzbot+d16409ea9ecc16ed261a@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/linux-mm/6842cc67.a00a0220.29ac89.003b.GAE@google.com/
> Fixes: 47b16d0462a4 ("mm: abort vma_modify() on merge out of memory failure")
> Cc: stable@vger.kernel.org
> Signed-off-by: Lorenzo Stoakes

Nice.

Reviewed-by: Vlastimil Babka