Subject: Re: [PATCH] fix mmap return value when vma is merged after call_mmap()
To: Liu Zixian, akpm@linux-foundation.org, linmiaohe@huawei.com, louhongxiang@huawei.com, linux-mm@kvack.org
Cc: hushiyuan@huawei.com
References: <20201201132755.5076-1-liuzixian4@huawei.com>
From: David Hildenbrand
Organization: Red Hat GmbH
Message-ID: <40c802c5-ef94-ed3b-7932-45b02cec8527@redhat.com>
Date: Tue, 1 Dec 2020 15:19:29 +0100
In-Reply-To: <20201201132755.5076-1-liuzixian4@huawei.com>

On 01.12.20 14:27, Liu Zixian wrote:
> On success, mmap should return the beginning address of the newly mapped area,
> but patch "mm: mmap: merge vma after call_mmap() if possible"
> set vm_start of the newly merged vma to the return value addr.
> Users of mmap will get a wrong address if the vma is merged after call_mmap().
> We fix this by moving the assignment to addr before merging the vma.
>
> Fixes: d70cec898324 ("mm: mmap: merge vma after call_mmap() if possible")
>
> Signed-off-by: Liu Zixian
> ---
> mm/mmap.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/mm/mmap.c b/mm/mmap.c
> index d91ecb00d38c..9199b5e8cc1e 100644
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -1820,12 +1820,12 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
> * and cause general protection fault ultimately.
> */
> fput(vma->vm_file);
> - vm_area_free(vma);
> - vma = merge;
> /* Update vm_flags and possible addr to pick up the change. We don't
> * warn here if addr changed as the vma is not linked by vma_link().
> */
> addr = vma->vm_start;
> + vm_area_free(vma);
> + vma = merge;
> vm_flags = vma->vm_flags;
> goto unmap_writable;
> }

I assume this is quite hard to trigger, right (having vm_flags change)?

"The vm_flags may be changed after call_mmap() because drivers may set some flags for their own purpose."

Because of how you describe it (returning a wrong mmap address), this will completely mess up userspace.

-- 
Thanks,

David / dhildenb
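Review bot: with the assignment moved ahead of `vm_area_free(vma); vma = merge;`, the line `addr = vma->vm_start;` now reads the start of the vma that was just created for this mapping rather than the merged one, so it no longer "picks up the change" and the comment directly above it ("Update vm_flags and possible addr to pick up the change. We don't warn here if addr changed as the vma is not linked by vma_link().") is stale. Either drop the assignment and reduce the comment to saying that only vm_flags is refreshed after the merge, or state in the comment why vma->vm_start could differ from addr at this point. The changelog would also be clearer if it named the condition under which the old code returned a wrong address: the merge extending the mapping backwards into a neighbouring vma, so that the merged vma's vm_start lies below the address the caller's mapping actually begins at.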