From: Lance Yang
Date: Tue, 17 Jun 2025 12:57:29 +0800
Subject: Re: [PATCH 1/1] mm/madvise: initialize prev pointer in madvise_walk_vmas
To: Barry Song <21cnbao@gmail.com>
Cc: akpm@linux-foundation.org, david@redhat.com, Liam.Howlett@oracle.com, vbabka@suse.cz, jannh@google.com, lorenzo.stoakes@oracle.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Lance Yang
Message-ID: <6fe09fdd-ff38-42cc-b101-520204213f82@linux.dev>
References: <20250617020544.57305-1-lance.yang@linux.dev>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 2025/6/17 10:24, Barry Song wrote:
> On Tue, Jun 17, 2025 at 2:05 PM Lance Yang wrote:
>>
>> From: Lance Yang
>>
>> The prev pointer was uninitialized, which could lead to undefined behavior
>> where its address is taken and passed to the visit() callback without being
>> assigned a value.
>>
>> Initializing it to NULL makes the code safer and prevents potential bugs
>> if a future callback function attempts to read from it.
>
> Is there any read-before-write case here? I haven't found one.

It appears that the following is a call chain showing the read-before-write
of prev:

-> madvise_vma_anon_name(..., struct vm_area_struct **prev, ...)
   Receives the address of madvise_walk_vmas's prev.
   Passes this pointer directly to madvise_update_vma.
   Note that prev is not updated before visit() is called if
   !(start > vma->vm_start) in the slow path.

-> madvise_update_vma(..., struct vm_area_struct **prev, ...)
   It calls the next function with *prev.

-> vma_modify_flags_name(..., *prev, ...)
   Stores the value of madvise_walk_vmas's prev in vmg.prev using the
   VMG_VMA_STATE macro.

-> vma_modify(struct vma_merge_struct *vmg)
   Receives the vmg struct.
   Passes vmg to vma_merge_existing_range.

-> vma_merge_existing_range(struct vma_merge_struct *vmg)
   Retrieves the value: struct vm_area_struct *prev = vmg->prev;
   The value is now used in a conditional check:
   VM_WARN_ON_VMG(prev && start <= prev->vm_start, vmg)
   If prev was uninitialized, this would cause a crash.

Thanks,
Lance

>
> It also looks like we're assuming that *prev == NULL implies
> a specific condition:
>
> *prev = NULL; /* tell sys_madvise we drop mmap_lock */
>
> *prev = NULL; /* mmap_lock has been dropped, prev is stale */
>
>>
>> Signed-off-by: Lance Yang
>> ---
>> mm/madvise.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/mm/madvise.c b/mm/madvise.c
>> index 267d8e4adf31..c87325000303 100644
>> --- a/mm/madvise.c
>> +++ b/mm/madvise.c
>> @@ -1536,10 +1536,10 @@ int madvise_walk_vmas(struct mm_struct *mm, unsigned long start, >> struct vm_area_struct **prev, unsigned long start, >> unsigned long end, void *arg)) >> { >> + struct vm_area_struct *prev = NULL; >> struct vm_area_struct *vma; >> - struct vm_area_struct *prev; >> - unsigned long tmp; >> int unmapped_error = 0; >> + unsigned long tmp; >> int error; >> >> /* >> -- >> 2.49.0 >> > > Thanks > Barry
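Review bot: the `+ struct vm_area_struct *prev = NULL;` line in the madvise_walk_vmas hunk quoted above gives prev a value that the walker already treats as a signal, per the two comments Barry quotes (`*prev = NULL; /* tell sys_madvise we drop mmap_lock */` and `*prev = NULL; /* mmap_lock has been dropped, prev is stale */`), so a NULL that reaches visit() before any assignment is indistinguishable from the lock-dropped case; if the intent is only to remove an uninitialized read, the commit message should name the concrete read-before-write path (the madvise_vma_anon_name -> madvise_update_vma -> vma_merge_existing_range chain given in the reply) rather than a hypothetical future callback, and the hunk should not also swap the `unmapped_error` and `tmp` declarations, which is unrelated churn. Suggest keeping only the change to the prev declaration and dropping the `- unsigned long tmp;` / `+ unsigned long tmp;` move.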
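The reply's call chain and Barry's quoted comments both turn on one contract: the walker hands visit() the address of its prev, the merge side reads *prev in the check `prev && start <= prev->vm_start`, and a callback that stores NULL back through *prev is telling the walker that mmap_lock was dropped. The userland model below is an added example, not kernel code and not the patch author's: find_vma, find_vma_prev, walk_vmas and visit are stand-ins, the loop body is an approximation of the madvise_walk_vmas walk, the three-VMA address space is constructed, and the drop_at knob is a constructed way to exercise the NULL-means-stale path.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed VMA model: only the two fields the walk and the check use. */
struct vma {
	unsigned long vm_start;
	unsigned long vm_end;
};

/* Constructed address space: three mappings with a hole at [0x3000, 0x5000). */
static struct vma mm[] = {
	{ 0x1000, 0x2000 },
	{ 0x2000, 0x3000 },
	{ 0x5000, 0x6000 },
};
#define NVMA (sizeof mm / sizeof mm[0])

/* Stand-in for find_vma(): first VMA whose vm_end lies above addr, or NULL. */
static struct vma *find_vma(unsigned long addr)
{
	for (size_t i = 0; i < NVMA; i++)
		if (mm[i].vm_end > addr)
			return &mm[i];
	return NULL;
}

/* Stand-in for find_vma_prev(): same lookup, also handing back the VMA before it. */
static struct vma *find_vma_prev(unsigned long addr, struct vma **pprev)
{
	struct vma *vma = find_vma(addr);

	*pprev = (vma && vma != &mm[0]) ? vma - 1 : NULL;
	return vma;
}

static int visits;        /* visit() calls made by the last walk */
static int warn_fired;    /* times the prev sanity check would have warned */
static int drop_lock_at;  /* constructed knob: visit index that "drops the lock", or -1 */

/*
 * Model of a visit() callback.  The first test is the merge-side check from
 * the thread, prev && start <= prev->vm_start; it is only meaningful when
 * *prev is NULL or a real VMA.  Writing NULL back is the "mmap_lock has been
 * dropped, prev is stale" signal from the comments quoted in the thread.
 */
static int visit(struct vma *vma, struct vma **prev, unsigned long start,
		 unsigned long end, void *arg)
{
	(void)end;
	(void)arg;
	if (*prev && start <= (*prev)->vm_start)
		warn_fired++;
	if (visits++ == drop_lock_at) {
		*prev = NULL;  /* simulate a callback that dropped the lock */
		return 0;
	}
	*prev = vma;           /* normal case: this VMA is prev for the next one */
	return 0;
}

/*
 * Approximation of the madvise_walk_vmas() loop (assumption, not the kernel's
 * code): walk [start, end), report a hole as -ENOMEM at the end, and after each
 * visit() continue from prev->vm_end, or re-lookup from start if prev is NULL.
 */
static int walk_vmas(unsigned long start, unsigned long end, int drop_at)
{
	struct vma *vma, *prev = NULL;  /* initialised, as the patch does */
	unsigned long tmp;
	int unmapped_error = 0;

	visits = 0;
	warn_fired = 0;
	drop_lock_at = drop_at;

	vma = find_vma_prev(start, &prev);
	if (vma && start > vma->vm_start)
		prev = vma;

	for (;;) {
		if (!vma)
			return -ENOMEM;
		if (start < vma->vm_start) {
			unmapped_error = -ENOMEM;  /* hole: remember it, keep walking */
			start = vma->vm_start;
			if (start >= end)
				break;
		}
		tmp = vma->vm_end < end ? vma->vm_end : end;
		if (visit(vma, &prev, start, tmp, NULL))
			return -1;
		start = tmp;
		if (prev && start < prev->vm_end)
			start = prev->vm_end;
		if (start >= end)
			break;
		if (prev)
			vma = find_vma(prev->vm_end);
		else		/* prev is stale: re-lookup from start */
			vma = find_vma(start);
	}
	return unmapped_error;
}

int main(void)
{
	int rc = walk_vmas(0x1000, 0x6000, -1);

	printf("full walk: rc=%d visits=%d warnings=%d\n", rc, visits, warn_fired);
	rc = walk_vmas(0x1000, 0x6000, 0);
	printf("lock dropped on first visit: rc=%d visits=%d warnings=%d\n",
	       rc, visits, warn_fired);
	return 0;
}
```

Two things to read off the model: the merge-side check never dereferences anything but NULL or a VMA the walker itself produced, which is the property the patch wants; and once a callback stores NULL, the walker can no longer tell "nothing before this VMA" from "the lock was dropped" and falls back to a fresh lookup from start, which is the overloading Barry points at.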