References: <20250617020544.57305-1-lance.yang@linux.dev> <6fe09fdd-ff38-42cc-b101-520204213f82@linux.dev>
In-Reply-To: <6fe09fdd-ff38-42cc-b101-520204213f82@linux.dev>
From: Barry Song <21cnbao@gmail.com>
Date: Tue, 17 Jun 2025 17:19:13 +1200
Subject: Re: [PATCH 1/1] mm/madvise: initialize prev pointer in madvise_walk_vmas
To: Lance Yang
Cc: akpm@linux-foundation.org, david@redhat.com, Liam.Howlett@oracle.com, vbabka@suse.cz, jannh@google.com, lorenzo.stoakes@oracle.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Lance Yang

On Tue, Jun 17, 2025 at 4:57 PM Lance Yang wrote:
>
>
>
> On 2025/6/17 10:24, Barry Song wrote:
> > On Tue, Jun 17, 2025 at 2:05 PM Lance Yang wrote:
> >>
> >> From: Lance Yang
> >>
> >> The prev pointer was uninitialized, which could lead to undefined behavior
> >> where its address is taken and passed to the visit() callback without being
> >> assigned a value.
> >>
> >> Initializing it to NULL makes the code safer and prevents potential bugs
> >> if a future callback function attempts to read from it.
> >
> > Is there any read-before-write case here? I haven't found one.
>
> It appears that the following is a call chain showing the read-before-write
> of prev:
>
> -> madvise_vma_anon_name(..., struct vm_area_struct **prev, ...)
>    Receives the address of madvise_walk_vmas's prev.
>    Passes this pointer directly to madvise_update_vma.
>    Note that prev is not updated before visit() is called
>    if !(start > vma->vm_start) in the slow path.
>
> -> madvise_update_vma(..., struct vm_area_struct **prev, ...)
>    It calls the next function with *prev.
>
> -> vma_modify_flags_name(..., *prev, ...)
>    Stores the value of madvise_walk_vmas's prev in vmg.prev
>    using the VMG_VMA_STATE macro.
>
> -> vma_modify(struct vma_merge_struct *vmg)
>    Receives the vmg struct.
>    Passes vmg to vma_merge_existing_range.
>
> -> vma_merge_existing_range(struct vma_merge_struct *vmg)
>    Retrieves the value: struct vm_area_struct *prev = vmg->prev;
>    The value is now used in a conditional check:
>    VM_WARN_ON_VMG(prev && start <= prev->vm_start, vmg)
>    If prev was uninitialized, this would cause a crash.

Thanks! Do you have a reproducer? I'd like to try.

>
> Thanks,
> Lance
>
> >
> > It also looks like we're assuming that *prev == NULL implies
> > a specific condition:
> >
> > *prev = NULL; /* tell sys_madvise we drop mmap_lock */
> >
> > *prev = NULL; /* mmap_lock has been dropped, prev is stale */
> >
> >>
> >> Signed-off-by: Lance Yang
> >> ---
> >> mm/madvise.c | 4 ++--
> >> 1 file changed, 2 insertions(+), 2 deletions(-)
> >> > >> diff --git a/mm/madvise.c b/mm/madvise.c > >> index 267d8e4adf31..c87325000303 100644 > >> --- a/mm/madvise.c > >> +++ b/mm/madvise.c > >> @@ -1536,10 +1536,10 @@ int madvise_walk_vmas(struct mm_struct *mm, un= signed long start, > >> struct vm_area_struct **prev, unsi= gned long start, > >> unsigned long end, void *arg)) > >> { > >> + struct vm_area_struct *prev =3D NULL; > >> struct vm_area_struct *vma; > >> - struct vm_area_struct *prev; > >> - unsigned long tmp; > >> int unmapped_error =3D 0; > >> + unsigned long tmp; > >> int error; > >> > >> /* > >> -- > >> 2.49.0 > >> > > Thanks Barry
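Review bot: the hunk also moves `unsigned long tmp;` below `int unmapped_error = 0;`, which is unrelated to the fix and turns a one-line initializer into two removals and two additions; drop that reorder (or justify it in the commit message) so the only change is `struct vm_area_struct *prev = NULL;`. The commit message should also replace "could lead to undefined behavior" with the concrete read path Lance lays out in the thread (madvise_vma_anon_name -> madvise_update_vma -> vma_modify_flags_name -> vma_merge_existing_range, where VM_WARN_ON_VMG(prev && start <= prev->vm_start, vmg) dereferences prev), since Barry's question whether any read actually precedes a write is still open, and it should say how a NULL starting value interacts with the existing `*prev = NULL; /* tell sys_madvise we drop mmap_lock */` convention Barry quotes, so that an untouched prev cannot be mistaken for a dropped-lock signal.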