From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: "Liam R . Howlett" <Liam.Howlett@oracle.com>,
Vlastimil Babka <vbabka@suse.cz>, Jann Horn <jannh@google.com>,
Pedro Falcato <pfalcato@suse.de>,
David Hildenbrand <david@redhat.com>,
Mike Rapoport <rppt@kernel.org>,
Suren Baghdasaryan <surenb@google.com>,
Michal Hocko <mhocko@suse.com>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 6.17 2/3] mm/mremap: catch invalid multi VMA moves earlier
Date: Sat, 16 Aug 2025 08:52:45 +0100 [thread overview]
Message-ID: <b6dbda20-667e-4053-abae-8ed4fa84bb6c@lucifer.local> (raw)
In-Reply-To: <2b5aad5681573be85b5b8fac61399af6fb6b68b6.1754218667.git.lorenzo.stoakes@oracle.com>
Hi Andrew,
Fixing a silly issue that syzbot picked up, I reuse vma incorrectly, very easy
fix, fix-patch below.
(Vlastimil had a look at this off-list).
Cheers, Lorenzo
----8<----
From 87fc8e42946938688d637f694cd6e80552a26667 Mon Sep 17 00:00:00 2001
From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Date: Sat, 16 Aug 2025 08:37:41 +0100
Subject: [PATCH] mm/mremap: do not incorrectly reference invalid VMA in
VM_WARN_ON_ONCE()
The VMA which is referenced here may have since been merged (which is the
entire point of the warning), and yet we still reference it.
Fix this by storing whether or not a multi move is permitted ahead of time
and have the VM_WARN_ON_ONCE() be predicated on this.
Reported-by: syzbot+4e221abf50259362f4f4@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-mm/689ff5f6.050a0220.e29e5.0030.GAE@google.com/
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
---
mm/mremap.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/mm/mremap.c b/mm/mremap.c
index 18aa0b3b828f..33b642076205 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -1837,6 +1837,7 @@ static unsigned long remap_move(struct vma_remap_struct *vrm)
unsigned long addr = max(vma->vm_start, start);
unsigned long len = min(end, vma->vm_end) - addr;
unsigned long offset, res_vma;
+ bool multi_allowed;
/* No gap permitted at the start of the range. */
if (!seen_vma && start < vma->vm_start)
@@ -1865,7 +1866,8 @@ static unsigned long remap_move(struct vma_remap_struct *vrm)
vrm->new_addr = target_addr + offset;
vrm->old_len = vrm->new_len = len;
- if (!vma_multi_allowed(vma)) {
+ multi_allowed = vma_multi_allowed(vma);
+ if (!multi_allowed) {
/* This is not the first VMA, abort immediately. */
if (seen_vma)
return -EFAULT;
@@ -1881,8 +1883,7 @@ static unsigned long remap_move(struct vma_remap_struct *vrm)
return res_vma;
if (!seen_vma) {
- VM_WARN_ON_ONCE(vma_multi_allowed(vma) &&
- res_vma != new_addr);
+ VM_WARN_ON_ONCE(multi_allowed && res_vma != new_addr);
res = res_vma;
}
--
2.50.1
next prev parent reply other threads:[~2025-08-16 7:53 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-03 11:11 [PATCH 6.17 0/3] mm/mremap: allow multi-VMA move for huge folio, find ineligible earlier Lorenzo Stoakes
2025-08-03 11:11 ` [PATCH 6.17 1/3] mm/mremap: allow multi-VMA move when filesystem uses thp_get_unmapped_area Lorenzo Stoakes
2025-08-08 13:38 ` Vlastimil Babka
2025-08-03 11:11 ` [PATCH 6.17 2/3] mm/mremap: catch invalid multi VMA moves earlier Lorenzo Stoakes
2025-08-08 14:19 ` Vlastimil Babka
2025-08-08 14:34 ` Lorenzo Stoakes
2025-08-08 14:46 ` Lorenzo Stoakes
2025-08-08 14:43 ` Lorenzo Stoakes
2025-08-08 17:17 ` Vlastimil Babka
2025-08-16 7:52 ` Lorenzo Stoakes [this message]
2025-08-03 11:11 ` [PATCH 6.17 3/3] selftests/mm: add test for invalid multi VMA operations Lorenzo Stoakes
2025-08-08 13:19 ` [PATCH 6.17 0/3] mm/mremap: allow multi-VMA move for huge folio, find ineligible earlier Lorenzo Stoakes
2025-08-12 4:01 ` Andrew Morton
2025-08-12 5:32 ` Lorenzo Stoakes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b6dbda20-667e-4053-abae-8ed4fa84bb6c@lucifer.local \
--to=lorenzo.stoakes@oracle.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=david@redhat.com \
--cc=jannh@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@suse.com \
--cc=pfalcato@suse.de \
--cc=rppt@kernel.org \
--cc=surenb@google.com \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox