From patchwork Mon Feb 3 07:52:06 2025
From: Ricardo Cañuelo Navarro
To: akpm@linux-foundation.org, riel@surriel.com
Cc: linux-mm@kvack.org, stable@vger.kernel.org, kernel-dev@igalia.com, revest@google.com
Subject: [PATCH v2] mm,madvise,hugetlb: check for 0-length range after end address adjustment
Date: Mon, 3 Feb 2025 08:52:06 +0100
Message-ID: <20250203075206.1452208-1-rcn@igalia.com>

Add a sanity check to madvise_dontneed_free() to address a corner case in madvise where a race condition causes the current vma being processed to be backed by a different page size.

During a madvise(MADV_DONTNEED) call on a memory region registered with a userfaultfd, there's a period of time where the process mm lock is temporarily released in order to send a UFFD_EVENT_REMOVE and let userspace handle the event. During this time, the vma covering the current address range may change due to an explicit mmap done concurrently by another thread.

If, after that change, the memory region, which was originally backed by 4KB pages, is now backed by hugepages, the end address is rounded down to a hugepage boundary to avoid data loss (see "Fixes" below).
This rounding may cause the end address to be truncated to the same address as the start.

Make this corner case follow the same semantics as in other similar cases where the requested region has zero length (i.e. return 0).

This will make madvise_walk_vmas() continue to the next vma in the range (this time holding the process mm lock) which, due to the prev pointer becoming stale because of the vma change, will be the same hugepage-backed vma that was just checked before. The next time madvise_dontneed_free() runs for this vma, if the start address isn't aligned to a hugepage boundary, it'll return -EINVAL, which is also in line with the madvise API.

From the userspace perspective, madvise() will return EINVAL because the start address isn't aligned according to the new vma alignment requirements (hugepage), even though it was correctly page-aligned when the call was issued.

Fixes: 8ebe0a5eaaeb ("mm,madvise,hugetlb: fix unexpected data loss with MADV_DONTNEED on hugetlbfs")
Cc: stable@vger.kernel.org
Signed-off-by: Ricardo Cañuelo Navarro
Reviewed-by: Oscar Salvador
---
Changes in v2:
- Added documentation in the code to tell the user how this situation can happen. (Andrew)
---
mm/madvise.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/mm/madvise.c b/mm/madvise.c index 49f3a75046f6..08b207f8e61e 100644 --- a/mm/madvise.c +++ b/mm/madvise.c @@ -933,7 +933,16 @@ static long madvise_dontneed_free(struct vm_area_struct *vma, */ end = vma->vm_end; } - VM_WARN_ON(start >= end); + /* + * If the memory region between start and end was + * originally backed by 4kB pages and then remapped to + * be backed by hugepages while mmap_lock was dropped, + * the adjustment for hugetlb vma above may have rounded + * end down to the start address. + */ + if (start == end) + return 0; + VM_WARN_ON(start > end); } if (behavior == MADV_DONTNEED || behavior == MADV_DONTNEED_LOCKED)
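Review bot: the new comment above `if (start == end) return 0;` explains how end can collapse onto start, but not what happens next, so a reader could take the silent success as the final outcome for the caller. The cover text says madvise_walk_vmas() will revisit the same hugetlb vma under mmap_lock and then return -EINVAL if start is not hugepage-aligned; one sentence to that effect in the comment (e.g. "Return 0 so madvise_walk_vmas() re-examines this range with the lock held; a misaligned start then fails with -EINVAL") would make the early return self-explanatory. Minor: the comment writes "4kB" while the changelog writes "4KB"; pick one spelling. The relaxed `VM_WARN_ON(start > end)` is correct given the equality case is now handled just before it.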