Re: [PATCH 1/1] mm/madvise: initialize prev pointer in madvise_walk_vmas

[Lance Yang <lance.yang@linux.dev>]

On 2025/6/17 16:50, Lorenzo Stoakes wrote:
> Lace - To simplify and not get bogged down in sub-threads am replying at the top
> level.
> 
> TL;DR this fix is incorrect, but the issue is correct :)
> 
> So the patch at [0] introduced by Barry changed things in a way that _appears_
> broken but in fact aren't, however we should do something about this, obviously.
> 
> That patch added:
> 
> 	if (madv_behavior && madv_behavior->lock_mode == MADVISE_VMA_READ_LOCK) {
> 		vma = try_vma_read_lock(mm, madv_behavior, start, end);
> 		if (vma) {
> 			error = visit(vma, &prev, start, end, arg);
> 			vma_end_read(vma);
> 			return error;
> 		}
> 	}
> 
> And the problem is, in this case, we don't initialise prev.
> 
> In all other cases, we do (under mmap lock):
> 
> 	vma = find_vma_prev(mm, start, &prev);
> 	if (vma && start > vma->vm_start)
> 		prev = vma;
> 
> The reason this isn't a problem is that the only madvise operation that
> currently supports this, madvise_dontneed_free() will initialise *prev = vma.
> 
> BUT we really shouldn't be relying on this, so I attach a fixpatch.
> 
> Given Barry's patch isn't mainline yet, I think this should just be squashed
> into that as a fix?
> 
> It kind of sucks to do this, but it resolves any potential bug.
> 
> I think a follow up is needed, as there's an implicit assumption it seems that
> prev is updated immediately for most callers, but of course anon_vma_name is a
> special snowflake.
> 
> todos++;

Ah, please keep me in the loop ;)

> 
> Lance - I suggest you reply to Barry's series with the below fix, or I can if
> you prefer?

Sure, go ahead!

Thanks,
Lance

> 
> [0]: https://lore.kernel.org/linux-mm/20250607220150.2980-1-21cnbao@gmail.com/
> 
> Thanks!
> 
> On Tue, Jun 17, 2025 at 10:05:43AM +0800, Lance Yang wrote:
>> From: Lance Yang <lance.yang@linux.dev>
>>
>> The prev pointer was uninitialized, which could lead to undefined behavior
>> where its address is taken and passed to the visit() callback without being
>> assigned a value.
>>
>> Initializing it to NULL makes the code safer and prevents potential bugs
>> if a future callback function attempts to read from it.
>>
>> Signed-off-by: Lance Yang <lance.yang@linux.dev>
>> ---
>>   mm/madvise.c | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/mm/madvise.c b/mm/madvise.c
>> index 267d8e4adf31..c87325000303 100644
>> --- a/mm/madvise.c
>> +++ b/mm/madvise.c
>> @@ -1536,10 +1536,10 @@ int madvise_walk_vmas(struct mm_struct *mm, unsigned long start,
>>   				   struct vm_area_struct **prev, unsigned long start,
>>   				   unsigned long end, void *arg))
>>   {
>> +	struct vm_area_struct *prev = NULL;
>>   	struct vm_area_struct *vma;
>> -	struct vm_area_struct *prev;
>> -	unsigned long tmp;
>>   	int unmapped_error = 0;
>> +	unsigned long tmp;
>>   	int error;
>>
>>   	/*
>> --
>> 2.49.0
>>
> 
> ----8<----
>  From c8dc9f5b2929e389cac44b79201fff43e0ab8195 Mon Sep 17 00:00:00 2001
> From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> Date: Tue, 17 Jun 2025 09:46:27 +0100
> Subject: [PATCH] fix
> 
> Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> ---
>   mm/madvise.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/mm/madvise.c b/mm/madvise.c
> index 267d8e4adf31..45ea4588e34e 100644
> --- a/mm/madvise.c
> +++ b/mm/madvise.c
> @@ -1549,6 +1549,7 @@ int madvise_walk_vmas(struct mm_struct *mm, unsigned long start,
>   	if (madv_behavior && madv_behavior->lock_mode == MADVISE_VMA_READ_LOCK) {
>   		vma = try_vma_read_lock(mm, madv_behavior, start, end);
>   		if (vma) {
> +			*prev = vma;
>   			error = visit(vma, &prev, start, end, arg);
>   			vma_end_read(vma);
>   			return error;
> --
> 2.49.0