Date: Tue, 12 May 2026 20:00:17 -0700
To:
mm-commits@vger.kernel.org,vbabka@kernel.org,surenb@google.com,sj@kernel.org,shuah@kernel.org,rppt@kernel.org,mhocko@suse.com,ljs@kernel.org,liam@infradead.org,jannh@google.com,david@kernel.org,brauner@kernel.org,fujunjie1@qq.com,akpm@linux-foundation.org
From: Andrew Morton
Subject: [to-be-updated] mm-madvise-reject-invalid-process_madvise-advice-for-zero-length-vectors.patch removed from -mm tree
Message-Id: <20260513030017.DAD8CC2BCF5@smtp.kernel.org>
Precedence: bulk
X-Mailing-List: mm-commits@vger.kernel.org


The quilt patch titled
     Subject: mm/madvise: reject invalid process_madvise() advice for zero-length vectors
has been removed from the -mm tree.  Its filename was
     mm-madvise-reject-invalid-process_madvise-advice-for-zero-length-vectors.patch

This patch was dropped because an updated version will be issued

------------------------------------------------------
From: fujunjie
Subject: mm/madvise: reject invalid process_madvise() advice for zero-length vectors
Date: Mon, 27 Apr 2026 09:43:30 +0000

process_madvise() used to validate the advice while walking each imported
iovec.  If the vector has zero total length, vector_madvise() does not
enter the loop and can return success without checking whether the advice
value is valid.

For a local mm, such as process_madvise(PIDFD_SELF, ...), the remote-only
process_madvise_remote_valid() check is skipped.  As a result, an invalid
advice can be reported as success when the vector has zero total length.
This differs from madvise(), which rejects an invalid advice before
returning success for a zero-length range.

Validate the generic madvise behavior at the syscall-facing entry points
before any vector walk.  In process_madvise(), do this before the
remote-only advice restriction so unsupported advice is rejected with the
same priority for local and remote mm.  Then keep the per-range helper
focused on address/length validation, avoiding repeated behavior checks
for every iovec.  Valid zero-length requests remain no-ops and continue to
return 0.

Add a selftest that covers invalid advice with a zero-length iovec and an
empty vector, while also checking that a valid zero-length request still
succeeds.

Link: https://lore.kernel.org/tencent_BB588C2CDED859A873093DAF28B2CC1F7B0A@qq.com
Fixes: 021781b01275 ("mm/madvise: unrestrict process_madvise() for current process")
Signed-off-by: fujunjie
Acked-by: David Hildenbrand (Arm)
Reviewed-by: SeongJae Park
Cc: Christian Brauner
Cc: Jann Horn
Cc: Liam Howlett
Cc: Lorenzo Stoakes
Cc: Michal Hocko
Cc: Mike Rapoport
Cc: Shuah Khan
Cc: Suren Baghdasaryan
Cc: Vlastimil Babka
Signed-off-by: Andrew Morton
---

 mm/madvise.c | 29 +++++++++++--------
 tools/testing/selftests/mm/process_madv.c | 29 ++++++++++++++++++++
 2 files changed, 45 insertions(+), 13 deletions(-)

--- a/mm/madvise.c~mm-madvise-reject-invalid-process_madvise-advice-for-zero-length-vectors +++ a/mm/madvise.c @@ -1834,13 +1834,10 @@ static void madvise_finish_tlb(struct ma tlb_finish_mmu(madv_behavior->tlb); } -static bool is_valid_madvise(unsigned long start, size_t len_in, int behavior) +static bool is_valid_madvise_range(unsigned long start, size_t len_in) { size_t len; - if (!madvise_behavior_valid(behavior)) - return false; - if (!PAGE_ALIGNED(start)) return false; len = PAGE_ALIGN(len_in); @@ -1859,17 +1856,15 @@ static bool is_valid_madvise(unsigned lo * madvise_should_skip() - Return if the request is invalid or nothing. * @start: Start address of madvise-requested address range. * @len_in: Length of madvise-requested address range. - * @behavior: Requested madvise behavior. * @err: Pointer to store an error code from the check. * - * If the specified behaviour is invalid or nothing would occur, we skip the - * operation. This function returns true in the cases, otherwise false. In - * the former case we store an error on @err. + * If the specified range is invalid or nothing would occur, we skip the + * operation. This function returns true in these cases, otherwise false. In + * the former case we store an error in @err. */ -static bool madvise_should_skip(unsigned long start, size_t len_in, - int behavior, int *err) +static bool madvise_should_skip(unsigned long start, size_t len_in, int *err) { - if (!is_valid_madvise(start, len_in, behavior)) { + if (!is_valid_madvise_range(start, len_in)) { *err = -EINVAL; return true; } @@ -2013,7 +2008,10 @@ int do_madvise(struct mm_struct *mm, uns .tlb = &tlb, }; - if (madvise_should_skip(start, len_in, behavior, &error)) + if (!madvise_behavior_valid(behavior)) + return -EINVAL; + + if (madvise_should_skip(start, len_in, &error)) return error; error = madvise_lock(&madv_behavior); if (error) 
@@ -2056,7 +2054,7 @@ static ssize_t vector_madvise(struct mm_ size_t len_in = iter_iov_len(iter); int error; - if (madvise_should_skip(start, len_in, behavior, &error)) + if (madvise_should_skip(start, len_in, &error)) ret = error; else ret = madvise_do_behavior(start, len_in, &madv_behavior); @@ -2131,6 +2129,11 @@ SYSCALL_DEFINE5(process_madvise, int, pi goto release_task; } + if (!madvise_behavior_valid(behavior)) { + ret = -EINVAL; + goto release_mm; + } + /* * We need only perform this check if we are attempting to manipulate a * remote process's address space. --- a/tools/testing/selftests/mm/process_madv.c~mm-madvise-reject-invalid-process_madvise-advice-for-zero-length-vectors +++ a/tools/testing/selftests/mm/process_madv.c @@ -310,6 +310,35 @@ TEST_F(process_madvise, invalid_vlen) } /* + * Test that invalid advice is rejected even when the iovec has zero total + * length. A zero-length advice is a no-op for valid advice, but invalid + * advice should still fail with EINVAL. + */ +TEST_F(process_madvise, invalid_advice_zero_length) +{ + struct iovec vec = { + .iov_base = NULL, + .iov_len = 0, + }; + int pidfd = self->pidfd; + ssize_t ret; + + errno = 0; + ret = sys_process_madvise(pidfd, &vec, 1, -1, 0); + ASSERT_EQ(ret, -1); + ASSERT_EQ(errno, EINVAL); + + errno = 0; + ret = sys_process_madvise(pidfd, &vec, 1, MADV_DONTNEED, 0); + ASSERT_EQ(ret, 0); + + errno = 0; + ret = sys_process_madvise(pidfd, NULL, 0, -1, 0); + ASSERT_EQ(ret, -1); + ASSERT_EQ(errno, EINVAL); +} + +/* * Test process_madvise() with an invalid flag value. Currently, only a flag * value of 0 is supported. This test is reserved for the future, e.g., if * synchronous flags are added. _ Patches currently in -mm which might be from fujunjie1@qq.com are mm-filemap-count-only-the-faulting-address-as-a-mmap-hit.patch mm-filemap-do-not-count-fault_flag_tried-retries-as-mmap-hits.patch
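
Review bot: In the madvise_should_skip() kernel-doc hunk (@@ -1859), dropping @behavior leaves the helper with an unstated precondition: it no longer rejects an invalid behavior, so every caller must have called madvise_behavior_valid() beforehand. do_madvise() and process_madvise() do that in this patch, but the comment should say so, for example with one sentence stating that the behavior must already have been validated by the caller, so that a later caller of madvise_should_skip() or vector_madvise() does not reintroduce the zero-length bypass. The summary line "Return if the request is invalid or nothing." could also be reworded while this comment is being edited.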
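
Review bot: In the SYSCALL_DEFINE5(process_madvise) hunk (@@ -2131), the new madvise_behavior_valid() check exits through release_mm, so it only runs after the task and mm lookups have succeeded. An invalid advice is therefore reported as -EINVAL only when those earlier steps pass, and their errors take precedence. Since behavior is a plain syscall argument, the check could sit at the top of the syscall with a direct return and no cleanup label. If the current position is deliberate for error-priority reasons, a short comment saying so would help, because the changelog only explains the ordering relative to the remote-only check.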
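
Review bot: In the invalid_advice_zero_length selftest hunk, nothing visible shows that self->pidfd refers to the calling process, yet the changelog describes the bug as specific to a local mm, where process_madvise_remote_valid() is skipped. If the fixture's pidfd points at another process, the two -1 cases may not exercise the path this patch fixes. Consider passing PIDFD_SELF explicitly, or noting in the test comment that the fixture targets the current process. Minor wording: "A zero-length advice is a no-op for valid advice" would read better as "A zero-length request is a no-op for valid advice".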