From: Lance Yang <lance.yang@linux.dev>
To: Barry Song <21cnbao@gmail.com>
Cc: akpm@linux-foundation.org, david@redhat.com,
	Liam.Howlett@oracle.com, vbabka@suse.cz, jannh@google.com,
	lorenzo.stoakes@oracle.com, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, Lance Yang <ioworker0@gmail.com>
Subject: Re: [PATCH 1/1] mm/madvise: initialize prev pointer in madvise_walk_vmas
Date: Tue, 17 Jun 2025 12:57:29 +0800	[thread overview]
Message-ID: <6fe09fdd-ff38-42cc-b101-520204213f82@linux.dev> (raw)
In-Reply-To: <CAGsJ_4ySwMuKGYxywY+RH_FkNvjsThhvFQr+d1++KykOqjxarg@mail.gmail.com>



On 2025/6/17 10:24, Barry Song wrote:
> On Tue, Jun 17, 2025 at 2:05 PM Lance Yang <ioworker0@gmail.com> wrote:
>>
>> From: Lance Yang <lance.yang@linux.dev>
>>
>> The prev pointer was uninitialized, which could lead to undefined behavior
>> where its address is taken and passed to the visit() callback without being
>> assigned a value.
>>
>> Initializing it to NULL makes the code safer and prevents potential bugs
>> if a future callback function attempts to read from it.
> 
> Is there any read-before-write case here? I haven't found one.


It appears that the following is a call chain showing the read-before-write
of prev:

-> madvise_vma_anon_name(..., struct vm_area_struct **prev, ...)
         Receives the address of madvise_walk_vmas's prev.
         Passes this pointer directly to madvise_update_vma.
         Note that prev is not updated before visit() is called
         if !(start > vma->vm_start) in the slow path.

         -> madvise_update_vma(..., struct vm_area_struct **prev, ...)
                 It calls the next function with *prev.

                 -> vma_modify_flags_name(..., *prev, ...)
                         Stores the value of madvise_walk_vmas's prev in vmg.prev
                         using the VMG_VMA_STATE macro.

                         -> vma_modify(struct vma_merge_struct *vmg)
                                 Receives the vmg struct.
                                 Passes vmg to vma_merge_existing_range.

                                 -> vma_merge_existing_range(struct vma_merge_struct *vmg)
                                         Retrieves the value: struct vm_area_struct *prev = vmg->prev;
                                         The value is now used in a conditional check:
                                         VM_WARN_ON_VMG(prev && start <= prev->vm_start, vmg)
                                         If prev was uninitialized, this would cause a crash.

Thanks,
Lance

> 
> It also looks like we're assuming that *prev == NULL implies
> a specific condition:
> 
> *prev = NULL;   /* tell sys_madvise we drop mmap_lock */
> 
> *prev = NULL; /* mmap_lock has been dropped, prev is stale */
> 
>>
>> Signed-off-by: Lance Yang <lance.yang@linux.dev>
>> ---
>>   mm/madvise.c | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/mm/madvise.c b/mm/madvise.c
>> index 267d8e4adf31..c87325000303 100644
>> --- a/mm/madvise.c
>> +++ b/mm/madvise.c
>> @@ -1536,10 +1536,10 @@ int madvise_walk_vmas(struct mm_struct *mm, unsigned long start,
>>                                     struct vm_area_struct **prev, unsigned long start,
>>                                     unsigned long end, void *arg))
>>   {
>> +       struct vm_area_struct *prev = NULL;
>>          struct vm_area_struct *vma;
>> -       struct vm_area_struct *prev;
>> -       unsigned long tmp;
>>          int unmapped_error = 0;
>> +       unsigned long tmp;
>>          int error;
>>
>>          /*
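Review bot: the hunk also moves `unsigned long tmp;` from above `int unmapped_error = 0;` to below it, which is unrelated to the NULL initialisation and only adds churn; keep `tmp` where it was and change just the one line to `struct vm_area_struct *prev = NULL;`. The commit message should also state what a NULL `prev` means to the callbacks, because the quoted `*prev = NULL; /* tell sys_madvise we drop mmap_lock */` shows NULL already carries a meaning on this path, and the initialiser makes that the state before the first visit() runs.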
>> --
>> 2.49.0
>>
> 
> Thanks
> Barry


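The call chain above ends in a check of the form `prev && start <= prev->vm_start`, which is only safe when `prev` holds either NULL or a real predecessor. The following is an added example, not code from the patch or from the kernel: a miniature walker modelled on madvise_walk_vmas(), with a visit() callback that reads `*prev` before assigning it, the way the chain through madvise_update_vma() and vma_merge_existing_range() does. The struct, function and sample VMA ranges are hypothetical; `check_prev_ordering()` stands in for the VM_WARN_ON_VMG() condition and returns -1 where the kernel would warn.

```c
/* Added example (not the kernel's code): a toy VMA walker modelled on
 * madvise_walk_vmas(), showing why prev is initialised to NULL before any
 * callback can read it. All names and ranges below are constructed. */
#include <stddef.h>

struct vma {
    unsigned long vm_start;
    unsigned long vm_end;
    struct vma *next;      /* sorted, non-overlapping list */
};

/* Stand-in for VM_WARN_ON_VMG(prev && start <= prev->vm_start, vmg):
 * NULL means "no predecessor yet" and is skipped; a non-NULL prev must
 * start strictly before the range being modified. 0 = ok, -1 = would warn. */
static int check_prev_ordering(const struct vma *prev, unsigned long start)
{
    if (prev && start <= prev->vm_start)
        return -1;
    return 0;
}

/* Same check with a prev built from a bare start address (test helper). */
static int check_prev_at(unsigned long prev_start, unsigned long start)
{
    struct vma p = { prev_start, prev_start + 0x1000, NULL };
    return check_prev_ordering(&p, start);
}

/* Callback in the shape of visit(vma, &prev, start, end, arg): it reads
 * *prev first (as vma_merge_existing_range() does via vmg->prev), counts
 * any ordering violation, then updates *prev like madvise_update_vma(). */
static int visit(struct vma *vma, struct vma **prev, unsigned long start,
                 unsigned long end, void *arg)
{
    int *bad_reads = arg;
    (void)end;
    if (check_prev_ordering(*prev, start) != 0)
        (*bad_reads)++;
    *prev = vma;
    return 0;
}

/* Walk [start, end) over the list. prev starts as NULL, which is the fix in
 * the patch; without the initialiser the first visit() would read an
 * indeterminate pointer, which is undefined behaviour in C. */
static int walk_vmas(struct vma *head, unsigned long start, unsigned long end,
                     int (*cb)(struct vma *, struct vma **, unsigned long,
                               unsigned long, void *), void *arg)
{
    struct vma *prev = NULL;
    struct vma *vma;
    unsigned long cur = start;
    int error = 0;

    for (vma = head; vma && cur < end; vma = vma->next) {
        unsigned long tmp;
        if (vma->vm_end <= cur)
            continue;                       /* entirely before the range */
        tmp = vma->vm_end < end ? vma->vm_end : end;
        error = cb(vma, &prev, cur > vma->vm_start ? cur : vma->vm_start,
                   tmp, arg);
        if (error)
            break;
        cur = tmp;                          /* advance past this vma */
    }
    return error;
}

/* Constructed sample: three VMAs, a range that starts inside the first and
 * ends inside the last. Returns the number of bad prev reads (expected 0). */
int sample_walk(void)
{
    struct vma c = { 0x5000, 0x6000, NULL };
    struct vma b = { 0x3000, 0x4000, &c };
    struct vma a = { 0x1000, 0x2000, &b };
    int bad_reads = 0;

    if (walk_vmas(&a, 0x1800, 0x5800, visit, &bad_reads) != 0)
        return -1;
    return bad_reads;
}

int main(void)
{
    return sample_walk() != 0;
}
```

The point of the toy is that `prev == NULL` is already a value the callbacks know how to handle (the ordering check short-circuits on it), whereas an indeterminate pointer gives the compiler licence to do anything, so the initialiser is what turns the first read into a defined, checkable state rather than a crash or a silently wrong merge decision.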

Thread overview: 19+ messages
2025-06-17  2:05 [PATCH 1/1] mm/madvise: initialize prev pointer in madvise_walk_vmas Lance Yang
2025-06-17  2:24 ` Barry Song
2025-06-17  4:57   ` Lance Yang [this message]
2025-06-17  5:19     ` Barry Song
2025-06-17  6:03       ` Lance Yang
2025-06-17  7:54 ` David Hildenbrand
2025-06-17  8:18   ` Lance Yang
2025-06-17  8:21   ` Lorenzo Stoakes
2025-06-17  8:28     ` David Hildenbrand
2025-06-17  8:34       ` Lorenzo Stoakes
2025-06-17  8:38         ` David Hildenbrand
2025-06-17  8:50           ` Lorenzo Stoakes
2025-06-17  8:53             ` David Hildenbrand
2025-06-17  8:43   ` Lorenzo Stoakes
2025-06-17  8:51     ` Lorenzo Stoakes
2025-06-17  8:26 ` Lorenzo Stoakes
2025-06-17  8:50 ` Lorenzo Stoakes
2025-06-17  9:21   ` Lance Yang
2025-06-17  9:26     ` Lorenzo Stoakes
