Date: Sun, 25 May 2025 11:59:27 +0200
From: Oleg Nesterov
To: David Hildenbrand
Cc: Pu Lehui, Lorenzo Stoakes, mhiramat@kernel.org, peterz@infradead.org, akpm@linux-foundation.org, Liam.Howlett@oracle.com, vbabka@suse.cz, jannh@google.com, pfalcato@suse.de, linux-mm@kvack.org, linux-kernel@vger.kernel.org, pulehui@huawei.com, Andrii Nakryiko, Jiri Olsa
Subject: Re: [RFC PATCH] mm/mmap: Fix uprobe anon page be overwritten when expanding vma during mremap
Message-ID: <20250525095926.GA5391@redhat.com>
References: <20250521092503.3116340-1-pulehui@huaweicloud.com> <20250524164516.GA11642@redhat.com>
On 05/24, David Hildenbrand wrote:
>
> On 24.05.25 18:45, Oleg Nesterov wrote:
> >
> > To be honest, I can't even understand this part due to my ignorance.
> > What does "the old uprobe anon page to be orphan" actually mean?
> > How can the unnecessary uprobe_mmap() lead to an "unbalanced"
> > inc_mm_counter(MM_ANONPAGES) ? Or what else can explain the
> > "BUG: Bad rss-counter state" from check_mm() ? Or there are more problems?
>
> Essentially, we end up mapping an anonymous page (when installing the uprobe)
> after preparing the new VMA, but before moving over the pages from the old
> VMA.
>
> So when we then move over the pages from the old VMA, we overwrite the PTE
> mapping an anonymous page (due to uprobe).
>
> As we simply overwrite the PTE that is mapping an anonymous page, we run
> into inconsistency later: RSS counter mismatch, memory leak, etc.

Ah, I seem to start to understand... move_ptes() doesn't even check *new_pte,
I guess it assumes pte_none(ptep_get(new_pte)), right? So the old anonymous
page is simply leaked after set_pte_at(mm, new_addr, new_pte, pte)... Correct?

> We should never be installing an anonymous page (due to uprobe) into a VMA
> during mremap() before moving over the pages from the old VMA.

OK. But do you see any reason why uprobe_mmap() should be ever called during
mremap() ? not to mention munmap() ...

Thanks!

Oleg.
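The sequence the two messages describe, as an added toy model that is not kernel code and not part of the thread: a uprobe populates a PTE in the new VMA, the unchecked move then overwrites it, and the MM_ANONPAGES counter no longer reaches zero at teardown. The `check` flag is a hypothetical guard added only to show the invariant move_ptes() relies on; it is not the fix under discussion.

```c
#include <stdbool.h>
/* Constructed toy model of one mm (4-entry page table, pages, MM_ANONPAGES
 * counter). Not kernel code; it only mirrors the sequence in the thread. */
#define NPTES 4
#define PTE_NONE (-1)
struct page { int mapcount; };
struct mm { int pte[NPTES]; int rss_anon; struct page pages[NPTES]; };
static bool pte_none(const struct mm *mm, int i) { return mm->pte[i] == PTE_NONE; }

/* Map a fresh anonymous page at PTE i, as installing the uprobe does. */
static void map_anon(struct mm *mm, int i, int page_id)
{
	mm->pte[i] = page_id;
	mm->pages[page_id].mapcount++;
	mm->rss_anon++;                  /* inc_mm_counter(MM_ANONPAGES) */
}

/* Unmap one PTE, as zap_pte_range() does at munmap()/exit. */
static void zap(struct mm *mm, int i)
{
	if (pte_none(mm, i)) return;
	mm->pages[mm->pte[i]].mapcount--;
	mm->rss_anon--;                  /* dec_mm_counter(MM_ANONPAGES) */
	mm->pte[i] = PTE_NONE;
}

/* move_ptes() as described above: it assumes the destination is pte_none()
 * and overwrites it. 'check' enforces that assumption instead (a hypothetical
 * guard for illustration, not the kernel's fix). */
static int move_pte(struct mm *mm, int old, int new, bool check)
{
	if (check && !pte_none(mm, new)) return -1;  /* don't clobber a live PTE */
	mm->pte[new] = mm->pte[old];     /* set_pte_at(mm, new_addr, new_pte, pte) */
	mm->pte[old] = PTE_NONE;
	return 0;
}

/* Page 0 sits in the old VMA at PTE 0; uprobe_mmap() maps page 1 at PTE 2 in
 * the new VMA before the move; then PTE 0 moves onto PTE 2. Returns the rss
 * counter after full teardown: check_mm() expects 0, else "Bad rss-counter state". */
static int rss_left_after_exit(bool check)
{
	struct mm mm = { { PTE_NONE, PTE_NONE, PTE_NONE, PTE_NONE }, 0, { { 0 } } };
	map_anon(&mm, 0, 0);
	map_anon(&mm, 2, 1);
	move_pte(&mm, 0, 2, check);      /* unchecked: page 1 is orphaned here */
	for (int i = 0; i < NPTES; i++)
		zap(&mm, i);
	return mm.rss_anon;
}
```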