From: Richard Henderson <richard.henderson@linaro.org>
To: qemu-devel@nongnu.org
Subject: Re: [PATCH 3/4] linux-user: fix reserved_va page leak in do_munmap
Date: Tue, 21 Oct 2025 14:57:03 -0500 [thread overview]
Message-ID: <bc074822-a6bd-4cd0-8679-fbc68600bf15@linaro.org> (raw)
In-Reply-To: <20251011200337.30258-4-mlugg@mlugg.co.uk>
On 10/11/25 15:03, Matthew Lugg wrote:
> The previous logic here had an off-by-one error: assuming 4k pages on
> host and guest, if `len == 4097` (indicating to unmap 2 pages), then
> `last = start + 4096`, so `real_last = start + 4095`, so ultimately
> `real_len = 4096`. I do not believe this could cause any observable bugs
> in guests, because `target_munmap` page-aligns the length it passes in.
> However, calls to this function in `target_mremap` do not page-align the
> length, so those calls could "drop" pages, leading to a part of the
> reserved region becoming unmapped. At worst, a host allocation could get
> mapped into that hole, then clobbered by a new guest mapping.
>
> A simple fix didn't feel ideal here, because I think this function was
> not written as well as it could be. Instead, the logic is simpler if we
> use `end = start + len` instead of `last = start + len - 1` (overflow
> does not cause any problem here), and use offsets in the loops (avoiding
> overflows since the offset is never larger than the host page size).
No, it is not simpler with 'end', because end == 0 is 'valid' in the sense that the range
goes from [start, (abi_ptr)-1]. But having end <= start is awkward in the extreme.
Thus we prefer the inclusive range [start, last] to the exclusive range [start, end).
Not everything has been converted away from 'end', but we certainly should not regress
existing code.
r~
next prev parent reply other threads:[~2025-10-21 19:57 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-11 20:03 [PATCH 0/4] linux-user: fix several mremap bugs Matthew Lugg
2025-10-11 20:03 ` [PATCH 1/4] linux-user: fix mremap unmapping adjacent region Matthew Lugg
2025-10-20 15:08 ` Peter Maydell
2025-10-21 19:44 ` Richard Henderson
2025-10-11 20:03 ` [PATCH 2/4] linux-user: fix mremap errors for invalid ranges Matthew Lugg
2025-10-20 15:10 ` Peter Maydell
2025-10-21 19:50 ` Richard Henderson
2025-10-11 20:03 ` [PATCH 3/4] linux-user: fix reserved_va page leak in do_munmap Matthew Lugg
2025-10-20 16:00 ` Peter Maydell
2025-10-21 19:57 ` Richard Henderson [this message]
2025-10-11 20:03 ` [PATCH 4/4] tests: add tcg coverage for fixed mremap bugs Matthew Lugg
2025-10-11 20:15 ` Matthew Lugg
2025-10-20 15:26 ` Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bc074822-a6bd-4cd0-8679-fbc68600bf15@linaro.org \
--to=richard.henderson@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).