[I moved your reply to avoid top-posting] On 12/28/20 6:03 PM, Brian Geffon wrote: > On Mon, Oct 12, 2020 at 6:34 PM Dmitry Safonov <dima@xxxxxxxxxx> wrote: >> >> As kernel expect to see only one of such mappings, any further >> operations on the VMA-copy may be unexpected by the kernel. >> Maybe it's being on the safe side, but there doesn't seem to be any >> expected use-case for this, so restrict it now. >> >> Fixes: commit e346b3813067 ("mm/mremap: add MREMAP_DONTUNMAP to mremap()") >> Signed-off-by: Dmitry Safonov <dima@xxxxxxxxxx> > > I don't think this situation can ever happen MREMAP_DONTUNMAP is > already restricted to anonymous mappings (defined as not having > vm_ops) and vma_to_resize checks that the mapping is anonymous before > move_vma is called. I've looked again now, I think it is possible. One can call MREMAP_DONTUNMAP without MREMAP_FIXED and without resizing. So that the old VMA is copied at some free address. The calltrace would be: mremap()=>move_vma() [under if (flags & MREMAP_MAYMOVE)]. On the other side I agree with you that the fix could have been better if I realized the semantics that MREMAP_DONTUNMAP should only work with anonymous mappings. Probably, a better fix would be to move : if (flags & MREMAP_DONTUNMAP && (!vma_is_anonymous(vma) || : vma->vm_flags & VM_SHARED)) : return ERR_PTR(-EINVAL); from vma_to_resize() into the mremap() syscall directly. What do you think? -- Dima