On Mon, Dec 09, 2024 at 02:10:28PM -0800, Suren Baghdasaryan wrote:
> vma_copy() function for !CONFIG_PER_VMA_LOCK configuration copies all
> fields using memcpy() as opposed to CONFIG_PER_VMA_LOCK version which
> copies only required fields. anon_vma_chain field should not be copied
> and new vma should instead initialize it to an empty list. Fix this
> by initializing anon_vma_chain inside vma_copy() function. The version
> of vma_copy() for CONFIG_PER_VMA_LOCK is fine since it does not change
> that field and anon_vma_chain of any new vma is already initialized and
> empty.
Yeah ouch, good spot though.
This anon_vma stuff is landmine after landmine...
>
> Fixes: 85ad413389ae ("mm: make vma cache SLAB_TYPESAFE_BY_RCU")
> Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
> Closes: https://lore.kernel.org/oe-lkp/202412082208.db1fb2c9-lkp@xxxxxxxxx
> Reported-by: Klara Modin <klarasmodin@xxxxxxxxx>
> Closes: https://lore.kernel.org/all/d0ae7609-aca4-4497-9188-bb09e96e7768@xxxxxxxxx/
> Signed-off-by: Suren Baghdasaryan <surenb@xxxxxxxxxx>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@xxxxxxxxxx>
> ---
> Applies over mm-unstable
>
> kernel/fork.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/kernel/fork.c b/kernel/fork.c
> index fec32aa06135..d532f893e977 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
Unrelated to patch but it _really_ truly sucks to have this in
kernel/fork.c. Maybe unavoidable given we put a bunch of this kind of logic
there, but would be good to change this at some point...
> @@ -524,6 +524,7 @@ static void vma_copy(const struct vm_area_struct *src, struct vm_area_struct *de
> * will be reinitialized.
> */
> data_race(memcpy(dest, src, sizeof(*dest)));
> + INIT_LIST_HEAD(&dest->anon_vma_chain);
Nit, but might be worth a comment here. Though I suppose it's kind of implicit.
> }
>
> #endif /* CONFIG_PER_VMA_LOCK */
>
> base-commit: 6e165f54437931f329d09dca6c19d99af08a36e1
> --
> 2.47.0.338.g60cca15819-goog
>
