From: Lorenzo Stoakes
To: Andrew Morton
Cc: "Liam R . Howlett", Vlastimil Babka, Jann Horn, Pedro Falcato, Yeoreum Yun, linux-mm@kvack.org, linux-kernel@vger.kernel.org, David Hildenbrand, Jeongjun Park, Rik van Riel, Harry Yoo
Subject: [PATCH v2 1/4] mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge
Date: Mon, 5 Jan 2026 20:11:47 +0000

Commit 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA
merges") introduced the ability to merge previously unavailable VMA merge
scenarios.

The key piece of logic introduced was the ability to merge a faulted VMA
immediately next to an unfaulted VMA, which relies upon dup_anon_vma() to
correctly handle anon_vma state.

In the case of the merge of an existing VMA (that is changing properties
of a VMA and then merging if those properties are shared by adjacent
VMAs), dup_anon_vma() is invoked correctly.

However in the case of the merge of a new VMA, a corner case peculiar to
mremap() was missed.

The issue is that vma_expand() only performs dup_anon_vma() if the target
(the VMA that will ultimately become the merged VMA) is not the next VMA,
i.e. the one that appears after the range in which the new VMA is to be
established.

A key insight here is that in all other cases other than mremap(), a new
VMA merge either expands an existing VMA, meaning that the target VMA will
be that VMA, or would have anon_vma be NULL.

Specifically:

* __mmap_region() - no anon_vma in place, initial mapping.
* do_brk_flags() - expanding an existing VMA.
* vma_merge_extend() - expanding an existing VMA.
* relocate_vma_down() - no anon_vma in place, initial mapping.

In addition, we are in the unique situation of needing to duplicate
anon_vma state from a VMA that is neither the previous nor next VMA being
merged with.

dup_anon_vma() deals exclusively with the target=unfaulted, src=faulted
case. This leaves four possibilities, in each case where the copied VMA is
faulted:

1. Previous VMA unfaulted:

              copied -----|
                          v
    |-----------|.............|
    | unfaulted |(faulted VMA)|
    |-----------|.............|
         prev

target = prev, expand prev to cover.

2. Next VMA unfaulted:

    copied -----|
                v
        |.............|-----------|
        |(faulted VMA)| unfaulted |
        |.............|-----------|
                           next

target = next, expand next to cover.

3. Both adjacent VMAs unfaulted:

              copied -----|
                          v
    |-----------|.............|-----------|
    | unfaulted |(faulted VMA)| unfaulted |
    |-----------|.............|-----------|
         prev                      next

target = prev, expand prev to cover.

4. prev unfaulted, next faulted:

              copied -----|
                          v
    |-----------|.............|-----------|
    | unfaulted |(faulted VMA)|  faulted  |
    |-----------|.............|-----------|
         prev                      next

target = prev, expand prev to cover. Essentially equivalent to 3, but with
additional requirement that next's anon_vma is the same as the copied
VMA's. This is covered by the existing logic.

To account for this very explicitly, we introduce
vma_merge_copied_range(), which sets a newly introduced vmg->copied_from
field, then invokes vma_merge_new_range() which handles the rest of the
logic.

We then update the key vma_expand() function to clean up the logic and
make what's going on clearer, making the 'remove next' case less special,
before invoking dup_anon_vma() unconditionally should we be copying from a
VMA.

Note that in case 3, the if (remove_next) ... branch will be a no-op, as
next=src in this instance and src is unfaulted.

In case 4, it won't be, but since in this instance next=src and it is
faulted, this will have required tgt=faulted, src=faulted to be
compatible, meaning that next->anon_vma == vmg->copied_from->anon_vma, and
thus a single dup_anon_vma() of next suffices to copy anon_vma state for
the copied-from VMA also.

If we are copying from a VMA in a successful merge we must _always_
propagate anon_vma state.

This issue can be observed most directly by invoking mremap() to move
around a VMA and cause this kind of merge with the MREMAP_DONTUNMAP flag
specified.

This will result in unlink_anon_vmas() being called after failing to
duplicate anon_vma state to the target VMA, which results in the anon_vma
itself being freed with folios still possessing dangling pointers to the
anon_vma and thus a use-after-free bug.

This bug was discovered via a syzbot report, which this patch resolves.

We further make a change to update the mergeable anon_vma check to assert
the copied-from anon_vma did not have CoW parents, as otherwise
dup_anon_vma() might incorrectly propagate CoW ancestors from the next VMA
in case 4 despite the anon_vma's being identical for both VMAs.

Signed-off-by: Lorenzo Stoakes
Fixes: 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges")
Reported-by: syzbot+b165fc2e11771c66d8ba@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/694a2745.050a0220.19928e.0017.GAE@google.com/
Cc: stable@kernel.org
Acked-by: Vlastimil Babka
Reported-by: syzbot+5272541ccbbb14e2ec30@syzkaller.appspotmail.com
Reviewed-by: Harry Yoo
Reviewed-by: Jeongjun Park
---
 mm/vma.c | 84 +++++++++++++++++++++++++++++++++++++++-----------------
 mm/vma.h |  3 ++
 2 files changed, 62 insertions(+), 25 deletions(-)

diff --git a/mm/vma.c b/mm/vma.c index 6377aa290a27..660f4732f8a5 100644 --- a/mm/vma.c +++ b/mm/vma.c @@ -829,6 +829,8 @@ static __must_check struct vm_area_struct *vma_merge_ex= isting_range( VM_WARN_ON_VMG(middle && !(vma_iter_addr(vmg->vmi) >=3D middle->vm_start && vma_iter_addr(vmg->vmi) < middle->vm_end), vmg); + /* An existing merge can never be used by the mremap() logic. */ + VM_WARN_ON_VMG(vmg->copied_from, vmg); =20 vmg->state =3D VMA_MERGE_NOMERGE; =20 
@@ -1098,6 +1100,33 @@ struct vm_area_struct *vma_merge_new_range(struct vm= a_merge_struct *vmg) return NULL; } =20 +/* + * vma_merge_copied_range - Attempt to merge a VMA that is being copied by + * mremap() + * + * @vmg: Describes the VMA we are adding, in the copied-to range @vmg->sta= rt to + * @vmg->end (exclusive), which we try to merge with any adjacent VM= As if + * possible. + * + * vmg->prev, next, start, end, pgoff should all be relative to the COPIED= TO + * range, i.e. the target range for the VMA. + * + * Returns: In instances where no merge was possible, NULL. Otherwise, a p= ointer + * to the VMA we expanded. + * + * ASSUMPTIONS: Same as vma_merge_new_range(), except vmg->middle must con= tain + * the copied-from VMA. + */ +static struct vm_area_struct *vma_merge_copied_range(struct vma_merge_stru= ct *vmg) +{ + /* We must have a copied-from VMA. */ + VM_WARN_ON_VMG(!vmg->middle, vmg); + + vmg->copied_from =3D vmg->middle; + vmg->middle =3D NULL; + return vma_merge_new_range(vmg); +} + /* * vma_expand - Expand an existing VMA * 
@@ -1117,46 +1146,52 @@ struct vm_area_struct *vma_merge_new_range(struct v= ma_merge_struct *vmg) int vma_expand(struct vma_merge_struct *vmg) { struct vm_area_struct *anon_dup =3D NULL; - bool remove_next =3D false; struct vm_area_struct *target =3D vmg->target; struct vm_area_struct *next =3D vmg->next; + bool remove_next =3D false; vm_flags_t sticky_flags; - - sticky_flags =3D vmg->vm_flags & VM_STICKY; - sticky_flags |=3D target->vm_flags & VM_STICKY; - - VM_WARN_ON_VMG(!target, vmg); + int ret =3D 0; =20 mmap_assert_write_locked(vmg->mm); - vma_start_write(target); - if (next && (target !=3D next) && (vmg->end =3D=3D next->vm_end)) { - int ret; =20 - sticky_flags |=3D next->vm_flags & VM_STICKY; + if (next && target !=3D next && vmg->end =3D=3D next->vm_end) remove_next =3D true; - /* This should already have been checked by this point. */ - VM_WARN_ON_VMG(!can_merge_remove_vma(next), vmg); - vma_start_write(next); - /* - * In this case we don't report OOM, so vmg->give_up_on_mm is - * safe. - */ - ret =3D dup_anon_vma(target, next, &anon_dup); - if (ret) - return ret; - } =20 + /* We must have a target. */ + VM_WARN_ON_VMG(!target, vmg); + /* This should have already been checked by this point. */ + VM_WARN_ON_VMG(remove_next && !can_merge_remove_vma(next), vmg); /* Not merging but overwriting any part of next is not handled. */ VM_WARN_ON_VMG(next && !remove_next && next !=3D target && vmg->end > next->vm_start, vmg); - /* Only handles expanding */ + /* Only handles expanding. */ VM_WARN_ON_VMG(target->vm_start < vmg->start || target->vm_end > vmg->end, vmg); =20 + sticky_flags =3D vmg->vm_flags & VM_STICKY; + sticky_flags |=3D target->vm_flags & VM_STICKY; if (remove_next) - vmg->__remove_next =3D true; + sticky_flags |=3D next->vm_flags & VM_STICKY; =20 + /* + * If we are removing the next VMA or copying from a VMA + * (e.g. mremap()'ing), we must propagate anon_vma state. 
+ * + * Note that, by convention, callers ignore OOM for this case, so + * we don't need to account for vmg->give_up_on_mm here. + */ + if (remove_next) + ret =3D dup_anon_vma(target, next, &anon_dup); + if (!ret && vmg->copied_from) + ret =3D dup_anon_vma(target, vmg->copied_from, &anon_dup); + if (ret) + return ret; + + if (remove_next) { + vma_start_write(next); + vmg->__remove_next =3D true; + } if (commit_merge(vmg)) goto nomem; =20 @@ -1828,10 +1863,9 @@ struct vm_area_struct *copy_vma(struct vm_area_struc= t **vmap, if (new_vma && new_vma->vm_start < addr + len) return NULL; /* should never get here */ =20 - vmg.middle =3D NULL; /* New VMA range. */ vmg.pgoff =3D pgoff; vmg.next =3D vma_iter_next_rewind(&vmi, NULL); - new_vma =3D vma_merge_new_range(&vmg); + new_vma =3D vma_merge_copied_range(&vmg); =20 if (new_vma) { /* diff --git a/mm/vma.h b/mm/vma.h index e4c7bd79de5f..d51efd9da113 100644 --- a/mm/vma.h +++ b/mm/vma.h 
@@ -106,6 +106,9 @@ struct vma_merge_struct { struct anon_vma_name *anon_name; enum vma_merge_state state; =20 + /* If copied from (i.e. mremap()'d) the VMA from which we are copying. */ + struct vm_area_struct *copied_from; + /* Flags which callers can use to modify merge behaviour: */ =20 /* --=20 2.52.0
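
Review bot: in vma_merge_copied_range() (mm/vma.c, the @@ -1098 hunk), a NULL vmg->middle is only flagged by VM_WARN_ON_VMG() and execution continues, so vmg->copied_from ends up NULL and vma_expand() skips the copied-from dup_anon_vma() without any error, which is the state this patch exists to prevent. Consider returning NULL (no merge) when !vmg->middle so that a caller bug degrades to a missed merge rather than to missing anon_vma propagation. The function comment should also say that the helper clears vmg->middle and leaves vmg->copied_from set on return.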
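
Review bot: in vma_expand() (mm/vma.c, the @@ -1117 hunk), dup_anon_vma(target, next, &anon_dup) now runs before vma_start_write(next), whereas the removed block took the write lock on next first. If reading next's anon_vma state before write-locking it is intended, say so in the new comment; otherwise move vma_start_write(next) back above the remove_next dup. Separately, the reason both dup_anon_vma() calls can share &anon_dup in case 4 (next->anon_vma == vmg->copied_from->anon_vma) is given only in the commit message and deserves a line in the code comment.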
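
Review bot: in copy_vma() (mm/vma.c, the @@ -1828 hunk), the new call to vma_merge_copied_range() depends on vmg.middle still holding the VMA being copied, but the removed line "vmg.middle = NULL; /* New VMA range. */" was the only place that documented what middle meant here and nothing replaces it. A one-line comment at the call site stating that vmg.middle is the copied-from VMA and is consumed by the helper would keep that dependency visible to whoever next changes the vmg initialiser.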
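
Review bot: the comment on copied_from in struct vma_merge_struct (mm/vma.h, the @@ -106 hunk) is hard to parse as written. Wording along the lines of "The VMA being copied from by mremap(), or NULL if this merge is not a copy" would state both the meaning and the NULL case that vma_expand() tests for.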
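
The four merge cases from the commit message above, modelled in user space as an added example (not kernel code and not part of the patch). The toy_* names, the addresses and the anon_vma id 7 are constructed, and toy_dup_anon_vma() follows the message's statement that dup_anon_vma() acts only for target=unfaulted, src=faulted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define SRC_ANON_VMA 7   /* constructed id of the faulted, copied-from VMA */

/* Toy stand-ins: only the fields the commit message reasons about. */
struct toy_vma {
    unsigned long start, end;
    int anon_vma;                 /* 0 = unfaulted, otherwise an anon_vma id */
};

struct toy_vmg {
    struct toy_vma *target;       /* VMA that gets expanded */
    struct toy_vma *next;         /* VMA after the copied-to range, or NULL */
    struct toy_vma *copied_from;  /* source VMA of the mremap() copy */
    unsigned long start, end;     /* range the target must cover afterwards */
};

/* Per the commit message: acts only for target=unfaulted, src=faulted. */
static void toy_dup_anon_vma(struct toy_vma *dst, const struct toy_vma *src)
{
    if (src->anon_vma && !dst->anon_vma)
        dst->anon_vma = src->anon_vma;
}

/* Same condition the patch uses to decide whether next is absorbed. */
static bool toy_remove_next(const struct toy_vmg *vmg)
{
    return vmg->next && vmg->target != vmg->next &&
           vmg->end == vmg->next->end;
}

static void toy_expand(struct toy_vmg *vmg, bool patched)
{
    /* Both versions duplicate from a next VMA that is being removed. */
    if (toy_remove_next(vmg))
        toy_dup_anon_vma(vmg->target, vmg->next);
    /* Only the patched version also duplicates from the copied-from VMA. */
    if (patched && vmg->copied_from)
        toy_dup_anon_vma(vmg->target, vmg->copied_from);
    vmg->target->start = vmg->start;
    vmg->target->end = vmg->end;
}

/* Returns the merged VMA's anon_vma id for cases 1-4 of the commit message. */
int merged_anon_vma(int scenario, bool patched)
{
    struct toy_vma src  = { 0x10000, 0x11000, SRC_ANON_VMA };
    struct toy_vma prev = { 0x1000, 0x2000, 0 };
    struct toy_vma next = { 0x3000, 0x4000,
                            scenario == 4 ? SRC_ANON_VMA : 0 };
    /* The copied-to range is the constructed gap [0x2000, 0x3000). */
    struct toy_vmg vmg = { .copied_from = &src,
                           .start = 0x2000, .end = 0x3000 };

    if (scenario != 2) {          /* cases 1, 3, 4: prev is the target */
        vmg.target = &prev;
        vmg.start = prev.start;
    } else {                      /* case 2: next is the target */
        vmg.target = &next;
    }
    if (scenario != 1) {          /* cases 2, 3, 4: next is adjacent */
        vmg.next = &next;
        vmg.end = next.end;
    }

    toy_expand(&vmg, patched);
    return vmg.target->anon_vma;
}

int main(void)
{
    for (int c = 1; c <= 4; c++)
        printf("case %d: before=%d after=%d\n", c,
               merged_anon_vma(c, false), merged_anon_vma(c, true));
    return 0;
}
```

A result of 0 means the merged VMA ended up with no anon_vma although it now covers the faulted range, which is the state the commit message ties to the use-after-free; only case 4 avoided it before the patch.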

From: Lorenzo Stoakes
To: Andrew Morton
Cc: "Liam R . Howlett", Vlastimil Babka, Jann Horn, Pedro Falcato, Yeoreum Yun, linux-mm@kvack.org, linux-kernel@vger.kernel.org, David Hildenbrand, Jeongjun Park, Rik van Riel, Harry Yoo
Subject: [PATCH v2 2/4] tools/testing/selftests: add tests for !tgt, src mremap() merges
Date: Mon, 5 Jan 2026 20:11:48 +0000
X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Jan 2026 20:12:08.2051 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: FkPh9Wbd5lQKRNn2v6a5MoguC2gs805pauYn1KuIuo3P4YGLkPlRW++dp4fmqN98paK+9T6Xt77HnIAwsMcH2WUuSrHZ62HoWz5F9lB6tvI= X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR10MB7077 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2026-01-05_02,2026-01-05_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 suspectscore=0 mlxlogscore=999 phishscore=0 malwarescore=0 spamscore=0 bulkscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2512120000 definitions=main-2601050175 X-Authority-Analysis: v=2.4 cv=RoPI7SmK c=1 sm=1 tr=0 ts=695c1b1d b=1 cx=c_pps a=WeWmnZmh0fydH62SvGsd2A==:117 a=WeWmnZmh0fydH62SvGsd2A==:17 a=6eWqkTHjU83fiwn7nKZWdM+Sl24=:19 a=z/mQ4Ysz8XfWz/Q5cLBRGdckG28=:19 a=lCpzRmAYbLLaTzLvsPZ7Mbvzbb8=:19 a=xqWC_Br6kY4A:10 a=vUbySO9Y5rIA:10 a=GoEa3M9JfhUA:10 a=VkNPw1HP01LnGYTKEx00:22 a=yPCof4ZbAAAA:8 a=VwQbUJbxAAAA:8 a=a_FPZE3UsW7wCDZMUWMA:9 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwMTA1MDE3NSBTYWx0ZWRfX/3u6mbSdMY6R RcRM6vGfPYEBPBvVUYYInwjL45oV1LsTS3r1lKjEubFblq6e4s9q8bAzbmgETUsFCzubDlR/Hsp yg1HB63U+PCrYdP4SCLaHwr60tcG2NqZlV0x6QWPcQnhbaho1ECyWwQFGjiJAnIj/CbHkoBZRWr jA4utmbrmZ/czO5bqetjTbtHOvEEL/vmW+L0ZvBVWfS2deLBmMjAy12KF68YTrUqkNsIr6gg7YX CnhAhM28RKbzO7DTgqN8Xqp1HGQMLNuHO5xf8CAUJRgaevJ92l/wTRu8SFLHtFMbYX0/gSMF4vF CoogeK7D4gKohmkzdS/jgXr4IGlSKGN0viBNCqAKXG+HZjawdjRBSLkkp04rf71iKquSEme6r6D pDEQWl6PO4BoLyVAnLy78apNOIUG6bJWGze593bi7hvg066IwtbHhN+dKYvChUMPE+wdqPcqgmG hHRLncdmhz9ojG7J3XQ== X-Proofpoint-ORIG-GUID: h8WT2PbbSTVmBMXbdCtdjKQuSTla3jbG X-Proofpoint-GUID: h8WT2PbbSTVmBMXbdCtdjKQuSTla3jbG 
Test that mremap()'ing a VMA into a position such that the target VMA on
merge is unfaulted and the source faulted is correctly performed.

We cover 4 cases:

1. Previous VMA unfaulted:

              copied -----|
                          v
        |-----------|.............|
        | unfaulted |(faulted VMA)|
        |-----------|.............|
             prev

target = prev, expand prev to cover.

2. Next VMA unfaulted:

              copied -----|
                          v
                    |.............|-----------|
                    |(faulted VMA)| unfaulted |
                    |.............|-----------|
                                       next

target = next, expand next to cover.

3. Both adjacent VMAs unfaulted:

              copied -----|
                          v
        |-----------|.............|-----------|
        | unfaulted |(faulted VMA)| unfaulted |
        |-----------|.............|-----------|
             prev                      next

target = prev, expand prev to cover.

4. prev unfaulted, next faulted:

              copied -----|
                          v
        |-----------|.............|-----------|
        | unfaulted |(faulted VMA)|  faulted  |
        |-----------|.............|-----------|
             prev                      next

target = prev, expand prev to cover.

Essentially equivalent to 3, but with additional requirement that next's
anon_vma is the same as the copied VMA's.

Each of these is performed with MREMAP_DONTUNMAP set, which will cause a
KASAN assert for UAF or an assert on zero refcount anon_vma if a bug exists
with correctly propagating anon_vma state in each scenario.

Signed-off-by: Lorenzo Stoakes
Fixes: 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges")
Cc: stable@kernel.org
---
 tools/testing/selftests/mm/merge.c | 232 +++++++++++++++++++++++++++++
 1 file changed, 232 insertions(+)

diff --git a/tools/testing/selftests/mm/merge.c b/tools/testing/selftests/m= m/merge.c index 363c1033cc7d..22be149f7109 100644 --- a/tools/testing/selftests/mm/merge.c +++ b/tools/testing/selftests/mm/merge.c
@@ -1171,4 +1171,236 @@ TEST_F(merge, mremap_correct_placed_faulted) ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr + 15 * page_size); } =20 +TEST_F(merge, mremap_faulted_to_unfaulted_prev) +{ + struct procmap_fd *procmap =3D &self->procmap; + unsigned int page_size =3D self->page_size; + char *ptr_a, *ptr_b; + + /* + * mremap() such that A and B merge: + * + * |------------| + * | \ | + * |-----------| | / |---------| + * | unfaulted | v \ | faulted | + * |-----------| / |---------| + * B \ A + */ + + /* Map VMA A into place. */ + ptr_a =3D mmap(&self->carveout[page_size + 3 * page_size], + 3 * page_size, + PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); + ASSERT_NE(ptr_a, MAP_FAILED); + /* Fault it in. */ + ptr_a[0] =3D 'x'; + + /* + * Now move it out of the way so we can place VMA B in position, + * unfaulted. + */ + ptr_a =3D mremap(ptr_a, 3 * page_size, 3 * page_size, + MREMAP_FIXED | MREMAP_MAYMOVE, &self->carveout[20 * page_size]); + ASSERT_NE(ptr_a, MAP_FAILED); + + /* Map VMA B into place. */ + ptr_b =3D mmap(&self->carveout[page_size], 3 * page_size, + PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); + ASSERT_NE(ptr_b, MAP_FAILED); + + /* + * Now move VMA A into position with MREMAP_DONTUNMAP to catch incorrect + * anon_vma propagation. + */ + ptr_a =3D mremap(ptr_a, 3 * page_size, 3 * page_size, + MREMAP_FIXED | MREMAP_MAYMOVE | MREMAP_DONTUNMAP, + &self->carveout[page_size + 3 * page_size]); + ASSERT_NE(ptr_a, MAP_FAILED); + + /* The VMAs should have merged. 
*/ + ASSERT_TRUE(find_vma_procmap(procmap, ptr_b)); + ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_b); + ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_b + 6 * page_size); +} + +TEST_F(merge, mremap_faulted_to_unfaulted_next) +{ + struct procmap_fd *procmap =3D &self->procmap; + unsigned int page_size =3D self->page_size; + char *ptr_a, *ptr_b; + + /* + * mremap() such that A and B merge: + * + * |---------------------------| + * | \ | + * | |-----------| / |---------| + * v | unfaulted | \ | faulted | + * |-----------| / |---------| + * B \ A + * + * Then unmap VMA A to trigger the bug. + */ + + /* Map VMA A into place. */ + ptr_a =3D mmap(&self->carveout[page_size], 3 * page_size, + PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); + ASSERT_NE(ptr_a, MAP_FAILED); + /* Fault it in. */ + ptr_a[0] =3D 'x'; + + /* + * Now move it out of the way so we can place VMA B in position, + * unfaulted. + */ + ptr_a =3D mremap(ptr_a, 3 * page_size, 3 * page_size, + MREMAP_FIXED | MREMAP_MAYMOVE, &self->carveout[20 * page_size]); + ASSERT_NE(ptr_a, MAP_FAILED); + + /* Map VMA B into place. */ + ptr_b =3D mmap(&self->carveout[page_size + 3 * page_size], 3 * page_size, + PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); + ASSERT_NE(ptr_b, MAP_FAILED); + + /* + * Now move VMA A into position with MREMAP_DONTUNMAP to catch incorrect + * anon_vma propagation. + */ + ptr_a =3D mremap(ptr_a, 3 * page_size, 3 * page_size, + MREMAP_FIXED | MREMAP_MAYMOVE | MREMAP_DONTUNMAP, + &self->carveout[page_size]); + ASSERT_NE(ptr_a, MAP_FAILED); + + /* The VMAs should have merged. 
*/ + ASSERT_TRUE(find_vma_procmap(procmap, ptr_a)); + ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a); + ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 6 * page_size); +} + +TEST_F(merge, mremap_faulted_to_unfaulted_prev_unfaulted_next) +{ + struct procmap_fd *procmap =3D &self->procmap; + unsigned int page_size =3D self->page_size; + char *ptr_a, *ptr_b, *ptr_c; + + /* + * mremap() with MREMAP_DONTUNMAP such that A, B and C merge: + * + * |---------------------------| + * | \ | + * |-----------| | |-----------| / |---------| + * | unfaulted | v | unfaulted | \ | faulted | + * |-----------| |-----------| / |---------| + * A C \ B + */ + + /* Map VMA B into place. */ + ptr_b =3D mmap(&self->carveout[page_size + 3 * page_size], 3 * page_size, + PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); + ASSERT_NE(ptr_b, MAP_FAILED); + /* Fault it in. */ + ptr_b[0] =3D 'x'; + + /* + * Now move it out of the way so we can place VMAs A, C in position, + * unfaulted. + */ + ptr_b =3D mremap(ptr_b, 3 * page_size, 3 * page_size, + MREMAP_FIXED | MREMAP_MAYMOVE, &self->carveout[20 * page_size]); + ASSERT_NE(ptr_b, MAP_FAILED); + + /* Map VMA A into place. */ + + ptr_a =3D mmap(&self->carveout[page_size], 3 * page_size, + PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); + ASSERT_NE(ptr_a, MAP_FAILED); + + /* Map VMA C into place. */ + ptr_c =3D mmap(&self->carveout[page_size + 3 * page_size + 3 * page_size], + 3 * page_size, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); + ASSERT_NE(ptr_c, MAP_FAILED); + + /* + * Now move VMA B into position with MREMAP_DONTUNMAP to catch incorrect + * anon_vma propagation. + */ + ptr_b =3D mremap(ptr_b, 3 * page_size, 3 * page_size, + MREMAP_FIXED | MREMAP_MAYMOVE | MREMAP_DONTUNMAP, + &self->carveout[page_size + 3 * page_size]); + ASSERT_NE(ptr_b, MAP_FAILED); + + /* The VMAs should have merged. 
*/ + ASSERT_TRUE(find_vma_procmap(procmap, ptr_a)); + ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a); + ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 9 * page_size); +} + +TEST_F(merge, mremap_faulted_to_unfaulted_prev_faulted_next) +{ + struct procmap_fd *procmap =3D &self->procmap; + unsigned int page_size =3D self->page_size; + char *ptr_a, *ptr_b, *ptr_bc; + + /* + * mremap() with MREMAP_DONTUNMAP such that A, B and C merge: + * + * |---------------------------| + * | \ | + * |-----------| | |-----------| / |---------| + * | unfaulted | v | faulted | \ | faulted | + * |-----------| |-----------| / |---------| + * A C \ B + */ + + /* + * Map VMA B and C into place. We have to map them together so their + * anon_vma is the same and the vma->vm_pgoff's are correctly aligned. + */ + ptr_bc =3D mmap(&self->carveout[page_size + 3 * page_size], + 3 * page_size + 3 * page_size, + PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); + ASSERT_NE(ptr_bc, MAP_FAILED); + + /* Fault it in. */ + ptr_bc[0] =3D 'x'; + + /* + * Now move VMA B out the way (splitting VMA BC) so we can place VMA A + * in position, unfaulted, and leave the remainder of the VMA we just + * moved in place, faulted, as VMA C. + */ + ptr_b =3D mremap(ptr_bc, 3 * page_size, 3 * page_size, + MREMAP_FIXED | MREMAP_MAYMOVE, &self->carveout[20 * page_size]); + ASSERT_NE(ptr_b, MAP_FAILED); + + /* Map VMA A into place. */ + ptr_a =3D mmap(&self->carveout[page_size], 3 * page_size, + PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0); + ASSERT_NE(ptr_a, MAP_FAILED); + + /* + * Now move VMA B into position with MREMAP_DONTUNMAP to catch incorrect + * anon_vma propagation. + */ + ptr_b =3D mremap(ptr_b, 3 * page_size, 3 * page_size, + MREMAP_FIXED | MREMAP_MAYMOVE | MREMAP_DONTUNMAP, + &self->carveout[page_size + 3 * page_size]); + ASSERT_NE(ptr_b, MAP_FAILED); + + /* The VMAs should have merged. 
*/ + ASSERT_TRUE(find_vma_procmap(procmap, ptr_a)); + ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a); + ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 9 * page_size); +} + TEST_HARNESS_MAIN --=20 2.52.0
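Review bot: The diagram comment in mremap_faulted_to_unfaulted_next (selftests merge.c hunk, patch 2/4) ends with "Then unmap VMA A to trigger the bug.", but the test body never calls munmap(); like the other three tests it relies on MREMAP_DONTUNMAP and stops at the vma_start/vma_end assertions. Either drop that sentence or add the unmap step it describes, so the comment matches what the test exercises. Two smaller points in the same hunk: the four tests repeat the same map, fault, move away, map neighbours, move back sequence with only the carveout offsets changing, so a shared helper taking the offsets would make the differences between the cases easier to audit; and since the merged range is the only thing asserted, a comment noting that catching the anon_vma propagation bug depends on the kernel's own KASAN or refcount assertions firing (as the commit message says) would tell a reader why a passing run on a kernel without those checks proves less.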
From: Lorenzo Stoakes
To: Andrew Morton
Cc: "Liam R . Howlett", Vlastimil Babka, Jann Horn, Pedro Falcato, Yeoreum Yun, linux-mm@kvack.org, linux-kernel@vger.kernel.org, David Hildenbrand, Jeongjun Park, Rik van Riel, Harry Yoo
Subject: [PATCH v2 3/4] mm/vma: enforce VMA fork limit on unfaulted,faulted mremap merge too
Date: Mon, 5 Jan 2026 20:11:49 +0000
Message-ID: <6e2b9b3024ae1220961c8b81d74296d4720eaf2b.1767638272.git.lorenzo.stoakes@oracle.com>

The is_mergeable_anon_vma() function uses vmg->middle as the source VMA.
However when merging a new VMA, this field is NULL.

In all cases except mremap(), the new VMA will either be newly established
and thus lack an anon_vma, or will be an expansion of an existing VMA thus
we do not care about whether VMA is CoW'd or not.

In the case of an mremap(), we can end up in a situation where we can
accidentally allow an unfaulted/faulted merge with a VMA that has been
forked, violating the general rule that we do not permit this for reasons
of anon_vma lock scalability.

Now we have the ability to be aware of the fact we are copying a VMA and
also know which VMA that is, we can explicitly check for this, so do so.

This is pertinent since commit 879bca0a2c4f ("mm/vma: fix incorrectly
disallowed anonymous VMA merges"), as this patch permits unfaulted/faulted
merges that were previously disallowed running afoul of this issue.

While we are here, vma_had_uncowed_parents() is a confusing name, so make
it simple and rename it to vma_is_fork_child().

Signed-off-by: Lorenzo Stoakes
Fixes: 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges")
Cc: stable@kernel.org
Acked-by: Vlastimil Babka
Reviewed-by: Harry Yoo
Reviewed-by: Jeongjun Park
---
 mm/vma.c | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/mm/vma.c b/mm/vma.c index 660f4732f8a5..fb45a6be7417 100644 --- a/mm/vma.c +++ b/mm/vma.c @@ -67,18 +67,13 @@ struct mmap_state { .state =3D VMA_MERGE_START, \ } =20 -/* - * If, at any point, the VMA had unCoW'd mappings from parents, it will ma= intain - * more than one anon_vma_chain connecting it to more than one anon_vma. A= merge - * would mean a wider range of folios sharing the root anon_vma lock, and = thus - * potential lock contention, we do not wish to encourage merging such tha= t this - * scales to a problem. - */ -static bool vma_had_uncowed_parents(struct vm_area_struct *vma) +/* Was this VMA ever forked from a parent, i.e. maybe contains CoW mapping= s? */ +static bool vma_is_fork_child(struct vm_area_struct *vma) { /* * The list_is_singular() test is to avoid merging VMA cloned from - * parents. This can improve scalability caused by anon_vma lock. + * parents. This can improve scalability caused by the anon_vma root + * lock. */ return vma && vma->anon_vma && !list_is_singular(&vma->anon_vma_chain); }
@@ -115,11 +110,19 @@ static bool is_mergeable_anon_vma(struct vma_merge_st= ruct *vmg, bool merge_next) VM_WARN_ON(src && src_anon !=3D src->anon_vma); =20 /* Case 1 - we will dup_anon_vma() from src into tgt. */ - if (!tgt_anon && src_anon) - return !vma_had_uncowed_parents(src); + if (!tgt_anon && src_anon) { + struct vm_area_struct *copied_from =3D vmg->copied_from; + + if (vma_is_fork_child(src)) + return false; + if (vma_is_fork_child(copied_from)) + return false; + + return true; + } /* Case 2 - we will simply use tgt's anon_vma. */ if (tgt_anon && !src_anon) - return !vma_had_uncowed_parents(tgt); + return !vma_is_fork_child(tgt); /* Case 3 - the anon_vma's are already shared. */ return src_anon =3D=3D tgt_anon; } --=20 2.52.0 From nobody Sat Feb 7 05:01:37 2026 Received: from mx0a-00069f02.pphosted.com (mx0a-00069f02.pphosted.com [205.220.165.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DAD7D2BB1D for ; Mon, 5 Jan 2026 20:13:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=205.220.165.32 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767643990; cv=fail; b=e8FNXqFqVPBqE4oySchqERLQZ6G/c05cDmL0vITs9OzeEpb2AGDViM8N9SmSaPgxgpPm0sx/iEe3kM9B8HjVDf29o6FeoCWst6JZOqlMcO/VLSrzVJslFT14o/xVy7NzMDdqspxu8K3PAqg1Al/QEac51Jpat7Qqp4fVGRjuNjw= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767643990; c=relaxed/simple; bh=4rDcKr8gPOUD/x6WFzdeM4QUPe54qs7bFQk+3uL4NZc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: Content-Type:MIME-Version; b=UYYNbu4OhdUGv6GfdIzJbjRRn6/PpQmLYdYtzsJu/SZuOyhfG9qQYC9HkfDkjfZ8aDlvFbWYfktVcV9ii5kr1YHghNs7tBWa4eiwcigWyPFGCKVL//ODns3F62vQbPjW12MLaN3tTfi+Uu+bJ59rq0LTvsFXXTq+27PUUL/1w1k= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oracle.com; spf=pass 
From: Lorenzo Stoakes
To: Andrew Morton
Cc: "Liam R . Howlett", Vlastimil Babka, Jann Horn, Pedro Falcato, Yeoreum Yun, linux-mm@kvack.org, linux-kernel@vger.kernel.org, David Hildenbrand, Jeongjun Park, Rik van Riel, Harry Yoo
Subject: [PATCH v2 4/4] tools/testing/selftests: add forked (un)/faulted VMA merge tests
Date: Mon, 5 Jan 2026 20:11:50 +0000
Message-ID: <1daf76d89fdb9d96f38a6a0152d8f3c2e9e30ac7.1767638272.git.lorenzo.stoakes@oracle.com>

Now we correctly handle forked faulted/unfaulted merge on mremap(), exhaustively assert that we handle this correctly.

Do this in the less duplicative way by adding a new merge_with_fork fixture and forked/unforked variants, and abstract the forking logic as necessary to avoid code duplication with this also.

Signed-off-by: Lorenzo Stoakes
Fixes: 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges")
Cc: stable@kernel.org
--- tools/testing/selftests/mm/merge.c | 180 ++++++++++++++++++++++------- 1 file changed, 139 insertions(+), 41 deletions(-) diff --git a/tools/testing/selftests/mm/merge.c b/tools/testing/selftests/m= m/merge.c index 22be149f7109..10b686102b79 100644 --- a/tools/testing/selftests/mm/merge.c +++ b/tools/testing/selftests/mm/merge.c @@ -22,12 +22,37 @@ FIXTURE(merge) struct procmap_fd procmap; }; =20 +static char *map_carveout(unsigned int page_size) +{ + return mmap(NULL, 30 * page_size, PROT_NONE, + MAP_ANON | MAP_PRIVATE, -1, 0); +} + +static pid_t do_fork(struct procmap_fd *procmap) +{ + pid_t pid =3D fork(); + + if (pid =3D=3D -1) + return -1; + if (pid !=3D 0) { + wait(NULL); + return pid; + } + + /* Reopen for child. */ + if (close_procmap(procmap)) + return -1; + if (open_self_procmap(procmap)) + return -1; + + return 0; +} + FIXTURE_SETUP(merge) { self->page_size =3D psize(); /* Carve out PROT_NONE region to map over. */ - self->carveout =3D mmap(NULL, 30 * self->page_size, PROT_NONE, - MAP_ANON | MAP_PRIVATE, -1, 0); + self->carveout =3D map_carveout(self->page_size); ASSERT_NE(self->carveout, MAP_FAILED); /* Setup PROCMAP_QUERY interface. */ ASSERT_EQ(open_self_procmap(&self->procmap), 0);
@@ -36,7 +61,8 @@ FIXTURE_SETUP(merge) FIXTURE_TEARDOWN(merge) { ASSERT_EQ(munmap(self->carveout, 30 * self->page_size), 0); - ASSERT_EQ(close_procmap(&self->procmap), 0); + /* May fail for parent of forked process. */ + close_procmap(&self->procmap); /* * Clear unconditionally, as some tests set this. It is no issue if this * fails (KSM may be disabled for instance). @@ -44,6 +70,44 @@ FIXTURE_TEARDOWN(merge) prctl(PR_SET_MEMORY_MERGE, 0, 0, 0, 0); } =20 +FIXTURE(merge_with_fork) +{ + unsigned int page_size; + char *carveout; + struct procmap_fd procmap; +}; + +FIXTURE_VARIANT(merge_with_fork) +{ + bool forked; +}; + +FIXTURE_VARIANT_ADD(merge_with_fork, forked) +{ + .forked =3D true, +}; + +FIXTURE_VARIANT_ADD(merge_with_fork, unforked) +{ + .forked =3D false, +}; + +FIXTURE_SETUP(merge_with_fork) +{ + self->page_size =3D psize(); + self->carveout =3D map_carveout(self->page_size); + ASSERT_NE(self->carveout, MAP_FAILED); + ASSERT_EQ(open_self_procmap(&self->procmap), 0); +} + +FIXTURE_TEARDOWN(merge_with_fork) +{ + ASSERT_EQ(munmap(self->carveout, 30 * self->page_size), 0); + ASSERT_EQ(close_procmap(&self->procmap), 0); + /* See above. */ + prctl(PR_SET_MEMORY_MERGE, 0, 0, 0, 0); +} + TEST_F(merge, mprotect_unfaulted_left) { unsigned int page_size =3D self->page_size; @@ -322,8 +386,8 @@ TEST_F(merge, forked_target_vma) unsigned int page_size =3D self->page_size; char *carveout =3D self->carveout; struct procmap_fd *procmap =3D &self->procmap; - pid_t pid; char *ptr, *ptr2; + pid_t pid; int i; =20 /* 
@@ -344,19 +408,10 @@ TEST_F(merge, forked_target_vma) */ ptr[0] =3D 'x'; =20 - pid =3D fork(); + pid =3D do_fork(&self->procmap); ASSERT_NE(pid, -1); - - if (pid !=3D 0) { - wait(NULL); + if (pid !=3D 0) return; - } - - /* Child process below: */ - - /* Reopen for child. */ - ASSERT_EQ(close_procmap(&self->procmap), 0); - ASSERT_EQ(open_self_procmap(&self->procmap), 0); =20 /* unCOWing everything does not cause the AVC to go away. */ for (i =3D 0; i < 5 * page_size; i +=3D page_size) @@ -386,8 +441,8 @@ TEST_F(merge, forked_source_vma) unsigned int page_size =3D self->page_size; char *carveout =3D self->carveout; struct procmap_fd *procmap =3D &self->procmap; - pid_t pid; char *ptr, *ptr2; + pid_t pid; int i; =20 /* @@ -408,19 +463,10 @@ TEST_F(merge, forked_source_vma) */ ptr[0] =3D 'x'; =20 - pid =3D fork(); + pid =3D do_fork(&self->procmap); ASSERT_NE(pid, -1); - - if (pid !=3D 0) { - wait(NULL); + if (pid !=3D 0) return; - } - - /* Child process below: */ - - /* Reopen for child. */ - ASSERT_EQ(close_procmap(&self->procmap), 0); - ASSERT_EQ(open_self_procmap(&self->procmap), 0); =20 /* unCOWing everything does not cause the AVC to go away. */ for (i =3D 0; i < 5 * page_size; i +=3D page_size) @@ -1171,10 +1217,11 @@ TEST_F(merge, mremap_correct_placed_faulted) ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr + 15 * page_size); } =20 -TEST_F(merge, mremap_faulted_to_unfaulted_prev) +TEST_F(merge_with_fork, mremap_faulted_to_unfaulted_prev) { struct procmap_fd *procmap =3D &self->procmap; unsigned int page_size =3D self->page_size; + unsigned long offset; char *ptr_a, *ptr_b; =20 /* @@ -1197,6 +1244,14 @@ TEST_F(merge, mremap_faulted_to_unfaulted_prev) /* Fault it in. */ ptr_a[0] =3D 'x'; =20 + if (variant->forked) { + pid_t pid =3D do_fork(&self->procmap); + + ASSERT_NE(pid, -1); + if (pid !=3D 0) + return; + } + /* * Now move it out of the way so we can place VMA B in position, * unfaulted. 
@@ -1220,16 +1275,19 @@ TEST_F(merge, mremap_faulted_to_unfaulted_prev) &self->carveout[page_size + 3 * page_size]); ASSERT_NE(ptr_a, MAP_FAILED); =20 - /* The VMAs should have merged. */ + /* The VMAs should have merged, if not forked. */ ASSERT_TRUE(find_vma_procmap(procmap, ptr_b)); ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_b); - ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_b + 6 * page_size); + + offset =3D variant->forked ? 3 * page_size : 6 * page_size; + ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_b + offset); } =20 -TEST_F(merge, mremap_faulted_to_unfaulted_next) +TEST_F(merge_with_fork, mremap_faulted_to_unfaulted_next) { struct procmap_fd *procmap =3D &self->procmap; unsigned int page_size =3D self->page_size; + unsigned long offset; char *ptr_a, *ptr_b; =20 /* @@ -1253,6 +1311,14 @@ TEST_F(merge, mremap_faulted_to_unfaulted_next) /* Fault it in. */ ptr_a[0] =3D 'x'; =20 + if (variant->forked) { + pid_t pid =3D do_fork(&self->procmap); + + ASSERT_NE(pid, -1); + if (pid !=3D 0) + return; + } + /* * Now move it out of the way so we can place VMA B in position, * unfaulted. @@ -1276,16 +1342,18 @@ TEST_F(merge, mremap_faulted_to_unfaulted_next) &self->carveout[page_size]); ASSERT_NE(ptr_a, MAP_FAILED); =20 - /* The VMAs should have merged. */ + /* The VMAs should have merged, if not forked. */ ASSERT_TRUE(find_vma_procmap(procmap, ptr_a)); ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a); - ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 6 * page_size); + offset =3D variant->forked ? 3 * page_size : 6 * page_size; + ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + offset); } =20 -TEST_F(merge, mremap_faulted_to_unfaulted_prev_unfaulted_next) +TEST_F(merge_with_fork, mremap_faulted_to_unfaulted_prev_unfaulted_next) { struct procmap_fd *procmap =3D &self->procmap; unsigned int page_size =3D self->page_size; + unsigned long offset; char *ptr_a, *ptr_b, *ptr_c; =20 /* 
@@ -1307,6 +1375,14 @@ TEST_F(merge, mremap_faulted_to_unfaulted_prev_unfau= lted_next) /* Fault it in. */ ptr_b[0] =3D 'x'; =20 + if (variant->forked) { + pid_t pid =3D do_fork(&self->procmap); + + ASSERT_NE(pid, -1); + if (pid !=3D 0) + return; + } + /* * Now move it out of the way so we can place VMAs A, C in position, * unfaulted. @@ -1337,13 +1413,21 @@ TEST_F(merge, mremap_faulted_to_unfaulted_prev_unfa= ulted_next) &self->carveout[page_size + 3 * page_size]); ASSERT_NE(ptr_b, MAP_FAILED); =20 - /* The VMAs should have merged. */ + /* The VMAs should have merged, if not forked. */ ASSERT_TRUE(find_vma_procmap(procmap, ptr_a)); ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a); - ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 9 * page_size); + offset =3D variant->forked ? 3 * page_size : 9 * page_size; + ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + offset); + + /* If forked, B and C should also not have merged. */ + if (variant->forked) { + ASSERT_TRUE(find_vma_procmap(procmap, ptr_b)); + ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_b); + ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_b + 3 * page_size); + } } =20 -TEST_F(merge, mremap_faulted_to_unfaulted_prev_faulted_next) +TEST_F(merge_with_fork, mremap_faulted_to_unfaulted_prev_faulted_next) { struct procmap_fd *procmap =3D &self->procmap; unsigned int page_size =3D self->page_size; @@ -1373,6 +1457,14 @@ TEST_F(merge, mremap_faulted_to_unfaulted_prev_fault= ed_next) /* Fault it in. */ ptr_bc[0] =3D 'x'; =20 + if (variant->forked) { + pid_t pid =3D do_fork(&self->procmap); + + ASSERT_NE(pid, -1); + if (pid !=3D 0) + return; + } + /* * Now move VMA B out the way (splitting VMA BC) so we can place VMA A * in position, unfaulted, and leave the remainder of the VMA we just 
@@ -1397,10 +1489,16 @@ TEST_F(merge, mremap_faulted_to_unfaulted_prev_faul= ted_next) &self->carveout[page_size + 3 * page_size]); ASSERT_NE(ptr_b, MAP_FAILED); =20 - /* The VMAs should have merged. */ - ASSERT_TRUE(find_vma_procmap(procmap, ptr_a)); - ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a); - ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 9 * page_size); + /* The VMAs should have merged. A,B,C if unforked, B, C if forked. */ + if (variant->forked) { + ASSERT_TRUE(find_vma_procmap(procmap, ptr_b)); + ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_b); + ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_b + 6 * page_size); + } else { + ASSERT_TRUE(find_vma_procmap(procmap, ptr_a)); + ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a); + ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 9 * page_size); + } } =20 TEST_HARNESS_MAIN --=20 2.52.0
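Review bot: In do_fork() (first hunk of merge.c) the parent calls wait(NULL) and drops the child's exit status, and every converted caller then does "if (pid != 0) return;", so the parent side of each forked test never looks at how the child ended. That includes the case where the child path returns -1 after a failed close_procmap() or open_self_procmap() and the caller's ASSERT_NE(pid, -1) fires in the child. Now that the fork logic lives in one helper, this is the place to use waitpid(pid, &status, 0) and have the parent check WIFEXITED(status) and WEXITSTATUS(status), rather than leaving the reporting of child-side failures to whatever the harness happens to do. The child-side "return -1" is also indistinguishable from a fork() failure at the call site; a comment on the return values would help.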
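Review bot: The FIXTURE_TEARDOWN(merge) hunk drops the assertion on close_procmap() with the comment "May fail for parent of forked process", but the new FIXTURE_TEARDOWN(merge_with_fork) keeps "ASSERT_EQ(close_procmap(&self->procmap), 0);" even though its forked variant goes through the same do_fork() path. Either the relaxed form is needed in both teardowns or in neither; please make them consistent and extend the comment to say which failure is expected in the parent and why. The "See above." comment in the new teardown points at a different fixture's teardown and would read better spelled out in place.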
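Review bot: In the final-assertion hunk of mremap_faulted_to_unfaulted_prev, the forked variant only checks that the VMA at ptr_b ends after 3 pages; nothing asserts that the moved VMA at ptr_a is present as its own 3-page VMA, whereas the prev_unfaulted_next test does add that second lookup for B. Adding the matching find_vma_procmap(procmap, ptr_a) check here, and the mirror-image one for ptr_b in mremap_faulted_to_unfaulted_next, would pin down both halves of the non-merge. Minor points: the variable named offset holds the expected VMA length, so a name saying that would read better, and the _prev test adds a blank line before the "offset =" assignment that the _next test does not.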