Commit 3215eaceca87 ("mm/mremap: refactor initial parameter sanity checks") moved the sanity check for vrm->new_addr from mremap_to() to check_mremap_params().
However, this caused a regression as vrm->new_addr is now checked even when MREMAP_FIXED and MREMAP_DONTUNMAP flags are not specified. In this case, vrm->new_addr can be garbage and create unexpected failures.
Fix this by moving the new_addr check after the vrm_implies_new_addr() guard. This ensures that the new_addr is only checked when the user has specified one explicitly.
Cc: stable@vger.kernel.org Fixes: 3215eaceca87 ("mm/mremap: refactor initial parameter sanity checks") Reviewed-by: Liam R. Howlett Liam.Howlett@oracle.com Signed-off-by: Carlos Llamas cmllamas@google.com --- v2: - split out vrm->new_len into individual checks - cc stable, collect tags
v1: https://lore.kernel.org/all/20250828032653.521314-1-cmllamas@google.com/
mm/mremap.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/mm/mremap.c b/mm/mremap.c index e618a706aff5..35de0a7b910e 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -1774,15 +1774,18 @@ static unsigned long check_mremap_params(struct vma_remap_struct *vrm) if (!vrm->new_len) return -EINVAL;
- /* Is the new length or address silly? */ - if (vrm->new_len > TASK_SIZE || - vrm->new_addr > TASK_SIZE - vrm->new_len) + /* Is the new length silly? */ + if (vrm->new_len > TASK_SIZE) return -EINVAL;
/* Remainder of checks are for cases with specific new_addr. */ if (!vrm_implies_new_addr(vrm)) return 0;
+ /* Is the new address silly? */ + if (vrm->new_addr > TASK_SIZE - vrm->new_len) + return -EINVAL; + /* The new address must be page-aligned. */ if (offset_in_page(vrm->new_addr)) return -EINVAL;
On 8/28/25 16:26, Carlos Llamas wrote:
Commit 3215eaceca87 ("mm/mremap: refactor initial parameter sanity checks") moved the sanity check for vrm->new_addr from mremap_to() to check_mremap_params().
However, this caused a regression as vrm->new_addr is now checked even when MREMAP_FIXED and MREMAP_DONTUNMAP flags are not specified. In this case, vrm->new_addr can be garbage and create unexpected failures.
Fix this by moving the new_addr check after the vrm_implies_new_addr() guard. This ensures that the new_addr is only checked when the user has specified one explicitly.
Cc: stable@vger.kernel.org
Not necessary, but for mm-hotfixes please, Andrew.
Fixes: 3215eaceca87 ("mm/mremap: refactor initial parameter sanity checks") Reviewed-by: Liam R. Howlett Liam.Howlett@oracle.com Signed-off-by: Carlos Llamas cmllamas@google.com
Reviewed-by: Vlastimil Babka vbabka@suse.cz
v2:
- split out vrm->new_len into individual checks
- cc stable, collect tags
v1: https://lore.kernel.org/all/20250828032653.521314-1-cmllamas@google.com/
mm/mremap.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/mm/mremap.c b/mm/mremap.c index e618a706aff5..35de0a7b910e 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -1774,15 +1774,18 @@ static unsigned long check_mremap_params(struct vma_remap_struct *vrm) if (!vrm->new_len) return -EINVAL;
- /* Is the new length or address silly? */
- if (vrm->new_len > TASK_SIZE ||
vrm->new_addr > TASK_SIZE - vrm->new_len)
- /* Is the new length silly? */
- if (vrm->new_len > TASK_SIZE) return -EINVAL;
/* Remainder of checks are for cases with specific new_addr. */ if (!vrm_implies_new_addr(vrm)) return 0;
- /* Is the new address silly? */
- if (vrm->new_addr > TASK_SIZE - vrm->new_len)
return -EINVAL;- /* The new address must be page-aligned. */ if (offset_in_page(vrm->new_addr)) return -EINVAL;
(For future reference) please send separately rather than in reply to first :)
Otherwise harder for me to find your series!
On Thu, Aug 28, 2025 at 02:26:56PM +0000, Carlos Llamas wrote:
Commit 3215eaceca87 ("mm/mremap: refactor initial parameter sanity checks") moved the sanity check for vrm->new_addr from mremap_to() to check_mremap_params().
However, this caused a regression as vrm->new_addr is now checked even when MREMAP_FIXED and MREMAP_DONTUNMAP flags are not specified. In this case, vrm->new_addr can be garbage and create unexpected failures.
Fix this by moving the new_addr check after the vrm_implies_new_addr() guard. This ensures that the new_addr is only checked when the user has specified one explicitly.
Cc: stable@vger.kernel.org
Yeah oopsies on me suggesting this :P losing track of my own patches :)
Fixes: 3215eaceca87 ("mm/mremap: refactor initial parameter sanity checks") Reviewed-by: Liam R. Howlett Liam.Howlett@oracle.com Signed-off-by: Carlos Llamas cmllamas@google.com
LGTM, so:
Reviewed-by: Lorenzo Stoakes lorenzo.stoakes@oracle.com
And again thanks so much for this! :)
v2:
- split out vrm->new_len into individual checks
- cc stable, collect tags
v1: https://lore.kernel.org/all/20250828032653.521314-1-cmllamas@google.com/
mm/mremap.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/mm/mremap.c b/mm/mremap.c index e618a706aff5..35de0a7b910e 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -1774,15 +1774,18 @@ static unsigned long check_mremap_params(struct vma_remap_struct *vrm) if (!vrm->new_len) return -EINVAL;
- /* Is the new length or address silly? */
- if (vrm->new_len > TASK_SIZE ||
vrm->new_addr > TASK_SIZE - vrm->new_len)
/* Is the new length silly? */
if (vrm->new_len > TASK_SIZE) return -EINVAL;
/* Remainder of checks are for cases with specific new_addr. */ if (!vrm_implies_new_addr(vrm)) return 0;
/* Is the new address silly? */
if (vrm->new_addr > TASK_SIZE - vrm->new_len)
return -EINVAL;/* The new address must be page-aligned. */ if (offset_in_page(vrm->new_addr)) return -EINVAL;
-- 2.51.0.268.g9569e192d0-goog
Cheers, Lorenzo
linux-stable-mirror@lists.linaro.org
-
Carlos Llamas -
Lorenzo Stoakes -
Vlastimil Babka