Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp665758pxk; Sun, 30 Aug 2020 18:54:15 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwcOa/Ex9XZIiMo74/QjX9EoUqcYV6ya+tJaa4FP50BHvZZ8c8Jhbvf0udHSOmT9Y/4bSp0 X-Received: by 2002:a17:906:90d5:: with SMTP id v21mr3747434ejw.123.1598838855255; Sun, 30 Aug 2020 18:54:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598838855; cv=none; d=google.com; s=arc-20160816; b=aFXlKxz6ERvjQLHaY4U1U4lClaS3f43uSUfNqDjM8VI8DHi6Je7MyW6r/iB0gDR6FR c5qxmstnA6MejdO8zzQfF1tT7du/nUA7ySL/uK7mPgx95vwATf6RDvpWmvQdLdY46yZa vaXVqGeJIntqQ8Xkp2xBTh5ZOfPrdolj+nVmFOBtRt4HidIqAI+23PL6tkrl16S2Lmrw KIjNUQly76xhbaPyOmSyblEWVmqLKoqWaz+ICqmPhvVnAPlHZQFYs4klh7+xWWa3soCG rCJpF22AuugRrDE7g+mpXW4V3KGk1l6gKX8jLIOWggpZLZObTM+L3IOvwFwVBHe0wBmb LDFQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=pK+cSPTb7Tzx4/p4zK4jm5iIstlqhK614j35t+rtzQ4=; b=bcsB2ZC8kmaDrRNSLvtrBhADzPVy+zKW1ceFVSRyxesY5lip9od181INcUB0gOaStq R7VO4bmOo2XMlQCsgQ/qAQpig8KilxlRg4nq56Y/pOzxvnyasiZLnThepUdiYwHLI4OD qiCn9guXkMn1WoFJkFfsi+AgrWuqN/zmspJFq6qMVK+PrnjSWoE9k5nMI0BdB0yRss2c u/jXsXH6Qh3MIWeZvjX140es4oh9mQH2P5JC9qI9Ws9kL7xKucu9R/0Z7Lu/e9c8x7a1 NpdateN+C05FRFDO5/Qm9JkSRkTKx49VPk0RDkLbt5wcAw1RnmY6pqm6PErPP9p0GYTa CjyQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u18si4517397ejr.700.2020.08.30.18.53.52; Sun, 30 Aug 2020 18:54:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726954AbgHaBwt (ORCPT + 99 others); Sun, 30 Aug 2020 21:52:49 -0400 Received: from out30-132.freemail.mail.aliyun.com ([115.124.30.132]:38415 "EHLO out30-132.freemail.mail.aliyun.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726454AbgHaBws (ORCPT ); Sun, 30 Aug 2020 21:52:48 -0400 X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R991e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01e01353;MF=richard.weiyang@linux.alibaba.com;NM=1;PH=DS;RN=5;SR=0;TI=SMTPD_---0U7IVksK_1598838766; Received: from localhost(mailfrom:richard.weiyang@linux.alibaba.com fp:SMTPD_---0U7IVksK_1598838766) by smtp.aliyun-inc.com(127.0.0.1); Mon, 31 Aug 2020 09:52:46 +0800 From: Wei Yang To: viro@zeniv.linux.org.uk, akpm@linux-foundation.org Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Wei Yang Subject: [PATCH] [RFC] exec: the vma passed to shift_arg_pages() must not have next Date: Mon, 31 Aug 2020 09:51:21 +0800 Message-Id: <20200831015121.20036-1-richard.weiyang@linux.alibaba.com> X-Mailer: git-send-email 2.20.1 (Apple Git-117) MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org We can divide vma_adjust() into two categories based on whether the *insert* is NULL or not. And when *insert* is NULL, it has two users: mremap() and shift_arg_pages(). For the second vma_adjust() in shift_arg_pages(), the vma must not have next. Otherwise vma_adjust() would expand next->vm_start instead of just shift the vma. Fortunately, shift_arg_pages() is only used in setup_arg_pages() to move stack, which is placed on the top of the address range. This means the vma is not expected to have a next. Since mremap() calls vma_adjust() to expand itself, shift_arg_pages() is the only case it may fall into mprotect case 4 by accident. Let's add a BUG_ON() and comment to inform the following audience. Signed-off-by: Wei Yang --- fs/exec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/exec.c b/fs/exec.c index a91003e28eaa..3ff44ab0d112 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -682,6 +682,7 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) struct mmu_gather tlb; BUG_ON(new_start > new_end); + BUG_ON(vma->vm_next); /* * ensure there are no vmas between where we want to go @@ -726,6 +727,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift) /* * Shrink the vma to just the new range. Always succeeds. + * Since !vma->vm_next, __vma_adjust() would not go to mprotect case + * 4 to expand next. */ vma_adjust(vma, new_start, new_end, vma->vm_pgoff, NULL); -- 2.20.1 (Apple Git-117)