Re: [RFC PATCH] mm/mmap: Fix uprobe anon page be overwritten when expanding vma during mremap

[Oleg Nesterov]

On 05/24, David Hildenbrand wrote:
>
> On 24.05.25 18:45, Oleg Nesterov wrote:
> >
> >To be honest, I can't even understand this part due to my ignorance.
> >What does "the old uprobe anon page to be orphan" actually mean?
> >How can the unnecessary uprobe_mmap() lead to an "unbalanced"
> >inc_mm_counter(MM_ANONPAGES) ? Or what else can explain the
> >"BUG: Bad rss-counter state" from check_mm() ? Or there are more problems?
>
> Essentially, we end up mapping an anonymous page (when install the uprobe)
> after preparing the new VMA, but before moving over the pages from the old
> VMA.
>
> So when we then move over the pages from the old VMA, we overwrite the PTE
> mapping an anonymous page (due to uprobe).
>
> As we simply overwrite the PTE that is mapping an anonymous page, we run
> into inconsistency later: RSS counter mismatch, memory leak, etc.

Ah, I seem to start understand... move_ptes() doesn't even check *new_pte,
I guess it assumes pte_none(ptep_get(new_pte), right? So the old anonymous
page is simply leaked after set_pte_at(mm, new_addr, new_pte, pte)...

Correct?

> We should never be installing an anonymous page (due to uprobe) into a VMA
> during mremap() before moving over the pages from the old VMA.

OK. But do you see any reason why uprobe_mmap() should be ever called during
mremap() ? not to mention munmap() ...

Thanks!

Oleg.