Re: [RFC PATCH] mm/mmap: Fix uprobe anon page be overwritten when expanding vma during mremap

[David Hildenbrand]

On 25.05.25 11:59, Oleg Nesterov wrote:
> On 05/24, David Hildenbrand wrote:
> > On 24.05.25 18:45, Oleg Nesterov wrote:
> > > To be honest, I can't even understand this part due to my ignorance.
> > > What does "the old uprobe anon page to be orphan" actually mean?
> > > How can the unnecessary uprobe_mmap() lead to an "unbalanced"
> > > inc_mm_counter(MM_ANONPAGES) ? Or what else can explain the
> > > "BUG: Bad rss-counter state" from check_mm() ? Or there are more problems?
> >
> > Essentially, we end up mapping an anonymous page (when install the uprobe)
> > after preparing the new VMA, but before moving over the pages from the old
> > VMA.
> >
> > So when we then move over the pages from the old VMA, we overwrite the PTE
> > mapping an anonymous page (due to uprobe).
> >
> > As we simply overwrite the PTE that is mapping an anonymous page, we run
> > into inconsistency later: RSS counter mismatch, memory leak, etc.
>
> Ah, I seem to start understand... move_ptes() doesn't even check *new_pte,
> I guess it assumes pte_none(ptep_get(new_pte), right? So the old anonymous
> page is simply leaked after set_pte_at(mm, new_addr, new_pte, pte)...
>
> Correct?

Right. Ordinary page faults cannot happen concurrently, so the 
assumption is that there really isn't anything mapped yet.

> > We should never be installing an anonymous page (due to uprobe) into a VMA
> > during mremap() before moving over the pages from the old VMA.
>
> OK. But do you see any reason why uprobe_mmap() should be ever called during
> mremap() ?

Only when growing a VMA: we might now cover a part with a uprobe, which 
we have take care of.

not to mention munmap() ...

I cannot think of something that would require it during munmap().

--
Cheers,

David / dhildenb