[PATCH 0/2] mm: mremap: fix sign for EFAULT error return value

[PATCH 0/2] mm: mremap: fix sign for EFAULT error return value

[Niels Dossche]

The mremap syscall is supposed to return a pointer to the new virtual
memory area on success, and a negative value of the error code in case
of failure. Currently, EFAULT is returned when the VMA is not found,
instead of -EFAULT. The users of this syscall will therefore believe
the syscall succeeded in case the VMA didn't exist, as it returns a
pointer to address 0xe (0xe being the value of EFAULT).

This can easily be reproduced by the following C program. I expected
mremap to fail, but it does not. If the bug is present, it will print
0xe, otherwise the mremap will fail.

The patchset contains two patches: one that fixes the error, and
one that adds a small test case.


#define _GNU_SOURCE
#include <sys/mman.h>
#include <stdio.h>
int main() {
	// Get pointer that's definitely not mapped
	void* ptr = mmap(NULL, 4096, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (ptr == MAP_FAILED) { perror("mmap"); return 1; }
	int err = munmap(ptr, 4096);
	if (err < 0) { perror("munmap"); return 1; }
	// Remap unexisting VMA
	ptr = mremap(ptr, 4096, 4096, 0);
	if (ptr == MAP_FAILED) { perror("mremap"); return 1; }
	printf("%p\n", ptr);
	return 0;
}


Niels Dossche (2):
  mm: mremap: fix sign for EFAULT error return value
  selftest/vm: test that mremap fails on non-existent vma

 mm/mremap.c                                  | 2 +-
 tools/testing/selftests/vm/hugepage-mremap.c | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

-- 
2.35.2

[PATCH 1/2] mm: mremap: fix sign for EFAULT error return value

[Niels Dossche]

The mremap syscall is supposed to return a pointer to the new virtual
memory area on success, and a negative value of the error code in case
of failure. Currently, EFAULT is returned when the VMA is not found,
instead of -EFAULT. The users of this syscall will therefore believe
the syscall succeeded in case the VMA didn't exist, as it returns a
pointer to address 0xe (0xe being the value of EFAULT).
Fix the sign of the error value.

Fixes: 550a7d60bd5e ("mm, hugepages: add mremap() support for hugepage backed vma")
Signed-off-by: Niels Dossche <dossche.niels@gmail.com>
---
 mm/mremap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/mremap.c b/mm/mremap.c
index 303d3290b938..0b93fac76851 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -947,7 +947,7 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
 		return -EINTR;
 	vma = vma_lookup(mm, addr);
 	if (!vma) {
-		ret = EFAULT;
+		ret = -EFAULT;
 		goto out;
 	}
 
-- 
2.35.2

[PATCH 2/2] selftest/vm: test that mremap fails on non-existent vma

[Niels Dossche]

Add a regression test that validates that mremap fails for vma's that
don't exist.

Signed-off-by: Niels Dossche <dossche.niels@gmail.com>
---
 tools/testing/selftests/vm/hugepage-mremap.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tools/testing/selftests/vm/hugepage-mremap.c b/tools/testing/selftests/vm/hugepage-mremap.c
index 1d689084a54b..585978f181ed 100644
--- a/tools/testing/selftests/vm/hugepage-mremap.c
+++ b/tools/testing/selftests/vm/hugepage-mremap.c
@@ -178,6 +178,12 @@ int main(int argc, char *argv[])
 
 	munmap(addr, length);
 
+	addr = mremap(addr, length, length, 0);
+	if (addr != MAP_FAILED) {
+		printf("mremap: Expected failure, but call succeeded\n");
+		exit(1);
+	}
+
 	close(fd);
 	unlink(argv[argc-1]);
 
-- 
2.35.2