Re: [PATCH v3 2/5] mm/mseal: update madvise() logic

From: David Hildenbrand
Date: Thu Jul 24 2025 - 18:13:40 EST

Next message: Yang Shi: "[PATCH 4/4] arm64: mm: split linear mapping if BBML2 is not supported on secondary CPUs"
Previous message: Yang Shi: "[PATCH 3/4] arm64: mm: support large block mapping when rodata=full"
In reply to: Jeff Xu: "Re: [PATCH v3 2/5] mm/mseal: update madvise() logic"
Next in thread: Lorenzo Stoakes: "Re: [PATCH v3 2/5] mm/mseal: update madvise() logic"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 16.07.25 19:38, Lorenzo Stoakes wrote:

The madvise() logic is inexplicably performed in mm/mseal.c - this ought
to be located in mm/madvise.c.

Additionally can_modify_vma_madv() is inconsistently named and, in
combination with is_ro_anon(), is very confusing logic.

Put a static function in mm/madvise.c instead - can_madvise_modify() -
that spells out exactly what's happening. Also explicitly check for an
anon VMA.

Also add commentary to explain what's going on.

Essentially - we disallow discarding of data in mseal()'d mappings in
instances where the user couldn't otherwise write to that data.

Shared mappings are always backed, so no discard will actually truly
discard the data. Read-only anonymous and MAP_PRIVATE file-backed
mappings are the ones we are interested in.

We make a change to the logic here to correct a mistake - we must disallow
discard of read-only MAP_PRIVATE file-backed mappings, which previously we
were not.

The justification for this change is to account for the case where:

1. A MAP_PRIVATE R/W file-backed mapping is established.
2. The mapping is written to, which backs it with anonymous memory.
3. The mapping is mprotect()'d read-only.
4. The mapping is mseal()'d.

Thinking about this a bit (should have realized this implication earlier) ... assuming we have:

1. A MAP_PRIVATE R/O file-backed mapping.
2. The mapping is mseal()'d.

We only really have anon folios in there with things like (a) uprobe (b) debugger access (c) similarly weird FOLL_FORCE stuff.

Now, most executables/libraries are mapped that way. If someone would rely on MADV_DONTNEED to zap pages in there (to free up memory), that would get rejected.

Does something like that rely on MADV_DONTNEED working? Good question.

Checking for anon_vma in addition, ad mentioned in the other thread, would be a "cheap" check to rule out that there are currently anon vmas in there.

Well, not 100% reliable, because MADV_DONTNEED can race with page faults ...

--
Cheers,

David / dhildenb

Next message: Yang Shi: "[PATCH 4/4] arm64: mm: split linear mapping if BBML2 is not supported on secondary CPUs"
Previous message: Yang Shi: "[PATCH 3/4] arm64: mm: support large block mapping when rodata=full"
In reply to: Jeff Xu: "Re: [PATCH v3 2/5] mm/mseal: update madvise() logic"
Next in thread: Lorenzo Stoakes: "Re: [PATCH v3 2/5] mm/mseal: update madvise() logic"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]