Re: [PATCH] mm/madvise: reject invalid process_madvise() advice for zero-length vectors

Next message: Heiner Kallweit: "Re: [RFC Patch net-next v1 3/9] r8169: add support for multi tx queues"
Previous message: Randy Dunlap: "Re: [PATCH 3/3] Documentation: security-bugs: clarify requirements for AI-assisted reports"
In reply to: fujunjie: "[PATCH] mm/madvise: reject invalid process_madvise() advice for zero-length vectors"
Next in thread: fujunjie: "Re: [PATCH] mm/madvise: reject invalid process_madvise() advice for zero-length vectors"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andrew Morton

Date: Sun Apr 26 2026 - 15:41:53 EST

On Sun, 26 Apr 2026 11:08:22 +0000 fujunjie <fujunjie1@xxxxxx> wrote:

> process_madvise() validates the advice while walking the imported iovec.

Seems inefficient to be checking `behavior' repeatedly. I wonder if
your change will permit us to remove that madvise_behavior_valid()
check from is_valid_madvise().

> If the iovec has zero total length, vector_madvise() never enters the
> loop and returns 0 without checking whether the advice value is valid.
>
> For a local mm, such as process_madvise(PIDFD_SELF, ...), the remote-only
> process_madvise_remote_valid() check is skipped. As a result, an invalid
> advice can be reported as success when the vector has zero total length.
> This differs from madvise(), which rejects an invalid advice before
> returning success for a zero-length range.
>
> Reject invalid advice before walking the vector. Valid zero-length
> requests remain no-ops and continue to return 0.
>
> Add a selftest that covers invalid advice with a zero-length iovec and an
> empty vector, while also checking that a valid zero-length request still
> succeeds.

lgtm, thanks. Slightly non-backward-compatible but I think we can live
with that.

My process_madvise manpage doesn't even anticipate bogus `advice'
parameters.

And grr, the manpage calls it `advice' but the kernel calls it
`behavior'.