patch: linux-user: fix several mremap bugs

- https://lists.gnu.org/archive/html/qemu-devel/2025-10/msg02738.html

Author: mikdusan

command/base

@@ -13,7 +13,7 @@ QEMU_REV="10.1.1"
 QEMU_GIT_COMMIT=""
 
 # reset to blank when QEMU_REV/GIT_COMMIT bumps, otherwise begin count from 1
-QEMU_REV_ZIG_SERIAL=
+QEMU_REV_ZIG_SERIAL=1
 
 if [ -n "$QEMU_GIT_COMMIT" ]; then
     QEMU_SRC_BASENAME="${QEMU_NAME}-${QEMU_REV}-${QEMU_GIT_COMMIT}"

command/patch

@@ -7,3 +7,6 @@ set -e
 WORKDIR "/work/src/${QEMU_SRC_BASENAME}"
 RUN patch -p1 -i "${WORK_ROOT}/patch/linux-user__signal.diff"
 RUN patch -p1 -i "${WORK_ROOT}/patch/linux-user__syscall.diff"
+RUN patch -p1 -i "${WORK_ROOT}/patch/linux-user__mlugg1.diff"
+RUN patch -p1 -i "${WORK_ROOT}/patch/linux-user__mlugg2.diff"
+RUN patch -p1 -i "${WORK_ROOT}/patch/linux-user__mlugg3.diff"

patch/linux-user__mlugg1.diff

@@ -0,0 +1,14 @@
+diff --git a/linux-user/mmap.c b/linux-user/mmap.c
+index 847092a28a..ec8392b35b 100644
+--- a/linux-user/mmap.c
++++ b/linux-user/mmap.c
+@@ -1164,7 +1164,8 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong old_size,
+                     errno = ENOMEM;
+                     host_addr = MAP_FAILED;
+                 } else if (reserved_va && old_size > new_size) {
+-                    mmap_reserve_or_unmap(old_addr + old_size,
++                    /* Re-reserve pages we just shrunk out of the mapping */
++                    mmap_reserve_or_unmap(old_addr + new_size,
+                                           old_size - new_size);
+                 }
+             }

patch/linux-user__mlugg2.diff

@@ -0,0 +1,23 @@
+diff --git a/linux-user/mmap.c b/linux-user/mmap.c
+index ec8392b35b..4c5fe832ad 100644
+--- a/linux-user/mmap.c
++++ b/linux-user/mmap.c
+@@ -1103,12 +1103,15 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong old_size,
+     int prot;
+     void *host_addr;
+ 
+-    if (!guest_range_valid_untagged(old_addr, old_size) ||
+-        ((flags & MREMAP_FIXED) &&
++    if (!guest_range_valid_untagged(old_addr, old_size)) {
++        errno = EFAULT;
++        return -1;
++    }
++    if (((flags & MREMAP_FIXED) &&
+          !guest_range_valid_untagged(new_addr, new_size)) ||
+         ((flags & MREMAP_MAYMOVE) == 0 &&
+          !guest_range_valid_untagged(old_addr, new_size))) {
+-        errno = ENOMEM;
++        errno = EINVAL;
+         return -1;
+     }
+ 

patch/linux-user__mlugg3.diff

@@ -0,0 +1,85 @@
+diff --git a/linux-user/mmap.c b/linux-user/mmap.c
+index 4c5fe832ad..e1ed9085c7 100644
+--- a/linux-user/mmap.c
++++ b/linux-user/mmap.c
+@@ -1014,59 +1014,38 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int target_prot,
+ static int mmap_reserve_or_unmap(abi_ulong start, abi_ulong len)
+ {
+     int host_page_size = qemu_real_host_page_size();
++    abi_ulong end;
+     abi_ulong real_start;
+-    abi_ulong real_last;
+-    abi_ulong real_len;
+-    abi_ulong last;
+-    abi_ulong a;
++    abi_ulong real_end;
++    abi_ulong off;
+     void *host_start;
+     int prot;
+ 
+-    last = start + len - 1;
++    end = ROUND_UP(start + len, TARGET_PAGE_SIZE);
++
+     real_start = start & -host_page_size;
+-    real_last = ROUND_UP(last, host_page_size) - 1;
++    real_end = ROUND_UP(end, host_page_size);
+ 
+-    /*
+-     * If guest pages remain on the first or last host pages,
+-     * adjust the deallocation to retain those guest pages.
+-     * The single page special case is required for the last page,
+-     * lest real_start overflow to zero.
+-     */
+-    if (real_last - real_start < host_page_size) {
+-        prot = 0;
+-        for (a = real_start; a < start; a += TARGET_PAGE_SIZE) {
+-            prot |= page_get_flags(a);
+-        }
+-        for (a = last; a < real_last; a += TARGET_PAGE_SIZE) {
+-            prot |= page_get_flags(a + 1);
+-        }
+-        if (prot != 0) {
+-            return 0;
+-        }
+-    } else {
+-        for (prot = 0, a = real_start; a < start; a += TARGET_PAGE_SIZE) {
+-            prot |= page_get_flags(a);
+-        }
+-        if (prot != 0) {
+-            real_start += host_page_size;
+-        }
++    /* end or real_end may have overflowed to 0, but that's okay. */
+ 
+-        for (prot = 0, a = last; a < real_last; a += TARGET_PAGE_SIZE) {
+-            prot |= page_get_flags(a + 1);
+-        }
+-        if (prot != 0) {
+-            real_last -= host_page_size;
+-        }
++    /* If [real_start,start) contains a mapped guest page, retain the first page. */
++    for (prot = 0, off = 0; off < start - real_start; off += TARGET_PAGE_SIZE) {
++        prot |= page_get_flags(real_start + off);
++    }
++    if (prot != 0) {
++        real_start += host_page_size;
++    }
+ 
+-        if (real_last < real_start) {
+-            return 0;
+-        }
++    /* If [end,real_end) contains a mapped guest page, retain the last page. */
++    for (prot = 0, off = 0; off < real_end - end; off += TARGET_PAGE_SIZE) {
++        prot |= page_get_flags(end + off);
++    }
++    if (prot != 0) {
++        real_end -= host_page_size;
+     }
+ 
+-    real_len = real_last - real_start + 1;
+     host_start = g2h_untagged(real_start);
+-
+-    return do_munmap(host_start, real_len);
++    return do_munmap(host_start, real_end - real_start);
+ }
+ 
+ int target_munmap(abi_ulong start, abi_ulong len)