From: Andrew Morton <akpm@linux-foundation.org>
To: "Liam R. Howlett" <Liam.Howlett@oracle.com>
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
	Suren Baghdasaryan <surenb@google.com>,
	Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
	Pedro Falcato <pfalcato@suse.de>,
	David Hildenbrand <david@redhat.com>,
	Vlastimil Babka <vbabka@suse.cz>, Michal Hocko <mhocko@suse.com>,
	Jann Horn <jannh@google.com>,
	shikemeng@huaweicloud.com, kasong@tencent.com, nphamcs@gmail.com,
	bhe@redhat.com, baohua@kernel.org, chrisl@kernel.org,
	Matthew Wilcox <willy@infradead.org>
Subject: Re: [PATCH v2 00/10] Remove XA_ZERO from error recovery of dup_mmap()
Date: Thu, 15 Jan 2026 11:01:53 -0800
Message-ID: <20260115110153.bbbce63a68df01d8cd4e6eaa@linux-foundation.org>
In-Reply-To: <20260115182720.1691130-1-Liam.Howlett@oracle.com>

On Thu, 15 Jan 2026 13:27:10 -0500 "Liam R. Howlett" <Liam.Howlett@oracle.com> wrote:

> It is possible that the dup_mmap() call fails on allocating or setting
> up a vma after the maple tree of the oldmm is copied.  Today, that
> failure point is marked by inserting an XA_ZERO entry over the failure
> point so that the exact location does not need to be communicated
> through to exit_mmap().
> 
> However, a race exists in the tear down process because the dup_mmap()
> drops the mmap lock before exit_mmap() can remove the partially set up
> vma tree.  This means that other tasks may get to the mm tree and find
> the invalid vma pointer (since it's an XA_ZERO entry), even though the
> mm is marked as MMF_OOM_SKIP and MMF_UNSTABLE.
> 
> To remove the race fully, the tree must be cleaned up before dropping
> the lock.  This is accomplished by extracting the vma cleanup in
> exit_mmap() and changing the required functions to pass through the vma
> search limit.  Any other tree modifications would require extra cycles
> which should be spent on freeing memory.
> 
> This does run the risk of increasing the possibility of finding no vmas
> (which is already possible!) in code that isn't careful.
> 
> The final four patches are to address the excessive argument lists being
> passed between the functions.  Using the struct unmap_desc also allows
> some special-case code to be removed in favour of the struct setup
> differences.

Thanks, all.  I quietly added this series to mm.git's mm-new branch. 
All being well I shall move it into mm.git's mm-unstable branch (and
hence into linux-next) a few days from now.
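
A userspace model of the failure window described in the quoted cover letter, added here as an illustration; it is not code from the patch series or the kernel. The flat array standing in for the tree, `ZERO_ENTRY`, and every function name are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#define NSLOTS 4
#define ZERO_ENTRY ((struct vma *)0x1) /* constructed stand-in for a marker entry */
struct vma { unsigned long start; int owner; };  /* owner: 0 parent, 1 child */
struct mm { struct vma *tree[NSLOTS]; int nr; }; /* flat array models the tree */
/* Free child-owned vmas in slots [0, limit); the tree then reads as empty. */
static void cleanup_to_limit(struct mm *mm, int limit) {
    for (int i = 0; i < limit; i++)
        free(mm->tree[i]);
    mm->nr = 0;
}

/* Copy the parent's tree, then swap in child copies; setup fails at fail_at. */
static int dup_tree(struct mm *child, const struct mm *parent, int fail_at, int use_marker) {
    *child = *parent; /* slots still point at the parent's vmas */
    for (int i = 0; i < child->nr; i++) {
        struct vma *v = (i == fail_at) ? NULL : malloc(sizeof(*v));
        if (!v) {
            if (use_marker)
                child->tree[i] = ZERO_ENTRY; /* mark the spot, tear down later */
            else
                cleanup_to_limit(child, i);  /* tear down before the lock is dropped */
            return -1;
        }
        *v = *parent->tree[i];
        v->owner = 1;
        child->tree[i] = v;
    }
    return 0;
}

/* Entries another task would find that are not usable child vmas. */
static int reader_bad_entries(const struct mm *mm) {
    int bad = 0;
    for (int i = 0; i < mm->nr; i++)
        bad += (mm->tree[i] == ZERO_ENTRY || mm->tree[i]->owner != 1);
    return bad;
}
/* Fail at slot 2 of 4, then look at the tree as a reader would. */
static int scenario(int use_marker) {
    static struct vma pv[NSLOTS] = {{0x1000, 0}, {0x2000, 0}, {0x4000, 0}, {0x7000, 0}};
    struct mm parent = {{&pv[0], &pv[1], &pv[2], &pv[3]}, NSLOTS}, child;
    dup_tree(&child, &parent, 2, use_marker);
    int bad = reader_bad_entries(&child); /* window after the lock is dropped */
    if (use_marker) cleanup_to_limit(&child, 2); /* late teardown stops at the marker */
    return bad;
}
int main(void) { printf("marker: %d bad, cleanup: %d bad\n", scenario(1), scenario(0)); return 0; }
```

In the marker variant a reader meets two entries it must not treat as its own vmas (the marker and the untouched slot after it); in the cleanup variant it meets an empty tree, the case the cover letter warns careless code must already handle.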



Thread overview: 20+ messages
2026-01-15 18:27 [PATCH v2 00/10] Remove XA_ZERO from error recovery of dup_mmap() Liam R. Howlett
2026-01-15 18:27 ` [PATCH v2 01/10] mm/mmap: Move exit_mmap() trace point Liam R. Howlett
2026-01-15 18:27 ` [PATCH v2 02/10] mm/mmap: Abstract vma clean up from exit_mmap() Liam R. Howlett
2026-01-15 18:27 ` [PATCH v2 03/10] mm/vma: Add limits to unmap_region() for vmas Liam R. Howlett
2026-01-15 18:27 ` [PATCH v2 04/10] mm/memory: Add tree limit to free_pgtables() Liam R. Howlett
2026-01-15 18:27 ` [PATCH v2 05/10] mm/vma: Add page table limit to unmap_region() Liam R. Howlett
2026-01-15 18:27 ` [PATCH v2 06/10] mm: Change dup_mmap() recovery Liam R. Howlett
2026-01-15 18:27 ` [PATCH v2 07/10] mm: Introduce unmap_desc struct to reduce function arguments Liam R. Howlett
2026-01-15 18:27 ` [PATCH v2 08/10] mm/vma: Use unmap_desc in exit_mmap() and vms_clear_ptes() Liam R. Howlett
2026-01-16  1:30   ` kernel test robot
2026-01-16 17:55     ` Liam R. Howlett
2026-01-16 19:48       ` Liam R. Howlett
2026-01-16  2:04   ` kernel test robot
2026-01-16  8:27     ` Lorenzo Stoakes
2026-01-16 16:15       ` Liam R. Howlett
2026-01-17  1:07         ` SeongJae Park
2026-01-17  3:25           ` Andrew Morton
2026-01-15 18:27 ` [PATCH v2 09/10] mm/vma: Use unmap_region() in vms_clear_ptes() Liam R. Howlett
2026-01-15 18:27 ` [PATCH v2 10/10] mm: Use unmap_desc struct for freeing page tables Liam R. Howlett
2026-01-15 19:01 ` Andrew Morton [this message]
