From: sashiko-bot@kernel.org
To: tao <tao.wangtao@honor.com>
Cc: damon@lists.linux.dev
Subject: Re: [PATCH 10/15] mm: defer anon_vma creation with ANON_VMA_LAZY
Date: Wed, 27 May 2026 12:29:25 +0000 [thread overview]
Message-ID: <20260527122926.3DADA1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260527110147.17815-11-tao.wangtao@honor.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Unconditional increment of the root anon_vma refcount when reusing an existing anon_vma causes a memory leak.
--
commit e7b82bf7c91f9ff13c87c5b6d44b365dcfcf93c5
Author: tao <tao.wangtao@honor.com>
mm: defer anon_vma creation with ANON_VMA_LAZY
This commit defers anon_vma creation until fork by marking VMAs as
ANON_VMA_LAZY to reduce allocation overhead. During fork, lazy VMAs are
upgraded to establish the sharing topology, and child VMAs are created
without allocating a new anon_vma.
> diff --git a/mm/rmap.c b/mm/rmap.c
> index 12693c6897120..59848e1aaf531 100644
> --- a/mm/rmap.c
> +++ b/mm/rmap.c
[ ... ]
> @@ -282,19 +393,30 @@ int __anon_vma_prepare(struct vm_area_struct *vma)
>
> anon_vma = find_mergeable_anon_vma(vma);
> allocated = NULL;
> - if (!anon_vma) {
> + /* If parent_anon_vma exists, mergeable anon_vma root must match it. */
> + if (!anon_vma ||
> + (parent_anon_vma && anon_vma->root != parent_anon_vma->root)) {
> anon_vma = anon_vma_alloc();
> if (unlikely(!anon_vma))
> goto out_enomem_free_avc;
> - anon_vma->num_children++; /* self-parent link for new root */
> allocated = anon_vma;
> + if (parent_anon_vma) {
> + anon_vma->root = parent_anon_vma->root;
> + anon_vma->parent = parent_anon_vma;
> + }
> }
>
> anon_tree = make_anon_vma_tree(anon_vma);
> + if (upgrade_lazy)
> + is_lazy = vma_unlink_anon_vma_lazy(vma, anon_tree);
> anon_vma_tree_lock_write(anon_tree);
> /* page_table_lock to protect against threads */
> spin_lock(&mm->page_table_lock);
> - if (likely(!vma->anon_vma)) {
> + if (likely(!vma->anon_vma || is_lazy)) {
> + if (anon_vma->root != anon_vma)
> + get_anon_vma(anon_vma->root);
[Severity: High]
Does this code leak the root anon_vma when reusing an existing anon_vma?
When find_mergeable_anon_vma() finds a compatible anon_vma to reuse,
allocated is left as NULL. However, the code proceeds to unconditionally
call get_anon_vma(anon_vma->root) as long as anon_vma->root != anon_vma.
The root's refcount tracks the number of child anon_vma structs, not the
number of VMAs sharing the child anon_vma. Because a new anon_vma was not
allocated, the root's refcount was already correctly incremented when the
existing child anon_vma was originally created.
When the VMAs are later unmapped and the child anon_vma's interval tree
becomes completely empty, __put_anon_vma() is called exactly once for the
child anon_vma, which decrements the root's refcount exactly once. Since the
root's refcount is incremented every time a VMA reuses the child anon_vma
but only decremented once when the child is freed, it seems the extraneous
references will permanently leak root anon_vma structures.
> + if (allocated)
> + anon_vma->parent->num_children++;
> vma->anon_vma = anon_tree;
> anon_vma_chain_assign(vma, avc, anon_vma);
> anon_vma_interval_tree_insert(avc, &anon_vma->rb_root);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260527110147.17815-1-tao.wangtao@honor.com?part=10
next prev parent reply other threads:[~2026-05-27 12:29 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-27 11:01 [PATCH 0/15] mm: introduce ANON_VMA_LAZY for deferred anon_vma creation tao
2026-05-27 11:01 ` [PATCH 01/15] mm/rmap: introduce anon_rmap APIs for anonymous folios tao
2026-05-27 11:32 ` sashiko-bot
2026-05-27 11:44 ` Lorenzo Stoakes
2026-05-28 7:47 ` wangtao
2026-05-27 11:01 ` [PATCH 02/15] mm: convert anon_vma rmap APIs to anon_rmap tao
2026-05-27 11:49 ` Lorenzo Stoakes
2026-05-28 8:55 ` wangtao
2026-05-27 11:01 ` [PATCH 03/15] mm: introduce anon_vma_tree_t for multiple anon_vma topologies tao
2026-05-27 11:56 ` Lorenzo Stoakes
2026-05-28 9:00 ` wangtao
2026-05-27 11:01 ` [PATCH 04/15] mm: switch to anon_vma_tree_t APIs in preparation for ANON_VMA_LAZY tao
2026-05-27 11:53 ` sashiko-bot
2026-05-27 11:01 ` [PATCH 05/15] mm: add CONFIG_ANON_VMA_LAZY and folio helpers tao
2026-05-27 11:01 ` [PATCH 06/15] mm: add CONFIG_VMA_REF and VMA helpers tao
2026-05-27 11:42 ` sashiko-bot
2026-05-27 11:01 ` [PATCH 07/15] mm: replace direct FOLIO_MAPPING_ANON usage with helpers tao
2026-05-27 11:43 ` sashiko-bot
2026-05-27 11:01 ` [PATCH 08/15] mm: prepare rmap infrastructure for ANON_VMA_LAZY tao
2026-05-27 14:01 ` sashiko-bot
2026-05-27 11:01 ` [PATCH 09/15] mm: implement ANON_VMA_LAZY rmap semantics tao
2026-05-27 12:15 ` sashiko-bot
2026-05-27 11:01 ` [PATCH 10/15] mm: defer anon_vma creation with ANON_VMA_LAZY tao
2026-05-27 12:29 ` sashiko-bot [this message]
2026-05-27 11:01 ` [PATCH 11/15] mm: handle ANON_VMA_LAZY in huge page operations tao
2026-05-27 12:21 ` sashiko-bot
2026-05-27 11:01 ` [PATCH 12/15] mm: handle ANON_VMA_LAZY during migration tao
2026-05-27 12:23 ` sashiko-bot
2026-05-27 11:01 ` [PATCH 13/15] mm: support setup and upgrade of ANON_VMA_LAZY folios tao
2026-05-27 13:02 ` sashiko-bot
2026-05-27 11:01 ` [PATCH 14/15] mm: support merging of ANON_VMA_LAZY VMAs tao
2026-05-27 12:49 ` sashiko-bot
2026-05-27 11:01 ` [PATCH 15/15] mm: enable CONFIG_ANON_VMA_LAZY on arm64 and x86_64 tao
2026-05-27 17:19 ` sashiko-bot
2026-05-27 11:23 ` [PATCH 0/15] mm: introduce ANON_VMA_LAZY for deferred anon_vma creation Pedro Falcato
2026-05-28 6:45 ` wangtao
2026-05-28 7:14 ` Lorenzo Stoakes
2026-05-27 11:30 ` Lorenzo Stoakes
2026-05-28 7:11 ` wangtao
2026-05-28 7:22 ` Lorenzo Stoakes
2026-05-27 14:33 ` Lorenzo Stoakes
2026-05-28 7:57 ` wangtao
2026-05-28 8:14 ` Lorenzo Stoakes
2026-05-28 23:31 ` Barry Song
2026-05-29 2:20 ` wangzicheng
2026-05-29 6:56 ` Lorenzo Stoakes
2026-05-29 6:45 ` Lorenzo Stoakes
2026-05-29 9:41 ` wangtao
2026-05-29 12:03 ` Lorenzo Stoakes
2026-06-01 1:46 ` wangtao
2026-06-02 2:15 ` Barry Song
2026-06-02 2:46 ` Lance Yang
2026-06-02 15:37 ` Lorenzo Stoakes
2026-06-02 19:44 ` Pedro Falcato
2026-06-02 23:03 ` Barry Song
2026-06-03 7:07 ` Lorenzo Stoakes
2026-06-02 19:56 ` Harry Yoo
2026-06-02 22:27 ` Barry Song
2026-06-02 20:47 ` Lorenzo Stoakes
2026-05-29 15:07 ` Jonathan Corbet
2026-05-29 15:40 ` Lorenzo Stoakes
2026-05-30 11:28 ` Barry Song
2026-06-02 16:07 ` Harry Yoo
2026-06-03 2:59 ` wangtao
2026-06-03 3:12 ` wangtao
2026-06-03 7:54 ` Lorenzo Stoakes
2026-06-03 11:05 ` wangtao
2026-06-03 11:53 ` Lorenzo Stoakes
2026-06-04 3:50 ` wangtao
2026-06-03 20:25 ` David Hildenbrand (Arm)
2026-06-03 22:14 ` Barry Song
2026-06-04 4:03 ` wangtao
2026-06-04 4:20 ` Barry Song
2026-06-04 7:35 ` wangtao
2026-06-09 15:26 ` Suren Baghdasaryan
2026-06-09 15:49 ` David Hildenbrand (Arm)
2026-06-04 3:10 ` xu.xin16
2026-06-04 4:10 ` wangtao
2026-06-05 9:38 ` David Hildenbrand (Arm)
2026-06-05 10:07 ` Lorenzo Stoakes
2026-06-05 10:56 ` David Hildenbrand (Arm)
2026-06-04 9:40 ` Lorenzo Stoakes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260527122926.3DADA1F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=damon@lists.linux.dev \
--cc=sashiko-reviews@lists.linux.dev \
--cc=tao.wangtao@honor.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.