Message-ID: <54F747CE.5050204@redhat.com>
Date: Wed, 04 Mar 2015 12:58:38 -0500
From: Rik van Riel
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Leon Yu, Andrew Morton, Konstantin Khlebnikov, Michal Hocko
CC: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Vlastimil Babka, Daniel Forrest, Chris Clayton, Oded Gabbay, Chih-Wei Huang, stable@vger.kernel.org
Subject: Re: [PATCH v2] mm: fix anon_vma->degree underflow in anon_vma endless growing prevention
References: <1425473541-4924-1-git-send-email-chianglungyu@gmail.com>
In-Reply-To: <1425473541-4924-1-git-send-email-chianglungyu@gmail.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On 03/04/2015 07:52 AM, Leon Yu wrote:
> I have constantly stumbled upon "kernel BUG at mm/rmap.c:399!" after
> upgrading to 3.19 and had no luck with 4.0-rc1 either.
>
> So, after looking into the new logic introduced by 7a3ef208e662 ("mm: prevent
> endless growth of anon_vma hierarchy"), I found chances are that
> unlink_anon_vmas() is called without incrementing dst->anon_vma->degree in
> anon_vma_clone() due to allocation failure. If dst->anon_vma is not NULL
> in the error path, its degree will be incorrectly decremented in
> unlink_anon_vmas() and eventually underflow when exiting as a result of
> another call to unlink_anon_vmas(). That's how "kernel BUG at
> mm/rmap.c:399!" is triggered for me.
>
> This patch fixes the underflow by dropping dst->anon_vma when allocation
> fails. It's safe to do so regardless of the original value of dst->anon_vma
> because dst->anon_vma doesn't have a valid meaning if anon_vma_clone()
> fails. Besides, callers don't care about dst->anon_vma in such a case either.
>
> Also, as suggested by Michal Hocko, we can clean up vma_adjust() a bit as
> anon_vma_clone() now does the work.
>
> Fixes: 7a3ef208e662 ("mm: prevent endless growth of anon_vma hierarchy")
> Signed-off-by: Leon Yu
> Signed-off-by: Konstantin Khlebnikov
> Reviewed-by: Michal Hocko
> Acked-by: David Rientjes
> Cc:

Acked-by: Rik van Riel
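The error-path accounting mistake described in the quoted patch, replayed in a constructed, much-simplified model of the degree counter (added illustration, not the kernel's rmap.c): `model_clone` and `model_unlink` are hypothetical stand-ins for anon_vma_clone() and unlink_anon_vmas(), with the BUG_ON reported as a `false` return instead of a panic.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model: only the degree counter and the anon_vma pointer matter here. */
struct anon_vma { unsigned int degree; };
struct vma { struct anon_vma *anon_vma; };

/* Stand-in for the decrement in unlink_anon_vmas(). Returns false where the
 * real code would trip the underflow check ("kernel BUG at mm/rmap.c:399!"). */
static bool model_unlink(struct vma *vma)
{
	if (vma->anon_vma) {
		if (vma->anon_vma->degree == 0)
			return false;		/* decrement without a matching increment */
		vma->anon_vma->degree--;
	}
	return true;
}

/* Stand-in for anon_vma_clone(). 'alloc_fails' simulates the chain allocation
 * failing before dst adopts src's anon_vma, so no increment has happened yet.
 * 'fixed' selects the patched error path (dst->anon_vma dropped before unlink). */
static int model_clone(struct vma *dst, struct vma *src, bool alloc_fails, bool fixed)
{
	if (alloc_fails) {
		if (fixed)
			dst->anon_vma = NULL;	/* the patch: dst->anon_vma has no valid meaning now */
		model_unlink(dst);		/* error path: unlink_anon_vmas(dst) */
		return -1;
	}
	if (!dst->anon_vma && src->anon_vma->degree < 2) {
		dst->anon_vma = src->anon_vma;
		dst->anon_vma->degree++;	/* balanced later by model_unlink(dst) */
	}
	return 0;
}

/* Replays the reported sequence: the caller pre-copied dst->anon_vma (as
 * vma_adjust did), the clone fails, and the original vma is unlinked on exit.
 * Returns true when the exit-time unlink does not underflow. */
static bool scenario(bool fixed)
{
	struct anon_vma av = { .degree = 1 };	/* referenced by one vma already */
	struct vma orig = { .anon_vma = &av };
	struct vma dst = { .anon_vma = &av };	/* copied by the caller before cloning */

	model_clone(&dst, &orig, true, fixed);	/* allocation failure path */
	return model_unlink(&orig);		/* exit: unlink_anon_vmas(orig) */
}
```

`scenario(false)` reproduces the underflow (degree 1 is decremented once for `dst` without an increment, then again for `orig`); `scenario(true)` shows the patched path leaving the count balanced.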