diff options
| author | Konstantin Khlebnikov <koct9i@gmail.com> | 2015-01-11 16:54:06 +0300 |
|---|---|---|
| committer | Zefan Li <lizefan@huawei.com> | 2015-04-14 12:33:52 +0300 |
| commit | 8463d31289d4c79e739798583bc5862c594c11cb (patch) | |
| tree | db6aec175cbb8c543de5d3fd6a3e82ca98f74fe1 /mm | |
| parent | df5f1b2e38a0f9d212c073502c4ba95feeeef33b (diff) | |
| download | linux-8463d31289d4c79e739798583bc5862c594c11cb.tar.xz | |
mm: fix corner case in anon_vma endless growing prevention
commit b800c91a0517071156e772d4fb329ad33590da62 upstream.
Fix for BUG_ON(anon_vma->degree) splashes in unlink_anon_vmas() ("kernel
BUG at mm/rmap.c:399!") caused by commit 7a3ef208e662 ("mm: prevent
endless growth of anon_vma hierarchy")
Anon_vma_clone() is usually called for a copy of source vma in
destination argument. If source vma has anon_vma it should be already
in dst->anon_vma. NULL in dst->anon_vma is used as a sign that it's
called from anon_vma_fork(). In this case anon_vma_clone() finds
anon_vma for reusing.
Vma_adjust() calls it differently and this breaks anon_vma reusing
logic: anon_vma_clone() links vma to old anon_vma and updates degree
counters but vma_adjust() overrides vma->anon_vma right after that. As
a result final unlink_anon_vmas() decrements degree for wrong anon_vma.
This patch assigns ->anon_vma before calling anon_vma_clone().
Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
Reported-and-tested-by: Chris Clayton <chris2553@googlemail.com>
Reported-and-tested-by: Oded Gabbay <oded.gabbay@amd.com>
Reported-and-tested-by: Chih-Wei Huang <cwhuang@android-x86.org>
Acked-by: Rik van Riel <riel@redhat.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Daniel Forrest <dan.forrest@ssec.wisc.edu>
Cc: Michal Hocko <mhocko@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[lizf: Backported to 3.4: define variable @error and return this instead
of returning -ENOMEM]
Signed-off-by: Zefan Li <lizefan@huawei.com>
Diffstat (limited to 'mm')
| -rw-r--r-- | mm/mmap.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/mm/mmap.c b/mm/mmap.c index 84dc5fc27a8a..f880ca164c00 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -567,9 +567,14 @@ again: remove_next = 1 + (end > next->vm_end); * shrinking vma had, to cover any anon pages imported. */ if (exporter && exporter->anon_vma && !importer->anon_vma) { - if (anon_vma_clone(importer, exporter)) - return -ENOMEM; + int error; + importer->anon_vma = exporter->anon_vma; + error = anon_vma_clone(importer, exporter); + if (error) { + importer->anon_vma = NULL; + return error; + } } } |