mirror of
https://github.com/followmsi/android_kernel_google_msm.git
synced 2024-11-06 23:17:41 +00:00
mm: fix anon_vma->degree underflow in anon_vma endless growing prevention
commit 3fe89b3e2a7bbf3e97657104b9b33a9d81b950b3 upstream.
I have constantly stumbled upon "kernel BUG at mm/rmap.c:399!" after
upgrading to 3.19 and had no luck with 4.0-rc1 neither.
So, after looking into new logic introduced by commit 7a3ef208e662 ("mm:
prevent endless growth of anon_vma hierarchy"), I found chances are that
unlink_anon_vmas() is called without incrementing dst->anon_vma->degree
in anon_vma_clone() due to allocation failure. If dst->anon_vma is not
NULL in error path, its degree will be incorrectly decremented in
unlink_anon_vmas() and eventually underflow when exiting as a result of
another call to unlink_anon_vmas(). That's how "kernel BUG at
mm/rmap.c:399!" is triggered for me.
This patch fixes the underflow by dropping dst->anon_vma when allocation
fails. It's safe to do so regardless of original value of dst->anon_vma
because dst->anon_vma doesn't have valid meaning if anon_vma_clone()
fails. Besides, callers don't care dst->anon_vma in such case neither.
Also suggested by Michal Hocko, we can clean up vma_adjust() a bit as
anon_vma_clone() now does the work.
[akpm@linux-foundation.org: tweak comment]
Fixes: 7a3ef208e662 ("mm: prevent endless growth of anon_vma hierarchy")
Signed-off-by: Leon Yu <chianglungyu@gmail.com>
Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
Reviewed-by: Michal Hocko <mhocko@suse.cz>
Acked-by: Rik van Riel <riel@redhat.com>
Acked-by: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Zefan Li <lizefan@huawei.com>
This commit is contained in:
Leon Yu
Zefan Li
parent
14b98571ea
commit
972dafe08e
2 changed files with 8 additions and 3 deletions
|
|
@ -571,12 +571,10 @@ again: remove_next = 1 + (end > next->vm_end);
|
|||
|
||||
importer->anon_vma = exporter->anon_vma;
|
||||
error = anon_vma_clone(importer, exporter);
|
||||
if (error) {
|
||||
importer->anon_vma = NULL;
|
||||
if (error)
|
||||
return error;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (file) {
|
||||
mapping = file->f_mapping;
|
||||
|
|
|
|||
|
|
@ -292,6 +292,13 @@ int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
|
|||
return 0;
|
||||
|
||||
enomem_failure:
|
||||
/*
|
||||
* dst->anon_vma is dropped here otherwise its degree can be incorrectly
|
||||
* decremented in unlink_anon_vmas().
|
||||
* We can safely do this because callers of anon_vma_clone() don't care
|
||||
* about dst->anon_vma if anon_vma_clone() failed.
|
||||
*/
|
||||
dst->anon_vma = NULL;
|
||||
unlink_anon_vmas(dst);
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue