From: "David Hildenbrand (Arm)" <david@kernel.org>
To: Sasha Levin <sashal@kernel.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
Andrew Morton <akpm@linux-foundation.org>,
Hugh Dickins <hughd@google.com>, Zi Yan <ziy@nvidia.com>,
Gavin Guo <gavinguo@igalia.com>
Subject: Re: VM_BUG_ON_VMA in split_huge_pmd_locked: huge PMD doesn't cover full VMA range
Date: Wed, 25 Feb 2026 21:30:38 +0100 [thread overview]
Message-ID: <6e7ffb3a-e876-48a9-8aa5-0889905de5ac@kernel.org> (raw)
In-Reply-To: <aZ78kFBEA2SjgT93@laps>
> The suspected race window is:
>
> 1. VMA [A, A+2MB) has a THP. Migration starts, PMD becomes a migration
> entry.
>
> 2. Concurrently, __split_vma() runs under mmap_write_lock. It calls
> vma_adjust_trans_huge() which acquires the PMD lock, splits the PMD
> migration entry into 512 PTE migration entries, and releases the PMD
> lock. Then VMA boundaries are modified (e.g., vma->vm_start = A+X).
split_huge_pmd_locked() will call __split_huge_pmd_locked() either for
* pmd_trans_huge(): Present PMD
* pmd_is_valid_softleaf(): Migration PMDs (for our purpose)
__split_huge_pmd_locked() will remap either, resulting in a PTE table.
>
> 3. remove_migration_ptes() runs via rmap_walk_anon() WITHOUT mmap_lock
> (only the anon_vma lock). page_vma_mapped_walk() acquires the PMD
> lock. If it wins the lock BEFORE step 2's split, it finds the PMD
> migration entry still intact and returns with pvmw->pte == NULL.
If 2. runs after 3, 2. would simply split the (present) PMD.
If 2. runs before 3, 2. would simply split the migration PMD.
And both should sync on the PMD table lock.
exit() cannot run before 2. completed.
Wondering if it's instead some missed vma_adjust_trans_huge() case. I
see a call from commit_merge(), so maybe some odd corner cases with VMA
merging.
--
Cheers,
David
prev parent reply other threads:[~2026-02-25 20:30 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-25 13:43 Sasha Levin
2026-02-25 13:50 ` David Hildenbrand (Arm)
2026-02-25 18:12 ` Sasha Levin
2026-02-25 20:30 ` David Hildenbrand (Arm) [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6e7ffb3a-e876-48a9-8aa5-0889905de5ac@kernel.org \
--to=david@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=gavinguo@igalia.com \
--cc=hughd@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=sashal@kernel.org \
--cc=ziy@nvidia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox