From: Jann Horn
Date: Thu, 20 Mar 2025 21:11:33 +0100
Subject: Re: [syzbot] [mm?] BUG: unable to handle kernel paging request in vma_merge_existing_range
To: Pedro Falcato
Cc: syzbot, lorenzo.stoakes@oracle.com, Liam.Howlett@oracle.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, vbabka@suse.cz

On Thu, Mar 20, 2025 at 9:02 PM Pedro Falcato wrote:
> On Thu, Mar 20, 2025 at 12:09:36PM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    eb88e6bfbc0a Merge tag 'fsnotify_for_v6.14-rc7' of git://g..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=11e6c83f980000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=77423669c2b8fa9
> > dashboard link: https://syzkaller.appspot.com/bug?extid=20ed41006cf9d842c2b5
> > compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > userspace arch: i386
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > Downloadable assets:
> > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-eb88e6bf.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/ded0ce69669f/vmlinux-eb88e6bf.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/6e6fa3c719e7/bzImage-eb88e6bf.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+20ed41006cf9d842c2b5@syzkaller.appspotmail.com
> >
> > BUG: unable to handle page fault for address: fffffffffffffff4
> > #PF: supervisor read access in kernel mode
> > #PF: error_code(0x0000) - not-present page
> > PGD df84067 P4D df84067 PUD df86067 PMD 0
> > Oops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
> > CPU: 1 UID: 0 PID: 17805 Comm: syz.8.3237 Not tainted 6.14.0-rc6-syzkaller-00212-geb88e6bfbc0a #0
> > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> > RIP: 0010:vma_merge_existing_range+0x266/0x2070 mm/vma.c:734
> > Code: e8 5f 25 ad ff 48 8b 14 24 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 1c 19 00 00 48 8b 04 24 48 8b 74 24 08 <4c> 8b 38 4c 89 ff e8 9f 1f ad ff 48 8b 44 24 08 49 39 c7 0f 83 db
> > RSP: 0000:ffffc9000319f988 EFLAGS: 00010246
> > RAX: fffffffffffffff4 RBX: ffffc9000319fae8 RCX: ffffffff820cd3e5
> > RDX: 1ffffffffffffffe RSI: 0000000080c2a000 RDI: 0000000000000005
> > RBP: 0000000080ce2000 R08: 0000000000000005 R09: 0000000000000000
> > R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000001
> > R13: ffffc9000319fb08 R14: ffff888025eddc98 R15: ffff88804eec0a00
> > FS:  0000000000000000(0000) GS:ffff88802b500000(0063) knlGS:00000000f5106b40
> > CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
> > CR2: fffffffffffffff4 CR3: 00000000614d6000 CR4: 0000000000352ef0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >  vma_modify.constprop.0+0x87/0x410 mm/vma.c:1517
> >  vma_modify_flags_uffd+0x241/0x2e0 mm/vma.c:1598
> >  userfaultfd_clear_vma+0x91/0x130 mm/userfaultfd.c:1906
> >  userfaultfd_release_all+0x2ae/0x4c0 mm/userfaultfd.c:2024
> >  userfaultfd_release+0xf4/0x1c0 fs/userfaultfd.c:865
> >  __fput+0x3ff/0xb70 fs/file_table.c:464
> >  task_work_run+0x14e/0x250 kernel/task_work.c:227
> >  resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
> >  exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
> >  exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
> >  __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
> >  syscall_exit_to_user_mode+0x27b/0x2a0 kernel/entry/common.c:218
> >  __do_fast_syscall_32+0x80/0x120 arch/x86/entry/common.c:390
> >  do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:412
> >  entry_SYSENTER_compat_after_hwframe+0x84/0x8e
> > RIP: 0023:0xf7fe6579
> > Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
> > RSP: 002b:00000000f510655c EFLAGS: 00000296 ORIG_RAX: 0000000000000135
> > RAX: 0000000000000001 RBX: 0000000080000180 RCX: 0000000000000001
> > RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> > RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
> > R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> > Modules linked in:
> > CR2: fffffffffffffff4
> > ---[ end trace 0000000000000000 ]---
> > ----------------
> > Code disassembly (best guess):
> >    0:  e8 5f 25 ad ff          call   0xffad2564
> >    5:  48 8b 14 24             mov    (%rsp),%rdx
> >    9:  48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
> >   10:  fc ff df
> >   13:  48 c1 ea 03             shr    $0x3,%rdx
> >   17:  80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)
> >   1b:  0f 85 1c 19 00 00       jne    0x193d
> >   21:  48 8b 04 24             mov    (%rsp),%rax
> >   25:  48 8b 74 24 08          mov    0x8(%rsp),%rsi
> > * 2a:  4c 8b 38                mov    (%rax),%r15 <-- trapping instruction
> >   2d:  4c 89 ff                mov    %r15,%rdi
> >   30:  e8 9f 1f ad ff          call   0xffad1fd4
> >   35:  48 8b 44 24 08          mov    0x8(%rsp),%rax
> >   3a:  49 39 c7                cmp    %rax,%r15
> >   3d:  0f                      .byte 0xf
> >   3e:  83                      .byte 0x83
> >   3f:  db                      .byte 0xdb
>
> Ahh, fun bug.
This *seems* to be the bug: > > First, in vma_modify: > > merged =3D vma_merge_existing_range(vmg); > if (merged) > return merged; > if (vmg_nomem(vmg)) > return ERR_PTR(-ENOMEM); > > then, all the way up to userfaultfd_release_all (the return value propaga= tes > vma_modify -> vma_modify_flags_uffd -> userfaultfd_clear_vma): > > prev =3D NULL; > for_each_vma(vmi, vma) { > cond_resched(); > BUG_ON(!!vma->vm_userfaultfd_ctx.ctx ^ > !!(vma->vm_flags & __VM_UFFD_FLAGS)); > if (vma->vm_userfaultfd_ctx.ctx !=3D ctx) { > prev =3D vma; > continue; > } > > vma =3D userfaultfd_clear_vma(&vmi, prev, vma, > vma->vm_start, vma->vm_end); > prev =3D vma; > } > > So, if uffd gets an IS_ERR(vma), it keeps going and takes that vma as the= prev value, > which leads to that ERR_PTR(-ENOMEM) deref crash (-12 =3D -ENOMEM =3D 0xf= fffff4). > This situation is kind of awkward because ->release() errors don't mean a= thing. > So, I have another idea (pasting for syzbot) which might just be cromulen= t. > Untested, but thoughts? > > #syz test > > diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c > index d06453fa8aba..fb835d82eb84 100644 > --- a/mm/userfaultfd.c > +++ b/mm/userfaultfd.c > @@ -2023,6 +2023,8 @@ void userfaultfd_release_all(struct mm_struct *mm, > > vma =3D userfaultfd_clear_vma(&vmi, prev, vma, > vma->vm_start, vma->vm_end); > + if (WARN_ON(IS_ERR(vma))) > + break; If this WARN_ON() was ever actually hit, I think we'd leave dangling pointers in VMAs? As much as Linus hates BUG_ON(), I personally think that would be a situation warranting BUG_ON(), or at least CHECK_DATA_CORRUPTION(). That said: > prev =3D vma; > } > mmap_write_unlock(mm); > diff --git a/mm/vma.c b/mm/vma.c > index 71ca012c616c..b2167b7dc27d 100644 > --- a/mm/vma.c > +++ b/mm/vma.c 
> @@ -1517,8 +1517,16 @@ static struct vm_area_struct *vma_modify(struct vm= a_merge_struct *vmg) > merged =3D vma_merge_existing_range(vmg); > if (merged) > return merged; > - if (vmg_nomem(vmg)) > + if (vmg_nomem(vmg)) { > + /* If we can avoid failing the whole modification > + * due to a merge OOM and validly keep going > + * (we're modifying the whole VMA), return vma intact. > + * It won't get merged, but such is life - we're avoiding > + * OOM conditions in other parts of mm/ this way */ > + if (start <=3D vma->vm_start && end >=3D vma->vm_end) > + return vma; > return ERR_PTR(-ENOMEM); > + } Along the lines of your idea, perhaps we could add a parameter "bool never_fail" to vma_modify() that is passed through to vma_merge_existing_range(), and guarantee that it never fails when that parameter is set? Then we could also check that never_fail is only used in cases where no split is necessary. That somewhat avoids having this kind of check that only ever runs in error conditions...
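Review bot: in the mm/userfaultfd.c hunk, the `break` after `WARN_ON(IS_ERR(vma))` leaves every later VMA that still references ctx with its vm_userfaultfd_ctx.ctx pointer set, which is exactly the state this loop exists to clear before the ctx goes away, so the hunk trades a crash for a dangling pointer without saying so. At minimum the hunk needs a comment stating what state is left behind; and given the BUG_ON on `!!vma->vm_userfaultfd_ctx.ctx ^ !!(vma->vm_flags & __VM_UFFD_FLAGS)` at the top of the loop, an error here reads as corruption rather than something to warn about and carry on from, so CHECK_DATA_CORRUPTION() (as raised in the reply) fits better than WARN_ON(). If the mm/vma.c hunk makes the whole-VMA case non-failing, say in the comment that this check is only a backstop.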
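Review bot: in the mm/vma.c hunk, the early `return vma;` inside the vmg_nomem() branch uses `start`, `end` and `vma` bare while the context line shows vma_modify() taking only `vmg`, so the hunk should make it explicit where those come from (the vmg fields, presumably), otherwise it is not obvious they describe the same range the failed merge just used; the block comment also needs its opening `/*` on a line of its own per kernel style. The bounds check `start <= vma->vm_start && end >= vma->vm_end` does limit the fallback to the no-split case, but the comment should spell out the contract the caller now depends on: whether the caller still applies its flag change to the returned, unmerged VMA, so that the only cost of the OOM is a missed merge and not a missed modification.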
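The ERR_PTR propagation Pedro describes, modelled in user space as an added example (not code from this thread or from the kernel): a copy of the ERR_PTR()/IS_ERR() encoding used by include/linux/err.h, a constructed three-VMA list, and the release loop run both as quoted and with the proposed WARN_ON()+break. The names struct vma, clear_vma() and run_scenario() are stand-ins for this example, not kernel identifiers.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#define MAX_ERRNO 4095 /* same bound as include/linux/err.h */
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline bool IS_ERR(const void *p) { return (unsigned long)p >= (unsigned long)-MAX_ERRNO; }
/* -ENOMEM (-12) viewed as a pointer: 0xfffffffffffffff4 on 64-bit, the CR2 in the report. */
static unsigned long enomem_as_address(void) { return (unsigned long)ERR_PTR(-ENOMEM); }

/* Constructed stand-in for the VMA fields the quoted loop touches. */
struct vma {
	void *ctx;         /* vm_userfaultfd_ctx.ctx */
	struct vma *next;
	bool clear_fails;  /* make the clear step fail like an OOM in vma_modify() */
};
struct result { int err_prev_uses; int ctx_left; }; /* error ptr used as prev; VMAs still holding ctx */

/* Stand-in for userfaultfd_clear_vma(): returns the VMA, or ERR_PTR(-ENOMEM). */
static struct vma *clear_vma(struct vma *vma)
{
	if (vma->clear_fails)
		return ERR_PTR(-ENOMEM);
	vma->ctx = NULL;
	return vma;
}

/* Walks the list like userfaultfd_release_all(). stop_on_err=false mirrors the quoted
 * loop: the ERR_PTR becomes prev and the next pass would dereference it. stop_on_err=true
 * mirrors the proposed WARN_ON()+break: no dereference, but later VMAs keep their ctx. */
static struct result release_all(struct vma *head, void *ctx, bool stop_on_err)
{
	struct result r = {0, 0};
	struct vma *prev = NULL;
	for (struct vma *vma = head; vma; vma = vma->next) {
		if (vma->ctx != ctx) { prev = vma; continue; }
		if (IS_ERR(prev))
			r.err_prev_uses++; /* the kernel reads prev->vm_end here and faults */
		struct vma *ret = clear_vma(vma);
		if (stop_on_err && IS_ERR(ret))
			break;
		prev = ret;
	}
	for (struct vma *v = head; v; v = v->next)
		r.ctx_left += (v->ctx == ctx);
	return r;
}

/* Constructed scenario: three VMAs owned by ctx, the middle one fails to clear. */
static struct result run_scenario(bool stop_on_err)
{
	int ctx; /* any unique address serves as the ctx identity */
	struct vma c = { &ctx, NULL, false }, b = { &ctx, &c, true }, a = { &ctx, &b, false };
	return release_all(&a, &ctx, stop_on_err);
}
```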