From: Jann Horn
Date: Tue, 15 Aug 2023 21:43:46 +0200
Subject: [mm] VMA merging behavior wrt anon_vma has been slightly broken since Linux 3.0 (in a non-dangerous way)
To: Linux-MM, Andrew Morton, Shaohua Li
Cc: kernel list, Peter Zijlstra, Liam Howlett

Hi!

I think VMA merging was accidentally nerfed a bit by commit 965f55dea0e3 ("mmap: avoid merging cloned VMAs"), which landed in Linux 3.0 - essentially, that commit makes it impossible to merge a VMA with an anon_vma into an adjacent VMA that does not have an anon_vma. (But the other direction works.)
is_mergeable_anon_vma() is defined as:

```
static inline bool is_mergeable_anon_vma(struct anon_vma *anon_vma1,
					 struct anon_vma *anon_vma2,
					 struct vm_area_struct *vma)
{
	/*
	 * The list_is_singular() test is to avoid merging VMA cloned from
	 * parents. This can improve scalability caused by anon_vma lock.
	 */
	if ((!anon_vma1 || !anon_vma2) &&
	    (!vma || list_is_singular(&vma->anon_vma_chain)))
		return true;
	return anon_vma1 == anon_vma2;
}
```

If this function is called with a non-NULL vma pointer (which is almost always the case, except when checking for whether it's possible to merge in both directions at the same time), and one of the two anon_vmas is non-NULL, this returns list_is_singular(&vma->anon_vma_chain).

I believe that list_is_singular() call is supposed to check whether the anon_vma_chain contains *more than one* element, but it actually also fails if the anon_vma_chain contains zero elements.

This means that the dup_anon_vma() calls in vma_merge() are effectively all no-ops because they are never called with a target that does not have an anon_vma and a source that has an anon_vma.

I think this is unintentional - though I guess this unintentional refusal to merge VMAs this way also lowers the complexity of what can happen in the VMA merging logic.

So I think the right fix here is to make this kind of merging possible again by changing "list_is_singular(&vma->anon_vma_chain)" to "list_empty(&vma->anon_vma_chain) || list_is_singular(&vma->anon_vma_chain)", but my security hat makes me say that I'd also be happy if the unintentional breakage stayed the way it is now.
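To make the empty-chain case concrete, here is an added userspace model (not code from the mail or from the kernel tree) of the quoted check beside the variant the mail proposes; the list helpers follow `<linux/list.h>` semantics, and `merge_allowed()` and the `n`-entry chain are constructed test input.

```c
/* Added example, not from the mail or the kernel: a userspace model of the
 * quoted is_mergeable_anon_vma() next to the list_empty() variant the mail
 * proposes. List helpers follow <linux/list.h> semantics. */
#include <stdbool.h>
#include <stddef.h>
struct list_head { struct list_head *next, *prev; };
struct anon_vma { int dummy; };
struct vm_area_struct { struct list_head anon_vma_chain; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static bool list_empty(const struct list_head *h) { return h->next == h; }
/* True only for exactly one element; false for zero, like the kernel's. */
static bool list_is_singular(const struct list_head *h)
{
    return !list_empty(h) && h->next == h->prev;
}
/* The check as quoted in the mail. */
static bool is_mergeable_anon_vma_current(struct anon_vma *a1, struct anon_vma *a2,
                                          struct vm_area_struct *vma)
{
    if ((!a1 || !a2) && (!vma || list_is_singular(&vma->anon_vma_chain)))
        return true;
    return a1 == a2;
}
/* The same check with the mail's suggested change applied. */
static bool is_mergeable_anon_vma_fixed(struct anon_vma *a1, struct anon_vma *a2,
                                        struct vm_area_struct *vma)
{
    if ((!a1 || !a2) && (!vma || list_empty(&vma->anon_vma_chain) ||
                         list_is_singular(&vma->anon_vma_chain)))
        return true;
    return a1 == a2;
}
/* Constructed input: target vma has no anon_vma and n chain entries (n<=2),
 * the adjacent source vma has an anon_vma. Returns whether merging is allowed. */
static bool merge_allowed(int n, bool use_fix)
{
    struct vm_area_struct vma;
    struct list_head avc[2];
    struct anon_vma src = { 0 };
    INIT_LIST_HEAD(&vma.anon_vma_chain);
    for (int i = 0; i < n && i < 2; i++)
        list_add(&avc[i], &vma.anon_vma_chain);
    return use_fix ? is_mergeable_anon_vma_fixed(NULL, &src, &vma)
                   : is_mergeable_anon_vma_current(NULL, &src, &vma);
}
```

With the quoted check, a target whose anon_vma_chain is empty (the no-anon_vma case) is refused, while the list_empty() variant accepts it and both still refuse a chain with two entries.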