From: Lorenzo Stoakes <ljs@kernel.org>
To: Matthew Wilcox <willy@infradead.org>
Cc: ZhengYuan Huang <gality369@gmail.com>,
akpm@linux-foundation.org, david@kernel.org,
Liam.Howlett@oracle.com, vbabka@kernel.org, rppt@kernel.org,
surenb@google.com, mhocko@suse.com, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, baijiaju1990@gmail.com,
r33s3n6@gmail.com, zzzccc427@gmail.com
Subject: Re: [PATCH] mm: prepare anon_vma before swapin rmap
Date: Sat, 18 Apr 2026 10:38:54 +0100 [thread overview]
Message-ID: <aeNQ_g-kL1qHr7EN@lucifer> (raw)
In-Reply-To: <aeGxBwfWFlimkm-V@casper.infradead.org>
On Fri, Apr 17, 2026 at 05:03:19AM +0100, Matthew Wilcox wrote:
> On Fri, Apr 17, 2026 at 09:16:06AM +0800, ZhengYuan Huang wrote:
> > Commit a373baed5a9d ("mm: delay the check for a NULL anon_vma") moved
> > anon_vma preparation out of the generic fault path and into the fault
> > handlers that actually need to install anonymous rmap state.
> >
> > do_swap_page() was left behind. It can still restore anonymous mappings
> > via folio_add_new_anon_rmap() or folio_add_anon_rmap_ptes(), but it does
> > not call vmf_anon_prepare() first. On a VMA-lock fault this can leave
> > vma->anon_vma NULL all the way down to __folio_set_anon(), which BUG_ONs
> > on that violated invariant.
>
> Huh. Can you share your reproducer? I wonder if there's an equivalent
> problem with do_numa_fault(). And maybe the right solution might be
> to put the call to vmf_anon_prepare() in handle_pte_fault() instead.
>
> I'm asking because I don't quite understand how we get to this point
> without an anon_vma being assigned to this VMA. We should allocate one on
> the first fault ... so we cannot have ever faulted, but if we've never
> faulted, how does madvise() manage to swap out a page if none has been
> allocated?
Yeah there really isn't any way this should be possible unless something
else is causing a bug here.
My recent anon_vma changes are too new for them to be the culprit I think
:))
>
> (also if you share your reproducer, perhaps someone will add it to the
> self-tests and maybe it'll prevent another bug in the future)
Yes, if this is a real bug we really need to see how this is happening.
Thanks, Lorenzo
next prev parent reply other threads:[~2026-04-18 9:39 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-17 1:16 ZhengYuan Huang
2026-04-17 4:03 ` Matthew Wilcox
2026-04-18 9:38 ` Lorenzo Stoakes [this message]
2026-04-17 10:53 ` David Hildenbrand (Arm)
2026-04-17 11:57 ` David Hildenbrand (Arm)
2026-04-17 13:03 ` Matthew Wilcox
2026-04-17 13:36 ` Vlastimil Babka (SUSE)
2026-04-17 15:09 ` Matthew Wilcox
2026-04-18 9:35 ` Lorenzo Stoakes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aeNQ_g-kL1qHr7EN@lucifer \
--to=ljs@kernel.org \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=baijiaju1990@gmail.com \
--cc=david@kernel.org \
--cc=gality369@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@suse.com \
--cc=r33s3n6@gmail.com \
--cc=rppt@kernel.org \
--cc=surenb@google.com \
--cc=vbabka@kernel.org \
--cc=willy@infradead.org \
--cc=zzzccc427@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox