linux-mm.kvack.org archive mirror
From: Pedro Falcato <pfalcato@suse.de>
To: "Lorenzo Stoakes (Oracle)" <ljs@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	"Liam R. Howlett" <Liam.Howlett@oracle.com>,
	Vlastimil Babka <vbabka@kernel.org>,
	Mike Rapoport <rppt@kernel.org>,
	Suren Baghdasaryan <surenb@google.com>,
	Michal Hocko <mhocko@suse.com>, Jann Horn <jannh@google.com>,
	linux-mm@kvack.org, linux-kernel@vger.kernel.org,
	Jianzhou Zhao <luckd0g@163.com>,
	Oscar Salvador <osalvador@suse.de>
Subject: Re: [PATCH 1/3] mm/mremap: correct invalid map count check
Date: Fri, 27 Mar 2026 09:19:02 +0000
Message-ID: <gigiefu6cc6qz3gjghzb67lhlay67ljn2g27mmricgwbmg33j6@li2nqvunflpl>
In-Reply-To: <73e218c67dcd197c5331840fb011e2c17155bfb0.1773249037.git.ljs@kernel.org>

On Wed, Mar 11, 2026 at 05:24:36PM +0000, Lorenzo Stoakes (Oracle) wrote:
> We currently check, on moving a VMA when doing mremap(), whether it
> might violate the sys.vm.max_map_count limit.
> 
> This was introduced in the mists of time prior to 2.6.12.
> 
> At this point in time, as now, the move_vma() operation would copy the
> VMA (+1 mapping if not merged), then potentially split the source VMA upon
> unmap.
> 
> Prior to commit 659ace584e7a ("mmap: don't return ENOMEM when mapcount is
> temporarily exceeded in munmap()"), a VMA split would check whether
> mm->map_count >= sysctl_max_map_count prior to a split before it ran.
> 
> On unmap of the source VMA, if we are moving a partial VMA, we might split
> the VMA twice.
> 
> This would mean, on invocation of split_vma() (as was), we'd check whether
> mm->map_count >= sysctl_max_map_count with a map count elevated by one,
> then again with a map count elevated by two, ending up with a map count
> elevated by three.
> 
> At this point we'd reduce the map count on unmap.
> 
> At the start of move_vma(), there was a check that has remained throughout
> mremap()'s history of mm->map_count >= sysctl_max_map_count - 3 (which
> implies mm->mmap_count + 4 > sysctl_max_map_count - that is, we must have
> headroom for 4 additional mappings).
> 
> After mm->map_count is elevated by 3, it is decremented by one once the
> unmap completes. The mmap write lock is held, so nothing else will observe
> mm->map_count > sysctl_max_map_count.
> 
> It appears this check was always incorrect - it should have either been
> one of 'mm->map_count > sysctl_max_map_count - 3' or 'mm->map_count >=
> sysctl_max_map_count - 2'.
> 
> After commit 659ace584e7a ("mmap: don't return ENOMEM when mapcount is
> temporarily exceeded in munmap()"), the map count check on split is
> eliminated in the newly introduced __split_vma(), which the unmap path
> uses, and has that path check whether mm->map_count >=
> sysctl_max_map_count.
> 
> This is valid since, net, an unmap can only cause an increase in map count
> of 1 (split both sides, unmap middle).
> 
> Since we only copy a VMA and (if MREMAP_DONTUNMAP is not set) unmap
> afterwards, the maximum number of additional mappings that will actually be
> subject to any check will be 2.
> 
> Therefore, update the check to assert this corrected value. Additionally,
> update the check introduced by commit ea2c3f6f5545 ("mm,mremap: bail out
> earlier in mremap_to under map pressure") to account for this.
> 
> While we're here, clean up the comment prior to that.
> 
> Signed-off-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org>

Reviewed-by: Pedro Falcato <pfalcato@suse.de>

-- 
Pedro