On Wed, 1 Aug 2018, Linus Torvalds wrote:
>
> Anyway, the upshot of all this is that I think I know what the ia64
> problem was, and John sent the patch for the ashmem case, and I'm
> going to hold off reverting that vma_is_anonymous() false-positives
> commit after all.

I'd better send deletion of zap_pmd_range()'s VM_BUG_ON_VMA(): below
(but I've no proprietorial interest, if you prefer to do your own).

John's patch is good, and originally I thought it was safe from that
VM_BUG_ON_VMA(), because the /dev/ashmem fd exposed to the user is
disconnected from the vm_file in the vma, and madvise(,,MADV_REMOVE)
insists on VM_SHARED.

But afterwards I read John's earlier mail, drawing attention to the
vfs_fallocate() in there: I may be wrong, and I don't know if Android
has THP in the config anyway, but it looks to me like an
unmap_mapping_range() from ashmem's vfs_fallocate() could hit precisely
the VM_BUG_ON_VMA(), once it's vma_is_anonymous().

(I'm not familiar with ashmem, and I certainly don't understand the
role of MAP_PRIVATE ashmem mappings - hole-punch's zap_pte_range()
should end up leaving any anon pages in place; but the presence of
the BUG is requiring us all to understand too much too quickly.)

[PATCH] mm: delete historical BUG from zap_pmd_range()

Delete the old VM_BUG_ON_VMA() from zap_pmd_range(), which asserted
that mmap_sem must be held when splitting an "anonymous" vma there.
Whether that's still strictly true nowadays is not entirely clear,
but the danger of sometimes crashing on the BUG is now fairly clear.

Signed-off-by: Hugh Dickins <hughd@xxxxxxxxxx>
---
 mm/memory.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- 4.18-rc7/mm/memory.c	2018-06-16 18:48:22.041173422 -0700
+++ linux/mm/memory.c	2018-08-01 11:01:21.397286507 -0700
@@ -1417,11 +1417,9 @@ static inline unsigned long zap_pmd_rang do { next = pmd_addr_end(addr, end); if (is_swap_pmd(*pmd) || pmd_trans_huge(*pmd) || pmd_devmap(*pmd)) { - if (next - addr != HPAGE_PMD_SIZE) { - VM_BUG_ON_VMA(vma_is_anonymous(vma) && - !rwsem_is_locked(&tlb->mm->mmap_sem), vma); + if (next - addr != HPAGE_PMD_SIZE) __split_huge_pmd(vma, pmd, addr, false, NULL); - } else if (zap_huge_pmd(tlb, vma, pmd, addr)) + else if (zap_huge_pmd(tlb, vma, pmd, addr)) goto next; /* fall through */ }
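Review bot: dropping the VM_BUG_ON_VMA() also drops the only statement in zap_pmd_range() of the locking expectation around __split_huge_pmd(), and the commit message itself says it is unclear whether that expectation still holds; consider leaving a one-line comment at the `if (next - addr != HPAGE_PMD_SIZE)` site noting that callers such as unmap_mapping_range() may reach this split without mmap_sem, so the next reader does not reintroduce the assertion or assume the lock. Minor style point: with the braces removed, the `/* fall through */` comment now follows a braceless `else if`; it still reads correctly, but keeping the comment directly after `goto next;` on its own line (as the hunk does) is what makes the fall-through intent visible, so please keep it there.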