On Fri, Mar 21, 2025 at 10:09:37AM +0000, Lorenzo Stoakes wrote: > Currently, if a VMA merge fails due to an OOM condition arising on commit > merge or a failure to duplicate anon_vma's, we report this so the caller > can handle it. > > However there are cases where the caller is only ostensibly trying a > merge, and doesn't mind if it fails due to this condition. > Ok, so here's my problem with your idea: I don't think merge should be exposed to vma_modify() callers. Right now (at least AIUI), you want to modify a given VMA, you call vma_modify(), and it gives you a vma you can straight up modify without any problems. Essentially breaks down any VMAs necessary. This feels contractually simple and easy to use, and I don't think leaking details about merging is the correct approach here. > Since we do not want to introduce an implicit assumption that we only > actually modify VMAs after OOM conditions might arise, add a 'give up on > oom' option and make an explicit contract that, should this flag be set, we > absolutely will not modify any VMAs should OOM arise and just bail out. > Thus, to me the most natural solution is still mine. Do you think it places too many constraints on vma_modify()? vma_modify() on a single VMA, without splitting, Just Working(tm) is a sensible expectation (and vma_merge being fully best-effort). Things like mprotect() failing due to OOM are also pretty disastrous, so if we could limit that it'd be great. In any case, your solution looks palatable to me, but I want to make sure we're not making this excessively complicated. -- Pedro
