mm/mmap: Fix error path in do_vmi_align_munmap()

The error unrolling was leaving the VMAs detached in many cases and
leaving the locked_vm statistic altered, and skipping the unrolling
entirely in the case of the vma tree write failing.

Fix the error path by re-attaching the detached VMAs and adding the
necessary goto for the failed vma tree write, and fix the locked_vm
statistic by only updating after the vma tree write succeeds.

Fixes: 763ecb0350 ("mm: remove the vma linked list")
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Liam R. Howlett 2023-06-17 20:47:08 -04:00 committed by Linus Torvalds
parent 1b29d27161
commit 606c812eb1


@ -2318,21 +2318,6 @@ int split_vma(struct vma_iterator *vmi, struct vm_area_struct *vma,
return __split_vma(vmi, vma, addr, new_below); return __split_vma(vmi, vma, addr, new_below);
} }
static inline int munmap_sidetree(struct vm_area_struct *vma,
struct ma_state *mas_detach)
{
vma_start_write(vma);
mas_set_range(mas_detach, vma->vm_start, vma->vm_end - 1);
if (mas_store_gfp(mas_detach, vma, GFP_KERNEL))
return -ENOMEM;
vma_mark_detached(vma, true);
if (vma->vm_flags & VM_LOCKED)
vma->vm_mm->locked_vm -= vma_pages(vma);
return 0;
}
/* /*
* do_vmi_align_munmap() - munmap the aligned region from @start to @end. * do_vmi_align_munmap() - munmap the aligned region from @start to @end.
* @vmi: The vma iterator * @vmi: The vma iterator
@ -2354,6 +2339,7 @@ do_vmi_align_munmap(struct vma_iterator *vmi, struct vm_area_struct *vma,
struct maple_tree mt_detach; struct maple_tree mt_detach;
int count = 0; int count = 0;
int error = -ENOMEM; int error = -ENOMEM;
unsigned long locked_vm = 0;
MA_STATE(mas_detach, &mt_detach, 0, 0); MA_STATE(mas_detach, &mt_detach, 0, 0);
mt_init_flags(&mt_detach, vmi->mas.tree->ma_flags & MT_FLAGS_LOCK_MASK); mt_init_flags(&mt_detach, vmi->mas.tree->ma_flags & MT_FLAGS_LOCK_MASK);
mt_set_external_lock(&mt_detach, &mm->mmap_lock); mt_set_external_lock(&mt_detach, &mm->mmap_lock);
@ -2399,9 +2385,13 @@ do_vmi_align_munmap(struct vma_iterator *vmi, struct vm_area_struct *vma,
if (error) if (error)
goto end_split_failed; goto end_split_failed;
} }
error = munmap_sidetree(next, &mas_detach); vma_start_write(next);
if (error) mas_set_range(&mas_detach, next->vm_start, next->vm_end - 1);
goto munmap_sidetree_failed; if (mas_store_gfp(&mas_detach, next, GFP_KERNEL))
goto munmap_gather_failed;
vma_mark_detached(next, true);
if (next->vm_flags & VM_LOCKED)
locked_vm += vma_pages(next);
count++; count++;
#ifdef CONFIG_DEBUG_VM_MAPLE_TREE #ifdef CONFIG_DEBUG_VM_MAPLE_TREE
@ -2447,10 +2437,12 @@ do_vmi_align_munmap(struct vma_iterator *vmi, struct vm_area_struct *vma,
} }
#endif #endif
/* Point of no return */ /* Point of no return */
error = -ENOMEM;
vma_iter_set(vmi, start); vma_iter_set(vmi, start);
if (vma_iter_clear_gfp(vmi, start, end, GFP_KERNEL)) if (vma_iter_clear_gfp(vmi, start, end, GFP_KERNEL))
return -ENOMEM; goto clear_tree_failed;
mm->locked_vm -= locked_vm;
mm->map_count -= count; mm->map_count -= count;
/* /*
* Do not downgrade mmap_lock if we are next to VM_GROWSDOWN or * Do not downgrade mmap_lock if we are next to VM_GROWSDOWN or
@ -2480,9 +2472,14 @@ do_vmi_align_munmap(struct vma_iterator *vmi, struct vm_area_struct *vma,
validate_mm(mm); validate_mm(mm);
return downgrade ? 1 : 0; return downgrade ? 1 : 0;
clear_tree_failed:
userfaultfd_error: userfaultfd_error:
munmap_sidetree_failed: munmap_gather_failed:
end_split_failed: end_split_failed:
mas_set(&mas_detach, 0);
mas_for_each(&mas_detach, next, end)
vma_mark_detached(next, false);
__mt_destroy(&mt_detach); __mt_destroy(&mt_detach);
start_split_failed: start_split_failed:
map_count_exceeded: map_count_exceeded: