Message-ID: <437896e6-c54e-4c5a-f1af-46d91ea6f155@suse.cz>
Date: Fri, 29 Sep 2023 12:07:53 +0200
Subject: Re: [PATCH 2/3] mmap: Fix error paths with dup_anon_vma()
From: Vlastimil Babka
To: "Liam R. Howlett", Andrew Morton
Cc: maple-tree@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Jann Horn, Lorenzo Stoakes, Suren Baghdasaryan, Matthew Wilcox, stable@vger.kernel.org
In-Reply-To: <20230927160746.1928098-3-Liam.Howlett@oracle.com>

On 9/27/23 18:07, Liam R. Howlett wrote:
> When the calling function fails after the dup_anon_vma(), the
> duplication of the anon_vma is not being undone. Add the necessary
> unlink_anon_vma() call to the error paths that are missing them.
>
> This issue showed up during inspection of the error path in vma_merge()
> for an unrelated vma iterator issue.
>
> Users may experience increased memory usage, which may be problematic as
> the failure would likely be caused by a low memory situation.
>
> Fixes: d4af56c5c7c6 ("mm: start tracking VMAs with maple tree")
> Cc: stable@vger.kernel.org
> Cc: Jann Horn
> Signed-off-by: Liam R. Howlett
> ---
> mm/mmap.c | 20 ++++++++++++++------
> 1 file changed, 14 insertions(+), 6 deletions(-)
>
> diff --git a/mm/mmap.c b/mm/mmap.c > index b5bc4ca9bdc4..2f0ee489db8a 100644 > --- a/mm/mmap.c > +++ b/mm/mmap.c > @@ -587,7 +587,7 @@ static inline void vma_complete(struct vma_prepare *vp, > * Returns: 0 on success. > */ > static inline int dup_anon_vma(struct vm_area_struct *dst, > - struct vm_area_struct *src) > + struct vm_area_struct *src, struct vm_area_struct **dup) > { > /* > * Easily overlooked: when mprotect shifts the boundary, make sure the
> @@ -597,6 +597,7 @@ static inline int dup_anon_vma(struct vm_area_struct *dst, > if (src->anon_vma && !dst->anon_vma) { > vma_assert_write_locked(dst); > dst->anon_vma = src->anon_vma; > + *dup = dst; > return anon_vma_clone(dst, src); So the code is simpler that way and seems current callers are fine, but shouldn't we rather only assign *dup if the clone succeeds? > } > > @@ -624,6 +625,7 @@ int vma_expand(struct vma_iterator *vmi, struct vm_area_struct *vma, > unsigned long start, unsigned long end, pgoff_t pgoff, > struct vm_area_struct *next) > { > + struct vm_area_struct *anon_dup = NULL; > bool remove_next = false; > struct vma_prepare vp; > > @@ -633,7 +635,7 @@ int vma_expand(struct vma_iterator *vmi, struct vm_area_struct *vma, > > remove_next = true; > vma_start_write(next); > - ret = dup_anon_vma(vma, next); > + ret = dup_anon_vma(vma, next, &anon_dup); > if (ret) > return ret; > } > @@ -661,6 +663,8 @@ int vma_expand(struct vma_iterator *vmi, struct vm_area_struct *vma, > return 0; > > nomem: > + if (anon_dup) > + unlink_anon_vmas(anon_dup); > return -ENOMEM; > } > > @@ -860,6 +864,7 @@ struct vm_area_struct *vma_merge(struct vma_iterator *vmi, struct mm_struct *mm, > { > struct vm_area_struct *curr, *next, *res; > struct vm_area_struct *vma, *adjust, *remove, *remove2; > + struct vm_area_struct *anon_dup = NULL; > struct vma_prepare vp; > pgoff_t vma_pgoff; > int err = 0; 
> @@ -927,18 +932,18 @@ struct vm_area_struct *vma_merge(struct vma_iterator *vmi, struct mm_struct *mm, > vma_start_write(next); > remove = next; /* case 1 */ > vma_end = next->vm_end; > - err = dup_anon_vma(prev, next); > + err = dup_anon_vma(prev, next, &anon_dup); > if (curr) { /* case 6 */ > vma_start_write(curr); > remove = curr; > remove2 = next; > if (!next->anon_vma) > - err = dup_anon_vma(prev, curr); > + err = dup_anon_vma(prev, curr, &anon_dup); > } > } else if (merge_prev) { /* case 2 */ > if (curr) { > vma_start_write(curr); > - err = dup_anon_vma(prev, curr); > + err = dup_anon_vma(prev, curr, &anon_dup); > if (end == curr->vm_end) { /* case 7 */ > remove = curr; > } else { /* case 5 */ > @@ -954,7 +959,7 @@ struct vm_area_struct *vma_merge(struct vma_iterator *vmi, struct mm_struct *mm, > vma_end = addr; > adjust = next; > adj_start = -(prev->vm_end - addr); > - err = dup_anon_vma(next, prev); > + err = dup_anon_vma(next, prev, &anon_dup); > } else { > /* > * Note that cases 3 and 8 are the ONLY ones where prev > @@ -1018,6 +1023,9 @@ struct vm_area_struct *vma_merge(struct vma_iterator *vmi, struct mm_struct *mm, > return res; > > prealloc_fail: > + if (anon_dup) > + unlink_anon_vmas(anon_dup); > + > anon_vma_fail: > if (merge_prev) > vma_next(vmi);
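
Review bot: the kernel-doc block above dup_anon_vma() in the first hunk (the comment ending in "Returns: 0 on success.") is left unchanged although the signature gains a third parameter, dup. Document that dup is an out-parameter set to dst when an anon_vma is attached here, and that in the visible lines it is written only inside the "if (src->anon_vma && !dst->anon_vma)" branch, which is why both callers have to initialise their anon_dup to NULL. The comment should also say what a caller is expected to do with it on a later failure.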
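
Review bot: in the @@ -597 hunk, "*dup = dst;" is stored before anon_vma_clone(dst, src) has returned, so a failed clone still hands the caller a non-NULL dup. Assigning it only on success, for example "ret = anon_vma_clone(dst, src); if (!ret) *dup = dst; return ret;", keeps a caller from ever unlinking a vma whose clone did not complete. vma_expand() is unaffected today only because it does "if (ret) return ret;" straight after the call and never reaches nomem:, but the out-parameter should not depend on each caller getting that ordering right.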
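
Review bot: in the last vma_merge() hunk, the new "if (anon_dup) unlink_anon_vmas(anon_dup);" sits under prealloc_fail: and then falls through into anon_vma_fail:, so the order of the two labels now decides whether the unlink runs. Add a one-line comment that the fall-through is intentional and why anon_vma_fail: itself needs no unlink. Without it, a later reordering of the labels, or a new "goto anon_vma_fail" placed after a successful dup_anon_vma(), would skip the cleanup this patch adds.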