Received: by 2002:a05:7412:3784:b0:e2:908c:2ebd with SMTP id jk4csp2072533rdb; Tue, 3 Oct 2023 09:21:47 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHacP1Ra9WK2pJBQodLOD4XIB585/AIw65MFT8lBjdUVY5m0UVDTV1Fiqr1NhnyWbZCQ+WY X-Received: by 2002:a05:6830:20d9:b0:6b9:52cb:3adf with SMTP id z25-20020a05683020d900b006b952cb3adfmr15557185otq.20.1696350107522; Tue, 03 Oct 2023 09:21:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696350107; cv=none; d=google.com; s=arc-20160816; b=OBTbKFdd7Y31DbHp8QucFcZI7sxoO2T3Lcqnyp2/ZJ4gmUIeJWdejloAVvZqw2JM8c UptcFhq3ybToPjpyt6b10HTvrs6ItU2g2MEt8PQJSlFwdOTzTrm+unjKhr8U68Uq5jUh SbzFJFNveE7jLTq6w0d/OGS+XDmoeh2l+vhlMtJ8g4v4lHKfetKoaApf+3P6gkRkKnFw 5xg3ZQu8bg3mYrlK4/eXjCSmD/4QGDgQEoxrgpu2rRnSYRkiW0qrZjlWc3Yc6G6kX6Pu loFpmvzkDBt3k8rlHKpN01wraTnF7zfMQoJuJf9renigKZJyj9s3MjLFUGGtBUQfN79L EHjA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=dpyVNkJRXjRkFR/rn/ddNmNe1O9yMqnXww/ltlxxeCg=; fh=0ExLjLeOgbwWmggocmqV56/qJMsjVchAZKwOnSJm8iQ=; b=D1R4kawVSdL1wldbbYFWg9muHvsCLQVKdrsjTsNVVihVeyiApw3dXyQJ+lD1o/yTik wif7Xtoohlkpb5Pt7L7fvnshvrBMymTJsnh7LWfdIM1Z4ZuvBpIJruUxU/pffzMU43U8 rKITTPDisOEAXn/q9OY8RjaqwVWqeDu8V/141TT40yDt2W/iTb5Yb2EyCjJi4PX7+xpf EaKKQb6J7hhQ5UDptmbSZy5i4J1PgIhfPexLFyGS4nnTEzmo6xKz6WGO60pOdd53bWkO kby7ZXqpnagEEiEr0+FBdB4E8hBb3o6MH52RuZ6ouFBH2rgF6LNj9Lgs+poNOFJJVfzl QwqA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=DnGtbFwz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from snail.vger.email (snail.vger.email. [2620:137:e000::3:7]) by mx.google.com with ESMTPS id v135-20020a63618d000000b00588fa0def24si1653868pgb.777.2023.10.03.09.21.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Oct 2023 09:21:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) client-ip=2620:137:e000::3:7; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=DnGtbFwz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id 45C4A81A43F6; Tue, 3 Oct 2023 09:21:43 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240423AbjJCQVm (ORCPT + 99 others); Tue, 3 Oct 2023 12:21:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41172 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232414AbjJCQVk (ORCPT ); Tue, 3 Oct 2023 12:21:40 -0400 Received: from mail-yw1-x112f.google.com (mail-yw1-x112f.google.com [IPv6:2607:f8b0:4864:20::112f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9B308A9 for ; Tue, 3 Oct 2023 09:21:36 -0700 (PDT) Received: by mail-yw1-x112f.google.com with SMTP id 00721157ae682-59bf1dde73fso13842037b3.3 for ; Tue, 03 Oct 2023 09:21:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1696350096; x=1696954896; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=dpyVNkJRXjRkFR/rn/ddNmNe1O9yMqnXww/ltlxxeCg=; b=DnGtbFwzDUxWK97sGgcMJ+dCXqK+MF3U2LulPeBCMtPnAWPReGHXlqcFBO6Fz+BnR/ b9mW82cfFvhV3fU02cRQ7FkkYQUzqizKjNdUrs/iCn3AXqSFoH9wfg7+MeyX8x0gOV05 hZE6ZA3EboMqtIU7mS9+FSREZWinu5U8ENfYjypGafbgPSpzTKZlXNut2yAXQEJuoZW2 nTJBgrx1t3IBlJ8w4v0lYU8BeFAnMTz2Id6xOQe1jxyn24VRbmZviwPiuY0eCaEBxTl6 MXVCmpKmO+9UqX7HrOKp4EpiB9TvGagn2EGE1LstU+BDyyG9rpCqr7UuaNnuuTz+LNWP t3NA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696350096; x=1696954896; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=dpyVNkJRXjRkFR/rn/ddNmNe1O9yMqnXww/ltlxxeCg=; b=Zcr4S5jfpAQ7ziDjRv526iZa+MrNrBUSp1r1blyy7j9Bg1EaYOWJNc88XoLCiBMBWx /wtDvNCgZ7U4l32/oDdYy9fNQG2iDlhSeU37XNTzEzgTF42FU6M0NSnC4SdQe5SVE8Rf HpSFdPLqzdxJy41jtaFVrAgheNhinKnRFmRBokf5WnwKHpwauPY+dfVPZ5qwwuT8/LvW r1oYIEg2xRhyOyFv/iXwgUM7UA8ce0V4oPlAkifChYbjqLfW43S0sW6FgiC66Hhia57Y ELmeGPcMD2II/nox+25MSm9Rw1vFC8rpXAagg6U+PO4FW2+2XjvlhdclnUb/sgm4TOBY KTnw== X-Gm-Message-State: AOJu0Ywugo+hmBkuKJ4TWibOjC7yAtIyPbG+YNcClB/CMkPdu1uvqsX/ SHdd/xr85/Ql5e8mxQ/TRXp9Zf8zpoIACYDWG0qMgQ== X-Received: by 2002:a81:5251:0:b0:586:a170:7dbe with SMTP id g78-20020a815251000000b00586a1707dbemr111089ywb.13.1696350095583; Tue, 03 Oct 2023 09:21:35 -0700 (PDT) MIME-Version: 1.0 References: <20230929183041.2835469-1-Liam.Howlett@oracle.com> <20230929183041.2835469-3-Liam.Howlett@oracle.com> In-Reply-To: <20230929183041.2835469-3-Liam.Howlett@oracle.com> From: Suren Baghdasaryan Date: Tue, 3 Oct 2023 09:21:22 -0700 Message-ID: Subject: Re: [PATCH v3 2/3] mmap: Fix error paths with dup_anon_vma() To: "Liam R. Howlett" Cc: Andrew Morton , linux-mm@kvack.org, linux-kernel@vger.kernel.org, Jann Horn , Lorenzo Stoakes , Vlastimil Babka , Matthew Wilcox , stable@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Tue, 03 Oct 2023 09:21:43 -0700 (PDT) On Fri, Sep 29, 2023 at 11:30=E2=80=AFAM Liam R. Howlett wrote: > > When the calling function fails after the dup_anon_vma(), the > duplication of the anon_vma is not being undone. Add the necessary > unlink_anon_vma() call to the error paths that are missing them. > > This issue showed up during inspection of the error path in vma_merge() > for an unrelated vma iterator issue. > > Users may experience increased memory usage, which may be problematic as > the failure would likely be caused by a low memory situation. > > Fixes: d4af56c5c7c6 ("mm: start tracking VMAs with maple tree") > Cc: stable@vger.kernel.org > Cc: Jann Horn > Signed-off-by: Liam R. Howlett > --- > mm/mmap.c | 30 ++++++++++++++++++++++-------- > 1 file changed, 22 insertions(+), 8 deletions(-) > > diff --git a/mm/mmap.c b/mm/mmap.c > index acb7dea49e23..f9f0a5fe4db4 100644 > --- a/mm/mmap.c > +++ b/mm/mmap.c > @@ -583,11 +583,12 @@ static inline void vma_complete(struct vma_prepare = *vp, > * dup_anon_vma() - Helper function to duplicate anon_vma > * @dst: The destination VMA > * @src: The source VMA > + * @dup: Pointer to the destination VMA when successful. > * > * Returns: 0 on success. > */ > static inline int dup_anon_vma(struct vm_area_struct *dst, > - struct vm_area_struct *src) > + struct vm_area_struct *src, struct vm_area_struct **dup) > { > /* > * Easily overlooked: when mprotect shifts the boundary, make sur= e the > @@ -595,9 +596,15 @@ static inline int dup_anon_vma(struct vm_area_struct= *dst, > * anon pages imported. > */ > if (src->anon_vma && !dst->anon_vma) { > + int ret; > + > vma_assert_write_locked(dst); > dst->anon_vma =3D src->anon_vma; > - return anon_vma_clone(dst, src); > + ret =3D anon_vma_clone(dst, src); > + if (ret) > + return ret; > + > + *dup =3D dst; > } > > return 0; > @@ -624,6 +631,7 @@ int vma_expand(struct vma_iterator *vmi, struct vm_ar= ea_struct *vma, > unsigned long start, unsigned long end, pgoff_t pgoff, > struct vm_area_struct *next) > { > + struct vm_area_struct *anon_dup =3D NULL; > bool remove_next =3D false; > struct vma_prepare vp; > > @@ -633,7 +641,7 @@ int vma_expand(struct vma_iterator *vmi, struct vm_ar= ea_struct *vma, > > remove_next =3D true; > vma_start_write(next); > - ret =3D dup_anon_vma(vma, next); > + ret =3D dup_anon_vma(vma, next, &anon_dup); > if (ret) > return ret; Shouldn't the above be changed to a "goto nomem" instead of "return ret" ? > } > @@ -661,6 +669,8 @@ int vma_expand(struct vma_iterator *vmi, struct vm_ar= ea_struct *vma, > return 0; > > nomem: > + if (anon_dup) > + unlink_anon_vmas(anon_dup); > return -ENOMEM; > } > > @@ -860,6 +870,7 @@ struct vm_area_struct *vma_merge(struct vma_iterator = *vmi, struct mm_struct *mm, > { > struct vm_area_struct *curr, *next, *res; > struct vm_area_struct *vma, *adjust, *remove, *remove2; > + struct vm_area_struct *anon_dup =3D NULL; > struct vma_prepare vp; > pgoff_t vma_pgoff; > int err =3D 0; > @@ -927,18 +938,18 @@ struct vm_area_struct *vma_merge(struct vma_iterato= r *vmi, struct mm_struct *mm, > vma_start_write(next); > remove =3D next; /* case 1 */ > vma_end =3D next->vm_end; > - err =3D dup_anon_vma(prev, next); > + err =3D dup_anon_vma(prev, next, &anon_dup); > if (curr) { /* case 6 */ > vma_start_write(curr); > remove =3D curr; > remove2 =3D next; > if (!next->anon_vma) > - err =3D dup_anon_vma(prev, curr); > + err =3D dup_anon_vma(prev, curr, &anon_du= p); > } > } else if (merge_prev) { /* case 2 */ > if (curr) { > vma_start_write(curr); > - err =3D dup_anon_vma(prev, curr); > + err =3D dup_anon_vma(prev, curr, &anon_dup); > if (end =3D=3D curr->vm_end) { /* case 7 */ > remove =3D curr; > } else { /* case 5 */ > @@ -954,7 +965,7 @@ struct vm_area_struct *vma_merge(struct vma_iterator = *vmi, struct mm_struct *mm, > vma_end =3D addr; > adjust =3D next; > adj_start =3D -(prev->vm_end - addr); > - err =3D dup_anon_vma(next, prev); > + err =3D dup_anon_vma(next, prev, &anon_dup); > } else { > /* > * Note that cases 3 and 8 are the ONLY ones wher= e prev > @@ -968,7 +979,7 @@ struct vm_area_struct *vma_merge(struct vma_iterator = *vmi, struct mm_struct *mm, > vma_pgoff =3D curr->vm_pgoff; > vma_start_write(curr); > remove =3D curr; > - err =3D dup_anon_vma(next, curr); > + err =3D dup_anon_vma(next, curr, &anon_du= p); > } > } > } > @@ -1018,6 +1029,9 @@ struct vm_area_struct *vma_merge(struct vma_iterato= r *vmi, struct mm_struct *mm, > return res; > > prealloc_fail: > + if (anon_dup) > + unlink_anon_vmas(anon_dup); Maybe a stupid question, but why can't we do this unlinking inside dup_anon_vma() itself when anon_vma_clone() fails? That would eliminate the need for the out parameter in that function. I suspect that there is a reason for that which I'm missing. > + > anon_vma_fail: > vma_iter_set(vmi, addr); > vma_iter_load(vmi); > -- > 2.40.1 >