On 2020-01-07 at 18:19 Konstantin Khlebnikov wrote:
>Function vm_area_dup() makes exact copy of structure. It's better to stop
>referencing parent structures because various helpers use these pointers.
>
>For example if VM_WIPEONFORK is set then anon_vma_prepare() will try to
>merge anon_vma with previous and next VMA. Poking parent VMAs and sharing
>their anon_vma is safe for now but is not expected behavior.
>
>Note: this will break commit 4e4a9eb92133 ("mm/rmap.c: reuse mergeable
>anon_vma as parent when fork") without related fix because it contains
>several flaws hidden by current initialization sequence in dup_mmap().
>
>Signed-off-by: Konstantin Khlebnikov <khlebnikov@xxxxxxxxxxxxxx>
looks fine to me.
Reviewed-by: Li Xinhai <lixinhai.lxh@xxxxxxxxx>
>---
> kernel/fork.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
>diff --git a/kernel/fork.c b/kernel/fork.c
>index c33626993831..784c9ae56aa9 100644
>--- a/kernel/fork.c
>+++ b/kernel/fork.c
>@@ -544,10 +544,12 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm,
> tmp = vm_area_dup(mpnt);
> if (!tmp)
> goto fail_nomem;
>+ tmp->vm_mm = mm;
>+ tmp->vm_prev = prev;
>+ tmp->vm_next = NULL;
> retval = vma_dup_policy(mpnt, tmp);
> if (retval)
> goto fail_nomem_policy;
>- tmp->vm_mm = mm;
> retval = dup_userfaultfd(tmp, &uf);
> if (retval)
> goto fail_nomem_anon_vma_fork;
>@@ -559,7 +561,6 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm,
> } else if (anon_vma_fork(tmp, mpnt, prev))
> goto fail_nomem_anon_vma_fork;
> tmp->vm_flags &= ~(VM_LOCKED | VM_LOCKONFAULT);
>- tmp->vm_next = tmp->vm_prev = NULL;
> file = tmp->vm_file;
> if (file) {
> struct inode *inode = file_inode(file);
>@@ -592,7 +593,6 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm,
> */
> *pprev = tmp;
> pprev = &tmp->vm_next;
>- tmp->vm_prev = prev;
> prev = tmp;
>
> __vma_link_rb(mm, tmp, rb_link, rb_parent);
>
