sorry, should send to Rik van Riel<riel@xxxxxxxxxxx>
On 2020-02-08 at 16:35 Li Xinhai wrote:
>In dup_mmap(), anon_vma_prepare() is called for vma has VM_WIPEONFORK,
>and parameter 'tmp' (i.e., the new vma of child) has same ->vm_next and
>->vm_prev as its parent vma. That allows anon_vma used by parent been
>mistakenly shared by child (find_mergeable_anon_vma() will do this reuse
>work).
>
>Besides this issue, call anon_vma_prepare() should be avoided because we
>don't copy page for this vma. Preparing anon_vma will be handled during
>fault.
>
>Fixes: d2cd9ede6e19 ("mm,fork: introduce MADV_WIPEONFORK")
>Signed-off-by: Li Xinhai <lixinhai.lxh@xxxxxxxxx>
>Cc: Rik van Riel <riel@xxxxxxxxxx>
>Cc: Kirill A. Shutemov <kirill.shutemov@xxxxxxxxxxxxxxx>
>Cc: Matthew Wilcox <willy@xxxxxxxxxxxxx>
>---
> kernel/fork.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
>diff --git a/kernel/fork.c b/kernel/fork.c
>index 0808095..1bbd49a 100644
>--- a/kernel/fork.c
>+++ b/kernel/fork.c
>@@ -552,10 +552,12 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm,
> if (retval)
> goto fail_nomem_anon_vma_fork;
> if (tmp->vm_flags & VM_WIPEONFORK) {
>- /* VM_WIPEONFORK gets a clean slate in the child. */
>+ /*
>+ * VM_WIPEONFORK gets a clean slate in the child.
>+ * Don't prepare anon_vma until fault since we don't
>+ * copy page for current vma.
>+ */
> tmp->anon_vma = NULL;
>- if (anon_vma_prepare(tmp))
>- goto fail_nomem_anon_vma_fork;
> } else if (anon_vma_fork(tmp, mpnt))
> goto fail_nomem_anon_vma_fork;
> tmp->vm_flags &= ~(VM_LOCKED | VM_LOCKONFAULT);
>--
>1.8.3.1
>
