This is a note to let you know that I've just added the patch titled
mm/mmap: Fix error return in do_vmi_align_munmap()
to the 6.3-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
mm-mmap-fix-error-return-in-do_vmi_align_munmap.patch
and it can be found in the queue-6.3 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From fc0766af431cd7fe01d04231dfcc3458dafa792c Mon Sep 17 00:00:00 2001
From: David Woodhouse <dwmw@xxxxxxxxxxxx>
Date: Wed, 28 Jun 2023 10:55:03 +0100
Subject: mm/mmap: Fix error return in do_vmi_align_munmap()
From: David Woodhouse <dwmw@xxxxxxxxxxxx>
commit 6c26bd4384da24841bac4f067741bbca18b0fb74 upstream,
If mas_store_gfp() in the gather loop failed, the 'error' variable that
ultimately gets returned was not being set. In many cases, its original
value of -ENOMEM was still in place, and that was fine. But if VMAs had
been split at the start or end of the range, then 'error' could be zero.
Change to the 'error = foo(); if (error) goto …' idiom to fix the bug.
Also clean up a later case which avoided the same bug by *explicitly*
setting error = -ENOMEM right before calling the function that might
return -ENOMEM.
In a final cosmetic change, move the 'Point of no return' comment to
*after* the goto. That's been in the wrong place since the preallocation
was removed, and this new error path was added.
Fixes: 606c812eb1d5 ("mm/mmap: Fix error path in do_vmi_align_munmap()")
Signed-off-by: David Woodhouse <dwmw@xxxxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Reviewed-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Reviewed-by: Liam R. Howlett <Liam.Howlett@xxxxxxxxxx>
Signed-off-by: David Woodhouse <dwmw@xxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
mm/mmap.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2348,7 +2348,8 @@ do_vmi_align_munmap(struct vma_iterator
goto end_split_failed;
}
mas_set_range(&mas_detach, next->vm_start, next->vm_end - 1);
- if (mas_store_gfp(&mas_detach, next, GFP_KERNEL))
+ error = mas_store_gfp(&mas_detach, next, GFP_KERNEL);
+ if (error)
goto munmap_gather_failed;
if (next->vm_flags & VM_LOCKED)
locked_vm += vma_pages(next);
@@ -2396,12 +2397,12 @@ do_vmi_align_munmap(struct vma_iterator
BUG_ON(count != test_count);
}
#endif
- /* Point of no return */
- error = -ENOMEM;
vma_iter_set(vmi, start);
- if (vma_iter_clear_gfp(vmi, start, end, GFP_KERNEL))
+ error = vma_iter_clear_gfp(vmi, start, end, GFP_KERNEL);
+ if (error)
goto clear_tree_failed;
+ /* Point of no return */
mm->locked_vm -= locked_vm;
mm->map_count -= count;
/*
Patches currently in stable-queue which might be from dwmw@xxxxxxxxxxxx are
queue-6.3/mm-mmap-fix-error-return-in-do_vmi_align_munmap.patch
queue-6.3/mm-mmap-fix-error-path-in-do_vmi_align_munmap.patch
