LCOV - code coverage report
Current view: top level - mm - mmap.c (source / functions) Hit Total Coverage
Test: gcov_data_raspi2_qemu_modules_combined.info Lines: 747 992 75.3 %
Date: 2020-09-30 20:25:01 Functions: 70 87 80.5 %
Branches: 644 979 65.8 %

           Branch data     Line data    Source code
       1                 :            : // SPDX-License-Identifier: GPL-2.0-only
       2                 :            : /*
       3                 :            :  * mm/mmap.c
       4                 :            :  *
       5                 :            :  * Written by obz.
       6                 :            :  *
       7                 :            :  * Address space accounting code        <alan@lxorguk.ukuu.org.uk>
       8                 :            :  */
       9                 :            : 
      10                 :            : #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
      11                 :            : 
      12                 :            : #include <linux/kernel.h>
      13                 :            : #include <linux/slab.h>
      14                 :            : #include <linux/backing-dev.h>
      15                 :            : #include <linux/mm.h>
      16                 :            : #include <linux/vmacache.h>
      17                 :            : #include <linux/shm.h>
      18                 :            : #include <linux/mman.h>
      19                 :            : #include <linux/pagemap.h>
      20                 :            : #include <linux/swap.h>
      21                 :            : #include <linux/syscalls.h>
      22                 :            : #include <linux/capability.h>
      23                 :            : #include <linux/init.h>
      24                 :            : #include <linux/file.h>
      25                 :            : #include <linux/fs.h>
      26                 :            : #include <linux/personality.h>
      27                 :            : #include <linux/security.h>
      28                 :            : #include <linux/hugetlb.h>
      29                 :            : #include <linux/shmem_fs.h>
      30                 :            : #include <linux/profile.h>
      31                 :            : #include <linux/export.h>
      32                 :            : #include <linux/mount.h>
      33                 :            : #include <linux/mempolicy.h>
      34                 :            : #include <linux/rmap.h>
      35                 :            : #include <linux/mmu_notifier.h>
      36                 :            : #include <linux/mmdebug.h>
      37                 :            : #include <linux/perf_event.h>
      38                 :            : #include <linux/audit.h>
      39                 :            : #include <linux/khugepaged.h>
      40                 :            : #include <linux/uprobes.h>
      41                 :            : #include <linux/rbtree_augmented.h>
      42                 :            : #include <linux/notifier.h>
      43                 :            : #include <linux/memory.h>
      44                 :            : #include <linux/printk.h>
      45                 :            : #include <linux/userfaultfd_k.h>
      46                 :            : #include <linux/moduleparam.h>
      47                 :            : #include <linux/pkeys.h>
      48                 :            : #include <linux/oom.h>
      49                 :            : #include <linux/sched/mm.h>
      50                 :            : 
      51                 :            : #include <linux/uaccess.h>
      52                 :            : #include <asm/cacheflush.h>
      53                 :            : #include <asm/tlb.h>
      54                 :            : #include <asm/mmu_context.h>
      55                 :            : 
      56                 :            : #include "internal.h"
      57                 :            : 
      58                 :            : #ifndef arch_mmap_check
      59                 :            : #define arch_mmap_check(addr, len, flags)       (0)
      60                 :            : #endif
      61                 :            : 
      62                 :            : #ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
      63                 :            : const int mmap_rnd_bits_min = CONFIG_ARCH_MMAP_RND_BITS_MIN;
      64                 :            : const int mmap_rnd_bits_max = CONFIG_ARCH_MMAP_RND_BITS_MAX;
      65                 :            : int mmap_rnd_bits __read_mostly = CONFIG_ARCH_MMAP_RND_BITS;
      66                 :            : #endif
      67                 :            : #ifdef CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS
      68                 :            : const int mmap_rnd_compat_bits_min = CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN;
      69                 :            : const int mmap_rnd_compat_bits_max = CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX;
      70                 :            : int mmap_rnd_compat_bits __read_mostly = CONFIG_ARCH_MMAP_RND_COMPAT_BITS;
      71                 :            : #endif
      72                 :            : 
      73                 :            : static bool ignore_rlimit_data;
      74                 :            : core_param(ignore_rlimit_data, ignore_rlimit_data, bool, 0644);
      75                 :            : 
      76                 :            : static void unmap_region(struct mm_struct *mm,
      77                 :            :                 struct vm_area_struct *vma, struct vm_area_struct *prev,
      78                 :            :                 unsigned long start, unsigned long end);
      79                 :            : 
      80                 :            : /* description of effects of mapping type and prot in current implementation.
      81                 :            :  * this is due to the limited x86 page protection hardware.  The expected
      82                 :            :  * behavior is in parens:
      83                 :            :  *
      84                 :            :  * map_type     prot
      85                 :            :  *              PROT_NONE       PROT_READ       PROT_WRITE      PROT_EXEC
      86                 :            :  * MAP_SHARED   r: (no) no      r: (yes) yes    r: (no) yes     r: (no) yes
      87                 :            :  *              w: (no) no      w: (no) no      w: (yes) yes    w: (no) no
      88                 :            :  *              x: (no) no      x: (no) yes     x: (no) yes     x: (yes) yes
      89                 :            :  *
      90                 :            :  * MAP_PRIVATE  r: (no) no      r: (yes) yes    r: (no) yes     r: (no) yes
      91                 :            :  *              w: (no) no      w: (no) no      w: (copy) copy  w: (no) no
      92                 :            :  *              x: (no) no      x: (no) yes     x: (no) yes     x: (yes) yes
      93                 :            :  */
      94                 :            : pgprot_t protection_map[16] __ro_after_init = {
      95                 :            :         __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
      96                 :            :         __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
      97                 :            : };
      98                 :            : 
      99                 :            : #ifndef CONFIG_ARCH_HAS_FILTER_PGPROT
     100                 :            : static inline pgprot_t arch_filter_pgprot(pgprot_t prot)
     101                 :            : {
     102                 :            :         return prot;
     103                 :            : }
     104                 :            : #endif
     105                 :            : 
     106                 :     449328 : pgprot_t vm_get_page_prot(unsigned long vm_flags)
     107                 :            : {
     108                 :   27696444 :         pgprot_t ret = __pgprot(pgprot_val(protection_map[vm_flags &
     109                 :            :                                 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
     110                 :            :                         pgprot_val(arch_vm_get_page_prot(vm_flags)));
     111                 :            : 
     112                 :     449328 :         return arch_filter_pgprot(ret);
     113                 :            : }
     114                 :            : EXPORT_SYMBOL(vm_get_page_prot);
     115                 :            : 
     116                 :   15677302 : static pgprot_t vm_pgprot_modify(pgprot_t oldprot, unsigned long vm_flags)
     117                 :            : {
     118                 :   15677302 :         return pgprot_modify(oldprot, vm_get_page_prot(vm_flags));
     119                 :            : }
     120                 :            : 
     121                 :            : /* Update vma->vm_page_prot to reflect vma->vm_flags. */
     122                 :   15670474 : void vma_set_page_prot(struct vm_area_struct *vma)
     123                 :            : {
     124                 :   15670474 :         unsigned long vm_flags = vma->vm_flags;
     125                 :            :         pgprot_t vm_page_prot;
     126                 :            : 
     127                 :   15670474 :         vm_page_prot = vm_pgprot_modify(vma->vm_page_prot, vm_flags);
     128         [ +  + ]:   15670634 :         if (vma_wants_writenotify(vma, vm_page_prot)) {
     129                 :          2 :                 vm_flags &= ~VM_SHARED;
     130                 :          2 :                 vm_page_prot = vm_pgprot_modify(vm_page_prot, vm_flags);
     131                 :            :         }
     132                 :            :         /* remove_protection_ptes reads vma->vm_page_prot without mmap_sem */
     133                 :            :         WRITE_ONCE(vma->vm_page_prot, vm_page_prot);
     134                 :   15670574 : }
     135                 :            : 
     136                 :            : /*
     137                 :            :  * Requires inode->i_mapping->i_mmap_rwsem
     138                 :            :  */
     139                 :   37572242 : static void __remove_shared_vm_struct(struct vm_area_struct *vma,
     140                 :            :                 struct file *file, struct address_space *mapping)
     141                 :            : {
     142         [ +  + ]:   37572242 :         if (vma->vm_flags & VM_DENYWRITE)
     143                 :    5958628 :                 atomic_inc(&file_inode(file)->i_writecount);
     144         [ +  + ]:   37572046 :         if (vma->vm_flags & VM_SHARED)
     145                 :            :                 mapping_unmap_writable(mapping);
     146                 :            : 
     147                 :            :         flush_dcache_mmap_lock(mapping);
     148                 :   37572000 :         vma_interval_tree_remove(vma, &mapping->i_mmap);
     149                 :            :         flush_dcache_mmap_unlock(mapping);
     150                 :   37570822 : }
     151                 :            : 
     152                 :            : /*
     153                 :            :  * Unlink a file-based vm structure from its interval tree, to hide
     154                 :            :  * vma from rmap and vmtruncate before freeing its page tables.
     155                 :            :  */
     156                 :   46305478 : void unlink_file_vma(struct vm_area_struct *vma)
     157                 :            : {
     158                 :   46305478 :         struct file *file = vma->vm_file;
     159                 :            : 
     160         [ +  + ]:   46305478 :         if (file) {
     161                 :   37572134 :                 struct address_space *mapping = file->f_mapping;
     162                 :            :                 i_mmap_lock_write(mapping);
     163                 :   37572502 :                 __remove_shared_vm_struct(vma, file, mapping);
     164                 :            :                 i_mmap_unlock_write(mapping);
     165                 :            :         }
     166                 :   46305618 : }
     167                 :            : 
     168                 :            : /*
     169                 :            :  * Close a vm structure and free it, returning the next.
     170                 :            :  */
     171                 :   46305018 : static struct vm_area_struct *remove_vma(struct vm_area_struct *vma)
     172                 :            : {
     173                 :   46305018 :         struct vm_area_struct *next = vma->vm_next;
     174                 :            : 
     175                 :   46305018 :         might_sleep();
     176   [ +  +  +  + ]:   46305204 :         if (vma->vm_ops && vma->vm_ops->close)
     177                 :    2752882 :                 vma->vm_ops->close(vma);
     178         [ +  + ]:   46305482 :         if (vma->vm_file)
     179                 :   37572274 :                 fput(vma->vm_file);
     180                 :            :         mpol_put(vma_policy(vma));
     181                 :   46305386 :         vm_area_free(vma);
     182                 :   46305578 :         return next;
     183                 :            : }
     184                 :            : 
     185                 :            : static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long flags,
     186                 :            :                 struct list_head *uf);
     187                 :    2907216 : SYSCALL_DEFINE1(brk, unsigned long, brk)
     188                 :            : {
     189                 :            :         unsigned long retval;
     190                 :            :         unsigned long newbrk, oldbrk, origbrk;
     191                 :    1453608 :         struct mm_struct *mm = current->mm;
     192                 :            :         struct vm_area_struct *next;
     193                 :            :         unsigned long min_brk;
     194                 :            :         bool populate;
     195                 :            :         bool downgraded = false;
     196                 :    1453608 :         LIST_HEAD(uf);
     197                 :            : 
     198         [ +  - ]:    1453608 :         if (down_write_killable(&mm->mmap_sem))
     199                 :            :                 return -EINTR;
     200                 :            : 
     201                 :    1453608 :         origbrk = mm->brk;
     202                 :            : 
     203                 :            : #ifdef CONFIG_COMPAT_BRK
     204                 :            :         /*
     205                 :            :          * CONFIG_COMPAT_BRK can still be overridden by setting
     206                 :            :          * randomize_va_space to 2, which will still cause mm->start_brk
     207                 :            :          * to be arbitrarily shifted
     208                 :            :          */
     209                 :            :         if (current->brk_randomized)
     210                 :            :                 min_brk = mm->start_brk;
     211                 :            :         else
     212                 :            :                 min_brk = mm->end_data;
     213                 :            : #else
     214                 :    1453608 :         min_brk = mm->start_brk;
     215                 :            : #endif
     216         [ +  + ]:    1453608 :         if (brk < min_brk)
     217                 :            :                 goto out;
     218                 :            : 
     219                 :            :         /*
     220                 :            :          * Check against rlimit here. If this check is done later after the test
     221                 :            :          * of oldbrk with newbrk then it can escape the test and let the data
     222                 :            :          * segment grow beyond its set limit the in case where the limit is
     223                 :            :          * not page aligned -Ram Gupta
     224                 :            :          */
     225         [ +  - ]:    1112308 :         if (check_data_rlimit(rlimit(RLIMIT_DATA), brk, mm->start_brk,
     226                 :            :                               mm->end_data, mm->start_data))
     227                 :            :                 goto out;
     228                 :            : 
     229                 :     556158 :         newbrk = PAGE_ALIGN(brk);
     230                 :     556158 :         oldbrk = PAGE_ALIGN(mm->brk);
     231         [ +  + ]:     556158 :         if (oldbrk == newbrk) {
     232                 :          4 :                 mm->brk = brk;
     233                 :          4 :                 goto success;
     234                 :            :         }
     235                 :            : 
     236                 :            :         /*
     237                 :            :          * Always allow shrinking brk.
     238                 :            :          * __do_munmap() may downgrade mmap_sem to read.
     239                 :            :          */
     240         [ +  + ]:     556154 :         if (brk <= mm->brk) {
     241                 :            :                 int ret;
     242                 :            : 
     243                 :            :                 /*
     244                 :            :                  * mm->brk must to be protected by write mmap_sem so update it
     245                 :            :                  * before downgrading mmap_sem. When __do_munmap() fails,
     246                 :            :                  * mm->brk will be restored from origbrk.
     247                 :            :                  */
     248                 :      34872 :                 mm->brk = brk;
     249                 :      34872 :                 ret = __do_munmap(mm, newbrk, oldbrk-newbrk, &uf, true);
     250         [ -  + ]:      34872 :                 if (ret < 0) {
     251                 :          0 :                         mm->brk = origbrk;
     252                 :          0 :                         goto out;
     253         [ +  - ]:      34872 :                 } else if (ret == 1) {
     254                 :            :                         downgraded = true;
     255                 :            :                 }
     256                 :            :                 goto success;
     257                 :            :         }
     258                 :            : 
     259                 :            :         /* Check against existing mmap mappings. */
     260                 :     521282 :         next = find_vma(mm, oldbrk);
     261   [ +  +  +  - ]:    1042560 :         if (next && newbrk + PAGE_SIZE > vm_start_gap(next))
     262                 :            :                 goto out;
     263                 :            : 
     264                 :            :         /* Ok, looks good - let it rip. */
     265         [ +  + ]:     521286 :         if (do_brk_flags(oldbrk, newbrk-oldbrk, 0, &uf) < 0)
     266                 :            :                 goto out;
     267                 :     521278 :         mm->brk = brk;
     268                 :            : 
     269                 :            : success:
     270   [ +  +  +  + ]:     556154 :         populate = newbrk > oldbrk && (mm->def_flags & VM_LOCKED) != 0;
     271         [ +  + ]:     556154 :         if (downgraded)
     272                 :      34872 :                 up_read(&mm->mmap_sem);
     273                 :            :         else
     274                 :     521282 :                 up_write(&mm->mmap_sem);
     275                 :            :         userfaultfd_unmap_complete(mm, &uf);
     276         [ -  + ]:     556152 :         if (populate)
     277                 :          0 :                 mm_populate(oldbrk, newbrk - oldbrk);
     278                 :     556152 :         return brk;
     279                 :            : 
     280                 :            : out:
     281                 :            :         retval = origbrk;
     282                 :     897450 :         up_write(&mm->mmap_sem);
     283                 :     897454 :         return retval;
     284                 :            : }
     285                 :            : 
     286                 :  224083582 : static inline unsigned long vma_compute_gap(struct vm_area_struct *vma)
     287                 :            : {
     288                 :            :         unsigned long gap, prev_end;
     289                 :            : 
     290                 :            :         /*
     291                 :            :          * Note: in the rare case of a VM_GROWSDOWN above a VM_GROWSUP, we
     292                 :            :          * allow two stack_guard_gaps between them here, and when choosing
     293                 :            :          * an unmapped area; whereas when expanding we only require one.
     294                 :            :          * That's a little inconsistent, but keeps the code here simpler.
     295                 :            :          */
     296                 :            :         gap = vm_start_gap(vma);
     297         [ +  + ]:  224083582 :         if (vma->vm_prev) {
     298                 :            :                 prev_end = vm_end_gap(vma->vm_prev);
     299         [ +  + ]:  219917050 :                 if (gap > prev_end)
     300                 :   54288980 :                         gap -= prev_end;
     301                 :            :                 else
     302                 :            :                         gap = 0;
     303                 :            :         }
     304                 :  224083582 :         return gap;
     305                 :            : }
     306                 :            : 
     307                 :            : #ifdef CONFIG_DEBUG_VM_RB
     308                 :            : static unsigned long vma_compute_subtree_gap(struct vm_area_struct *vma)
     309                 :            : {
     310                 :            :         unsigned long max = vma_compute_gap(vma), subtree_gap;
     311                 :            :         if (vma->vm_rb.rb_left) {
     312                 :            :                 subtree_gap = rb_entry(vma->vm_rb.rb_left,
     313                 :            :                                 struct vm_area_struct, vm_rb)->rb_subtree_gap;
     314                 :            :                 if (subtree_gap > max)
     315                 :            :                         max = subtree_gap;
     316                 :            :         }
     317                 :            :         if (vma->vm_rb.rb_right) {
     318                 :            :                 subtree_gap = rb_entry(vma->vm_rb.rb_right,
     319                 :            :                                 struct vm_area_struct, vm_rb)->rb_subtree_gap;
     320                 :            :                 if (subtree_gap > max)
     321                 :            :                         max = subtree_gap;
     322                 :            :         }
     323                 :            :         return max;
     324                 :            : }
     325                 :            : 
     326                 :            : static int browse_rb(struct mm_struct *mm)
     327                 :            : {
     328                 :            :         struct rb_root *root = &mm->mm_rb;
     329                 :            :         int i = 0, j, bug = 0;
     330                 :            :         struct rb_node *nd, *pn = NULL;
     331                 :            :         unsigned long prev = 0, pend = 0;
     332                 :            : 
     333                 :            :         for (nd = rb_first(root); nd; nd = rb_next(nd)) {
     334                 :            :                 struct vm_area_struct *vma;
     335                 :            :                 vma = rb_entry(nd, struct vm_area_struct, vm_rb);
     336                 :            :                 if (vma->vm_start < prev) {
     337                 :            :                         pr_emerg("vm_start %lx < prev %lx\n",
     338                 :            :                                   vma->vm_start, prev);
     339                 :            :                         bug = 1;
     340                 :            :                 }
     341                 :            :                 if (vma->vm_start < pend) {
     342                 :            :                         pr_emerg("vm_start %lx < pend %lx\n",
     343                 :            :                                   vma->vm_start, pend);
     344                 :            :                         bug = 1;
     345                 :            :                 }
     346                 :            :                 if (vma->vm_start > vma->vm_end) {
     347                 :            :                         pr_emerg("vm_start %lx > vm_end %lx\n",
     348                 :            :                                   vma->vm_start, vma->vm_end);
     349                 :            :                         bug = 1;
     350                 :            :                 }
     351                 :            :                 spin_lock(&mm->page_table_lock);
     352                 :            :                 if (vma->rb_subtree_gap != vma_compute_subtree_gap(vma)) {
     353                 :            :                         pr_emerg("free gap %lx, correct %lx\n",
     354                 :            :                                vma->rb_subtree_gap,
     355                 :            :                                vma_compute_subtree_gap(vma));
     356                 :            :                         bug = 1;
     357                 :            :                 }
     358                 :            :                 spin_unlock(&mm->page_table_lock);
     359                 :            :                 i++;
     360                 :            :                 pn = nd;
     361                 :            :                 prev = vma->vm_start;
     362                 :            :                 pend = vma->vm_end;
     363                 :            :         }
     364                 :            :         j = 0;
     365                 :            :         for (nd = pn; nd; nd = rb_prev(nd))
     366                 :            :                 j++;
     367                 :            :         if (i != j) {
     368                 :            :                 pr_emerg("backwards %d, forwards %d\n", j, i);
     369                 :            :                 bug = 1;
     370                 :            :         }
     371                 :            :         return bug ? -1 : i;
     372                 :            : }
     373                 :            : 
     374                 :            : static void validate_mm_rb(struct rb_root *root, struct vm_area_struct *ignore)
     375                 :            : {
     376                 :            :         struct rb_node *nd;
     377                 :            : 
     378                 :            :         for (nd = rb_first(root); nd; nd = rb_next(nd)) {
     379                 :            :                 struct vm_area_struct *vma;
     380                 :            :                 vma = rb_entry(nd, struct vm_area_struct, vm_rb);
     381                 :            :                 VM_BUG_ON_VMA(vma != ignore &&
     382                 :            :                         vma->rb_subtree_gap != vma_compute_subtree_gap(vma),
     383                 :            :                         vma);
     384                 :            :         }
     385                 :            : }
     386                 :            : 
     387                 :            : static void validate_mm(struct mm_struct *mm)
     388                 :            : {
     389                 :            :         int bug = 0;
     390                 :            :         int i = 0;
     391                 :            :         unsigned long highest_address = 0;
     392                 :            :         struct vm_area_struct *vma = mm->mmap;
     393                 :            : 
     394                 :            :         while (vma) {
     395                 :            :                 struct anon_vma *anon_vma = vma->anon_vma;
     396                 :            :                 struct anon_vma_chain *avc;
     397                 :            : 
     398                 :            :                 if (anon_vma) {
     399                 :            :                         anon_vma_lock_read(anon_vma);
     400                 :            :                         list_for_each_entry(avc, &vma->anon_vma_chain, same_vma)
     401                 :            :                                 anon_vma_interval_tree_verify(avc);
     402                 :            :                         anon_vma_unlock_read(anon_vma);
     403                 :            :                 }
     404                 :            : 
     405                 :            :                 highest_address = vm_end_gap(vma);
     406                 :            :                 vma = vma->vm_next;
     407                 :            :                 i++;
     408                 :            :         }
     409                 :            :         if (i != mm->map_count) {
     410                 :            :                 pr_emerg("map_count %d vm_next %d\n", mm->map_count, i);
     411                 :            :                 bug = 1;
     412                 :            :         }
     413                 :            :         if (highest_address != mm->highest_vm_end) {
     414                 :            :                 pr_emerg("mm->highest_vm_end %lx, found %lx\n",
     415                 :            :                           mm->highest_vm_end, highest_address);
     416                 :            :                 bug = 1;
     417                 :            :         }
     418                 :            :         i = browse_rb(mm);
     419                 :            :         if (i != mm->map_count) {
     420                 :            :                 if (i != -1)
     421                 :            :                         pr_emerg("map_count %d rb %d\n", mm->map_count, i);
     422                 :            :                 bug = 1;
     423                 :            :         }
     424                 :            :         VM_BUG_ON_MM(bug, mm);
     425                 :            : }
     426                 :            : #else
     427                 :            : #define validate_mm_rb(root, ignore) do { } while (0)
     428                 :            : #define validate_mm(mm) do { } while (0)
     429                 :            : #endif
     430                 :            : 
     431   [ +  +  +  +  :  347147620 : RB_DECLARE_CALLBACKS_MAX(static, vma_gap_callbacks,
          +  +  +  +  +  
          +  +  +  +  +  
                   +  + ]
     432                 :            :                          struct vm_area_struct, vm_rb,
     433                 :            :                          unsigned long, rb_subtree_gap, vma_compute_gap)
     434                 :            : 
     435                 :            : /*
     436                 :            :  * Update augmented rbtree rb_subtree_gap values after vma->vm_start or
     437                 :            :  * vma->vm_prev->vm_end values changed, without modifying the vma's position
     438                 :            :  * in the rbtree.
     439                 :            :  */
     440                 :            : static void vma_gap_update(struct vm_area_struct *vma)
     441                 :            : {
     442                 :            :         /*
     443                 :            :          * As it turns out, RB_DECLARE_CALLBACKS_MAX() already created
     444                 :            :          * a callback function that does exactly what we want.
     445                 :            :          */
     446                 :   75189380 :         vma_gap_callbacks_propagate(&vma->vm_rb, NULL);
     447                 :            : }
     448                 :            : 
     449                 :            : static inline void vma_rb_insert(struct vm_area_struct *vma,
     450                 :            :                                  struct rb_root *root)
     451                 :            : {
     452                 :            :         /* All rb_subtree_gap values must be consistent prior to insertion */
     453                 :            :         validate_mm_rb(root, NULL);
     454                 :            : 
     455                 :            :         rb_insert_augmented(&vma->vm_rb, root, &vma_gap_callbacks);
     456                 :            : }
     457                 :            : 
     458                 :    5263490 : static void __vma_rb_erase(struct vm_area_struct *vma, struct rb_root *root)
     459                 :            : {
     460                 :            :         /*
     461                 :            :          * Note rb_erase_augmented is a fairly large inline function,
     462                 :            :          * so make sure we instantiate it only once with our desired
     463                 :            :          * augmented rbtree callbacks.
     464                 :            :          */
     465                 :    5263490 :         rb_erase_augmented(&vma->vm_rb, root, &vma_gap_callbacks);
     466                 :    5263560 : }
     467                 :            : 
     468                 :            : static __always_inline void vma_rb_erase_ignore(struct vm_area_struct *vma,
     469                 :            :                                                 struct rb_root *root,
     470                 :            :                                                 struct vm_area_struct *ignore)
     471                 :            : {
     472                 :            :         /*
     473                 :            :          * All rb_subtree_gap values must be consistent prior to erase,
     474                 :            :          * with the possible exception of the "next" vma being erased if
     475                 :            :          * next->vm_start was reduced.
     476                 :            :          */
     477                 :            :         validate_mm_rb(root, ignore);
     478                 :            : 
     479                 :        844 :         __vma_rb_erase(vma, root);
     480                 :            : }
     481                 :            : 
     482                 :            : static __always_inline void vma_rb_erase(struct vm_area_struct *vma,
     483                 :            :                                          struct rb_root *root)
     484                 :            : {
     485                 :            :         /*
     486                 :            :          * All rb_subtree_gap values must be consistent prior to erase,
     487                 :            :          * with the possible exception of the vma being erased.
     488                 :            :          */
     489                 :            :         validate_mm_rb(root, vma);
     490                 :            : 
     491                 :    5262662 :         __vma_rb_erase(vma, root);
     492                 :            : }
     493                 :            : 
     494                 :            : /*
     495                 :            :  * vma has some anon_vma assigned, and is already inserted on that
     496                 :            :  * anon_vma's interval trees.
     497                 :            :  *
     498                 :            :  * Before updating the vma's vm_start / vm_end / vm_pgoff fields, the
     499                 :            :  * vma must be removed from the anon_vma's interval trees using
     500                 :            :  * anon_vma_interval_tree_pre_update_vma().
     501                 :            :  *
     502                 :            :  * After the update, the vma will be reinserted using
     503                 :            :  * anon_vma_interval_tree_post_update_vma().
     504                 :            :  *
     505                 :            :  * The entire update must be protected by exclusive mmap_sem and by
     506                 :            :  * the root anon_vma's mutex.
     507                 :            :  */
     508                 :            : static inline void
     509                 :    5177630 : anon_vma_interval_tree_pre_update_vma(struct vm_area_struct *vma)
     510                 :            : {
     511                 :            :         struct anon_vma_chain *avc;
     512                 :            : 
     513         [ +  + ]:   10315864 :         list_for_each_entry(avc, &vma->anon_vma_chain, same_vma)
     514                 :    5138214 :                 anon_vma_interval_tree_remove(avc, &avc->anon_vma->rb_root);
     515                 :    5177650 : }
     516                 :            : 
     517                 :            : static inline void
     518                 :    5177652 : anon_vma_interval_tree_post_update_vma(struct vm_area_struct *vma)
     519                 :            : {
     520                 :            :         struct anon_vma_chain *avc;
     521                 :            : 
     522         [ +  + ]:   10315872 :         list_for_each_entry(avc, &vma->anon_vma_chain, same_vma)
     523                 :    5138168 :                 anon_vma_interval_tree_insert(avc, &avc->anon_vma->rb_root);
     524                 :    5177704 : }
     525                 :            : 
     526                 :            : static int find_vma_links(struct mm_struct *mm, unsigned long addr,
     527                 :            :                 unsigned long end, struct vm_area_struct **pprev,
     528                 :            :                 struct rb_node ***rb_link, struct rb_node **rb_parent)
     529                 :            : {
     530                 :            :         struct rb_node **__rb_link, *__rb_parent, *rb_prev;
     531                 :            : 
     532                 :   25243702 :         __rb_link = &mm->mm_rb.rb_node;
     533                 :            :         rb_prev = __rb_parent = NULL;
     534                 :            : 
     535   [ +  +  +  +  :  162031896 :         while (*__rb_link) {
          +  +  +  +  +  
                      + ]
     536                 :            :                 struct vm_area_struct *vma_tmp;
     537                 :            : 
     538                 :            :                 __rb_parent = *__rb_link;
     539                 :            :                 vma_tmp = rb_entry(__rb_parent, struct vm_area_struct, vm_rb);
     540                 :            : 
     541   [ +  +  +  +  :  140033744 :                 if (vma_tmp->vm_end > addr) {
          +  +  +  +  +  
                      + ]
     542                 :            :                         /* Fail if an existing vma overlaps the area */
     543   [ +  -  +  -  :   94789812 :                         if (vma_tmp->vm_start < end)
          +  -  +  +  +  
                      + ]
     544                 :            :                                 return -ENOMEM;
     545                 :   91544262 :                         __rb_link = &__rb_parent->rb_left;
     546                 :            :                 } else {
     547                 :            :                         rb_prev = __rb_parent;
     548                 :   45243932 :                         __rb_link = &__rb_parent->rb_right;
     549                 :            :                 }
     550                 :            :         }
     551                 :            : 
     552                 :            :         *pprev = NULL;
     553   [ +  -  +  +  :   21998152 :         if (rb_prev)
          +  +  +  +  +  
                      + ]
     554                 :   21100066 :                 *pprev = rb_entry(rb_prev, struct vm_area_struct, vm_rb);
     555                 :   21998152 :         *rb_link = __rb_link;
     556                 :   21998152 :         *rb_parent = __rb_parent;
     557                 :            :         return 0;
     558                 :            : }
     559                 :            : 
     560                 :          0 : static unsigned long count_vma_pages_range(struct mm_struct *mm,
     561                 :            :                 unsigned long addr, unsigned long end)
     562                 :            : {
     563                 :            :         unsigned long nr_pages = 0;
     564                 :            :         struct vm_area_struct *vma;
     565                 :            : 
     566                 :            :         /* Find first overlaping mapping */
     567                 :            :         vma = find_vma_intersection(mm, addr, end);
     568         [ #  # ]:          0 :         if (!vma)
     569                 :            :                 return 0;
     570                 :            : 
     571                 :          0 :         nr_pages = (min(end, vma->vm_end) -
     572                 :          0 :                 max(addr, vma->vm_start)) >> PAGE_SHIFT;
     573                 :            : 
     574                 :            :         /* Iterate over the rest of the overlaps */
     575         [ #  # ]:          0 :         for (vma = vma->vm_next; vma; vma = vma->vm_next) {
     576                 :            :                 unsigned long overlap_len;
     577                 :            : 
     578         [ #  # ]:          0 :                 if (vma->vm_start > end)
     579                 :            :                         break;
     580                 :            : 
     581                 :          0 :                 overlap_len = min(end, vma->vm_end) - vma->vm_start;
     582                 :          0 :                 nr_pages += overlap_len >> PAGE_SHIFT;
     583                 :            :         }
     584                 :            : 
     585                 :          0 :         return nr_pages;
     586                 :            : }
     587                 :            : 
     588                 :   49006470 : void __vma_link_rb(struct mm_struct *mm, struct vm_area_struct *vma,
     589                 :            :                 struct rb_node **rb_link, struct rb_node *rb_parent)
     590                 :            : {
     591                 :            :         /* Update tracking information for the gap following the new vma. */
     592         [ +  + ]:   49006470 :         if (vma->vm_next)
     593                 :            :                 vma_gap_update(vma->vm_next);
     594                 :            :         else
     595                 :   29154604 :                 mm->highest_vm_end = vm_end_gap(vma);
     596                 :            : 
     597                 :            :         /*
     598                 :            :          * vma->vm_prev wasn't known when we followed the rbtree to find the
     599                 :            :          * correct insertion point for that vma. As a result, we could not
     600                 :            :          * update the vma vm_rb parents rb_subtree_gap values on the way down.
     601                 :            :          * So, we first insert the vma with a zero rb_subtree_gap value
     602                 :            :          * (to be consistent with what we did on the way down), and then
     603                 :            :          * immediately update the gap to the correct value. Finally we
     604                 :            :          * rebalance the rbtree after all augmented values have been set.
     605                 :            :          */
     606                 :   49006754 :         rb_link_node(&vma->vm_rb, rb_parent, rb_link);
     607                 :   49006754 :         vma->rb_subtree_gap = 0;
     608                 :            :         vma_gap_update(vma);
     609                 :   49006334 :         vma_rb_insert(vma, &mm->mm_rb);
     610                 :   49006646 : }
     611                 :            : 
     612                 :   21415340 : static void __vma_link_file(struct vm_area_struct *vma)
     613                 :            : {
     614                 :            :         struct file *file;
     615                 :            : 
     616                 :   21415340 :         file = vma->vm_file;
     617         [ +  + ]:   21415340 :         if (file) {
     618                 :   17478464 :                 struct address_space *mapping = file->f_mapping;
     619                 :            : 
     620         [ +  + ]:   17478464 :                 if (vma->vm_flags & VM_DENYWRITE)
     621                 :    3158006 :                         atomic_dec(&file_inode(file)->i_writecount);
     622         [ +  + ]:   17478672 :                 if (vma->vm_flags & VM_SHARED)
     623                 :       6708 :                         atomic_inc(&mapping->i_mmap_writable);
     624                 :            : 
     625                 :            :                 flush_dcache_mmap_lock(mapping);
     626                 :   17478840 :                 vma_interval_tree_insert(vma, &mapping->i_mmap);
     627                 :            :                 flush_dcache_mmap_unlock(mapping);
     628                 :            :         }
     629                 :   21415268 : }
     630                 :            : 
     631                 :            : static void
     632                 :   21645972 : __vma_link(struct mm_struct *mm, struct vm_area_struct *vma,
     633                 :            :         struct vm_area_struct *prev, struct rb_node **rb_link,
     634                 :            :         struct rb_node *rb_parent)
     635                 :            : {
     636                 :   21645972 :         __vma_link_list(mm, vma, prev, rb_parent);
     637                 :   21646162 :         __vma_link_rb(mm, vma, rb_link, rb_parent);
     638                 :   21646180 : }
     639                 :            : 
     640                 :   12019560 : static void vma_link(struct mm_struct *mm, struct vm_area_struct *vma,
     641                 :            :                         struct vm_area_struct *prev, struct rb_node **rb_link,
     642                 :            :                         struct rb_node *rb_parent)
     643                 :            : {
     644                 :            :         struct address_space *mapping = NULL;
     645                 :            : 
     646         [ +  + ]:   12019560 :         if (vma->vm_file) {
     647                 :    8082588 :                 mapping = vma->vm_file->f_mapping;
     648                 :            :                 i_mmap_lock_write(mapping);
     649                 :            :         }
     650                 :            : 
     651                 :   12019732 :         __vma_link(mm, vma, prev, rb_link, rb_parent);
     652                 :   12019502 :         __vma_link_file(vma);
     653                 :            : 
     654         [ +  + ]:   12019602 :         if (mapping)
     655                 :            :                 i_mmap_unlock_write(mapping);
     656                 :            : 
     657                 :   12019660 :         mm->map_count++;
     658                 :            :         validate_mm(mm);
     659                 :   12019660 : }
     660                 :            : 
     661                 :            : /*
     662                 :            :  * Helper for vma_adjust() in the split_vma insert case: insert a vma into the
     663                 :            :  * mm's list and rbtree.  It has already been inserted into the interval tree.
     664                 :            :  */
     665                 :    9626282 : static void __insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
     666                 :            : {
     667                 :            :         struct vm_area_struct *prev;
     668                 :            :         struct rb_node **rb_link, *rb_parent;
     669                 :            : 
     670         [ -  + ]:   19252564 :         if (find_vma_links(mm, vma->vm_start, vma->vm_end,
     671                 :            :                            &prev, &rb_link, &rb_parent))
     672                 :          0 :                 BUG();
     673                 :    9626282 :         __vma_link(mm, vma, prev, rb_link, rb_parent);
     674                 :    9626532 :         mm->map_count++;
     675                 :    9626532 : }
     676                 :            : 
     677                 :            : static __always_inline void __vma_unlink_common(struct mm_struct *mm,
     678                 :            :                                                 struct vm_area_struct *vma,
     679                 :            :                                                 struct vm_area_struct *prev,
     680                 :            :                                                 bool has_prev,
     681                 :            :                                                 struct vm_area_struct *ignore)
     682                 :            : {
     683                 :            :         struct vm_area_struct *next;
     684                 :            : 
     685                 :        844 :         vma_rb_erase_ignore(vma, &mm->mm_rb, ignore);
     686                 :        844 :         next = vma->vm_next;
     687                 :            :         if (has_prev)
     688                 :        842 :                 prev->vm_next = next;
     689                 :            :         else {
     690                 :          2 :                 prev = vma->vm_prev;
     691         [ +  - ]:          2 :                 if (prev)
     692                 :          2 :                         prev->vm_next = next;
     693                 :            :                 else
     694                 :          0 :                         mm->mmap = next;
     695                 :            :         }
     696   [ +  -  +  - ]:        844 :         if (next)
     697                 :        844 :                 next->vm_prev = prev;
     698                 :            : 
     699                 :            :         /* Kill the cache */
     700                 :        844 :         vmacache_invalidate(mm);
     701                 :            : }
     702                 :            : 
     703                 :        842 : static inline void __vma_unlink_prev(struct mm_struct *mm,
     704                 :            :                                      struct vm_area_struct *vma,
     705                 :            :                                      struct vm_area_struct *prev)
     706                 :            : {
     707                 :            :         __vma_unlink_common(mm, vma, prev, true, vma);
     708                 :        842 : }
     709                 :            : 
     710                 :            : /*
     711                 :            :  * We cannot adjust vm_start, vm_end, vm_pgoff fields of a vma that
     712                 :            :  * is already present in an i_mmap tree without adjusting the tree.
     713                 :            :  * The following helper function should be used when such adjustments
     714                 :            :  * are necessary.  The "insert" vma (if any) is to be inserted
     715                 :            :  * before we drop the necessary locks.
     716                 :            :  */
     717                 :   10918942 : int __vma_adjust(struct vm_area_struct *vma, unsigned long start,
     718                 :            :         unsigned long end, pgoff_t pgoff, struct vm_area_struct *insert,
     719                 :            :         struct vm_area_struct *expand)
     720                 :            : {
     721                 :   10918942 :         struct mm_struct *mm = vma->vm_mm;
     722                 :   10918942 :         struct vm_area_struct *next = vma->vm_next, *orig_vma = vma;
     723                 :            :         struct address_space *mapping = NULL;
     724                 :            :         struct rb_root_cached *root = NULL;
     725                 :            :         struct anon_vma *anon_vma = NULL;
     726                 :   10918942 :         struct file *file = vma->vm_file;
     727                 :            :         bool start_changed = false, end_changed = false;
     728                 :            :         long adjust_next = 0;
     729                 :            :         int remove_next = 0;
     730                 :            : 
     731         [ +  + ]:   10918942 :         if (next && !insert) {
     732                 :            :                 struct vm_area_struct *exporter = NULL, *importer = NULL;
     733                 :            : 
     734         [ +  + ]:     394908 :                 if (end >= next->vm_end) {
     735                 :            :                         /*
     736                 :            :                          * vma expands, overlapping all the next, and
     737                 :            :                          * perhaps the one after too (mprotect case 6).
     738                 :            :                          * The only other cases that gets here are
     739                 :            :                          * case 1, case 7 and case 8.
     740                 :            :                          */
     741         [ +  + ]:        440 :                         if (next == expand) {
     742                 :            :                                 /*
     743                 :            :                                  * The only case where we don't expand "vma"
     744                 :            :                                  * and we expand "next" instead is case 8.
     745                 :            :                                  */
     746                 :            :                                 VM_WARN_ON(end != next->vm_end);
     747                 :            :                                 /*
     748                 :            :                                  * remove_next == 3 means we're
     749                 :            :                                  * removing "vma" and that to do so we
     750                 :            :                                  * swapped "vma" and "next".
     751                 :            :                                  */
     752                 :            :                                 remove_next = 3;
     753                 :            :                                 VM_WARN_ON(file != next->vm_file);
     754                 :            :                                 swap(vma, next);
     755                 :            :                         } else {
     756                 :            :                                 VM_WARN_ON(expand != vma);
     757                 :            :                                 /*
     758                 :            :                                  * case 1, 6, 7, remove_next == 2 is case 6,
     759                 :            :                                  * remove_next == 1 is case 1 or 7.
     760                 :            :                                  */
     761         [ +  + ]:        438 :                                 remove_next = 1 + (end > next->vm_end);
     762                 :            :                                 VM_WARN_ON(remove_next == 2 &&
     763                 :            :                                            end != next->vm_next->vm_end);
     764                 :            :                                 VM_WARN_ON(remove_next == 1 &&
     765                 :            :                                            end != next->vm_end);
     766                 :            :                                 /* trim end to next, for case 6 first pass */
     767                 :            :                                 end = next->vm_end;
     768                 :            :                         }
     769                 :            : 
     770                 :            :                         exporter = next;
     771                 :            :                         importer = vma;
     772                 :            : 
     773                 :            :                         /*
     774                 :            :                          * If next doesn't have anon_vma, import from vma after
     775                 :            :                          * next, if the vma overlaps with it.
     776                 :            :                          */
     777   [ +  +  -  + ]:        440 :                         if (remove_next == 2 && !next->anon_vma)
     778                 :          0 :                                 exporter = next->vm_next;
     779                 :            : 
     780         [ +  + ]:     394468 :                 } else if (end > next->vm_start) {
     781                 :            :                         /*
     782                 :            :                          * vma expands, overlapping part of the next:
     783                 :            :                          * mprotect case 5 shifting the boundary up.
     784                 :            :                          */
     785                 :      41124 :                         adjust_next = (end - next->vm_start) >> PAGE_SHIFT;
     786                 :            :                         exporter = next;
     787                 :            :                         importer = vma;
     788                 :            :                         VM_WARN_ON(expand != importer);
     789         [ +  + ]:     353344 :                 } else if (end < vma->vm_end) {
     790                 :            :                         /*
     791                 :            :                          * vma shrinks, and !insert tells it's not
     792                 :            :                          * split_vma inserting another: so it must be
     793                 :            :                          * mprotect case 4 shifting the boundary down.
     794                 :            :                          */
     795                 :        850 :                         adjust_next = -((vma->vm_end - end) >> PAGE_SHIFT);
     796                 :            :                         exporter = vma;
     797                 :            :                         importer = next;
     798                 :            :                         VM_WARN_ON(expand != importer);
     799                 :            :                 }
     800                 :            : 
     801                 :            :                 /*
     802                 :            :                  * Easily overlooked: when mprotect shifts the boundary,
     803                 :            :                  * make sure the expanding vma has anon_vma set if the
     804                 :            :                  * shrinking vma had, to cover any anon pages imported.
     805                 :            :                  */
     806   [ +  +  +  +  :     394908 :                 if (exporter && exporter->anon_vma && !importer->anon_vma) {
                   +  - ]
     807                 :            :                         int error;
     808                 :            : 
     809                 :          0 :                         importer->anon_vma = exporter->anon_vma;
     810                 :          0 :                         error = anon_vma_clone(importer, exporter);
     811         [ #  # ]:          0 :                         if (error)
     812                 :            :                                 return error;
     813                 :            :                 }
     814                 :            :         }
     815                 :            : again:
     816                 :            :         vma_adjust_trans_huge(orig_vma, start, end, adjust_next);
     817                 :            : 
     818         [ +  + ]:   10919178 :         if (file) {
     819                 :    9395868 :                 mapping = file->f_mapping;
     820                 :    9395868 :                 root = &mapping->i_mmap;
     821                 :            :                 uprobe_munmap(vma, vma->vm_start, vma->vm_end);
     822                 :            : 
     823                 :            :                 if (adjust_next)
     824                 :            :                         uprobe_munmap(next, next->vm_start, next->vm_end);
     825                 :            : 
     826                 :            :                 i_mmap_lock_write(mapping);
     827         [ +  + ]:    9396154 :                 if (insert) {
     828                 :            :                         /*
     829                 :            :                          * Put into interval tree now, so instantiated pages
     830                 :            :                          * are visible to arm/parisc __flush_dcache_page
     831                 :            :                          * throughout; but we cannot insert into address
     832                 :            :                          * space until vma start or end is updated.
     833                 :            :                          */
     834                 :    9395448 :                         __vma_link_file(insert);
     835                 :            :                 }
     836                 :            :         }
     837                 :            : 
     838                 :   10919304 :         anon_vma = vma->anon_vma;
     839         [ +  + ]:   10919304 :         if (!anon_vma && adjust_next)
     840                 :        850 :                 anon_vma = next->anon_vma;
     841         [ +  + ]:   10919304 :         if (anon_vma) {
     842                 :            :                 VM_WARN_ON(adjust_next && next->anon_vma &&
     843                 :            :                            anon_vma != next->anon_vma);
     844                 :            :                 anon_vma_lock_write(anon_vma);
     845                 :    4686562 :                 anon_vma_interval_tree_pre_update_vma(vma);
     846         [ +  + ]:    4686490 :                 if (adjust_next)
     847                 :      41974 :                         anon_vma_interval_tree_pre_update_vma(next);
     848                 :            :         }
     849                 :            : 
     850         [ +  + ]:   10919226 :         if (root) {
     851                 :            :                 flush_dcache_mmap_lock(mapping);
     852                 :    9396150 :                 vma_interval_tree_remove(vma, root);
     853         [ -  + ]:    9396172 :                 if (adjust_next)
     854                 :          0 :                         vma_interval_tree_remove(next, root);
     855                 :            :         }
     856                 :            : 
     857         [ +  + ]:   10919354 :         if (start != vma->vm_start) {
     858                 :    4069244 :                 vma->vm_start = start;
     859                 :            :                 start_changed = true;
     860                 :            :         }
     861         [ +  + ]:   10919354 :         if (end != vma->vm_end) {
     862                 :    6849926 :                 vma->vm_end = end;
     863                 :            :                 end_changed = true;
     864                 :            :         }
     865                 :   10919354 :         vma->vm_pgoff = pgoff;
     866         [ +  + ]:   10919354 :         if (adjust_next) {
     867                 :      41974 :                 next->vm_start += adjust_next << PAGE_SHIFT;
     868                 :      41974 :                 next->vm_pgoff += adjust_next;
     869                 :            :         }
     870                 :            : 
     871         [ +  + ]:   10919354 :         if (root) {
     872         [ -  + ]:    9396098 :                 if (adjust_next)
     873                 :          0 :                         vma_interval_tree_insert(next, root);
     874                 :    9396098 :                 vma_interval_tree_insert(vma, root);
     875                 :            :                 flush_dcache_mmap_unlock(mapping);
     876                 :            :         }
     877                 :            : 
     878         [ +  + ]:   10919170 :         if (remove_next) {
     879                 :            :                 /*
     880                 :            :                  * vma_merge has merged next into vma, and needs
     881                 :            :                  * us to remove next before dropping the locks.
     882                 :            :                  */
     883         [ +  + ]:        844 :                 if (remove_next != 3)
     884                 :        842 :                         __vma_unlink_prev(mm, next, vma);
     885                 :            :                 else
     886                 :            :                         /*
     887                 :            :                          * vma is not before next if they've been
     888                 :            :                          * swapped.
     889                 :            :                          *
     890                 :            :                          * pre-swap() next->vm_start was reduced so
     891                 :            :                          * tell validate_mm_rb to ignore pre-swap()
     892                 :            :                          * "next" (which is stored in post-swap()
     893                 :            :                          * "vma").
     894                 :            :                          */
     895                 :            :                         __vma_unlink_common(mm, next, NULL, false, vma);
     896         [ +  + ]:        834 :                 if (file)
     897                 :          2 :                         __remove_shared_vm_struct(next, file, mapping);
     898         [ +  + ]:   10918326 :         } else if (insert) {
     899                 :            :                 /*
     900                 :            :                  * split_vma has split insert from vma, and needs
     901                 :            :                  * us to insert it before dropping the locks
     902                 :            :                  * (it may either follow vma or precede it).
     903                 :            :                  */
     904                 :    9626322 :                 __insert_vm_struct(mm, insert);
     905                 :            :         } else {
     906         [ +  + ]:    1292004 :                 if (start_changed)
     907                 :            :                         vma_gap_update(vma);
     908         [ +  + ]:    1292008 :                 if (end_changed) {
     909         [ +  + ]:     560744 :                         if (!next)
     910                 :     448770 :                                 mm->highest_vm_end = vm_end_gap(vma);
     911         [ +  + ]:     111974 :                         else if (!adjust_next)
     912                 :            :                                 vma_gap_update(next);
     913                 :            :                 }
     914                 :            :         }
     915                 :            : 
     916         [ +  + ]:   10919258 :         if (anon_vma) {
     917                 :    4686548 :                 anon_vma_interval_tree_post_update_vma(vma);
     918         [ +  + ]:    4686518 :                 if (adjust_next)
     919                 :      41974 :                         anon_vma_interval_tree_post_update_vma(next);
     920                 :            :                 anon_vma_unlock_write(anon_vma);
     921                 :            :         }
     922         [ +  + ]:   10919308 :         if (mapping)
     923                 :            :                 i_mmap_unlock_write(mapping);
     924                 :            : 
     925                 :            :         if (root) {
     926                 :            :                 uprobe_mmap(vma);
     927                 :            : 
     928                 :            :                 if (adjust_next)
     929                 :            :                         uprobe_mmap(next);
     930                 :            :         }
     931                 :            : 
     932         [ +  + ]:   10919332 :         if (remove_next) {
     933         [ +  + ]:        844 :                 if (file) {
     934                 :            :                         uprobe_munmap(next, next->vm_start, next->vm_end);
     935                 :          2 :                         fput(file);
     936                 :            :                 }
     937         [ +  + ]:        844 :                 if (next->anon_vma)
     938                 :            :                         anon_vma_merge(vma, next);
     939                 :        844 :                 mm->map_count--;
     940                 :            :                 mpol_put(vma_policy(next));
     941                 :        844 :                 vm_area_free(next);
     942                 :            :                 /*
     943                 :            :                  * In mprotect's case 6 (see comments on vma_merge),
     944                 :            :                  * we must remove another next too. It would clutter
     945                 :            :                  * up the code too much to do both in one go.
     946                 :            :                  */
     947         [ +  + ]:        844 :                 if (remove_next != 3) {
     948                 :            :                         /*
     949                 :            :                          * If "next" was removed and vma->vm_end was
     950                 :            :                          * expanded (up) over it, in turn
     951                 :            :                          * "next->vm_prev->vm_end" changed and the
     952                 :            :                          * "vma->vm_next" gap must be updated.
     953                 :            :                          */
     954                 :        842 :                         next = vma->vm_next;
     955                 :            :                 } else {
     956                 :            :                         /*
     957                 :            :                          * For the scope of the comment "next" and
     958                 :            :                          * "vma" considered pre-swap(): if "vma" was
     959                 :            :                          * removed, next->vm_start was expanded (down)
     960                 :            :                          * over it and the "next" gap must be updated.
     961                 :            :                          * Because of the swap() the post-swap() "vma"
     962                 :            :                          * actually points to pre-swap() "next"
     963                 :            :                          * (post-swap() "next" as opposed is now a
     964                 :            :                          * dangling pointer).
     965                 :            :                          */
     966                 :            :                         next = vma;
     967                 :            :                 }
     968         [ +  + ]:        844 :                 if (remove_next == 2) {
     969                 :            :                         remove_next = 1;
     970                 :        404 :                         end = next->vm_end;
     971                 :        404 :                         goto again;
     972                 :            :                 }
     973         [ +  - ]:        440 :                 else if (next)
     974                 :            :                         vma_gap_update(next);
     975                 :            :                 else {
     976                 :            :                         /*
     977                 :            :                          * If remove_next == 2 we obviously can't
     978                 :            :                          * reach this path.
     979                 :            :                          *
     980                 :            :                          * If remove_next == 3 we can't reach this
     981                 :            :                          * path because pre-swap() next is always not
     982                 :            :                          * NULL. pre-swap() "next" is not being
     983                 :            :                          * removed and its next->vm_end is not altered
     984                 :            :                          * (and furthermore "end" already matches
     985                 :            :                          * next->vm_end in remove_next == 3).
     986                 :            :                          *
     987                 :            :                          * We reach this only in the remove_next == 1
     988                 :            :                          * case if the "next" vma that was removed was
     989                 :            :                          * the highest vma of the mm. However in such
     990                 :            :                          * case next->vm_end == "end" and the extended
     991                 :            :                          * "vma" has vma->vm_end == next->vm_end so
     992                 :            :                          * mm->highest_vm_end doesn't need any update
     993                 :            :                          * in remove_next == 1 case.
     994                 :            :                          */
     995                 :            :                         VM_WARN_ON(mm->highest_vm_end != vm_end_gap(vma));
     996                 :            :                 }
     997                 :            :         }
     998                 :            :         if (insert && file)
     999                 :            :                 uprobe_mmap(insert);
    1000                 :            : 
    1001                 :            :         validate_mm(mm);
    1002                 :            : 
    1003                 :            :         return 0;
    1004                 :            : }
    1005                 :            : 
    1006                 :            : /*
    1007                 :            :  * If the vma has a ->close operation then the driver probably needs to release
    1008                 :            :  * per-vma resources, so we don't attempt to merge those.
    1009                 :            :  */
    1010                 :            : static inline int is_mergeable_vma(struct vm_area_struct *vma,
    1011                 :            :                                 struct file *file, unsigned long vm_flags,
    1012                 :            :                                 struct vm_userfaultfd_ctx vm_userfaultfd_ctx)
    1013                 :            : {
    1014                 :            :         /*
    1015                 :            :          * VM_SOFTDIRTY should not prevent from VMA merging, if we
    1016                 :            :          * match the flags but dirty bit -- the caller should mark
    1017                 :            :          * merged VMA as dirty. If dirty bit won't be excluded from
    1018                 :            :          * comparison, we increase pressure on the memory system forcing
    1019                 :            :          * the kernel to generate new VMAs when old one could be
    1020                 :            :          * extended instead.
    1021                 :            :          */
    1022   [ +  +  +  + ]:   14533632 :         if ((vma->vm_flags ^ vm_flags) & ~VM_SOFTDIRTY)
    1023                 :            :                 return 0;
    1024   [ +  +  +  + ]:    3461296 :         if (vma->vm_file != file)
    1025                 :            :                 return 0;
    1026   [ -  +  #  #  :     663866 :         if (vma->vm_ops && vma->vm_ops->close)
             +  +  +  - ]
    1027                 :            :                 return 0;
    1028                 :            :         if (!is_mergeable_vm_userfaultfd_ctx(vma, vm_userfaultfd_ctx))
    1029                 :            :                 return 0;
    1030                 :            :         return 1;
    1031                 :            : }
    1032                 :            : 
    1033                 :            : static inline int is_mergeable_anon_vma(struct anon_vma *anon_vma1,
    1034                 :            :                                         struct anon_vma *anon_vma2,
    1035                 :            :                                         struct vm_area_struct *vma)
    1036                 :            : {
    1037                 :            :         /*
    1038                 :            :          * The list_is_singular() test is to avoid merging VMA cloned from
    1039                 :            :          * parents. This can improve scalability caused by anon_vma lock.
    1040                 :            :          */
    1041   [ +  +  +  +  :    1326548 :         if ((!anon_vma1 || !anon_vma2) && (!vma ||
          +  -  +  +  +  
             +  +  +  +  
                      + ]
    1042                 :     662246 :                 list_is_singular(&vma->anon_vma_chain)))
    1043                 :            :                 return 1;
    1044                 :     275042 :         return anon_vma1 == anon_vma2;
    1045                 :            : }
    1046                 :            : 
    1047                 :            : /*
    1048                 :            :  * Return true if we can merge this (vm_flags,anon_vma,file,vm_pgoff)
    1049                 :            :  * in front of (at a lower virtual address and file offset than) the vma.
    1050                 :            :  *
    1051                 :            :  * We cannot merge two vmas if they have differently assigned (non-NULL)
    1052                 :            :  * anon_vmas, nor if same anon_vma is assigned but offsets incompatible.
    1053                 :            :  *
    1054                 :            :  * We don't check here for the merged mmap wrapping around the end of pagecache
    1055                 :            :  * indices (16TB on ia32) because do_mmap_pgoff() does not permit mmap's which
    1056                 :            :  * wrap, nor mmaps which cover the final page at index -1UL.
    1057                 :            :  */
    1058                 :            : static int
    1059                 :    8119568 : can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
    1060                 :            :                      struct anon_vma *anon_vma, struct file *file,
    1061                 :            :                      pgoff_t vm_pgoff,
    1062                 :            :                      struct vm_userfaultfd_ctx vm_userfaultfd_ctx)
    1063                 :            : {
    1064   [ +  +  +  + ]:    8667846 :         if (is_mergeable_vma(vma, file, vm_flags, vm_userfaultfd_ctx) &&
    1065                 :     548278 :             is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
    1066         [ +  + ]:     519816 :                 if (vma->vm_pgoff == vm_pgoff)
    1067                 :            :                         return 1;
    1068                 :            :         }
    1069                 :            :         return 0;
    1070                 :            : }
    1071                 :            : 
    1072                 :            : /*
    1073                 :            :  * Return true if we can merge this (vm_flags,anon_vma,file,vm_pgoff)
    1074                 :            :  * beyond (at a higher virtual address and file offset than) the vma.
    1075                 :            :  *
    1076                 :            :  * We cannot merge two vmas if they have differently assigned (non-NULL)
    1077                 :            :  * anon_vmas, nor if same anon_vma is assigned but offsets incompatible.
    1078                 :            :  */
    1079                 :            : static int
    1080                 :    6414064 : can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
    1081                 :            :                     struct anon_vma *anon_vma, struct file *file,
    1082                 :            :                     pgoff_t vm_pgoff,
    1083                 :            :                     struct vm_userfaultfd_ctx vm_userfaultfd_ctx)
    1084                 :            : {
    1085   [ +  +  +  + ]:    6529650 :         if (is_mergeable_vma(vma, file, vm_flags, vm_userfaultfd_ctx) &&
    1086                 :     115586 :             is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
    1087                 :            :                 pgoff_t vm_pglen;
    1088                 :            :                 vm_pglen = vma_pages(vma);
    1089         [ -  + ]:     111562 :                 if (vma->vm_pgoff + vm_pglen == vm_pgoff)
    1090                 :            :                         return 1;
    1091                 :            :         }
    1092                 :            :         return 0;
    1093                 :            : }
    1094                 :            : 
    1095                 :            : /*
    1096                 :            :  * Given a mapping request (addr,end,vm_flags,file,pgoff), figure out
    1097                 :            :  * whether that can be merged with its predecessor or its successor.
    1098                 :            :  * Or both (it neatly fills a hole).
    1099                 :            :  *
    1100                 :            :  * In most cases - when called for mmap, brk or mremap - [addr,end) is
    1101                 :            :  * certain not to be mapped by the time vma_merge is called; but when
    1102                 :            :  * called for mprotect, it is certain to be already mapped (either at
    1103                 :            :  * an offset within prev, or at the start of next), and the flags of
    1104                 :            :  * this area are about to be changed to vm_flags - and the no-change
    1105                 :            :  * case has already been eliminated.
    1106                 :            :  *
    1107                 :            :  * The following mprotect cases have to be considered, where AAAA is
    1108                 :            :  * the area passed down from mprotect_fixup, never extending beyond one
    1109                 :            :  * vma, PPPPPP is the prev vma specified, and NNNNNN the next vma after:
    1110                 :            :  *
    1111                 :            :  *     AAAA             AAAA                AAAA          AAAA
    1112                 :            :  *    PPPPPPNNNNNN    PPPPPPNNNNNN    PPPPPPNNNNNN    PPPPNNNNXXXX
    1113                 :            :  *    cannot merge    might become    might become    might become
    1114                 :            :  *                    PPNNNNNNNNNN    PPPPPPPPPPNN    PPPPPPPPPPPP 6 or
    1115                 :            :  *    mmap, brk or    case 4 below    case 5 below    PPPPPPPPXXXX 7 or
    1116                 :            :  *    mremap move:                                    PPPPXXXXXXXX 8
    1117                 :            :  *        AAAA
    1118                 :            :  *    PPPP    NNNN    PPPPPPPPPPPP    PPPPPPPPNNNN    PPPPNNNNNNNN
    1119                 :            :  *    might become    case 1 below    case 2 below    case 3 below
    1120                 :            :  *
    1121                 :            :  * It is important for case 8 that the vma NNNN overlapping the
    1122                 :            :  * region AAAA is never going to extended over XXXX. Instead XXXX must
    1123                 :            :  * be extended in region AAAA and NNNN must be removed. This way in
    1124                 :            :  * all cases where vma_merge succeeds, the moment vma_adjust drops the
    1125                 :            :  * rmap_locks, the properties of the merged vma will be already
    1126                 :            :  * correct for the whole merged range. Some of those properties like
    1127                 :            :  * vm_page_prot/vm_flags may be accessed by rmap_walks and they must
    1128                 :            :  * be correct for the whole merged range immediately after the
    1129                 :            :  * rmap_locks are released. Otherwise if XXXX would be removed and
    1130                 :            :  * NNNN would be extended over the XXXX range, remove_migration_ptes
    1131                 :            :  * or other rmap walkers (if working on addresses beyond the "end"
    1132                 :            :  * parameter) may establish ptes with the wrong permissions of NNNN
    1133                 :            :  * instead of the right permissions of XXXX.
    1134                 :            :  */
    1135                 :   16363850 : struct vm_area_struct *vma_merge(struct mm_struct *mm,
    1136                 :            :                         struct vm_area_struct *prev, unsigned long addr,
    1137                 :            :                         unsigned long end, unsigned long vm_flags,
    1138                 :            :                         struct anon_vma *anon_vma, struct file *file,
    1139                 :            :                         pgoff_t pgoff, struct mempolicy *policy,
    1140                 :            :                         struct vm_userfaultfd_ctx vm_userfaultfd_ctx)
    1141                 :            : {
    1142                 :   16363850 :         pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
    1143                 :            :         struct vm_area_struct *area, *next;
    1144                 :            :         int err;
    1145                 :            : 
    1146                 :            :         /*
    1147                 :            :          * We later require that vma->vm_flags == vm_flags,
    1148                 :            :          * so this tests vma->vm_flags & VM_SPECIAL, too.
    1149                 :            :          */
    1150         [ +  + ]:   16363850 :         if (vm_flags & VM_SPECIAL)
    1151                 :            :                 return NULL;
    1152                 :            : 
    1153         [ +  + ]:   16363628 :         if (prev)
    1154                 :   15914666 :                 next = prev->vm_next;
    1155                 :            :         else
    1156                 :     448962 :                 next = mm->mmap;
    1157                 :            :         area = next;
    1158   [ +  +  +  + ]:   16363628 :         if (area && area->vm_end == end)             /* cases 6, 7, 8 */
    1159                 :       2428 :                 next = next->vm_next;
    1160                 :            : 
    1161                 :            :         /* verify some invariant that must be enforced by the caller */
    1162                 :            :         VM_WARN_ON(prev && addr <= prev->vm_start);
    1163                 :            :         VM_WARN_ON(area && end > area->vm_end);
    1164                 :            :         VM_WARN_ON(addr >= end);
    1165                 :            : 
    1166                 :            :         /*
    1167                 :            :          * Can it merge with the predecessor?
    1168                 :            :          */
    1169   [ +  +  +  + ]:   16363628 :         if (prev && prev->vm_end == addr &&
    1170         [ +  + ]:    6414102 :                         mpol_equal(vma_policy(prev), policy) &&
    1171                 :    6414076 :                         can_vma_merge_after(prev, vm_flags,
    1172                 :            :                                             anon_vma, file, pgoff,
    1173                 :            :                                             vm_userfaultfd_ctx)) {
    1174                 :            :                 /*
    1175                 :            :                  * OK, it can.  Can we now merge in the successor as well?
    1176                 :            :                  */
    1177   [ +  -  +  + ]:     111562 :                 if (next && end == next->vm_start &&
    1178         [ +  + ]:       1256 :                                 mpol_equal(policy, vma_policy(next)) &&
    1179                 :       1256 :                                 can_vma_merge_before(next, vm_flags,
    1180                 :            :                                                      anon_vma, file,
    1181                 :            :                                                      pgoff+pglen,
    1182         [ +  - ]:        438 :                                                      vm_userfaultfd_ctx) &&
    1183                 :        438 :                                 is_mergeable_anon_vma(prev->anon_vma,
    1184                 :            :                                                       next->anon_vma, NULL)) {
    1185                 :            :                                                         /* cases 1, 6 */
    1186                 :        438 :                         err = __vma_adjust(prev, prev->vm_start,
    1187                 :            :                                          next->vm_end, prev->vm_pgoff, NULL,
    1188                 :            :                                          prev);
    1189                 :            :                 } else                                  /* cases 2, 5, 7 */
    1190                 :     111124 :                         err = __vma_adjust(prev, prev->vm_start,
    1191                 :            :                                          end, prev->vm_pgoff, NULL, prev);
    1192         [ +  - ]:     111562 :                 if (err)
    1193                 :            :                         return NULL;
    1194                 :            :                 khugepaged_enter_vma_merge(prev, vm_flags);
    1195                 :     111562 :                 return prev;
    1196                 :            :         }
    1197                 :            : 
    1198                 :            :         /*
    1199                 :            :          * Can this new request be merged in front of next?
    1200                 :            :          */
    1201   [ +  +  +  + ]:   16252092 :         if (next && end == next->vm_start &&
    1202         [ +  + ]:    8118256 :                         mpol_equal(policy, vma_policy(next)) &&
    1203                 :    8118182 :                         can_vma_merge_before(next, vm_flags,
    1204                 :            :                                              anon_vma, file, pgoff+pglen,
    1205                 :            :                                              vm_userfaultfd_ctx)) {
    1206   [ +  +  +  + ]:     283350 :                 if (prev && addr < prev->vm_end)  /* case 4 */
    1207                 :        850 :                         err = __vma_adjust(prev, prev->vm_start,
    1208                 :            :                                          addr, prev->vm_pgoff, NULL, next);
    1209                 :            :                 else {                                  /* cases 3, 8 */
    1210                 :     565000 :                         err = __vma_adjust(area, addr, next->vm_end,
    1211                 :     282500 :                                          next->vm_pgoff - pglen, NULL, next);
    1212                 :            :                         /*
    1213                 :            :                          * In case 3 area is already equal to next and
    1214                 :            :                          * this is a noop, but in case 8 "area" has
    1215                 :            :                          * been removed and next was expanded over it.
    1216                 :            :                          */
    1217                 :            :                         area = next;
    1218                 :            :                 }
    1219         [ +  - ]:     283346 :                 if (err)
    1220                 :            :                         return NULL;
    1221                 :            :                 khugepaged_enter_vma_merge(area, vm_flags);
    1222                 :     283346 :                 return area;
    1223                 :            :         }
    1224                 :            : 
    1225                 :            :         return NULL;
    1226                 :            : }
    1227                 :            : 
    1228                 :            : /*
    1229                 :            :  * Rough compatbility check to quickly see if it's even worth looking
    1230                 :            :  * at sharing an anon_vma.
    1231                 :            :  *
    1232                 :            :  * They need to have the same vm_file, and the flags can only differ
    1233                 :            :  * in things that mprotect may change.
    1234                 :            :  *
    1235                 :            :  * NOTE! The fact that we share an anon_vma doesn't _have_ to mean that
    1236                 :            :  * we can merge the two vma's. For example, we refuse to merge a vma if
    1237                 :            :  * there is a vm_ops->close() function, because that indicates that the
    1238                 :            :  * driver is doing some kind of reference counting. But that doesn't
    1239                 :            :  * really matter for the anon_vma sharing case.
    1240                 :            :  */
    1241                 :   11361038 : static int anon_vma_compatible(struct vm_area_struct *a, struct vm_area_struct *b)
    1242                 :            : {
    1243                 :   22722076 :         return a->vm_end == b->vm_start &&
    1244         [ +  + ]:    7272372 :                 mpol_equal(vma_policy(a), vma_policy(b)) &&
    1245         [ +  + ]:   10639778 :                 a->vm_file == b->vm_file &&
    1246   [ +  +  +  + ]:   14791144 :                 !((a->vm_flags ^ b->vm_flags) & ~(VM_READ|VM_WRITE|VM_EXEC|VM_SOFTDIRTY)) &&
    1247                 :      62700 :                 b->vm_pgoff == a->vm_pgoff + ((b->vm_start - a->vm_start) >> PAGE_SHIFT);
    1248                 :            : }
    1249                 :            : 
    1250                 :            : /*
    1251                 :            :  * Do some basic sanity checking to see if we can re-use the anon_vma
    1252                 :            :  * from 'old'. The 'a'/'b' vma's are in VM order - one of them will be
    1253                 :            :  * the same as 'old', the other will be the new one that is trying
    1254                 :            :  * to share the anon_vma.
    1255                 :            :  *
    1256                 :            :  * NOTE! This runs with mm_sem held for reading, so it is possible that
    1257                 :            :  * the anon_vma of 'old' is concurrently in the process of being set up
    1258                 :            :  * by another page fault trying to merge _that_. But that's ok: if it
    1259                 :            :  * is being set up, that automatically means that it will be a singleton
    1260                 :            :  * acceptable for merging, so we can do all of this optimistically. But
    1261                 :            :  * we do that READ_ONCE() to make sure that we never re-load the pointer.
    1262                 :            :  *
    1263                 :            :  * IOW: that the "list_is_singular()" test on the anon_vma_chain only
    1264                 :            :  * matters for the 'stable anon_vma' case (ie the thing we want to avoid
    1265                 :            :  * is to return an anon_vma that is "complex" due to having gone through
    1266                 :            :  * a fork).
    1267                 :            :  *
    1268                 :            :  * We also make sure that the two vma's are compatible (adjacent,
    1269                 :            :  * and with the same memory policies). That's all stable, even with just
    1270                 :            :  * a read lock on the mm_sem.
    1271                 :            :  */
    1272                 :   11361042 : static struct anon_vma *reusable_anon_vma(struct vm_area_struct *old, struct vm_area_struct *a, struct vm_area_struct *b)
    1273                 :            : {
    1274         [ +  + ]:   11361042 :         if (anon_vma_compatible(a, b)) {
    1275                 :      61658 :                 struct anon_vma *anon_vma = READ_ONCE(old->anon_vma);
    1276                 :            : 
    1277   [ +  +  +  + ]:      93110 :                 if (anon_vma && list_is_singular(&old->anon_vma_chain))
    1278                 :          2 :                         return anon_vma;
    1279                 :            :         }
    1280                 :            :         return NULL;
    1281                 :            : }
    1282                 :            : 
    1283                 :            : /*
    1284                 :            :  * find_mergeable_anon_vma is used by anon_vma_prepare, to check
    1285                 :            :  * neighbouring vmas for a suitable anon_vma, before it goes off
    1286                 :            :  * to allocate a new anon_vma.  It checks because a repetitive
    1287                 :            :  * sequence of mprotects and faults may otherwise lead to distinct
    1288                 :            :  * anon_vmas being allocated, preventing vma merge in subsequent
    1289                 :            :  * mprotect.
    1290                 :            :  */
    1291                 :    6129528 : struct anon_vma *find_mergeable_anon_vma(struct vm_area_struct *vma)
    1292                 :            : {
    1293                 :            :         struct anon_vma *anon_vma;
    1294                 :            :         struct vm_area_struct *near;
    1295                 :            : 
    1296                 :    6129528 :         near = vma->vm_next;
    1297         [ +  + ]:    6129528 :         if (!near)
    1298                 :            :                 goto try_prev;
    1299                 :            : 
    1300                 :    5680528 :         anon_vma = reusable_anon_vma(near, vma, near);
    1301         [ +  + ]:    5680602 :         if (anon_vma)
    1302                 :            :                 return anon_vma;
    1303                 :            : try_prev:
    1304                 :    6129436 :         near = vma->vm_prev;
    1305         [ +  + ]:    6129436 :         if (!near)
    1306                 :            :                 goto none;
    1307                 :            : 
    1308                 :    5680488 :         anon_vma = reusable_anon_vma(near, near, vma);
    1309         [ -  + ]:    5680484 :         if (anon_vma)
    1310                 :          0 :                 return anon_vma;
    1311                 :            : none:
    1312                 :            :         /*
    1313                 :            :          * There's no absolute need to look only at touching neighbours:
    1314                 :            :          * we could search further afield for "compatible" anon_vmas.
    1315                 :            :          * But it would probably just be a waste of time searching,
    1316                 :            :          * or lead to too many vmas hanging off the same anon_vma.
    1317                 :            :          * We're trying to allow mprotect remerging later on,
    1318                 :            :          * not trying to minimize memory used for anon_vmas.
    1319                 :            :          */
    1320                 :            :         return NULL;
    1321                 :            : }
    1322                 :            : 
    1323                 :            : /*
    1324                 :            :  * If a hint addr is less than mmap_min_addr change hint to be as
    1325                 :            :  * low as possible but still greater than mmap_min_addr
    1326                 :            :  */
    1327                 :            : static inline unsigned long round_hint_to_min(unsigned long hint)
    1328                 :            : {
    1329                 :    5292062 :         hint &= PAGE_MASK;
    1330   [ +  +  -  + ]:    5292982 :         if (((void *)hint != NULL) &&
    1331                 :        920 :             (hint < mmap_min_addr))
    1332                 :          0 :                 return PAGE_ALIGN(mmap_min_addr);
    1333                 :            :         return hint;
    1334                 :            : }
    1335                 :            : 
    1336                 :   10575370 : static inline int mlock_future_check(struct mm_struct *mm,
    1337                 :            :                                      unsigned long flags,
    1338                 :            :                                      unsigned long len)
    1339                 :            : {
    1340                 :            :         unsigned long locked, lock_limit;
    1341                 :            : 
    1342                 :            :         /*  mlock MCL_FUTURE? */
    1343         [ -  + ]:   10575370 :         if (flags & VM_LOCKED) {
    1344                 :          0 :                 locked = len >> PAGE_SHIFT;
    1345                 :          0 :                 locked += mm->locked_vm;
    1346                 :            :                 lock_limit = rlimit(RLIMIT_MEMLOCK);
    1347                 :          0 :                 lock_limit >>= PAGE_SHIFT;
    1348   [ #  #  #  # ]:          0 :                 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
    1349                 :            :                         return -EAGAIN;
    1350                 :            :         }
    1351                 :            :         return 0;
    1352                 :            : }
    1353                 :            : 
    1354                 :            : static inline u64 file_mmap_size_max(struct file *file, struct inode *inode)
    1355                 :            : {
    1356         [ +  + ]:    8082334 :         if (S_ISREG(inode->i_mode))
    1357                 :            :                 return MAX_LFS_FILESIZE;
    1358                 :            : 
    1359         [ +  - ]:        404 :         if (S_ISBLK(inode->i_mode))
    1360                 :            :                 return MAX_LFS_FILESIZE;
    1361                 :            : 
    1362         [ +  - ]:        404 :         if (S_ISSOCK(inode->i_mode))
    1363                 :            :                 return MAX_LFS_FILESIZE;
    1364                 :            : 
    1365                 :            :         /* Special "we do even unsigned file positions" case */
    1366         [ +  - ]:        404 :         if (file->f_mode & FMODE_UNSIGNED_OFFSET)
    1367                 :            :                 return 0;
    1368                 :            : 
    1369                 :            :         /* Yes, random drivers might want more. But I'm tired of buggy drivers */
    1370                 :            :         return ULONG_MAX;
    1371                 :            : }
    1372                 :            : 
    1373                 :    8082334 : static inline bool file_mmap_ok(struct file *file, struct inode *inode,
    1374                 :            :                                 unsigned long pgoff, unsigned long len)
    1375                 :            : {
    1376                 :            :         u64 maxsize = file_mmap_size_max(file, inode);
    1377                 :            : 
    1378   [ +  +  +  + ]:    8082334 :         if (maxsize && len > maxsize)
    1379                 :            :                 return false;
    1380                 :    8082580 :         maxsize -= len;
    1381         [ +  - ]:    8082580 :         if (pgoff > maxsize >> PAGE_SHIFT)
    1382                 :            :                 return false;
    1383                 :    8082580 :         return true;
    1384                 :            : }
    1385                 :            : 
    1386                 :            : /*
    1387                 :            :  * The caller must hold down_write(&current->mm->mmap_sem).
    1388                 :            :  */
    1389                 :    9884904 : unsigned long do_mmap(struct file *file, unsigned long addr,
    1390                 :            :                         unsigned long len, unsigned long prot,
    1391                 :            :                         unsigned long flags, vm_flags_t vm_flags,
    1392                 :            :                         unsigned long pgoff, unsigned long *populate,
    1393                 :            :                         struct list_head *uf)
    1394                 :            : {
    1395                 :    9884904 :         struct mm_struct *mm = current->mm;
    1396                 :            :         int pkey = 0;
    1397                 :            : 
    1398                 :    9884904 :         *populate = 0;
    1399                 :            : 
    1400         [ +  + ]:    9884904 :         if (!len)
    1401                 :            :                 return -EINVAL;
    1402                 :            : 
    1403                 :            :         /*
    1404                 :            :          * Does the application expect PROT_READ to imply PROT_EXEC?
    1405                 :            :          *
    1406                 :            :          * (the exception is when the underlying filesystem is noexec
    1407                 :            :          *  mounted, in which case we dont add PROT_EXEC.)
    1408                 :            :          */
    1409   [ +  +  -  + ]:   19709046 :         if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
    1410   [ #  #  #  # ]:          0 :                 if (!(file && path_noexec(&file->f_path)))
    1411                 :          0 :                         prot |= PROT_EXEC;
    1412                 :            : 
    1413                 :            :         /* force arch specific MAP_FIXED handling in get_unmapped_area */
    1414         [ +  + ]:    9884840 :         if (flags & MAP_FIXED_NOREPLACE)
    1415                 :     448964 :                 flags |= MAP_FIXED;
    1416                 :            : 
    1417         [ +  + ]:    9884840 :         if (!(flags & MAP_FIXED))
    1418                 :            :                 addr = round_hint_to_min(addr);
    1419                 :            : 
    1420                 :            :         /* Careful about overflows.. */
    1421                 :    9884840 :         len = PAGE_ALIGN(len);
    1422         [ +  + ]:    9884840 :         if (!len)
    1423                 :            :                 return -ENOMEM;
    1424                 :            : 
    1425                 :            :         /* offset overflow? */
    1426         [ +  + ]:    9884704 :         if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)
    1427                 :            :                 return -EOVERFLOW;
    1428                 :            : 
    1429                 :            :         /* Too many mappings? */
    1430         [ +  + ]:    9884438 :         if (mm->map_count > sysctl_max_map_count)
    1431                 :            :                 return -ENOMEM;
    1432                 :            : 
    1433                 :            :         /* Obtain the address to map to. we verify (or select) it and ensure
    1434                 :            :          * that it represents a valid section of the address space.
    1435                 :            :          */
    1436                 :    9884862 :         addr = get_unmapped_area(file, addr, len, pgoff, flags);
    1437         [ +  + ]:    9884944 :         if (offset_in_page(addr))
    1438                 :            :                 return addr;
    1439                 :            : 
    1440         [ +  + ]:    9884874 :         if (flags & MAP_FIXED_NOREPLACE) {
    1441                 :     448962 :                 struct vm_area_struct *vma = find_vma(mm, addr);
    1442                 :            : 
    1443   [ +  -  +  + ]:     448964 :                 if (vma && vma->vm_start < addr + len)
    1444                 :            :                         return -EEXIST;
    1445                 :            :         }
    1446                 :            : 
    1447                 :            :         if (prot == PROT_EXEC) {
    1448                 :            :                 pkey = execute_only_pkey(mm);
    1449                 :            :                 if (pkey < 0)
    1450                 :            :                         pkey = 0;
    1451                 :            :         }
    1452                 :            : 
    1453                 :            :         /* Do simple checking here so the lower-level routines won't have
    1454                 :            :          * to. we assume access permissions have been handled by the open
    1455                 :            :          * of the memory object, so we don't do any here.
    1456                 :            :          */
    1457                 :   29653776 :         vm_flags |= calc_vm_prot_bits(prot, pkey) | calc_vm_flag_bits(flags) |
    1458                 :   19769184 :                         mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
    1459                 :            : 
    1460         [ -  + ]:    9884592 :         if (flags & MAP_LOCKED)
    1461         [ #  # ]:          0 :                 if (!can_do_mlock())
    1462                 :            :                         return -EPERM;
    1463                 :            : 
    1464         [ +  + ]:    9884592 :         if (mlock_future_check(mm, vm_flags, len))
    1465                 :            :                 return -EAGAIN;
    1466                 :            : 
    1467         [ +  + ]:    9884440 :         if (file) {
    1468                 :            :                 struct inode *inode = file_inode(file);
    1469                 :            :                 unsigned long flags_mask;
    1470                 :            : 
    1471         [ +  + ]:    8082334 :                 if (!file_mmap_ok(file, inode, pgoff, len))
    1472                 :            :                         return -EOVERFLOW;
    1473                 :            : 
    1474                 :    8082408 :                 flags_mask = LEGACY_MAP_MASK | file->f_op->mmap_supported_flags;
    1475                 :            : 
    1476   [ +  +  +  + ]:    8082408 :                 switch (flags & MAP_TYPE) {
    1477                 :            :                 case MAP_SHARED:
    1478                 :            :                         /*
    1479                 :            :                          * Force use of MAP_SHARED_VALIDATE with non-legacy
    1480                 :            :                          * flags. E.g. MAP_SYNC is dangerous to use with
    1481                 :            :                          * MAP_SHARED as you don't know which consistency model
    1482                 :            :                          * you will get. We silently ignore unsupported flags
    1483                 :            :                          * with MAP_SHARED to preserve backward compatibility.
    1484                 :            :                          */
    1485                 :      49146 :                         flags &= LEGACY_MAP_MASK;
    1486                 :            :                         /* fall through */
    1487                 :            :                 case MAP_SHARED_VALIDATE:
    1488         [ +  - ]:      49160 :                         if (flags & ~flags_mask)
    1489                 :            :                                 return -EOPNOTSUPP;
    1490         [ +  + ]:      49160 :                         if (prot & PROT_WRITE) {
    1491         [ +  - ]:       6708 :                                 if (!(file->f_mode & FMODE_WRITE))
    1492                 :            :                                         return -EACCES;
    1493         [ +  + ]:       6708 :                                 if (IS_SWAPFILE(file->f_mapping->host))
    1494                 :            :                                         return -ETXTBSY;
    1495                 :            :                         }
    1496                 :            : 
    1497                 :            :                         /*
    1498                 :            :                          * Make sure we don't allow writing to an append-only
    1499                 :            :                          * file..
    1500                 :            :                          */
    1501   [ -  +  #  # ]:      49162 :                         if (IS_APPEND(inode) && (file->f_mode & FMODE_WRITE))
    1502                 :            :                                 return -EACCES;
    1503                 :            : 
    1504                 :            :                         /*
    1505                 :            :                          * Make sure there are no mandatory locks on the file.
    1506                 :            :                          */
    1507         [ +  + ]:      49162 :                         if (locks_verify_locked(file))
    1508                 :            :                                 return -EAGAIN;
    1509                 :            : 
    1510                 :      49158 :                         vm_flags |= VM_SHARED | VM_MAYSHARE;
    1511         [ +  + ]:      49158 :                         if (!(file->f_mode & FMODE_WRITE))
    1512                 :      42446 :                                 vm_flags &= ~(VM_MAYWRITE | VM_SHARED);
    1513                 :            : 
    1514                 :            :                         /* fall through */
    1515                 :            :                 case MAP_PRIVATE:
    1516         [ +  - ]:    8082504 :                         if (!(file->f_mode & FMODE_READ))
    1517                 :            :                                 return -EACCES;
    1518         [ -  + ]:    8082504 :                         if (path_noexec(&file->f_path)) {
    1519         [ #  # ]:          0 :                                 if (vm_flags & VM_EXEC)
    1520                 :            :                                         return -EPERM;
    1521                 :          0 :                                 vm_flags &= ~VM_MAYEXEC;
    1522                 :            :                         }
    1523                 :            : 
    1524         [ +  + ]:    8082774 :                         if (!file->f_op->mmap)
    1525                 :            :                                 return -ENODEV;
    1526         [ +  + ]:    8082644 :                         if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP))
    1527                 :            :                                 return -EINVAL;
    1528                 :            :                         break;
    1529                 :            : 
    1530                 :            :                 default:
    1531                 :            :                         return -EINVAL;
    1532                 :            :                 }
    1533                 :            :         } else {
    1534      [ -  +  + ]:    1802106 :                 switch (flags & MAP_TYPE) {
    1535                 :            :                 case MAP_SHARED:
    1536         [ #  # ]:          0 :                         if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP))
    1537                 :            :                                 return -EINVAL;
    1538                 :            :                         /*
    1539                 :            :                          * Ignore pgoff.
    1540                 :            :                          */
    1541                 :            :                         pgoff = 0;
    1542                 :          0 :                         vm_flags |= VM_SHARED | VM_MAYSHARE;
    1543                 :          0 :                         break;
    1544                 :            :                 case MAP_PRIVATE:
    1545                 :            :                         /*
    1546                 :            :                          * Set pgoff according to addr for anon_vma.
    1547                 :            :                          */
    1548                 :    1802100 :                         pgoff = addr >> PAGE_SHIFT;
    1549                 :    1802100 :                         break;
    1550                 :            :                 default:
    1551                 :            :                         return -EINVAL;
    1552                 :            :                 }
    1553                 :            :         }
    1554                 :            : 
    1555                 :            :         /*
    1556                 :            :          * Set 'VM_NORESERVE' if we should not account for the
    1557                 :            :          * memory use of this mapping.
    1558                 :            :          */
    1559         [ +  + ]:    9884796 :         if (flags & MAP_NORESERVE) {
    1560                 :            :                 /* We honor MAP_NORESERVE if allowed to overcommit */
    1561         [ +  - ]:      29252 :                 if (sysctl_overcommit_memory != OVERCOMMIT_NEVER)
    1562                 :      29252 :                         vm_flags |= VM_NORESERVE;
    1563                 :            : 
    1564                 :            :                 /* hugetlb applies strict overcommit unless MAP_NORESERVE */
    1565                 :            :                 if (file && is_file_hugepages(file))
    1566                 :            :                         vm_flags |= VM_NORESERVE;
    1567                 :            :         }
    1568                 :            : 
    1569                 :    9884796 :         addr = mmap_region(file, addr, len, vm_flags, pgoff, uf);
    1570   [ +  +  +  + ]:   19769870 :         if (!IS_ERR_VALUE(addr) &&
    1571         [ +  + ]:   19769750 :             ((vm_flags & VM_LOCKED) ||
    1572                 :    9884810 :              (flags & (MAP_POPULATE | MAP_NONBLOCK)) == MAP_POPULATE))
    1573                 :          0 :                 *populate = len;
    1574                 :    9884930 :         return addr;
    1575                 :            : }
    1576                 :            : 
    1577                 :    8084140 : unsigned long ksys_mmap_pgoff(unsigned long addr, unsigned long len,
    1578                 :            :                               unsigned long prot, unsigned long flags,
    1579                 :            :                               unsigned long fd, unsigned long pgoff)
    1580                 :            : {
    1581                 :            :         struct file *file = NULL;
    1582                 :            :         unsigned long retval;
    1583                 :            : 
    1584         [ +  + ]:    8084140 :         if (!(flags & MAP_ANONYMOUS)) {
    1585                 :    6282036 :                 audit_mmap_fd(fd, flags);
    1586                 :    6282034 :                 file = fget(fd);
    1587         [ +  + ]:    6282096 :                 if (!file)
    1588                 :            :                         return -EBADF;
    1589                 :            :                 if (is_file_hugepages(file))
    1590                 :            :                         len = ALIGN(len, huge_page_size(hstate_file(file)));
    1591                 :            :                 retval = -EINVAL;
    1592         [ +  + ]:    6282122 :                 if (unlikely(flags & MAP_HUGETLB && !is_file_hugepages(file)))
    1593                 :            :                         goto out_fput;
    1594         [ +  - ]:    1802104 :         } else if (flags & MAP_HUGETLB) {
    1595                 :            :                 struct user_struct *user = NULL;
    1596                 :            :                 struct hstate *hs;
    1597                 :            : 
    1598                 :            :                 hs = hstate_sizelog((flags >> MAP_HUGE_SHIFT) & MAP_HUGE_MASK);
    1599                 :            :                 if (!hs)
    1600                 :            :                         return -EINVAL;
    1601                 :            : 
    1602                 :            :                 len = ALIGN(len, huge_page_size(hs));
    1603                 :            :                 /*
    1604                 :            :                  * VM_NORESERVE is used because the reservations will be
    1605                 :            :                  * taken when vm_ops->mmap() is called
    1606                 :            :                  * A dummy user value is used because we are not locking
    1607                 :            :                  * memory so no accounting is necessary
    1608                 :            :                  */
    1609                 :            :                 file = hugetlb_file_setup(HUGETLB_ANON_FILE, len,
    1610                 :            :                                 VM_NORESERVE,
    1611                 :            :                                 &user, HUGETLB_ANONHUGE_INODE,
    1612                 :            :                                 (flags >> MAP_HUGE_SHIFT) & MAP_HUGE_MASK);
    1613                 :            :                 if (IS_ERR(file))
    1614                 :            :                         return PTR_ERR(file);
    1615                 :            :         }
    1616                 :            : 
    1617                 :    8084094 :         flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);
    1618                 :            : 
    1619                 :    8084094 :         retval = vm_mmap_pgoff(file, addr, len, prot, flags, pgoff);
    1620                 :            : out_fput:
    1621         [ +  + ]:    8084292 :         if (file)
    1622                 :    6282074 :                 fput(file);
    1623                 :    8084092 :         return retval;
    1624                 :            : }
    1625                 :            : 
    1626                 :   16168404 : SYSCALL_DEFINE6(mmap_pgoff, unsigned long, addr, unsigned long, len,
    1627                 :            :                 unsigned long, prot, unsigned long, flags,
    1628                 :            :                 unsigned long, fd, unsigned long, pgoff)
    1629                 :            : {
    1630                 :    8084248 :         return ksys_mmap_pgoff(addr, len, prot, flags, fd, pgoff);
    1631                 :            : }
    1632                 :            : 
    1633                 :            : #ifdef __ARCH_WANT_SYS_OLD_MMAP
    1634                 :            : struct mmap_arg_struct {
    1635                 :            :         unsigned long addr;
    1636                 :            :         unsigned long len;
    1637                 :            :         unsigned long prot;
    1638                 :            :         unsigned long flags;
    1639                 :            :         unsigned long fd;
    1640                 :            :         unsigned long offset;
    1641                 :            : };
    1642                 :            : 
    1643                 :          0 : SYSCALL_DEFINE1(old_mmap, struct mmap_arg_struct __user *, arg)
    1644                 :            : {
    1645                 :            :         struct mmap_arg_struct a;
    1646                 :            : 
    1647         [ #  # ]:          0 :         if (copy_from_user(&a, arg, sizeof(a)))
    1648                 :            :                 return -EFAULT;
    1649         [ #  # ]:          0 :         if (offset_in_page(a.offset))
    1650                 :            :                 return -EINVAL;
    1651                 :            : 
    1652                 :          0 :         return ksys_mmap_pgoff(a.addr, a.len, a.prot, a.flags, a.fd,
    1653                 :            :                                a.offset >> PAGE_SHIFT);
    1654                 :            : }
    1655                 :            : #endif /* __ARCH_WANT_SYS_OLD_MMAP */
    1656                 :            : 
    1657                 :            : /*
    1658                 :            :  * Some shared mappings will want the pages marked read-only
    1659                 :            :  * to track write events. If so, we'll downgrade vm_page_prot
    1660                 :            :  * to the private version (using protection_map[] without the
    1661                 :            :  * VM_SHARED bit).
    1662                 :            :  */
    1663                 :   21455952 : int vma_wants_writenotify(struct vm_area_struct *vma, pgprot_t vm_page_prot)
    1664                 :            : {
    1665                 :   21455952 :         vm_flags_t vm_flags = vma->vm_flags;
    1666                 :   21455952 :         const struct vm_operations_struct *vm_ops = vma->vm_ops;
    1667                 :            : 
    1668                 :            :         /* If it was private or non-writable, the write bit is already clear */
    1669         [ +  + ]:   21455952 :         if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
    1670                 :            :                 return 0;
    1671                 :            : 
    1672                 :            :         /* The backer wishes to know when pages are first written to? */
    1673   [ +  -  +  +  :       6708 :         if (vm_ops && (vm_ops->page_mkwrite || vm_ops->pfn_mkwrite))
                   +  - ]
    1674                 :            :                 return 1;
    1675                 :            : 
    1676                 :            :         /* The open routine did something to the protections that pgprot_modify
    1677                 :            :          * won't preserve? */
    1678         [ +  - ]:       6706 :         if (pgprot_val(vm_page_prot) !=
    1679                 :       6706 :             pgprot_val(vm_pgprot_modify(vm_page_prot, vm_flags)))
    1680                 :            :                 return 0;
    1681                 :            : 
    1682                 :            :         /* Do we need to track softdirty? */
    1683                 :            :         if (IS_ENABLED(CONFIG_MEM_SOFT_DIRTY) && !(vm_flags & VM_SOFTDIRTY))
    1684                 :            :                 return 1;
    1685                 :            : 
    1686                 :            :         /* Specialty mapping? */
    1687         [ +  + ]:       6706 :         if (vm_flags & VM_PFNMAP)
    1688                 :            :                 return 0;
    1689                 :            : 
    1690                 :            :         /* Can the mapping track the dirty pages? */
    1691   [ +  -  +  -  :      12604 :         return vma->vm_file && vma->vm_file->f_mapping &&
                   +  - ]
    1692                 :            :                 mapping_cap_account_dirty(vma->vm_file->f_mapping);
    1693                 :            : }
    1694                 :            : 
    1695                 :            : /*
    1696                 :            :  * We account for memory if it's a private writeable mapping,
    1697                 :            :  * not hugepages and VM_NORESERVE wasn't set.
    1698                 :            :  */
    1699                 :            : static inline int accountable_mapping(struct file *file, vm_flags_t vm_flags)
    1700                 :            : {
    1701                 :            :         /*
    1702                 :            :          * hugetlb has its own accounting separate from the core VM
    1703                 :            :          * VM_HUGETLB may not be set yet so we cannot check for that flag.
    1704                 :            :          */
    1705                 :            :         if (file && is_file_hugepages(file))
    1706                 :            :                 return 0;
    1707                 :            : 
    1708                 :    9884356 :         return (vm_flags & (VM_NORESERVE | VM_SHARED | VM_WRITE)) == VM_WRITE;
    1709                 :            : }
    1710                 :            : 
    1711                 :    9884800 : unsigned long mmap_region(struct file *file, unsigned long addr,
    1712                 :            :                 unsigned long len, vm_flags_t vm_flags, unsigned long pgoff,
    1713                 :            :                 struct list_head *uf)
    1714                 :            : {
    1715                 :    9884800 :         struct mm_struct *mm = current->mm;
    1716                 :            :         struct vm_area_struct *vma, *prev;
    1717                 :            :         int error;
    1718                 :            :         struct rb_node **rb_link, *rb_parent;
    1719                 :            :         unsigned long charged = 0;
    1720                 :            : 
    1721                 :            :         /* Check against address space limit. */
    1722         [ -  + ]:    9884800 :         if (!may_expand_vm(mm, vm_flags, len >> PAGE_SHIFT)) {
    1723                 :            :                 unsigned long nr_pages;
    1724                 :            : 
    1725                 :            :                 /*
    1726                 :            :                  * MAP_FIXED may remove pages of mappings that intersects with
    1727                 :            :                  * requested mapping. Account for the pages it would unmap.
    1728                 :            :                  */
    1729                 :          0 :                 nr_pages = count_vma_pages_range(mm, addr, addr + len);
    1730                 :            : 
    1731         [ #  # ]:          0 :                 if (!may_expand_vm(mm, vm_flags,
    1732                 :            :                                         (len >> PAGE_SHIFT) - nr_pages))
    1733                 :            :                         return -ENOMEM;
    1734                 :            :         }
    1735                 :            : 
    1736                 :            :         /* Clear old maps */
    1737         [ +  + ]:   26260428 :         while (find_vma_links(mm, addr, addr + len, &prev, &rb_link,
    1738                 :            :                               &rb_parent)) {
    1739         [ +  + ]:    3245816 :                 if (do_munmap(mm, addr, len, uf))
    1740                 :            :                         return -ENOMEM;
    1741                 :            :         }
    1742                 :            : 
    1743                 :            :         /*
    1744                 :            :          * Private writable mapping: check memory availability
    1745                 :            :          */
    1746         [ +  + ]:    9884356 :         if (accountable_mapping(file, vm_flags)) {
    1747                 :            :                 charged = len >> PAGE_SHIFT;
    1748         [ +  + ]:    5482438 :                 if (security_vm_enough_memory_mm(mm, charged))
    1749                 :            :                         return -ENOMEM;
    1750                 :    5482368 :                 vm_flags |= VM_ACCOUNT;
    1751                 :            :         }
    1752                 :            : 
    1753                 :            :         /*
    1754                 :            :          * Can we just expand an old mapping?
    1755                 :            :          */
    1756                 :    9884286 :         vma = vma_merge(mm, prev, addr, addr + len, vm_flags,
    1757                 :            :                         NULL, file, pgoff, NULL, NULL_VM_UFFD_CTX);
    1758         [ +  + ]:    9884706 :         if (vma)
    1759                 :            :                 goto out;
    1760                 :            : 
    1761                 :            :         /*
    1762                 :            :          * Determine the object being mapped and call the appropriate
    1763                 :            :          * specific mapper. the address has already been validated, but
    1764                 :            :          * not unmapped, but the maps are removed from the list.
    1765                 :            :          */
    1766                 :    9601486 :         vma = vm_area_alloc(mm);
    1767         [ +  + ]:    9601582 :         if (!vma) {
    1768                 :            :                 error = -ENOMEM;
    1769                 :            :                 goto unacct_error;
    1770                 :            :         }
    1771                 :            : 
    1772                 :    9601532 :         vma->vm_start = addr;
    1773                 :    9601532 :         vma->vm_end = addr + len;
    1774                 :    9601532 :         vma->vm_flags = vm_flags;
    1775                 :    9601532 :         vma->vm_page_prot = vm_get_page_prot(vm_flags);
    1776                 :    9601532 :         vma->vm_pgoff = pgoff;
    1777                 :            : 
    1778         [ +  + ]:    9601532 :         if (file) {
    1779         [ +  + ]:    8082776 :                 if (vm_flags & VM_DENYWRITE) {
    1780                 :            :                         error = deny_write_access(file);
    1781         [ +  + ]:    1795828 :                         if (error)
    1782                 :            :                                 goto free_vma;
    1783                 :            :                 }
    1784         [ +  + ]:    8082594 :                 if (vm_flags & VM_SHARED) {
    1785                 :       6708 :                         error = mapping_map_writable(file->f_mapping);
    1786         [ +  - ]:       6708 :                         if (error)
    1787                 :            :                                 goto allow_write_and_free_vma;
    1788                 :            :                 }
    1789                 :            : 
    1790                 :            :                 /* ->mmap() can change vma->vm_file, but must guarantee that
    1791                 :            :                  * vma_link() below can deny write-access if VM_DENYWRITE is set
    1792                 :            :                  * and map writably if VM_SHARED is set. This usually means the
    1793                 :            :                  * new file must not have been exposed to user-space, yet.
    1794                 :            :                  */
    1795                 :    8082544 :                 vma->vm_file = get_file(file);
    1796                 :            :                 error = call_mmap(file, vma);
    1797         [ +  - ]:    8082470 :                 if (error)
    1798                 :            :                         goto unmap_and_free_vma;
    1799                 :            : 
    1800                 :            :                 /* Can addr have changed??
    1801                 :            :                  *
    1802                 :            :                  * Answer: Yes, several device drivers can do it in their
    1803                 :            :                  *         f_op->mmap method. -DaveM
    1804                 :            :                  * Bug: If addr is changed, prev, rb_link, rb_parent should
    1805                 :            :                  *      be updated for vma_link()
    1806                 :            :                  */
    1807   [ -  +  #  # ]:    8082470 :                 WARN_ON_ONCE(addr != vma->vm_start);
    1808                 :            : 
    1809                 :    8082608 :                 addr = vma->vm_start;
    1810                 :    8082608 :                 vm_flags = vma->vm_flags;
    1811         [ -  + ]:    1518756 :         } else if (vm_flags & VM_SHARED) {
    1812                 :          0 :                 error = shmem_zero_setup(vma);
    1813         [ #  # ]:          0 :                 if (error)
    1814                 :            :                         goto free_vma;
    1815                 :            :         } else {
    1816                 :            :                 vma_set_anonymous(vma);
    1817                 :            :         }
    1818                 :            : 
    1819                 :    9601364 :         vma_link(mm, vma, prev, rb_link, rb_parent);
    1820                 :            :         /* Once vma denies write, undo our temporary denial count */
    1821         [ +  + ]:    9601402 :         if (file) {
    1822         [ +  + ]:    8082766 :                 if (vm_flags & VM_SHARED)
    1823                 :       6708 :                         mapping_unmap_writable(file->f_mapping);
    1824         [ +  + ]:    8082904 :                 if (vm_flags & VM_DENYWRITE)
    1825                 :    1795854 :                         allow_write_access(file);
    1826                 :            :         }
    1827                 :            :         file = vma->vm_file;
    1828                 :            : out:
    1829                 :    9884758 :         perf_event_mmap(vma);
    1830                 :            : 
    1831                 :    9884944 :         vm_stat_account(mm, vm_flags, len >> PAGE_SHIFT);
    1832         [ -  + ]:    9884732 :         if (vm_flags & VM_LOCKED) {
    1833         [ #  # ]:          0 :                 if ((vm_flags & VM_SPECIAL) || vma_is_dax(vma) ||
    1834         [ #  # ]:          0 :                                         is_vm_hugetlb_page(vma) ||
    1835                 :          0 :                                         vma == get_gate_vma(current->mm))
    1836                 :          0 :                         vma->vm_flags &= VM_LOCKED_CLEAR_MASK;
    1837                 :            :                 else
    1838                 :          0 :                         mm->locked_vm += (len >> PAGE_SHIFT);
    1839                 :            :         }
    1840                 :            : 
    1841                 :            :         if (file)
    1842                 :            :                 uprobe_mmap(vma);
    1843                 :            : 
    1844                 :            :         /*
    1845                 :            :          * New (or expanded) vma always get soft dirty status.
    1846                 :            :          * Otherwise user-space soft-dirty page tracker won't
    1847                 :            :          * be able to distinguish situation when vma area unmapped,
    1848                 :            :          * then new mapped in-place (which must be aimed as
    1849                 :            :          * a completely new data area).
    1850                 :            :          */
    1851                 :            :         vma->vm_flags |= VM_SOFTDIRTY;
    1852                 :            : 
    1853                 :    9884732 :         vma_set_page_prot(vma);
    1854                 :            : 
    1855                 :    9884944 :         return addr;
    1856                 :            : 
    1857                 :            : unmap_and_free_vma:
    1858                 :          0 :         vma->vm_file = NULL;
    1859                 :          0 :         fput(file);
    1860                 :            : 
    1861                 :            :         /* Undo any partial mapping done by a device driver. */
    1862                 :          0 :         unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
    1863                 :            :         charged = 0;
    1864         [ #  # ]:          0 :         if (vm_flags & VM_SHARED)
    1865                 :          0 :                 mapping_unmap_writable(file->f_mapping);
    1866                 :            : allow_write_and_free_vma:
    1867         [ #  # ]:          0 :         if (vm_flags & VM_DENYWRITE)
    1868                 :          0 :                 allow_write_access(file);
    1869                 :            : free_vma:
    1870                 :        214 :         vm_area_free(vma);
    1871                 :            : unacct_error:
    1872         [ #  # ]:          0 :         if (charged)
    1873                 :          0 :                 vm_unacct_memory(charged);
    1874                 :          0 :         return error;
    1875                 :            : }
    1876                 :            : 
    1877                 :          0 : unsigned long unmapped_area(struct vm_unmapped_area_info *info)
    1878                 :            : {
    1879                 :            :         /*
    1880                 :            :          * We implement the search by looking for an rbtree node that
    1881                 :            :          * immediately follows a suitable gap. That is,
    1882                 :            :          * - gap_start = vma->vm_prev->vm_end <= info->high_limit - length;
    1883                 :            :          * - gap_end   = vma->vm_start        >= info->low_limit  + length;
    1884                 :            :          * - gap_end - gap_start >= length
    1885                 :            :          */
    1886                 :            : 
    1887                 :          0 :         struct mm_struct *mm = current->mm;
    1888                 :            :         struct vm_area_struct *vma;
    1889                 :            :         unsigned long length, low_limit, high_limit, gap_start, gap_end;
    1890                 :            : 
    1891                 :            :         /* Adjust search length to account for worst case alignment overhead */
    1892                 :          0 :         length = info->length + info->align_mask;
    1893         [ #  # ]:          0 :         if (length < info->length)
    1894                 :            :                 return -ENOMEM;
    1895                 :            : 
    1896                 :            :         /* Adjust search limits by the desired length */
    1897         [ #  # ]:          0 :         if (info->high_limit < length)
    1898                 :            :                 return -ENOMEM;
    1899                 :          0 :         high_limit = info->high_limit - length;
    1900                 :            : 
    1901         [ #  # ]:          0 :         if (info->low_limit > high_limit)
    1902                 :            :                 return -ENOMEM;
    1903                 :          0 :         low_limit = info->low_limit + length;
    1904                 :            : 
    1905                 :            :         /* Check if rbtree root looks promising */
    1906         [ #  # ]:          0 :         if (RB_EMPTY_ROOT(&mm->mm_rb))
    1907                 :            :                 goto check_highest;
    1908                 :          0 :         vma = rb_entry(mm->mm_rb.rb_node, struct vm_area_struct, vm_rb);
    1909         [ #  # ]:          0 :         if (vma->rb_subtree_gap < length)
    1910                 :            :                 goto check_highest;
    1911                 :            : 
    1912                 :            :         while (true) {
    1913                 :            :                 /* Visit left subtree if it looks promising */
    1914                 :            :                 gap_end = vm_start_gap(vma);
    1915   [ #  #  #  # ]:          0 :                 if (gap_end >= low_limit && vma->vm_rb.rb_left) {
    1916                 :            :                         struct vm_area_struct *left =
    1917                 :          0 :                                 rb_entry(vma->vm_rb.rb_left,
    1918                 :            :                                          struct vm_area_struct, vm_rb);
    1919         [ #  # ]:          0 :                         if (left->rb_subtree_gap >= length) {
    1920                 :            :                                 vma = left;
    1921                 :          0 :                                 continue;
    1922                 :            :                         }
    1923                 :            :                 }
    1924                 :            : 
    1925         [ #  # ]:          0 :                 gap_start = vma->vm_prev ? vm_end_gap(vma->vm_prev) : 0;
    1926                 :            : check_current:
    1927                 :            :                 /* Check if current node has a suitable gap */
    1928         [ #  # ]:          0 :                 if (gap_start > high_limit)
    1929                 :            :                         return -ENOMEM;
    1930         [ #  # ]:          0 :                 if (gap_end >= low_limit &&
    1931         [ #  # ]:          0 :                     gap_end > gap_start && gap_end - gap_start >= length)
    1932                 :            :                         goto found;
    1933                 :            : 
    1934                 :            :                 /* Visit right subtree if it looks promising */
    1935         [ #  # ]:          0 :                 if (vma->vm_rb.rb_right) {
    1936                 :            :                         struct vm_area_struct *right =
    1937                 :          0 :                                 rb_entry(vma->vm_rb.rb_right,
    1938                 :            :                                          struct vm_area_struct, vm_rb);
    1939         [ #  # ]:          0 :                         if (right->rb_subtree_gap >= length) {
    1940                 :          0 :                                 vma = right;
    1941                 :          0 :                                 continue;
    1942                 :            :                         }
    1943                 :            :                 }
    1944                 :            : 
    1945                 :            :                 /* Go back up the rbtree to find next candidate node */
    1946                 :            :                 while (true) {
    1947                 :          0 :                         struct rb_node *prev = &vma->vm_rb;
    1948         [ #  # ]:          0 :                         if (!rb_parent(prev))
    1949                 :            :                                 goto check_highest;
    1950                 :          0 :                         vma = rb_entry(rb_parent(prev),
    1951                 :            :                                        struct vm_area_struct, vm_rb);
    1952         [ #  # ]:          0 :                         if (prev == vma->vm_rb.rb_left) {
    1953                 :          0 :                                 gap_start = vm_end_gap(vma->vm_prev);
    1954                 :            :                                 gap_end = vm_start_gap(vma);
    1955                 :            :                                 goto check_current;
    1956                 :            :                         }
    1957                 :            :                 }
    1958                 :            :         }
    1959                 :            : 
    1960                 :            : check_highest:
    1961                 :            :         /* Check highest gap, which does not precede any rbtree node */
    1962                 :          0 :         gap_start = mm->highest_vm_end;
    1963                 :            :         gap_end = ULONG_MAX;  /* Only for VM_BUG_ON below */
    1964         [ #  # ]:          0 :         if (gap_start > high_limit)
    1965                 :            :                 return -ENOMEM;
    1966                 :            : 
    1967                 :            : found:
    1968                 :            :         /* We found a suitable gap. Clip it with the original low_limit. */
    1969         [ #  # ]:          0 :         if (gap_start < info->low_limit)
    1970                 :            :                 gap_start = info->low_limit;
    1971                 :            : 
    1972                 :            :         /* Adjust gap address to the desired alignment */
    1973                 :          0 :         gap_start += (info->align_offset - gap_start) & info->align_mask;
    1974                 :            : 
    1975                 :            :         VM_BUG_ON(gap_start + info->length > info->high_limit);
    1976                 :            :         VM_BUG_ON(gap_start + info->length > gap_end);
    1977                 :          0 :         return gap_start;
    1978                 :            : }
    1979                 :            : 
    1980                 :    5292746 : unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info)
    1981                 :            : {
    1982                 :    5292746 :         struct mm_struct *mm = current->mm;
    1983                 :            :         struct vm_area_struct *vma;
    1984                 :            :         unsigned long length, low_limit, high_limit, gap_start, gap_end;
    1985                 :            : 
    1986                 :            :         /* Adjust search length to account for worst case alignment overhead */
    1987                 :    5292746 :         length = info->length + info->align_mask;
    1988         [ +  + ]:    5292746 :         if (length < info->length)
    1989                 :            :                 return -ENOMEM;
    1990                 :            : 
    1991                 :            :         /*
    1992                 :            :          * Adjust search limits by the desired length.
    1993                 :            :          * See implementation comment at top of unmapped_area().
    1994                 :            :          */
    1995                 :    5292690 :         gap_end = info->high_limit;
    1996         [ +  + ]:    5292690 :         if (gap_end < length)
    1997                 :            :                 return -ENOMEM;
    1998                 :    5292628 :         high_limit = gap_end - length;
    1999                 :            : 
    2000         [ +  + ]:    5292628 :         if (info->low_limit > high_limit)
    2001                 :            :                 return -ENOMEM;
    2002                 :    5292638 :         low_limit = info->low_limit + length;
    2003                 :            : 
    2004                 :            :         /* Check highest gap, which does not precede any rbtree node */
    2005                 :    5292638 :         gap_start = mm->highest_vm_end;
    2006         [ +  + ]:    5292638 :         if (gap_start <= high_limit)
    2007                 :            :                 goto found_highest;
    2008                 :            : 
    2009                 :            :         /* Check if rbtree root looks promising */
    2010         [ +  + ]:    5292702 :         if (RB_EMPTY_ROOT(&mm->mm_rb))
    2011                 :            :                 return -ENOMEM;
    2012                 :    5292352 :         vma = rb_entry(mm->mm_rb.rb_node, struct vm_area_struct, vm_rb);
    2013         [ +  + ]:    5292352 :         if (vma->rb_subtree_gap < length)
    2014                 :            :                 return -ENOMEM;
    2015                 :            : 
    2016                 :            :         while (true) {
    2017                 :            :                 /* Visit right subtree if it looks promising */
    2018         [ +  + ]:   30201702 :                 gap_start = vma->vm_prev ? vm_end_gap(vma->vm_prev) : 0;
    2019   [ +  +  +  + ]:   30201702 :                 if (gap_start <= high_limit && vma->vm_rb.rb_right) {
    2020                 :            :                         struct vm_area_struct *right =
    2021                 :   17589362 :                                 rb_entry(vma->vm_rb.rb_right,
    2022                 :            :                                          struct vm_area_struct, vm_rb);
    2023         [ +  + ]:   17589362 :                         if (right->rb_subtree_gap >= length) {
    2024                 :            :                                 vma = right;
    2025                 :   10331630 :                                 continue;
    2026                 :            :                         }
    2027                 :            :                 }
    2028                 :            : 
    2029                 :            : check_current:
    2030                 :            :                 /* Check if current node has a suitable gap */
    2031                 :            :                 gap_end = vm_start_gap(vma);
    2032         [ +  + ]:   23357568 :                 if (gap_end < low_limit)
    2033                 :            :                         return -ENOMEM;
    2034         [ +  + ]:   46715228 :                 if (gap_start <= high_limit &&
    2035         [ +  + ]:   28740842 :                     gap_end > gap_start && gap_end - gap_start >= length)
    2036                 :            :                         goto found;
    2037                 :            : 
    2038                 :            :                 /* Visit left subtree if it looks promising */
    2039         [ +  + ]:   18064796 :                 if (vma->vm_rb.rb_left) {
    2040                 :            :                         struct vm_area_struct *left =
    2041                 :   17294576 :                                 rb_entry(vma->vm_rb.rb_left,
    2042                 :            :                                          struct vm_area_struct, vm_rb);
    2043         [ +  + ]:   17294576 :                         if (left->rb_subtree_gap >= length) {
    2044                 :   14577246 :                                 vma = left;
    2045                 :   14577246 :                                 continue;
    2046                 :            :                         }
    2047                 :            :                 }
    2048                 :            : 
    2049                 :            :                 /* Go back up the rbtree to find next candidate node */
    2050                 :            :                 while (true) {
    2051                 :    4262490 :                         struct rb_node *prev = &vma->vm_rb;
    2052         [ +  + ]:    4262490 :                         if (!rb_parent(prev))
    2053                 :            :                                 return -ENOMEM;
    2054                 :    4262436 :                         vma = rb_entry(rb_parent(prev),
    2055                 :            :                                        struct vm_area_struct, vm_rb);
    2056         [ +  + ]:    4262436 :                         if (prev == vma->vm_rb.rb_right) {
    2057                 :    3487496 :                                 gap_start = vma->vm_prev ?
    2058         [ +  + ]:    3487496 :                                         vm_end_gap(vma->vm_prev) : 0;
    2059                 :            :                                 goto check_current;
    2060                 :            :                         }
    2061                 :            :                 }
    2062                 :            :         }
    2063                 :            : 
    2064                 :            : found:
    2065                 :            :         /* We found a suitable gap. Clip it with the original high_limit. */
    2066         [ +  + ]:    5292818 :         if (gap_end > info->high_limit)
    2067                 :            :                 gap_end = info->high_limit;
    2068                 :            : 
    2069                 :            : found_highest:
    2070                 :            :         /* Compute highest gap address at the desired alignment */
    2071                 :    5292754 :         gap_end -= info->length;
    2072                 :    5292754 :         gap_end -= (gap_end - info->align_offset) & info->align_mask;
    2073                 :            : 
    2074                 :            :         VM_BUG_ON(gap_end < info->low_limit);
    2075                 :            :         VM_BUG_ON(gap_end < gap_start);
    2076                 :    5292754 :         return gap_end;
    2077                 :            : }
    2078                 :            : 
    2079                 :            : 
    2080                 :            : #ifndef arch_get_mmap_end
    2081                 :            : #define arch_get_mmap_end(addr) (TASK_SIZE)
    2082                 :            : #endif
    2083                 :            : 
    2084                 :            : #ifndef arch_get_mmap_base
    2085                 :            : #define arch_get_mmap_base(addr, base) (base)
    2086                 :            : #endif
    2087                 :            : 
    2088                 :            : /* Get an address range which is currently unmapped.
    2089                 :            :  * For shmat() with addr=0.
    2090                 :            :  *
    2091                 :            :  * Ugly calling convention alert:
    2092                 :            :  * Return value with the low bits set means error value,
    2093                 :            :  * ie
    2094                 :            :  *      if (ret & ~PAGE_MASK)
    2095                 :            :  *              error = ret;
    2096                 :            :  *
    2097                 :            :  * This function "knows" that -ENOMEM has the bits set.
    2098                 :            :  */
    2099                 :            : #ifndef HAVE_ARCH_UNMAPPED_AREA
    2100                 :            : unsigned long
    2101                 :            : arch_get_unmapped_area(struct file *filp, unsigned long addr,
    2102                 :            :                 unsigned long len, unsigned long pgoff, unsigned long flags)
    2103                 :            : {
    2104                 :            :         struct mm_struct *mm = current->mm;
    2105                 :            :         struct vm_area_struct *vma, *prev;
    2106                 :            :         struct vm_unmapped_area_info info;
    2107                 :            :         const unsigned long mmap_end = arch_get_mmap_end(addr);
    2108                 :            : 
    2109                 :            :         if (len > mmap_end - mmap_min_addr)
    2110                 :            :                 return -ENOMEM;
    2111                 :            : 
    2112                 :            :         if (flags & MAP_FIXED)
    2113                 :            :                 return addr;
    2114                 :            : 
    2115                 :            :         if (addr) {
    2116                 :            :                 addr = PAGE_ALIGN(addr);
    2117                 :            :                 vma = find_vma_prev(mm, addr, &prev);
    2118                 :            :                 if (mmap_end - len >= addr && addr >= mmap_min_addr &&
    2119                 :            :                     (!vma || addr + len <= vm_start_gap(vma)) &&
    2120                 :            :                     (!prev || addr >= vm_end_gap(prev)))
    2121                 :            :                         return addr;
    2122                 :            :         }
    2123                 :            : 
    2124                 :            :         info.flags = 0;
    2125                 :            :         info.length = len;
    2126                 :            :         info.low_limit = mm->mmap_base;
    2127                 :            :         info.high_limit = mmap_end;
    2128                 :            :         info.align_mask = 0;
    2129                 :            :         return vm_unmapped_area(&info);
    2130                 :            : }
    2131                 :            : #endif
    2132                 :            : 
    2133                 :            : /*
    2134                 :            :  * This mmap-allocator allocates new areas top-down from below the
    2135                 :            :  * stack's low limit (the base):
    2136                 :            :  */
    2137                 :            : #ifndef HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
    2138                 :            : unsigned long
    2139                 :            : arch_get_unmapped_area_topdown(struct file *filp, unsigned long addr,
    2140                 :            :                           unsigned long len, unsigned long pgoff,
    2141                 :            :                           unsigned long flags)
    2142                 :            : {
    2143                 :            :         struct vm_area_struct *vma, *prev;
    2144                 :            :         struct mm_struct *mm = current->mm;
    2145                 :            :         struct vm_unmapped_area_info info;
    2146                 :            :         const unsigned long mmap_end = arch_get_mmap_end(addr);
    2147                 :            : 
    2148                 :            :         /* requested length too big for entire address space */
    2149                 :            :         if (len > mmap_end - mmap_min_addr)
    2150                 :            :                 return -ENOMEM;
    2151                 :            : 
    2152                 :            :         if (flags & MAP_FIXED)
    2153                 :            :                 return addr;
    2154                 :            : 
    2155                 :            :         /* requesting a specific address */
    2156                 :            :         if (addr) {
    2157                 :            :                 addr = PAGE_ALIGN(addr);
    2158                 :            :                 vma = find_vma_prev(mm, addr, &prev);
    2159                 :            :                 if (mmap_end - len >= addr && addr >= mmap_min_addr &&
    2160                 :            :                                 (!vma || addr + len <= vm_start_gap(vma)) &&
    2161                 :            :                                 (!prev || addr >= vm_end_gap(prev)))
    2162                 :            :                         return addr;
    2163                 :            :         }
    2164                 :            : 
    2165                 :            :         info.flags = VM_UNMAPPED_AREA_TOPDOWN;
    2166                 :            :         info.length = len;
    2167                 :            :         info.low_limit = max(PAGE_SIZE, mmap_min_addr);
    2168                 :            :         info.high_limit = arch_get_mmap_base(addr, mm->mmap_base);
    2169                 :            :         info.align_mask = 0;
    2170                 :            :         addr = vm_unmapped_area(&info);
    2171                 :            : 
    2172                 :            :         /*
    2173                 :            :          * A failed mmap() very likely causes application failure,
    2174                 :            :          * so fall back to the bottom-up function here. This scenario
    2175                 :            :          * can happen with large stack limits and large mmap()
    2176                 :            :          * allocations.
    2177                 :            :          */
    2178                 :            :         if (offset_in_page(addr)) {
    2179                 :            :                 VM_BUG_ON(addr != -ENOMEM);
    2180                 :            :                 info.flags = 0;
    2181                 :            :                 info.low_limit = TASK_UNMAPPED_BASE;
    2182                 :            :                 info.high_limit = mmap_end;
    2183                 :            :                 addr = vm_unmapped_area(&info);
    2184                 :            :         }
    2185                 :            : 
    2186                 :            :         return addr;
    2187                 :            : }
    2188                 :            : #endif
    2189                 :            : 
    2190                 :            : unsigned long
    2191                 :   11025178 : get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
    2192                 :            :                 unsigned long pgoff, unsigned long flags)
    2193                 :            : {
    2194                 :            :         unsigned long (*get_area)(struct file *, unsigned long,
    2195                 :            :                                   unsigned long, unsigned long, unsigned long);
    2196                 :            : 
    2197   [ +  +  +  + ]:   11025178 :         unsigned long error = arch_mmap_check(addr, len, flags);
    2198         [ +  + ]:   11025178 :         if (error)
    2199                 :            :                 return error;
    2200                 :            : 
    2201                 :            :         /* Careful about overflows.. */
    2202         [ +  + ]:   11025038 :         if (len > TASK_SIZE)
    2203                 :            :                 return -ENOMEM;
    2204                 :            : 
    2205                 :   11024946 :         get_area = current->mm->get_unmapped_area;
    2206         [ +  + ]:   11024946 :         if (file) {
    2207         [ +  + ]:    8082484 :                 if (file->f_op->get_unmapped_area)
    2208                 :            :                         get_area = file->f_op->get_unmapped_area;
    2209         [ -  + ]:    2942462 :         } else if (flags & MAP_SHARED) {
    2210                 :            :                 /*
    2211                 :            :                  * mmap_region() will call shmem_zero_setup() to create a file,
    2212                 :            :                  * so use shmem's get_unmapped_area in case it can be huge.
    2213                 :            :                  * do_mmap_pgoff() will clear pgoff, so match alignment.
    2214                 :            :                  */
    2215                 :            :                 pgoff = 0;
    2216                 :            :                 get_area = shmem_get_unmapped_area;
    2217                 :            :         }
    2218                 :            : 
    2219                 :   11024946 :         addr = get_area(file, addr, len, pgoff, flags);
    2220         [ +  + ]:   11025282 :         if (IS_ERR_VALUE(addr))
    2221                 :            :                 return addr;
    2222                 :            : 
    2223         [ +  + ]:   11025238 :         if (addr > TASK_SIZE - len)
    2224                 :            :                 return -ENOMEM;
    2225         [ +  + ]:   11025038 :         if (offset_in_page(addr))
    2226                 :            :                 return -EINVAL;
    2227                 :            : 
    2228                 :   11025276 :         error = security_mmap_addr(addr);
    2229         [ +  + ]:   11025184 :         return error ? error : addr;
    2230                 :            : }
    2231                 :            : 
    2232                 :            : EXPORT_SYMBOL(get_unmapped_area);
    2233                 :            : 
    2234                 :            : /* Look up the first VMA which satisfies  addr < vm_end,  NULL if none. */
    2235                 :   93445772 : struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
    2236                 :            : {
    2237                 :            :         struct rb_node *rb_node;
    2238                 :            :         struct vm_area_struct *vma;
    2239                 :            : 
    2240                 :            :         /* Check the cache first. */
    2241                 :   93445772 :         vma = vmacache_find(mm, addr);
    2242         [ +  + ]:   93445986 :         if (likely(vma))
    2243                 :            :                 return vma;
    2244                 :            : 
    2245                 :   52724814 :         rb_node = mm->mm_rb.rb_node;
    2246                 :            : 
    2247         [ +  + ]:  325943758 :         while (rb_node) {
    2248                 :            :                 struct vm_area_struct *tmp;
    2249                 :            : 
    2250                 :  270598692 :                 tmp = rb_entry(rb_node, struct vm_area_struct, vm_rb);
    2251                 :            : 
    2252         [ +  + ]:  270598692 :                 if (tmp->vm_end > addr) {
    2253                 :            :                         vma = tmp;
    2254         [ +  + ]:  182922788 :                         if (tmp->vm_start <= addr)
    2255                 :            :                                 break;
    2256                 :  132818226 :                         rb_node = rb_node->rb_left;
    2257                 :            :                 } else
    2258                 :   87675904 :                         rb_node = rb_node->rb_right;
    2259                 :            :         }
    2260                 :            : 
    2261         [ +  + ]:   52724814 :         if (vma)
    2262                 :   52276356 :                 vmacache_update(addr, vma);
    2263                 :   52725130 :         return vma;
    2264                 :            : }
    2265                 :            : 
    2266                 :            : EXPORT_SYMBOL(find_vma);
    2267                 :            : 
    2268                 :            : /*
    2269                 :            :  * Same as find_vma, but also return a pointer to the previous VMA in *pprev.
    2270                 :            :  */
    2271                 :            : struct vm_area_struct *
    2272                 :       9460 : find_vma_prev(struct mm_struct *mm, unsigned long addr,
    2273                 :            :                         struct vm_area_struct **pprev)
    2274                 :            : {
    2275                 :            :         struct vm_area_struct *vma;
    2276                 :            : 
    2277                 :       9460 :         vma = find_vma(mm, addr);
    2278         [ +  - ]:       9460 :         if (vma) {
    2279                 :       9460 :                 *pprev = vma->vm_prev;
    2280                 :            :         } else {
    2281                 :          0 :                 struct rb_node *rb_node = rb_last(&mm->mm_rb);
    2282                 :            : 
    2283         [ #  # ]:          0 :                 *pprev = rb_node ? rb_entry(rb_node, struct vm_area_struct, vm_rb) : NULL;
    2284                 :            :         }
    2285                 :       9460 :         return vma;
    2286                 :            : }
    2287                 :            : 
    2288                 :            : /*
    2289                 :            :  * Verify that the stack growth is acceptable and
    2290                 :            :  * update accounting. This is shared with both the
    2291                 :            :  * grow-up and grow-down cases.
    2292                 :            :  */
    2293                 :     449194 : static int acct_stack_growth(struct vm_area_struct *vma,
    2294                 :            :                              unsigned long size, unsigned long grow)
    2295                 :            : {
    2296                 :     449194 :         struct mm_struct *mm = vma->vm_mm;
    2297                 :            :         unsigned long new_start;
    2298                 :            : 
    2299                 :            :         /* address space limit tests */
    2300         [ +  + ]:     449194 :         if (!may_expand_vm(mm, vma->vm_flags, grow))
    2301                 :            :                 return -ENOMEM;
    2302                 :            : 
    2303                 :            :         /* Stack limit test */
    2304         [ +  + ]:     449198 :         if (size > rlimit(RLIMIT_STACK))
    2305                 :            :                 return -ENOMEM;
    2306                 :            : 
    2307                 :            :         /* mlock limit tests */
    2308         [ -  + ]:     449200 :         if (vma->vm_flags & VM_LOCKED) {
    2309                 :            :                 unsigned long locked;
    2310                 :            :                 unsigned long limit;
    2311                 :          0 :                 locked = mm->locked_vm + grow;
    2312                 :            :                 limit = rlimit(RLIMIT_MEMLOCK);
    2313                 :          0 :                 limit >>= PAGE_SHIFT;
    2314   [ #  #  #  # ]:          0 :                 if (locked > limit && !capable(CAP_IPC_LOCK))
    2315                 :            :                         return -ENOMEM;
    2316                 :            :         }
    2317                 :            : 
    2318                 :            :         /* Check to ensure the stack will not grow into a hugetlb-only region */
    2319                 :            :         new_start = (vma->vm_flags & VM_GROWSUP) ? vma->vm_start :
    2320                 :            :                         vma->vm_end - size;
    2321                 :            :         if (is_hugepage_only_range(vma->vm_mm, new_start, size))
    2322                 :            :                 return -EFAULT;
    2323                 :            : 
    2324                 :            :         /*
    2325                 :            :          * Overcommit..  This must be the final test, as it will
    2326                 :            :          * update security statistics.
    2327                 :            :          */
    2328         [ +  + ]:     449200 :         if (security_vm_enough_memory_mm(mm, grow))
    2329                 :            :                 return -ENOMEM;
    2330                 :            : 
    2331                 :     449190 :         return 0;
    2332                 :            : }
    2333                 :            : 
    2334                 :            : #if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
    2335                 :            : /*
    2336                 :            :  * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
    2337                 :            :  * vma is the last one with address > vma->vm_end.  Have to extend vma.
    2338                 :            :  */
    2339                 :            : int expand_upwards(struct vm_area_struct *vma, unsigned long address)
    2340                 :            : {
    2341                 :            :         struct mm_struct *mm = vma->vm_mm;
    2342                 :            :         struct vm_area_struct *next;
    2343                 :            :         unsigned long gap_addr;
    2344                 :            :         int error = 0;
    2345                 :            : 
    2346                 :            :         if (!(vma->vm_flags & VM_GROWSUP))
    2347                 :            :                 return -EFAULT;
    2348                 :            : 
    2349                 :            :         /* Guard against exceeding limits of the address space. */
    2350                 :            :         address &= PAGE_MASK;
    2351                 :            :         if (address >= (TASK_SIZE & PAGE_MASK))
    2352                 :            :                 return -ENOMEM;
    2353                 :            :         address += PAGE_SIZE;
    2354                 :            : 
    2355                 :            :         /* Enforce stack_guard_gap */
    2356                 :            :         gap_addr = address + stack_guard_gap;
    2357                 :            : 
    2358                 :            :         /* Guard against overflow */
    2359                 :            :         if (gap_addr < address || gap_addr > TASK_SIZE)
    2360                 :            :                 gap_addr = TASK_SIZE;
    2361                 :            : 
    2362                 :            :         next = vma->vm_next;
    2363                 :            :         if (next && next->vm_start < gap_addr &&
    2364                 :            :                         (next->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
    2365                 :            :                 if (!(next->vm_flags & VM_GROWSUP))
    2366                 :            :                         return -ENOMEM;
    2367                 :            :                 /* Check that both stack segments have the same anon_vma? */
    2368                 :            :         }
    2369                 :            : 
    2370                 :            :         /* We must make sure the anon_vma is allocated. */
    2371                 :            :         if (unlikely(anon_vma_prepare(vma)))
    2372                 :            :                 return -ENOMEM;
    2373                 :            : 
    2374                 :            :         /*
    2375                 :            :          * vma->vm_start/vm_end cannot change under us because the caller
    2376                 :            :          * is required to hold the mmap_sem in read mode.  We need the
    2377                 :            :          * anon_vma lock to serialize against concurrent expand_stacks.
    2378                 :            :          */
    2379                 :            :         anon_vma_lock_write(vma->anon_vma);
    2380                 :            : 
    2381                 :            :         /* Somebody else might have raced and expanded it already */
    2382                 :            :         if (address > vma->vm_end) {
    2383                 :            :                 unsigned long size, grow;
    2384                 :            : 
    2385                 :            :                 size = address - vma->vm_start;
    2386                 :            :                 grow = (address - vma->vm_end) >> PAGE_SHIFT;
    2387                 :            : 
    2388                 :            :                 error = -ENOMEM;
    2389                 :            :                 if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) {
    2390                 :            :                         error = acct_stack_growth(vma, size, grow);
    2391                 :            :                         if (!error) {
    2392                 :            :                                 /*
    2393                 :            :                                  * vma_gap_update() doesn't support concurrent
    2394                 :            :                                  * updates, but we only hold a shared mmap_sem
    2395                 :            :                                  * lock here, so we need to protect against
    2396                 :            :                                  * concurrent vma expansions.
    2397                 :            :                                  * anon_vma_lock_write() doesn't help here, as
    2398                 :            :                                  * we don't guarantee that all growable vmas
    2399                 :            :                                  * in a mm share the same root anon vma.
    2400                 :            :                                  * So, we reuse mm->page_table_lock to guard
    2401                 :            :                                  * against concurrent vma expansions.
    2402                 :            :                                  */
    2403                 :            :                                 spin_lock(&mm->page_table_lock);
    2404                 :            :                                 if (vma->vm_flags & VM_LOCKED)
    2405                 :            :                                         mm->locked_vm += grow;
    2406                 :            :                                 vm_stat_account(mm, vma->vm_flags, grow);
    2407                 :            :                                 anon_vma_interval_tree_pre_update_vma(vma);
    2408                 :            :                                 vma->vm_end = address;
    2409                 :            :                                 anon_vma_interval_tree_post_update_vma(vma);
    2410                 :            :                                 if (vma->vm_next)
    2411                 :            :                                         vma_gap_update(vma->vm_next);
    2412                 :            :                                 else
    2413                 :            :                                         mm->highest_vm_end = vm_end_gap(vma);
    2414                 :            :                                 spin_unlock(&mm->page_table_lock);
    2415                 :            : 
    2416                 :            :                                 perf_event_mmap(vma);
    2417                 :            :                         }
    2418                 :            :                 }
    2419                 :            :         }
    2420                 :            :         anon_vma_unlock_write(vma->anon_vma);
    2421                 :            :         khugepaged_enter_vma_merge(vma, vma->vm_flags);
    2422                 :            :         validate_mm(mm);
    2423                 :            :         return error;
    2424                 :            : }
    2425                 :            : #endif /* CONFIG_STACK_GROWSUP || CONFIG_IA64 */
    2426                 :            : 
    2427                 :            : /*
    2428                 :            :  * vma is the first one with address < vma->vm_start.  Have to extend vma.
    2429                 :            :  */
    2430                 :     449204 : int expand_downwards(struct vm_area_struct *vma,
    2431                 :            :                                    unsigned long address)
    2432                 :            : {
    2433                 :     449204 :         struct mm_struct *mm = vma->vm_mm;
    2434                 :            :         struct vm_area_struct *prev;
    2435                 :            :         int error = 0;
    2436                 :            : 
    2437                 :     449204 :         address &= PAGE_MASK;
    2438         [ +  + ]:     449204 :         if (address < mmap_min_addr)
    2439                 :            :                 return -EPERM;
    2440                 :            : 
    2441                 :            :         /* Enforce stack_guard_gap */
    2442                 :     449202 :         prev = vma->vm_prev;
    2443                 :            :         /* Check that both stack segments have the same anon_vma? */
    2444   [ -  +  #  #  :     449202 :         if (prev && !(prev->vm_flags & VM_GROWSDOWN) &&
                   #  # ]
    2445                 :          0 :                         (prev->vm_flags & (VM_WRITE|VM_READ|VM_EXEC))) {
    2446         [ #  # ]:          0 :                 if (address - prev->vm_end < stack_guard_gap)
    2447                 :            :                         return -ENOMEM;
    2448                 :            :         }
    2449                 :            : 
    2450                 :            :         /* We must make sure the anon_vma is allocated. */
    2451         [ +  - ]:     449198 :         if (unlikely(anon_vma_prepare(vma)))
    2452                 :            :                 return -ENOMEM;
    2453                 :            : 
    2454                 :            :         /*
    2455                 :            :          * vma->vm_start/vm_end cannot change under us because the caller
    2456                 :            :          * is required to hold the mmap_sem in read mode.  We need the
    2457                 :            :          * anon_vma lock to serialize against concurrent expand_stacks.
    2458                 :            :          */
    2459                 :     449198 :         anon_vma_lock_write(vma->anon_vma);
    2460                 :            : 
    2461                 :            :         /* Somebody else might have raced and expanded it already */
    2462         [ +  + ]:     449202 :         if (address < vma->vm_start) {
    2463                 :            :                 unsigned long size, grow;
    2464                 :            : 
    2465                 :     449196 :                 size = vma->vm_end - address;
    2466                 :     449196 :                 grow = (vma->vm_start - address) >> PAGE_SHIFT;
    2467                 :            : 
    2468                 :            :                 error = -ENOMEM;
    2469         [ +  + ]:     449196 :                 if (grow <= vma->vm_pgoff) {
    2470                 :     449194 :                         error = acct_stack_growth(vma, size, grow);
    2471         [ +  + ]:     449190 :                         if (!error) {
    2472                 :            :                                 /*
    2473                 :            :                                  * vma_gap_update() doesn't support concurrent
    2474                 :            :                                  * updates, but we only hold a shared mmap_sem
    2475                 :            :                                  * lock here, so we need to protect against
    2476                 :            :                                  * concurrent vma expansions.
    2477                 :            :                                  * anon_vma_lock_write() doesn't help here, as
    2478                 :            :                                  * we don't guarantee that all growable vmas
    2479                 :            :                                  * in a mm share the same root anon vma.
    2480                 :            :                                  * So, we reuse mm->page_table_lock to guard
    2481                 :            :                                  * against concurrent vma expansions.
    2482                 :            :                                  */
    2483                 :            :                                 spin_lock(&mm->page_table_lock);
    2484         [ -  + ]:     449200 :                                 if (vma->vm_flags & VM_LOCKED)
    2485                 :          0 :                                         mm->locked_vm += grow;
    2486                 :     449200 :                                 vm_stat_account(mm, vma->vm_flags, grow);
    2487                 :     449198 :                                 anon_vma_interval_tree_pre_update_vma(vma);
    2488                 :     449188 :                                 vma->vm_start = address;
    2489                 :     449188 :                                 vma->vm_pgoff -= grow;
    2490                 :     449188 :                                 anon_vma_interval_tree_post_update_vma(vma);
    2491                 :            :                                 vma_gap_update(vma);
    2492                 :            :                                 spin_unlock(&mm->page_table_lock);
    2493                 :            : 
    2494                 :     449196 :                                 perf_event_mmap(vma);
    2495                 :            :                         }
    2496                 :            :                 }
    2497                 :            :         }
    2498                 :     449206 :         anon_vma_unlock_write(vma->anon_vma);
    2499                 :            :         khugepaged_enter_vma_merge(vma, vma->vm_flags);
    2500                 :            :         validate_mm(mm);
    2501                 :     449202 :         return error;
    2502                 :            : }
    2503                 :            : 
    2504                 :            : /* enforced gap between the expanding stack and other mappings. */
    2505                 :            : unsigned long stack_guard_gap = 256UL<<PAGE_SHIFT;
    2506                 :            : 
    2507                 :          0 : static int __init cmdline_parse_stack_guard_gap(char *p)
    2508                 :            : {
    2509                 :            :         unsigned long val;
    2510                 :            :         char *endptr;
    2511                 :            : 
    2512                 :          0 :         val = simple_strtoul(p, &endptr, 10);
    2513         [ #  # ]:          0 :         if (!*endptr)
    2514                 :          0 :                 stack_guard_gap = val << PAGE_SHIFT;
    2515                 :            : 
    2516                 :          0 :         return 0;
    2517                 :            : }
    2518                 :            : __setup("stack_guard_gap=", cmdline_parse_stack_guard_gap);
    2519                 :            : 
    2520                 :            : #ifdef CONFIG_STACK_GROWSUP
    2521                 :            : int expand_stack(struct vm_area_struct *vma, unsigned long address)
    2522                 :            : {
    2523                 :            :         return expand_upwards(vma, address);
    2524                 :            : }
    2525                 :            : 
    2526                 :            : struct vm_area_struct *
    2527                 :            : find_extend_vma(struct mm_struct *mm, unsigned long addr)
    2528                 :            : {
    2529                 :            :         struct vm_area_struct *vma, *prev;
    2530                 :            : 
    2531                 :            :         addr &= PAGE_MASK;
    2532                 :            :         vma = find_vma_prev(mm, addr, &prev);
    2533                 :            :         if (vma && (vma->vm_start <= addr))
    2534                 :            :                 return vma;
    2535                 :            :         /* don't alter vm_end if the coredump is running */
    2536                 :            :         if (!prev || !mmget_still_valid(mm) || expand_stack(prev, addr))
    2537                 :            :                 return NULL;
    2538                 :            :         if (prev->vm_flags & VM_LOCKED)
    2539                 :            :                 populate_vma_page_range(prev, addr, prev->vm_end, NULL);
    2540                 :            :         return prev;
    2541                 :            : }
    2542                 :            : #else
    2543                 :     448964 : int expand_stack(struct vm_area_struct *vma, unsigned long address)
    2544                 :            : {
    2545                 :     449204 :         return expand_downwards(vma, address);
    2546                 :            : }
    2547                 :            : 
    2548                 :            : struct vm_area_struct *
    2549                 :    2040346 : find_extend_vma(struct mm_struct *mm, unsigned long addr)
    2550                 :            : {
    2551                 :            :         struct vm_area_struct *vma;
    2552                 :            :         unsigned long start;
    2553                 :            : 
    2554                 :    2040346 :         addr &= PAGE_MASK;
    2555                 :    2040346 :         vma = find_vma(mm, addr);
    2556         [ +  + ]:    2040382 :         if (!vma)
    2557                 :            :                 return NULL;
    2558         [ +  + ]:    2040310 :         if (vma->vm_start <= addr)
    2559                 :            :                 return vma;
    2560         [ +  + ]:       3256 :         if (!(vma->vm_flags & VM_GROWSDOWN))
    2561                 :            :                 return NULL;
    2562                 :            :         /* don't alter vm_start if the coredump is running */
    2563         [ +  - ]:        240 :         if (!mmget_still_valid(mm))
    2564                 :            :                 return NULL;
    2565                 :            :         start = vma->vm_start;
    2566         [ +  - ]:        240 :         if (expand_stack(vma, addr))
    2567                 :            :                 return NULL;
    2568         [ -  + ]:        240 :         if (vma->vm_flags & VM_LOCKED)
    2569                 :          0 :                 populate_vma_page_range(vma, addr, start, NULL);
    2570                 :        240 :         return vma;
    2571                 :            : }
    2572                 :            : #endif
    2573                 :            : 
    2574                 :            : EXPORT_SYMBOL_GPL(find_extend_vma);
    2575                 :            : 
    2576                 :            : /*
    2577                 :            :  * Ok - we have the memory areas we should free on the vma list,
    2578                 :            :  * so release them, and do the vma updates.
    2579                 :            :  *
    2580                 :            :  * Called with the mm semaphore held.
    2581                 :            :  */
    2582                 :    5079758 : static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
    2583                 :            : {
    2584                 :            :         unsigned long nr_accounted = 0;
    2585                 :            : 
    2586                 :            :         /* Update high watermark before we lower total_vm */
    2587                 :            :         update_hiwater_vm(mm);
    2588                 :            :         do {
    2589                 :    5262596 :                 long nrpages = vma_pages(vma);
    2590                 :            : 
    2591         [ +  + ]:    5262596 :                 if (vma->vm_flags & VM_ACCOUNT)
    2592                 :     803136 :                         nr_accounted += nrpages;
    2593                 :    5262596 :                 vm_stat_account(mm, vma->vm_flags, -nrpages);
    2594                 :    5262772 :                 vma = remove_vma(vma);
    2595         [ +  + ]:    5262290 :         } while (vma);
    2596                 :    5079452 :         vm_unacct_memory(nr_accounted);
    2597                 :            :         validate_mm(mm);
    2598                 :    5079876 : }
    2599                 :            : 
    2600                 :            : /*
    2601                 :            :  * Get rid of page table information in the indicated region.
    2602                 :            :  *
    2603                 :            :  * Called with the mm semaphore held.
    2604                 :            :  */
    2605                 :    5079730 : static void unmap_region(struct mm_struct *mm,
    2606                 :            :                 struct vm_area_struct *vma, struct vm_area_struct *prev,
    2607                 :            :                 unsigned long start, unsigned long end)
    2608                 :            : {
    2609         [ +  - ]:    5079730 :         struct vm_area_struct *next = prev ? prev->vm_next : mm->mmap;
    2610                 :            :         struct mmu_gather tlb;
    2611                 :            : 
    2612                 :    5079730 :         lru_add_drain();
    2613                 :    5079978 :         tlb_gather_mmu(&tlb, mm, start, end);
    2614                 :            :         update_hiwater_rss(mm);
    2615                 :    5079972 :         unmap_vmas(&tlb, vma, start, end);
    2616   [ +  +  +  + ]:    5079826 :         free_pgtables(&tlb, vma, prev ? prev->vm_end : FIRST_USER_ADDRESS,
    2617                 :            :                                  next ? next->vm_start : USER_PGTABLES_CEILING);
    2618                 :    5079862 :         tlb_finish_mmu(&tlb, start, end);
    2619                 :    5079932 : }
    2620                 :            : 
    2621                 :            : /*
    2622                 :            :  * Create a list of vma's touched by the unmap, removing them from the mm's
    2623                 :            :  * vma list as we go..
    2624                 :            :  */
    2625                 :            : static bool
    2626                 :    5079826 : detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
    2627                 :            :         struct vm_area_struct *prev, unsigned long end)
    2628                 :            : {
    2629                 :            :         struct vm_area_struct **insertion_point;
    2630                 :            :         struct vm_area_struct *tail_vma = NULL;
    2631                 :            : 
    2632         [ +  - ]:    5079826 :         insertion_point = (prev ? &prev->vm_next : &mm->mmap);
    2633                 :    5079826 :         vma->vm_prev = NULL;
    2634                 :            :         do {
    2635                 :    5262662 :                 vma_rb_erase(vma, &mm->mm_rb);
    2636                 :    5262728 :                 mm->map_count--;
    2637                 :            :                 tail_vma = vma;
    2638                 :    5262728 :                 vma = vma->vm_next;
    2639   [ +  +  +  + ]:    5262728 :         } while (vma && vma->vm_start < end);
    2640                 :    5079892 :         *insertion_point = vma;
    2641         [ +  - ]:    5079892 :         if (vma) {
    2642                 :    5079892 :                 vma->vm_prev = prev;
    2643                 :            :                 vma_gap_update(vma);
    2644                 :            :         } else
    2645         [ #  # ]:          0 :                 mm->highest_vm_end = prev ? vm_end_gap(prev) : 0;
    2646                 :    5079850 :         tail_vma->vm_next = NULL;
    2647                 :            : 
    2648                 :            :         /* Kill the cache */
    2649                 :            :         vmacache_invalidate(mm);
    2650                 :            : 
    2651                 :            :         /*
    2652                 :            :          * Do not downgrade mmap_lock if we are next to VM_GROWSDOWN or
    2653                 :            :          * VM_GROWSUP VMA. Such VMAs can change their size under
    2654                 :            :          * down_read(mmap_lock) and collide with the VMA we are about to unmap.
    2655                 :            :          */
    2656   [ +  +  +  + ]:    5079850 :         if (vma && (vma->vm_flags & VM_GROWSDOWN))
    2657                 :            :                 return false;
    2658                 :            :         if (prev && (prev->vm_flags & VM_GROWSUP))
    2659                 :            :                 return false;
    2660                 :    4612368 :         return true;
    2661                 :            : }
    2662                 :            : 
    2663                 :            : /*
    2664                 :            :  * __split_vma() bypasses sysctl_max_map_count checking.  We use this where it
    2665                 :            :  * has already been checked or doesn't make sense to fail.
    2666                 :            :  */
    2667                 :    9626396 : int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
    2668                 :            :                 unsigned long addr, int new_below)
    2669                 :            : {
    2670                 :            :         struct vm_area_struct *new;
    2671                 :            :         int err;
    2672                 :            : 
    2673   [ +  +  -  + ]:    9626396 :         if (vma->vm_ops && vma->vm_ops->split) {
    2674                 :          0 :                 err = vma->vm_ops->split(vma, addr);
    2675         [ #  # ]:          0 :                 if (err)
    2676                 :            :                         return err;
    2677                 :            :         }
    2678                 :            : 
    2679                 :    9626396 :         new = vm_area_dup(vma);
    2680         [ +  + ]:    9626540 :         if (!new)
    2681                 :            :                 return -ENOMEM;
    2682                 :            : 
    2683         [ +  + ]:    9626450 :         if (new_below)
    2684                 :    3338044 :                 new->vm_end = addr;
    2685                 :            :         else {
    2686                 :    6288406 :                 new->vm_start = addr;
    2687                 :    6288406 :                 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
    2688                 :            :         }
    2689                 :            : 
    2690                 :            :         err = vma_dup_policy(vma, new);
    2691                 :            :         if (err)
    2692                 :            :                 goto out_free_vma;
    2693                 :            : 
    2694                 :    9626450 :         err = anon_vma_clone(new, vma);
    2695         [ +  + ]:    9626498 :         if (err)
    2696                 :            :                 goto out_free_mpol;
    2697                 :            : 
    2698         [ +  + ]:    9626486 :         if (new->vm_file)
    2699                 :            :                 get_file(new->vm_file);
    2700                 :            : 
    2701   [ +  +  -  + ]:    9626324 :         if (new->vm_ops && new->vm_ops->open)
    2702                 :          0 :                 new->vm_ops->open(new);
    2703                 :            : 
    2704         [ +  + ]:    9626324 :         if (new_below)
    2705                 :    6675920 :                 err = vma_adjust(vma, addr, vma->vm_end, vma->vm_pgoff +
    2706                 :    3337960 :                         ((addr - new->vm_start) >> PAGE_SHIFT), new);
    2707                 :            :         else
    2708                 :    6288364 :                 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
    2709                 :            : 
    2710                 :            :         /* Success. */
    2711         [ -  + ]:    9626524 :         if (!err)
    2712                 :            :                 return 0;
    2713                 :            : 
    2714                 :            :         /* Clean everything up if vma_adjust failed. */
    2715   [ #  #  #  # ]:          0 :         if (new->vm_ops && new->vm_ops->close)
    2716                 :          0 :                 new->vm_ops->close(new);
    2717         [ #  # ]:          0 :         if (new->vm_file)
    2718                 :          0 :                 fput(new->vm_file);
    2719                 :          0 :         unlink_anon_vmas(new);
    2720                 :            :  out_free_mpol:
    2721                 :            :         mpol_put(vma_policy(new));
    2722                 :            :  out_free_vma:
    2723                 :         46 :         vm_area_free(new);
    2724                 :          0 :         return err;
    2725                 :            : }
    2726                 :            : 
    2727                 :            : /*
    2728                 :            :  * Split a vma into two pieces at address 'addr', a new vma is allocated
    2729                 :            :  * either for the first part or the tail.
    2730                 :            :  */
    2731                 :    8143162 : int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
    2732                 :            :               unsigned long addr, int new_below)
    2733                 :            : {
    2734         [ +  + ]:    8143162 :         if (mm->map_count >= sysctl_max_map_count)
    2735                 :            :                 return -ENOMEM;
    2736                 :            : 
    2737                 :    8143274 :         return __split_vma(mm, vma, addr, new_below);
    2738                 :            : }
    2739                 :            : 
    2740                 :            : /* Munmap is split into 2 main parts -- this part which finds
    2741                 :            :  * what needs doing, and the areas themselves, which do the
    2742                 :            :  * work.  This now handles partial unmappings.
    2743                 :            :  * Jeremy Fitzhardinge <jeremy@goop.org>
    2744                 :            :  */
    2745                 :    5079904 : int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len,
    2746                 :            :                 struct list_head *uf, bool downgrade)
    2747                 :            : {
    2748                 :            :         unsigned long end;
    2749                 :            :         struct vm_area_struct *vma, *prev, *last;
    2750                 :            : 
    2751   [ +  +  +  +  :    5079904 :         if ((offset_in_page(start)) || start > TASK_SIZE || len > TASK_SIZE-start)
                   +  + ]
    2752                 :            :                 return -EINVAL;
    2753                 :            : 
    2754                 :    5079878 :         len = PAGE_ALIGN(len);
    2755                 :    5079878 :         end = start + len;
    2756         [ +  + ]:    5079878 :         if (len == 0)
    2757                 :            :                 return -EINVAL;
    2758                 :            : 
    2759                 :            :         /*
    2760                 :            :          * arch_unmap() might do unmaps itself.  It must be called
    2761                 :            :          * and finish any rbtree manipulation before this code
    2762                 :            :          * runs and also starts to manipulate the rbtree.
    2763                 :            :          */
    2764                 :            :         arch_unmap(mm, start, end);
    2765                 :            : 
    2766                 :            :         /* Find the first overlapping VMA */
    2767                 :    5079848 :         vma = find_vma(mm, start);
    2768         [ +  + ]:    5079884 :         if (!vma)
    2769                 :            :                 return 0;
    2770                 :    5079840 :         prev = vma->vm_prev;
    2771                 :            :         /* we have  start < vma->vm_end  */
    2772                 :            : 
    2773                 :            :         /* if it doesn't overlap, we have nothing.. */
    2774         [ +  + ]:    5079840 :         if (vma->vm_start >= end)
    2775                 :            :                 return 0;
    2776                 :            : 
    2777                 :            :         /*
    2778                 :            :          * If we need to split any vma, do it now to save pain later.
    2779                 :            :          *
    2780                 :            :          * Note: mremap's move_vma VM_ACCOUNT handling assumes a partially
    2781                 :            :          * unmapped vm_area_struct will remain in use: so lower split_vma
    2782                 :            :          * places tmp vma above, and higher split_vma places tmp vma below.
    2783                 :            :          */
    2784         [ +  + ]:    5079884 :         if (start > vma->vm_start) {
    2785                 :            :                 int error;
    2786                 :            : 
    2787                 :            :                 /*
    2788                 :            :                  * Make sure that map_count on return from munmap() will
    2789                 :            :                  * not exceed its limit; but let map_count go just above
    2790                 :            :                  * its limit temporarily, to help free resources as expected.
    2791                 :            :                  */
    2792   [ +  +  +  - ]:     571592 :                 if (end < vma->vm_end && mm->map_count >= sysctl_max_map_count)
    2793                 :            :                         return -ENOMEM;
    2794                 :            : 
    2795                 :     571592 :                 error = __split_vma(mm, vma, start, 0);
    2796         [ +  + ]:     571596 :                 if (error)
    2797                 :            :                         return error;
    2798                 :            :                 prev = vma;
    2799                 :            :         }
    2800                 :            : 
    2801                 :            :         /* Does it split the last one? */
    2802                 :    5079886 :         last = find_vma(mm, end);
    2803   [ +  +  +  + ]:    5079904 :         if (last && end > last->vm_start) {
    2804                 :     911608 :                 int error = __split_vma(mm, last, end, 1);
    2805         [ +  + ]:     911614 :                 if (error)
    2806                 :            :                         return error;
    2807                 :            :         }
    2808         [ +  - ]:    5079836 :         vma = prev ? prev->vm_next : mm->mmap;
    2809                 :            : 
    2810                 :            :         if (unlikely(uf)) {
    2811                 :            :                 /*
    2812                 :            :                  * If userfaultfd_unmap_prep returns an error the vmas
    2813                 :            :                  * will remain splitted, but userland will get a
    2814                 :            :                  * highly unexpected error anyway. This is no
    2815                 :            :                  * different than the case where the first of the two
    2816                 :            :                  * __split_vma fails, but we don't undo the first
    2817                 :            :                  * split, despite we could. This is unlikely enough
    2818                 :            :                  * failure that it's not worth optimizing it for.
    2819                 :            :                  */
    2820                 :            :                 int error = userfaultfd_unmap_prep(vma, start, end, uf);
    2821                 :            :                 if (error)
    2822                 :            :                         return error;
    2823                 :            :         }
    2824                 :            : 
    2825                 :            :         /*
    2826                 :            :          * unlock any mlock()ed ranges before detaching vmas
    2827                 :            :          */
    2828         [ +  + ]:    5079836 :         if (mm->locked_vm) {
    2829                 :            :                 struct vm_area_struct *tmp = vma;
    2830   [ +  -  +  + ]:       3232 :                 while (tmp && tmp->vm_start < end) {
    2831         [ +  + ]:       1616 :                         if (tmp->vm_flags & VM_LOCKED) {
    2832                 :        808 :                                 mm->locked_vm -= vma_pages(tmp);
    2833                 :            :                                 munlock_vma_pages_all(tmp);
    2834                 :            :                         }
    2835                 :            : 
    2836                 :       1616 :                         tmp = tmp->vm_next;
    2837                 :            :                 }
    2838                 :            :         }
    2839                 :            : 
    2840                 :            :         /* Detach vmas from rbtree */
    2841         [ +  + ]:    5079836 :         if (!detach_vmas_to_be_unmapped(mm, vma, prev, end))
    2842                 :            :                 downgrade = false;
    2843                 :            : 
    2844         [ +  + ]:    5079680 :         if (downgrade)
    2845                 :    1362400 :                 downgrade_write(&mm->mmap_sem);
    2846                 :            : 
    2847                 :    5079762 :         unmap_region(mm, vma, prev, start, end);
    2848                 :            : 
    2849                 :            :         /* Fix up all other VM information */
    2850                 :    5079956 :         remove_vma_list(mm, vma);
    2851                 :            : 
    2852                 :    5079852 :         return downgrade ? 1 : 0;
    2853                 :            : }
    2854                 :            : 
    2855                 :       4056 : int do_munmap(struct mm_struct *mm, unsigned long start, size_t len,
    2856                 :            :               struct list_head *uf)
    2857                 :            : {
    2858                 :    3249914 :         return __do_munmap(mm, start, len, uf, false);
    2859                 :            : }
    2860                 :            : 
    2861                 :    1762062 : static int __vm_munmap(unsigned long start, size_t len, bool downgrade)
    2862                 :            : {
    2863                 :            :         int ret;
    2864                 :    1762062 :         struct mm_struct *mm = current->mm;
    2865                 :    1762062 :         LIST_HEAD(uf);
    2866                 :            : 
    2867         [ +  + ]:    1762062 :         if (down_write_killable(&mm->mmap_sem))
    2868                 :            :                 return -EINTR;
    2869                 :            : 
    2870                 :    1762042 :         ret = __do_munmap(mm, start, len, &uf, downgrade);
    2871                 :            :         /*
    2872                 :            :          * Returning 1 indicates mmap_sem is downgraded.
    2873                 :            :          * But 1 is not legal return value of vm_munmap() and munmap(), reset
    2874                 :            :          * it to 0 before return.
    2875                 :            :          */
    2876         [ +  + ]:    1762086 :         if (ret == 1) {
    2877                 :    1294538 :                 up_read(&mm->mmap_sem);
    2878                 :            :                 ret = 0;
    2879                 :            :         } else
    2880                 :     467548 :                 up_write(&mm->mmap_sem);
    2881                 :            : 
    2882                 :            :         userfaultfd_unmap_complete(mm, &uf);
    2883                 :    1762108 :         return ret;
    2884                 :            : }
    2885                 :            : 
    2886                 :     467554 : int vm_munmap(unsigned long start, size_t len)
    2887                 :            : {
    2888                 :     467554 :         return __vm_munmap(start, len, false);
    2889                 :            : }
    2890                 :            : EXPORT_SYMBOL(vm_munmap);
    2891                 :            : 
    2892                 :    2589090 : SYSCALL_DEFINE2(munmap, unsigned long, addr, size_t, len)
    2893                 :            : {
    2894                 :            :         addr = untagged_addr(addr);
    2895                 :    1294540 :         profile_munmap(addr);
    2896                 :    1294522 :         return __vm_munmap(addr, len, true);
    2897                 :            : }
    2898                 :            : 
    2899                 :            : 
    2900                 :            : /*
    2901                 :            :  * Emulation of deprecated remap_file_pages() syscall.
    2902                 :            :  */
    2903                 :          0 : SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
    2904                 :            :                 unsigned long, prot, unsigned long, pgoff, unsigned long, flags)
    2905                 :            : {
    2906                 :            : 
    2907                 :          0 :         struct mm_struct *mm = current->mm;
    2908                 :            :         struct vm_area_struct *vma;
    2909                 :          0 :         unsigned long populate = 0;
    2910                 :            :         unsigned long ret = -EINVAL;
    2911                 :            :         struct file *file;
    2912                 :            : 
    2913         [ #  # ]:          0 :         pr_warn_once("%s (%d) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.rst.\n",
    2914                 :            :                      current->comm, current->pid);
    2915                 :            : 
    2916         [ #  # ]:          0 :         if (prot)
    2917                 :            :                 return ret;
    2918                 :          0 :         start = start & PAGE_MASK;
    2919                 :          0 :         size = size & PAGE_MASK;
    2920                 :            : 
    2921         [ #  # ]:          0 :         if (start + size <= start)
    2922                 :            :                 return ret;
    2923                 :            : 
    2924                 :            :         /* Does pgoff wrap? */
    2925         [ #  # ]:          0 :         if (pgoff + (size >> PAGE_SHIFT) < pgoff)
    2926                 :            :                 return ret;
    2927                 :            : 
    2928         [ #  # ]:          0 :         if (down_write_killable(&mm->mmap_sem))
    2929                 :            :                 return -EINTR;
    2930                 :            : 
    2931                 :          0 :         vma = find_vma(mm, start);
    2932                 :            : 
    2933   [ #  #  #  # ]:          0 :         if (!vma || !(vma->vm_flags & VM_SHARED))
    2934                 :            :                 goto out;
    2935                 :            : 
    2936         [ #  # ]:          0 :         if (start < vma->vm_start)
    2937                 :            :                 goto out;
    2938                 :            : 
    2939         [ #  # ]:          0 :         if (start + size > vma->vm_end) {
    2940                 :            :                 struct vm_area_struct *next;
    2941                 :            : 
    2942         [ #  # ]:          0 :                 for (next = vma->vm_next; next; next = next->vm_next) {
    2943                 :            :                         /* hole between vmas ? */
    2944         [ #  # ]:          0 :                         if (next->vm_start != next->vm_prev->vm_end)
    2945                 :            :                                 goto out;
    2946                 :            : 
    2947         [ #  # ]:          0 :                         if (next->vm_file != vma->vm_file)
    2948                 :            :                                 goto out;
    2949                 :            : 
    2950         [ #  # ]:          0 :                         if (next->vm_flags != vma->vm_flags)
    2951                 :            :                                 goto out;
    2952                 :            : 
    2953         [ #  # ]:          0 :                         if (start + size <= next->vm_end)
    2954                 :            :                                 break;
    2955                 :            :                 }
    2956                 :            : 
    2957         [ #  # ]:          0 :                 if (!next)
    2958                 :            :                         goto out;
    2959                 :            :         }
    2960                 :            : 
    2961                 :          0 :         prot |= vma->vm_flags & VM_READ ? PROT_READ : 0;
    2962                 :          0 :         prot |= vma->vm_flags & VM_WRITE ? PROT_WRITE : 0;
    2963                 :          0 :         prot |= vma->vm_flags & VM_EXEC ? PROT_EXEC : 0;
    2964                 :            : 
    2965                 :          0 :         flags &= MAP_NONBLOCK;
    2966                 :          0 :         flags |= MAP_SHARED | MAP_FIXED | MAP_POPULATE;
    2967         [ #  # ]:          0 :         if (vma->vm_flags & VM_LOCKED) {
    2968                 :            :                 struct vm_area_struct *tmp;
    2969                 :          0 :                 flags |= MAP_LOCKED;
    2970                 :            : 
    2971                 :            :                 /* drop PG_Mlocked flag for over-mapped range */
    2972         [ #  # ]:          0 :                 for (tmp = vma; tmp->vm_start >= start + size;
    2973                 :          0 :                                 tmp = tmp->vm_next) {
    2974                 :            :                         /*
    2975                 :            :                          * Split pmd and munlock page on the border
    2976                 :            :                          * of the range.
    2977                 :            :                          */
    2978                 :            :                         vma_adjust_trans_huge(tmp, start, start + size, 0);
    2979                 :            : 
    2980                 :          0 :                         munlock_vma_pages_range(tmp,
    2981                 :          0 :                                         max(tmp->vm_start, start),
    2982                 :          0 :                                         min(tmp->vm_end, start + size));
    2983                 :            :                 }
    2984                 :            :         }
    2985                 :            : 
    2986                 :          0 :         file = get_file(vma->vm_file);
    2987                 :          0 :         ret = do_mmap_pgoff(vma->vm_file, start, size,
    2988                 :            :                         prot, flags, pgoff, &populate, NULL);
    2989                 :          0 :         fput(file);
    2990                 :            : out:
    2991                 :          0 :         up_write(&mm->mmap_sem);
    2992         [ #  # ]:          0 :         if (populate)
    2993                 :            :                 mm_populate(ret, populate);
    2994         [ #  # ]:          0 :         if (!IS_ERR_VALUE(ret))
    2995                 :            :                 ret = 0;
    2996                 :          0 :         return ret;
    2997                 :            : }
    2998                 :            : 
    2999                 :            : /*
    3000                 :            :  *  this is really a simplified "do_mmap".  it only handles
    3001                 :            :  *  anonymous maps.  eventually we may be able to do some
    3002                 :            :  *  brk-specific accounting here.
    3003                 :            :  */
    3004                 :     690582 : static int do_brk_flags(unsigned long addr, unsigned long len, unsigned long flags, struct list_head *uf)
    3005                 :            : {
    3006                 :     690582 :         struct mm_struct *mm = current->mm;
    3007                 :            :         struct vm_area_struct *vma, *prev;
    3008                 :            :         struct rb_node **rb_link, *rb_parent;
    3009                 :     690582 :         pgoff_t pgoff = addr >> PAGE_SHIFT;
    3010                 :            :         int error;
    3011                 :            : 
    3012                 :            :         /* Until we need other flags, refuse anything except VM_EXEC. */
    3013         [ +  + ]:     690582 :         if ((flags & (~VM_EXEC)) != 0)
    3014                 :            :                 return -EINVAL;
    3015         [ +  - ]:     690580 :         flags |= VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
    3016                 :            : 
    3017                 :     690580 :         error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
    3018         [ +  - ]:     690580 :         if (offset_in_page(error))
    3019                 :            :                 return error;
    3020                 :            : 
    3021                 :     690580 :         error = mlock_future_check(mm, mm->def_flags, len);
    3022         [ +  + ]:     690576 :         if (error)
    3023                 :            :                 return error;
    3024                 :            : 
    3025                 :            :         /*
    3026                 :            :          * Clear old maps.  this also does some error checking for us
    3027                 :            :          */
    3028         [ -  + ]:    1381156 :         while (find_vma_links(mm, addr, addr + len, &prev, &rb_link,
    3029                 :            :                               &rb_parent)) {
    3030         [ #  # ]:          0 :                 if (do_munmap(mm, addr, len, uf))
    3031                 :            :                         return -ENOMEM;
    3032                 :            :         }
    3033                 :            : 
    3034                 :            :         /* Check against address space limits *after* clearing old maps... */
    3035         [ +  + ]:     690578 :         if (!may_expand_vm(mm, flags, len >> PAGE_SHIFT))
    3036                 :            :                 return -ENOMEM;
    3037                 :            : 
    3038         [ +  - ]:     690576 :         if (mm->map_count > sysctl_max_map_count)
    3039                 :            :                 return -ENOMEM;
    3040                 :            : 
    3041         [ +  + ]:     690576 :         if (security_vm_enough_memory_mm(mm, len >> PAGE_SHIFT))
    3042                 :            :                 return -ENOMEM;
    3043                 :            : 
    3044                 :            :         /* Can we just expand an old private anonymous mapping? */
    3045                 :     690572 :         vma = vma_merge(mm, prev, addr, addr + len, flags,
    3046                 :            :                         NULL, NULL, pgoff, NULL, NULL_VM_UFFD_CTX);
    3047         [ +  + ]:     690580 :         if (vma)
    3048                 :            :                 goto out;
    3049                 :            : 
    3050                 :            :         /*
    3051                 :            :          * create a vma struct for an anonymous mapping
    3052                 :            :          */
    3053                 :     621396 :         vma = vm_area_alloc(mm);
    3054         [ -  + ]:     621396 :         if (!vma) {
    3055                 :            :                 vm_unacct_memory(len >> PAGE_SHIFT);
    3056                 :          0 :                 return -ENOMEM;
    3057                 :            :         }
    3058                 :            : 
    3059                 :            :         vma_set_anonymous(vma);
    3060                 :     621396 :         vma->vm_start = addr;
    3061                 :     621396 :         vma->vm_end = addr + len;
    3062                 :     621396 :         vma->vm_pgoff = pgoff;
    3063                 :     621396 :         vma->vm_flags = flags;
    3064                 :     621396 :         vma->vm_page_prot = vm_get_page_prot(flags);
    3065                 :     621396 :         vma_link(mm, vma, prev, rb_link, rb_parent);
    3066                 :            : out:
    3067                 :     690584 :         perf_event_mmap(vma);
    3068                 :     690578 :         mm->total_vm += len >> PAGE_SHIFT;
    3069                 :     690578 :         mm->data_vm += len >> PAGE_SHIFT;
    3070         [ -  + ]:     690578 :         if (flags & VM_LOCKED)
    3071                 :          0 :                 mm->locked_vm += (len >> PAGE_SHIFT);
    3072                 :            :         vma->vm_flags |= VM_SOFTDIRTY;
    3073                 :            :         return 0;
    3074                 :            : }
    3075                 :            : 
    3076                 :     169298 : int vm_brk_flags(unsigned long addr, unsigned long request, unsigned long flags)
    3077                 :            : {
    3078                 :     169298 :         struct mm_struct *mm = current->mm;
    3079                 :            :         unsigned long len;
    3080                 :            :         int ret;
    3081                 :            :         bool populate;
    3082                 :     169298 :         LIST_HEAD(uf);
    3083                 :            : 
    3084                 :     169298 :         len = PAGE_ALIGN(request);
    3085         [ +  - ]:     169298 :         if (len < request)
    3086                 :            :                 return -ENOMEM;
    3087         [ +  + ]:     169300 :         if (!len)
    3088                 :            :                 return 0;
    3089                 :            : 
    3090         [ +  - ]:     169298 :         if (down_write_killable(&mm->mmap_sem))
    3091                 :            :                 return -EINTR;
    3092                 :            : 
    3093                 :     169298 :         ret = do_brk_flags(addr, len, flags, &uf);
    3094                 :     169300 :         populate = ((mm->def_flags & VM_LOCKED) != 0);
    3095                 :     169300 :         up_write(&mm->mmap_sem);
    3096                 :            :         userfaultfd_unmap_complete(mm, &uf);
    3097         [ -  + ]:     169300 :         if (populate && !ret)
    3098                 :            :                 mm_populate(addr, len);
    3099                 :     169300 :         return ret;
    3100                 :            : }
    3101                 :            : EXPORT_SYMBOL(vm_brk_flags);
    3102                 :            : 
    3103                 :          0 : int vm_brk(unsigned long addr, unsigned long len)
    3104                 :            : {
    3105                 :          0 :         return vm_brk_flags(addr, len, 0);
    3106                 :            : }
    3107                 :            : EXPORT_SYMBOL(vm_brk);
    3108                 :            : 
    3109                 :            : /* Release all mmaps. */
    3110                 :     915708 : void exit_mmap(struct mm_struct *mm)
    3111                 :            : {
    3112                 :            :         struct mmu_gather tlb;
    3113                 :            :         struct vm_area_struct *vma;
    3114                 :            :         unsigned long nr_accounted = 0;
    3115                 :            : 
    3116                 :            :         /* mm's last user has gone, and its about to be pulled down */
    3117                 :            :         mmu_notifier_release(mm);
    3118                 :            : 
    3119         [ -  + ]:     915708 :         if (unlikely(mm_is_oom_victim(mm))) {
    3120                 :            :                 /*
    3121                 :            :                  * Manually reap the mm to free as much memory as possible.
    3122                 :            :                  * Then, as the oom reaper does, set MMF_OOM_SKIP to disregard
    3123                 :            :                  * this mm from further consideration.  Taking mm->mmap_sem for
    3124                 :            :                  * write after setting MMF_OOM_SKIP will guarantee that the oom
    3125                 :            :                  * reaper will not run on this mm again after mmap_sem is
    3126                 :            :                  * dropped.
    3127                 :            :                  *
    3128                 :            :                  * Nothing can be holding mm->mmap_sem here and the above call
    3129                 :            :                  * to mmu_notifier_release(mm) ensures mmu notifier callbacks in
    3130                 :            :                  * __oom_reap_task_mm() will not block.
    3131                 :            :                  *
    3132                 :            :                  * This needs to be done before calling munlock_vma_pages_all(),
    3133                 :            :                  * which clears VM_LOCKED, otherwise the oom reaper cannot
    3134                 :            :                  * reliably test it.
    3135                 :            :                  */
    3136                 :          0 :                 (void)__oom_reap_task_mm(mm);
    3137                 :            : 
    3138                 :          0 :                 set_bit(MMF_OOM_SKIP, &mm->flags);
    3139                 :          0 :                 down_write(&mm->mmap_sem);
    3140                 :          0 :                 up_write(&mm->mmap_sem);
    3141                 :            :         }
    3142                 :            : 
    3143         [ -  + ]:     915684 :         if (mm->locked_vm) {
    3144                 :          0 :                 vma = mm->mmap;
    3145         [ #  # ]:          0 :                 while (vma) {
    3146         [ #  # ]:          0 :                         if (vma->vm_flags & VM_LOCKED)
    3147                 :            :                                 munlock_vma_pages_all(vma);
    3148                 :          0 :                         vma = vma->vm_next;
    3149                 :            :                 }
    3150                 :            :         }
    3151                 :            : 
    3152                 :            :         arch_exit_mmap(mm);
    3153                 :            : 
    3154                 :     915684 :         vma = mm->mmap;
    3155         [ +  - ]:     915684 :         if (!vma)       /* Can happen if dup_mmap() received an OOM */
    3156                 :          0 :                 return;
    3157                 :            : 
    3158                 :     915684 :         lru_add_drain();
    3159                 :     915734 :         flush_cache_mm(mm);
    3160                 :     915734 :         tlb_gather_mmu(&tlb, mm, 0, -1);
    3161                 :            :         /* update_hiwater_rss(mm) here? but nobody should be looking */
    3162                 :            :         /* Use -1 here to ensure all VMAs in the mm are unmapped */
    3163                 :     915730 :         unmap_vmas(&tlb, vma, 0, -1);
    3164                 :     915730 :         free_pgtables(&tlb, vma, FIRST_USER_ADDRESS, USER_PGTABLES_CEILING);
    3165                 :     915734 :         tlb_finish_mmu(&tlb, 0, -1);
    3166                 :            : 
    3167                 :            :         /*
    3168                 :            :          * Walk the list again, actually closing and freeing it,
    3169                 :            :          * with preemption enabled, without holding any MM locks.
    3170                 :            :          */
    3171         [ +  + ]:   42872792 :         while (vma) {
    3172         [ +  + ]:   41041334 :                 if (vma->vm_flags & VM_ACCOUNT)
    3173                 :   22109004 :                         nr_accounted += vma_pages(vma);
    3174                 :   41041334 :                 vma = remove_vma(vma);
    3175                 :   41042784 :                 cond_resched();
    3176                 :            :         }
    3177                 :     915726 :         vm_unacct_memory(nr_accounted);
    3178                 :            : }
    3179                 :            : 
    3180                 :            : /* Insert vm structure into process list sorted by address
    3181                 :            :  * and into the inode's i_mmap tree.  If vm_file is non-NULL
    3182                 :            :  * then i_mmap_rwsem is taken here.
    3183                 :            :  */
    3184                 :    1795818 : int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
    3185                 :            : {
    3186                 :            :         struct vm_area_struct *prev;
    3187                 :            :         struct rb_node **rb_link, *rb_parent;
    3188                 :            : 
    3189         [ +  + ]:    3591636 :         if (find_vma_links(mm, vma->vm_start, vma->vm_end,
    3190                 :            :                            &prev, &rb_link, &rb_parent))
    3191                 :            :                 return -ENOMEM;
    3192   [ +  +  +  + ]:    2244804 :         if ((vma->vm_flags & VM_ACCOUNT) &&
    3193                 :     448952 :              security_vm_enough_memory_mm(mm, vma_pages(vma)))
    3194                 :            :                 return -ENOMEM;
    3195                 :            : 
    3196                 :            :         /*
    3197                 :            :          * The vm_pgoff of a purely anonymous vma should be irrelevant
    3198                 :            :          * until its first write fault, when page's anon_vma and index
    3199                 :            :          * are set.  But now set the vm_pgoff it will almost certainly
    3200                 :            :          * end up with (unless mremap moves it elsewhere before that
    3201                 :            :          * first wfault), so /proc/pid/maps tells a consistent story.
    3202                 :            :          *
    3203                 :            :          * By setting it to reflect the virtual start address of the
    3204                 :            :          * vma, merges and splits can happen in a seamless way, just
    3205                 :            :          * using the existing file pgoff checks and manipulations.
    3206                 :            :          * Similarly in do_mmap_pgoff and in do_brk.
    3207                 :            :          */
    3208         [ +  + ]:    1795822 :         if (vma_is_anonymous(vma)) {
    3209         [ -  + ]:     448936 :                 BUG_ON(vma->anon_vma);
    3210                 :     448936 :                 vma->vm_pgoff = vma->vm_start >> PAGE_SHIFT;
    3211                 :            :         }
    3212                 :            : 
    3213                 :    1795822 :         vma_link(mm, vma, prev, rb_link, rb_parent);
    3214                 :    1795846 :         return 0;
    3215                 :            : }
    3216                 :            : 
    3217                 :            : /*
    3218                 :            :  * Copy the vma structure to a new location in the same mm,
    3219                 :            :  * prior to moving page table entries, to effect an mremap move.
    3220                 :            :  */
    3221                 :        810 : struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
    3222                 :            :         unsigned long addr, unsigned long len, pgoff_t pgoff,
    3223                 :            :         bool *need_rmap_locks)
    3224                 :            : {
    3225                 :        810 :         struct vm_area_struct *vma = *vmap;
    3226                 :        810 :         unsigned long vma_start = vma->vm_start;
    3227                 :        810 :         struct mm_struct *mm = vma->vm_mm;
    3228                 :            :         struct vm_area_struct *new_vma, *prev;
    3229                 :            :         struct rb_node **rb_link, *rb_parent;
    3230                 :            :         bool faulted_in_anon_vma = true;
    3231                 :            : 
    3232                 :            :         /*
    3233                 :            :          * If anonymous vma has not yet been faulted, update new pgoff
    3234                 :            :          * to match new location, to increase its chance of merging.
    3235                 :            :          */
    3236   [ +  -  -  + ]:        810 :         if (unlikely(vma_is_anonymous(vma) && !vma->anon_vma)) {
    3237                 :          0 :                 pgoff = addr >> PAGE_SHIFT;
    3238                 :            :                 faulted_in_anon_vma = false;
    3239                 :            :         }
    3240                 :            : 
    3241         [ +  - ]:       1620 :         if (find_vma_links(mm, addr, addr + len, &prev, &rb_link, &rb_parent))
    3242                 :            :                 return NULL;    /* should never get here */
    3243                 :        810 :         new_vma = vma_merge(mm, prev, addr, addr + len, vma->vm_flags,
    3244                 :            :                             vma->anon_vma, vma->vm_file, pgoff, vma_policy(vma),
    3245                 :            :                             vma->vm_userfaultfd_ctx);
    3246         [ -  + ]:        810 :         if (new_vma) {
    3247                 :            :                 /*
    3248                 :            :                  * Source vma may have been merged into new_vma
    3249                 :            :                  */
    3250   [ #  #  #  # ]:          0 :                 if (unlikely(vma_start >= new_vma->vm_start &&
    3251                 :            :                              vma_start < new_vma->vm_end)) {
    3252                 :            :                         /*
    3253                 :            :                          * The only way we can get a vma_merge with
    3254                 :            :                          * self during an mremap is if the vma hasn't
    3255                 :            :                          * been faulted in yet and we were allowed to
    3256                 :            :                          * reset the dst vma->vm_pgoff to the
    3257                 :            :                          * destination address of the mremap to allow
    3258                 :            :                          * the merge to happen. mremap must change the
    3259                 :            :                          * vm_pgoff linearity between src and dst vmas
    3260                 :            :                          * (in turn preventing a vma_merge) to be
    3261                 :            :                          * safe. It is only safe to keep the vm_pgoff
    3262                 :            :                          * linear if there are no pages mapped yet.
    3263                 :            :                          */
    3264                 :            :                         VM_BUG_ON_VMA(faulted_in_anon_vma, new_vma);
    3265                 :          0 :                         *vmap = vma = new_vma;
    3266                 :            :                 }
    3267                 :          0 :                 *need_rmap_locks = (new_vma->vm_pgoff <= vma->vm_pgoff);
    3268                 :            :         } else {
    3269                 :        810 :                 new_vma = vm_area_dup(vma);
    3270         [ +  - ]:        810 :                 if (!new_vma)
    3271                 :            :                         goto out;
    3272                 :        810 :                 new_vma->vm_start = addr;
    3273                 :        810 :                 new_vma->vm_end = addr + len;
    3274                 :        810 :                 new_vma->vm_pgoff = pgoff;
    3275                 :            :                 if (vma_dup_policy(vma, new_vma))
    3276                 :            :                         goto out_free_vma;
    3277         [ +  - ]:        810 :                 if (anon_vma_clone(new_vma, vma))
    3278                 :            :                         goto out_free_mempol;
    3279         [ -  + ]:        810 :                 if (new_vma->vm_file)
    3280                 :            :                         get_file(new_vma->vm_file);
    3281   [ -  +  #  # ]:        810 :                 if (new_vma->vm_ops && new_vma->vm_ops->open)
    3282                 :          0 :                         new_vma->vm_ops->open(new_vma);
    3283                 :        810 :                 vma_link(mm, new_vma, prev, rb_link, rb_parent);
    3284                 :        810 :                 *need_rmap_locks = false;
    3285                 :            :         }
    3286                 :        810 :         return new_vma;
    3287                 :            : 
    3288                 :            : out_free_mempol:
    3289                 :            :         mpol_put(vma_policy(new_vma));
    3290                 :            : out_free_vma:
    3291                 :          0 :         vm_area_free(new_vma);
    3292                 :            : out:
    3293                 :            :         return NULL;
    3294                 :            : }
    3295                 :            : 
    3296                 :            : /*
    3297                 :            :  * Return true if the calling process may expand its vm space by the passed
    3298                 :            :  * number of pages
    3299                 :            :  */
    3300                 :   11127160 : bool may_expand_vm(struct mm_struct *mm, vm_flags_t flags, unsigned long npages)
    3301                 :            : {
    3302         [ +  + ]:   22254320 :         if (mm->total_vm + npages > rlimit(RLIMIT_AS) >> PAGE_SHIFT)
    3303                 :            :                 return false;
    3304                 :            : 
    3305   [ +  +  -  + ]:   17402888 :         if (is_data_mapping(flags) &&
    3306                 :   12551244 :             mm->data_vm + npages > rlimit(RLIMIT_DATA) >> PAGE_SHIFT) {
    3307                 :            :                 /* Workaround for Valgrind */
    3308   [ #  #  #  # ]:          0 :                 if (rlimit(RLIMIT_DATA) == 0 &&
    3309                 :          0 :                     mm->data_vm + npages <= rlimit_max(RLIMIT_DATA) >> PAGE_SHIFT)
    3310                 :            :                         return true;
    3311                 :            : 
    3312   [ #  #  #  # ]:          0 :                 pr_warn_once("%s (%d): VmData %lu exceed data ulimit %lu. Update limits%s.\n",
    3313                 :            :                              current->comm, current->pid,
    3314                 :            :                              (mm->data_vm + npages) << PAGE_SHIFT,
    3315                 :            :                              rlimit(RLIMIT_DATA),
    3316                 :            :                              ignore_rlimit_data ? "" : " or use boot option ignore_rlimit_data");
    3317                 :            : 
    3318         [ #  # ]:          0 :                 if (!ignore_rlimit_data)
    3319                 :            :                         return false;
    3320                 :            :         }
    3321                 :            : 
    3322                 :            :         return true;
    3323                 :            : }
    3324                 :            : 
    3325                 :   28515666 : void vm_stat_account(struct mm_struct *mm, vm_flags_t flags, long npages)
    3326                 :            : {
    3327                 :   28515666 :         mm->total_vm += npages;
    3328                 :            : 
    3329         [ +  + ]:   28515666 :         if (is_exec_mapping(flags))
    3330                 :   10356568 :                 mm->exec_vm += npages;
    3331         [ +  + ]:   18159098 :         else if (is_stack_mapping(flags))
    3332                 :     449206 :                 mm->stack_vm += npages;
    3333         [ +  + ]:   17709892 :         else if (is_data_mapping(flags))
    3334                 :    9619590 :                 mm->data_vm += npages;
    3335                 :   28515666 : }
    3336                 :            : 
    3337                 :            : static vm_fault_t special_mapping_fault(struct vm_fault *vmf);
    3338                 :            : 
    3339                 :            : /*
    3340                 :            :  * Having a close hook prevents vma merging regardless of flags.
    3341                 :            :  */
    3342                 :    2747198 : static void special_mapping_close(struct vm_area_struct *vma)
    3343                 :            : {
    3344                 :    2747198 : }
    3345                 :            : 
    3346                 :          2 : static const char *special_mapping_name(struct vm_area_struct *vma)
    3347                 :            : {
    3348                 :          2 :         return ((struct vm_special_mapping *)vma->vm_private_data)->name;
    3349                 :            : }
    3350                 :            : 
    3351                 :          0 : static int special_mapping_mremap(struct vm_area_struct *new_vma)
    3352                 :            : {
    3353                 :          0 :         struct vm_special_mapping *sm = new_vma->vm_private_data;
    3354                 :            : 
    3355   [ #  #  #  #  :          0 :         if (WARN_ON_ONCE(current->mm != new_vma->vm_mm))
                   #  # ]
    3356                 :            :                 return -EFAULT;
    3357                 :            : 
    3358         [ #  # ]:          0 :         if (sm->mremap)
    3359                 :          0 :                 return sm->mremap(sm, new_vma);
    3360                 :            : 
    3361                 :            :         return 0;
    3362                 :            : }
    3363                 :            : 
    3364                 :            : static const struct vm_operations_struct special_mapping_vmops = {
    3365                 :            :         .close = special_mapping_close,
    3366                 :            :         .fault = special_mapping_fault,
    3367                 :            :         .mremap = special_mapping_mremap,
    3368                 :            :         .name = special_mapping_name,
    3369                 :            : };
    3370                 :            : 
    3371                 :            : static const struct vm_operations_struct legacy_special_mapping_vmops = {
    3372                 :            :         .close = special_mapping_close,
    3373                 :            :         .fault = special_mapping_fault,
    3374                 :            : };
    3375                 :            : 
    3376                 :     512920 : static vm_fault_t special_mapping_fault(struct vm_fault *vmf)
    3377                 :            : {
    3378                 :     512920 :         struct vm_area_struct *vma = vmf->vma;
    3379                 :            :         pgoff_t pgoff;
    3380                 :            :         struct page **pages;
    3381                 :            : 
    3382         [ -  + ]:     512920 :         if (vma->vm_ops == &legacy_special_mapping_vmops) {
    3383                 :          0 :                 pages = vma->vm_private_data;
    3384                 :            :         } else {
    3385                 :     512922 :                 struct vm_special_mapping *sm = vma->vm_private_data;
    3386                 :            : 
    3387         [ -  + ]:     512922 :                 if (sm->fault)
    3388                 :          0 :                         return sm->fault(sm, vmf->vma, vmf);
    3389                 :            : 
    3390                 :     512922 :                 pages = sm->pages;
    3391                 :            :         }
    3392                 :            : 
    3393   [ -  +  #  # ]:     512920 :         for (pgoff = vmf->pgoff; pgoff && *pages; ++pages)
    3394                 :          0 :                 pgoff--;
    3395                 :            : 
    3396         [ +  + ]:     512920 :         if (*pages) {
    3397                 :            :                 struct page *page = *pages;
    3398                 :     512910 :                 get_page(page);
    3399                 :     512926 :                 vmf->page = page;
    3400                 :     512926 :                 return 0;
    3401                 :            :         }
    3402                 :            : 
    3403                 :            :         return VM_FAULT_SIGBUS;
    3404                 :            : }
    3405                 :            : 
    3406                 :    1346890 : static struct vm_area_struct *__install_special_mapping(
    3407                 :            :         struct mm_struct *mm,
    3408                 :            :         unsigned long addr, unsigned long len,
    3409                 :            :         unsigned long vm_flags, void *priv,
    3410                 :            :         const struct vm_operations_struct *ops)
    3411                 :            : {
    3412                 :            :         int ret;
    3413                 :            :         struct vm_area_struct *vma;
    3414                 :            : 
    3415                 :    1346890 :         vma = vm_area_alloc(mm);
    3416         [ +  + ]:    1346890 :         if (unlikely(vma == NULL))
    3417                 :            :                 return ERR_PTR(-ENOMEM);
    3418                 :            : 
    3419                 :    1346886 :         vma->vm_start = addr;
    3420                 :    1346886 :         vma->vm_end = addr + len;
    3421                 :            : 
    3422                 :    1346886 :         vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND | VM_SOFTDIRTY;
    3423                 :    1346886 :         vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
    3424                 :            : 
    3425                 :    1346886 :         vma->vm_ops = ops;
    3426                 :    1346886 :         vma->vm_private_data = priv;
    3427                 :            : 
    3428                 :    1346886 :         ret = insert_vm_struct(mm, vma);
    3429         [ +  - ]:    1346884 :         if (ret)
    3430                 :            :                 goto out;
    3431                 :            : 
    3432                 :    1346884 :         vm_stat_account(mm, vma->vm_flags, len >> PAGE_SHIFT);
    3433                 :            : 
    3434                 :    1346886 :         perf_event_mmap(vma);
    3435                 :            : 
    3436                 :    1346890 :         return vma;
    3437                 :            : 
    3438                 :            : out:
    3439                 :          0 :         vm_area_free(vma);
    3440                 :          0 :         return ERR_PTR(ret);
    3441                 :            : }
    3442                 :            : 
    3443                 :          0 : bool vma_is_special_mapping(const struct vm_area_struct *vma,
    3444                 :            :         const struct vm_special_mapping *sm)
    3445                 :            : {
    3446   [ #  #  #  # ]:          0 :         return vma->vm_private_data == sm &&
    3447         [ #  # ]:          0 :                 (vma->vm_ops == &special_mapping_vmops ||
    3448                 :            :                  vma->vm_ops == &legacy_special_mapping_vmops);
    3449                 :            : }
    3450                 :            : 
    3451                 :            : /*
    3452                 :            :  * Called with mm->mmap_sem held for writing.
    3453                 :            :  * Insert a new vma covering the given region, with the given flags.
    3454                 :            :  * Its pages are supplied by the given array of struct page *.
    3455                 :            :  * The array can be shorter than len >> PAGE_SHIFT if it's null-terminated.
    3456                 :            :  * The region past the last page supplied will always produce SIGBUS.
    3457                 :            :  * The array pointer and the pages it points to are assumed to stay alive
    3458                 :            :  * for as long as this mapping might exist.
    3459                 :            :  */
    3460                 :    1346890 : struct vm_area_struct *_install_special_mapping(
    3461                 :            :         struct mm_struct *mm,
    3462                 :            :         unsigned long addr, unsigned long len,
    3463                 :            :         unsigned long vm_flags, const struct vm_special_mapping *spec)
    3464                 :            : {
    3465                 :    1346890 :         return __install_special_mapping(mm, addr, len, vm_flags, (void *)spec,
    3466                 :            :                                         &special_mapping_vmops);
    3467                 :            : }
    3468                 :            : 
    3469                 :          0 : int install_special_mapping(struct mm_struct *mm,
    3470                 :            :                             unsigned long addr, unsigned long len,
    3471                 :            :                             unsigned long vm_flags, struct page **pages)
    3472                 :            : {
    3473                 :          0 :         struct vm_area_struct *vma = __install_special_mapping(
    3474                 :            :                 mm, addr, len, vm_flags, (void *)pages,
    3475                 :            :                 &legacy_special_mapping_vmops);
    3476                 :            : 
    3477                 :          0 :         return PTR_ERR_OR_ZERO(vma);
    3478                 :            : }
    3479                 :            : 
    3480                 :            : static DEFINE_MUTEX(mm_all_locks_mutex);
    3481                 :            : 
    3482                 :          0 : static void vm_lock_anon_vma(struct mm_struct *mm, struct anon_vma *anon_vma)
    3483                 :            : {
    3484         [ #  # ]:          0 :         if (!test_bit(0, (unsigned long *) &anon_vma->root->rb_root.rb_root.rb_node)) {
    3485                 :            :                 /*
    3486                 :            :                  * The LSB of head.next can't change from under us
    3487                 :            :                  * because we hold the mm_all_locks_mutex.
    3488                 :            :                  */
    3489                 :          0 :                 down_write_nest_lock(&anon_vma->root->rwsem, &mm->mmap_sem);
    3490                 :            :                 /*
    3491                 :            :                  * We can safely modify head.next after taking the
    3492                 :            :                  * anon_vma->root->rwsem. If some other vma in this mm shares
    3493                 :            :                  * the same anon_vma we won't take it again.
    3494                 :            :                  *
    3495                 :            :                  * No need of atomic instructions here, head.next
    3496                 :            :                  * can't change from under us thanks to the
    3497                 :            :                  * anon_vma->root->rwsem.
    3498                 :            :                  */
    3499         [ #  # ]:          0 :                 if (__test_and_set_bit(0, (unsigned long *)
    3500                 :          0 :                                        &anon_vma->root->rb_root.rb_root.rb_node))
    3501                 :          0 :                         BUG();
    3502                 :            :         }
    3503                 :          0 : }
    3504                 :            : 
    3505                 :          0 : static void vm_lock_mapping(struct mm_struct *mm, struct address_space *mapping)
    3506                 :            : {
    3507         [ #  # ]:          0 :         if (!test_bit(AS_MM_ALL_LOCKS, &mapping->flags)) {
    3508                 :            :                 /*
    3509                 :            :                  * AS_MM_ALL_LOCKS can't change from under us because
    3510                 :            :                  * we hold the mm_all_locks_mutex.
    3511                 :            :                  *
    3512                 :            :                  * Operations on ->flags have to be atomic because
    3513                 :            :                  * even if AS_MM_ALL_LOCKS is stable thanks to the
    3514                 :            :                  * mm_all_locks_mutex, there may be other cpus
    3515                 :            :                  * changing other bitflags in parallel to us.
    3516                 :            :                  */
    3517         [ #  # ]:          0 :                 if (test_and_set_bit(AS_MM_ALL_LOCKS, &mapping->flags))
    3518                 :          0 :                         BUG();
    3519                 :          0 :                 down_write_nest_lock(&mapping->i_mmap_rwsem, &mm->mmap_sem);
    3520                 :            :         }
    3521                 :          0 : }
    3522                 :            : 
    3523                 :            : /*
    3524                 :            :  * This operation locks against the VM for all pte/vma/mm related
    3525                 :            :  * operations that could ever happen on a certain mm. This includes
    3526                 :            :  * vmtruncate, try_to_unmap, and all page faults.
    3527                 :            :  *
    3528                 :            :  * The caller must take the mmap_sem in write mode before calling
    3529                 :            :  * mm_take_all_locks(). The caller isn't allowed to release the
    3530                 :            :  * mmap_sem until mm_drop_all_locks() returns.
    3531                 :            :  *
    3532                 :            :  * mmap_sem in write mode is required in order to block all operations
    3533                 :            :  * that could modify pagetables and free pages without need of
    3534                 :            :  * altering the vma layout. It's also needed in write mode to avoid new
    3535                 :            :  * anon_vmas to be associated with existing vmas.
    3536                 :            :  *
    3537                 :            :  * A single task can't take more than one mm_take_all_locks() in a row
    3538                 :            :  * or it would deadlock.
    3539                 :            :  *
    3540                 :            :  * The LSB in anon_vma->rb_root.rb_node and the AS_MM_ALL_LOCKS bitflag in
    3541                 :            :  * mapping->flags avoid to take the same lock twice, if more than one
    3542                 :            :  * vma in this mm is backed by the same anon_vma or address_space.
    3543                 :            :  *
    3544                 :            :  * We take locks in following order, accordingly to comment at beginning
    3545                 :            :  * of mm/rmap.c:
    3546                 :            :  *   - all hugetlbfs_i_mmap_rwsem_key locks (aka mapping->i_mmap_rwsem for
    3547                 :            :  *     hugetlb mapping);
    3548                 :            :  *   - all i_mmap_rwsem locks;
    3549                 :            :  *   - all anon_vma->rwseml
    3550                 :            :  *
    3551                 :            :  * We can take all locks within these types randomly because the VM code
    3552                 :            :  * doesn't nest them and we protected from parallel mm_take_all_locks() by
    3553                 :            :  * mm_all_locks_mutex.
    3554                 :            :  *
    3555                 :            :  * mm_take_all_locks() and mm_drop_all_locks are expensive operations
    3556                 :            :  * that may have to take thousand of locks.
    3557                 :            :  *
    3558                 :            :  * mm_take_all_locks() can fail if it's interrupted by signals.
    3559                 :            :  */
    3560                 :          0 : int mm_take_all_locks(struct mm_struct *mm)
    3561                 :            : {
    3562                 :            :         struct vm_area_struct *vma;
    3563                 :            :         struct anon_vma_chain *avc;
    3564                 :            : 
    3565         [ #  # ]:          0 :         BUG_ON(down_read_trylock(&mm->mmap_sem));
    3566                 :            : 
    3567                 :          0 :         mutex_lock(&mm_all_locks_mutex);
    3568                 :            : 
    3569         [ #  # ]:          0 :         for (vma = mm->mmap; vma; vma = vma->vm_next) {
    3570         [ #  # ]:          0 :                 if (signal_pending(current))
    3571                 :            :                         goto out_unlock;
    3572                 :            :                 if (vma->vm_file && vma->vm_file->f_mapping &&
    3573                 :            :                                 is_vm_hugetlb_page(vma))
    3574                 :            :                         vm_lock_mapping(mm, vma->vm_file->f_mapping);
    3575                 :            :         }
    3576                 :            : 
    3577         [ #  # ]:          0 :         for (vma = mm->mmap; vma; vma = vma->vm_next) {
    3578         [ #  # ]:          0 :                 if (signal_pending(current))
    3579                 :            :                         goto out_unlock;
    3580   [ #  #  #  # ]:          0 :                 if (vma->vm_file && vma->vm_file->f_mapping &&
    3581                 :            :                                 !is_vm_hugetlb_page(vma))
    3582                 :          0 :                         vm_lock_mapping(mm, vma->vm_file->f_mapping);
    3583                 :            :         }
    3584                 :            : 
    3585         [ #  # ]:          0 :         for (vma = mm->mmap; vma; vma = vma->vm_next) {
    3586         [ #  # ]:          0 :                 if (signal_pending(current))
    3587                 :            :                         goto out_unlock;
    3588         [ #  # ]:          0 :                 if (vma->anon_vma)
    3589         [ #  # ]:          0 :                         list_for_each_entry(avc, &vma->anon_vma_chain, same_vma)
    3590                 :          0 :                                 vm_lock_anon_vma(mm, avc->anon_vma);
    3591                 :            :         }
    3592                 :            : 
    3593                 :            :         return 0;
    3594                 :            : 
    3595                 :            : out_unlock:
    3596                 :          0 :         mm_drop_all_locks(mm);
    3597                 :          0 :         return -EINTR;
    3598                 :            : }
    3599                 :            : 
    3600                 :          0 : static void vm_unlock_anon_vma(struct anon_vma *anon_vma)
    3601                 :            : {
    3602         [ #  # ]:          0 :         if (test_bit(0, (unsigned long *) &anon_vma->root->rb_root.rb_root.rb_node)) {
    3603                 :            :                 /*
    3604                 :            :                  * The LSB of head.next can't change to 0 from under
    3605                 :            :                  * us because we hold the mm_all_locks_mutex.
    3606                 :            :                  *
    3607                 :            :                  * We must however clear the bitflag before unlocking
    3608                 :            :                  * the vma so the users using the anon_vma->rb_root will
    3609                 :            :                  * never see our bitflag.
    3610                 :            :                  *
    3611                 :            :                  * No need of atomic instructions here, head.next
    3612                 :            :                  * can't change from under us until we release the
    3613                 :            :                  * anon_vma->root->rwsem.
    3614                 :            :                  */
    3615         [ #  # ]:          0 :                 if (!__test_and_clear_bit(0, (unsigned long *)
    3616                 :            :                                           &anon_vma->root->rb_root.rb_root.rb_node))
    3617                 :          0 :                         BUG();
    3618                 :            :                 anon_vma_unlock_write(anon_vma);
    3619                 :            :         }
    3620                 :          0 : }
    3621                 :            : 
    3622                 :          0 : static void vm_unlock_mapping(struct address_space *mapping)
    3623                 :            : {
    3624         [ #  # ]:          0 :         if (test_bit(AS_MM_ALL_LOCKS, &mapping->flags)) {
    3625                 :            :                 /*
    3626                 :            :                  * AS_MM_ALL_LOCKS can't change to 0 from under us
    3627                 :            :                  * because we hold the mm_all_locks_mutex.
    3628                 :            :                  */
    3629                 :            :                 i_mmap_unlock_write(mapping);
    3630         [ #  # ]:          0 :                 if (!test_and_clear_bit(AS_MM_ALL_LOCKS,
    3631                 :            :                                         &mapping->flags))
    3632                 :          0 :                         BUG();
    3633                 :            :         }
    3634                 :          0 : }
    3635                 :            : 
    3636                 :            : /*
    3637                 :            :  * The mmap_sem cannot be released by the caller until
    3638                 :            :  * mm_drop_all_locks() returns.
    3639                 :            :  */
    3640                 :          0 : void mm_drop_all_locks(struct mm_struct *mm)
    3641                 :            : {
    3642                 :            :         struct vm_area_struct *vma;
    3643                 :            :         struct anon_vma_chain *avc;
    3644                 :            : 
    3645         [ #  # ]:          0 :         BUG_ON(down_read_trylock(&mm->mmap_sem));
    3646         [ #  # ]:          0 :         BUG_ON(!mutex_is_locked(&mm_all_locks_mutex));
    3647                 :            : 
    3648         [ #  # ]:          0 :         for (vma = mm->mmap; vma; vma = vma->vm_next) {
    3649         [ #  # ]:          0 :                 if (vma->anon_vma)
    3650         [ #  # ]:          0 :                         list_for_each_entry(avc, &vma->anon_vma_chain, same_vma)
    3651                 :          0 :                                 vm_unlock_anon_vma(avc->anon_vma);
    3652   [ #  #  #  # ]:          0 :                 if (vma->vm_file && vma->vm_file->f_mapping)
    3653                 :          0 :                         vm_unlock_mapping(vma->vm_file->f_mapping);
    3654                 :            :         }
    3655                 :            : 
    3656                 :          0 :         mutex_unlock(&mm_all_locks_mutex);
    3657                 :          0 : }
    3658                 :            : 
    3659                 :            : /*
    3660                 :            :  * initialise the percpu counter for VM
    3661                 :            :  */
    3662                 :        404 : void __init mmap_init(void)
    3663                 :            : {
    3664                 :            :         int ret;
    3665                 :            : 
    3666                 :        404 :         ret = percpu_counter_init(&vm_committed_as, 0, GFP_KERNEL);
    3667                 :            :         VM_BUG_ON(ret);
    3668                 :        404 : }
    3669                 :            : 
    3670                 :            : /*
    3671                 :            :  * Initialise sysctl_user_reserve_kbytes.
    3672                 :            :  *
    3673                 :            :  * This is intended to prevent a user from starting a single memory hogging
    3674                 :            :  * process, such that they cannot recover (kill the hog) in OVERCOMMIT_NEVER
    3675                 :            :  * mode.
    3676                 :            :  *
    3677                 :            :  * The default value is min(3% of free memory, 128MB)
    3678                 :            :  * 128MB is enough to recover with sshd/login, bash, and top/kill.
    3679                 :            :  */
    3680                 :        404 : static int init_user_reserve(void)
    3681                 :            : {
    3682                 :            :         unsigned long free_kbytes;
    3683                 :            : 
    3684                 :        404 :         free_kbytes = global_zone_page_state(NR_FREE_PAGES) << (PAGE_SHIFT - 10);
    3685                 :            : 
    3686                 :        404 :         sysctl_user_reserve_kbytes = min(free_kbytes / 32, 1UL << 17);
    3687                 :        404 :         return 0;
    3688                 :            : }
    3689                 :            : subsys_initcall(init_user_reserve);
    3690                 :            : 
    3691                 :            : /*
    3692                 :            :  * Initialise sysctl_admin_reserve_kbytes.
    3693                 :            :  *
    3694                 :            :  * The purpose of sysctl_admin_reserve_kbytes is to allow the sys admin
    3695                 :            :  * to log in and kill a memory hogging process.
    3696                 :            :  *
    3697                 :            :  * Systems with more than 256MB will reserve 8MB, enough to recover
    3698                 :            :  * with sshd, bash, and top in OVERCOMMIT_GUESS. Smaller systems will
    3699                 :            :  * only reserve 3% of free pages by default.
    3700                 :            :  */
    3701                 :        404 : static int init_admin_reserve(void)
    3702                 :            : {
    3703                 :            :         unsigned long free_kbytes;
    3704                 :            : 
    3705                 :        404 :         free_kbytes = global_zone_page_state(NR_FREE_PAGES) << (PAGE_SHIFT - 10);
    3706                 :            : 
    3707                 :        404 :         sysctl_admin_reserve_kbytes = min(free_kbytes / 32, 1UL << 13);
    3708                 :        404 :         return 0;
    3709                 :            : }
    3710                 :            : subsys_initcall(init_admin_reserve);
    3711                 :            : 
    3712                 :            : /*
    3713                 :            :  * Reinititalise user and admin reserves if memory is added or removed.
    3714                 :            :  *
    3715                 :            :  * The default user reserve max is 128MB, and the default max for the
    3716                 :            :  * admin reserve is 8MB. These are usually, but not always, enough to
    3717                 :            :  * enable recovery from a memory hogging process using login/sshd, a shell,
    3718                 :            :  * and tools like top. It may make sense to increase or even disable the
    3719                 :            :  * reserve depending on the existence of swap or variations in the recovery
    3720                 :            :  * tools. So, the admin may have changed them.
    3721                 :            :  *
    3722                 :            :  * If memory is added and the reserves have been eliminated or increased above
    3723                 :            :  * the default max, then we'll trust the admin.
    3724                 :            :  *
    3725                 :            :  * If memory is removed and there isn't enough free memory, then we
    3726                 :            :  * need to reset the reserves.
    3727                 :            :  *
    3728                 :            :  * Otherwise keep the reserve set by the admin.
    3729                 :            :  */
    3730                 :            : static int reserve_mem_notifier(struct notifier_block *nb,
    3731                 :            :                              unsigned long action, void *data)
    3732                 :            : {
    3733                 :            :         unsigned long tmp, free_kbytes;
    3734                 :            : 
    3735                 :            :         switch (action) {
    3736                 :            :         case MEM_ONLINE:
    3737                 :            :                 /* Default max is 128MB. Leave alone if modified by operator. */
    3738                 :            :                 tmp = sysctl_user_reserve_kbytes;
    3739                 :            :                 if (0 < tmp && tmp < (1UL << 17))
    3740                 :            :                         init_user_reserve();
    3741                 :            : 
    3742                 :            :                 /* Default max is 8MB.  Leave alone if modified by operator. */
    3743                 :            :                 tmp = sysctl_admin_reserve_kbytes;
    3744                 :            :                 if (0 < tmp && tmp < (1UL << 13))
    3745                 :            :                         init_admin_reserve();
    3746                 :            : 
    3747                 :            :                 break;
    3748                 :            :         case MEM_OFFLINE:
    3749                 :            :                 free_kbytes = global_zone_page_state(NR_FREE_PAGES) << (PAGE_SHIFT - 10);
    3750                 :            : 
    3751                 :            :                 if (sysctl_user_reserve_kbytes > free_kbytes) {
    3752                 :            :                         init_user_reserve();
    3753                 :            :                         pr_info("vm.user_reserve_kbytes reset to %lu\n",
    3754                 :            :                                 sysctl_user_reserve_kbytes);
    3755                 :            :                 }
    3756                 :            : 
    3757                 :            :                 if (sysctl_admin_reserve_kbytes > free_kbytes) {
    3758                 :            :                         init_admin_reserve();
    3759                 :            :                         pr_info("vm.admin_reserve_kbytes reset to %lu\n",
    3760                 :            :                                 sysctl_admin_reserve_kbytes);
    3761                 :            :                 }
    3762                 :            :                 break;
    3763                 :            :         default:
    3764                 :            :                 break;
    3765                 :            :         }
    3766                 :            :         return NOTIFY_OK;
    3767                 :            : }
    3768                 :            : 
    3769                 :            : static struct notifier_block reserve_mem_nb = {
    3770                 :            :         .notifier_call = reserve_mem_notifier,
    3771                 :            : };
    3772                 :            : 
    3773                 :        404 : static int __meminit init_reserve_notifier(void)
    3774                 :            : {
    3775                 :            :         if (register_hotmemory_notifier(&reserve_mem_nb))
    3776                 :            :                 pr_err("Failed registering memory add/remove notifier for admin reserve\n");
    3777                 :            : 
    3778                 :        404 :         return 0;
    3779                 :            : }
    3780                 :            : subsys_initcall(init_reserve_notifier);

Generated by: LCOV version 1.14