lisa/android_kernel_xiaomi_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse"

Browse Source 
This reverts commit 2fe3eee488 which is
commit 2555283eb40df89945557273121e9393ef9b542b upstream.

It currently breaks the Android kernel ABI.  If it needs to come back,
it should be done in an ABI-safe way.

Bug: 161946584
Cc: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I46a7a4ffc5d2725146787ea7273a42a5cf062ed4
This commit is contained in:
Greg Kroah-Hartman 2022-09-21 11:10:07 +02:00
parent 51223c9db5
commit d52832d985
2 changed files with 16 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
include/linux/rmap.h
View File

@ -39,15 +39,12 @@ struct anon_vma {
atomic_t refcount; atomic_t refcount;
/* /*
* Count of child anon_vmas. Equals to the count of all anon_vmas that * Count of child anon_vmas and VMAs which points to this anon_vma.
* have ->parent pointing to this one, including itself.
* *
* This counter is used for making decision about reusing anon_vma * This counter is used for making decision about reusing anon_vma
* instead of forking new one. See comments in function anon_vma_clone. * instead of forking new one. See comments in function anon_vma_clone.
*/ */
unsigned long num_children; unsigned degree;
/* Count of VMAs whose ->anon_vma pointer points to this object. */
unsigned long num_active_vmas;
struct anon_vma *parent; /* Parent of this anon_vma */ struct anon_vma *parent; /* Parent of this anon_vma */

31
mm/rmap.c
View File

@ -83,8 +83,7 @@ static inline struct anon_vma *anon_vma_alloc(void)
anon_vma = kmem_cache_alloc(anon_vma_cachep, GFP_KERNEL); anon_vma = kmem_cache_alloc(anon_vma_cachep, GFP_KERNEL);
if (anon_vma) { if (anon_vma) {
atomic_set(&anon_vma->refcount, 1); atomic_set(&anon_vma->refcount, 1);
anon_vma->num_children = 0; anon_vma->degree = 1; /* Reference for first vma */
anon_vma->num_active_vmas = 0;
anon_vma->parent = anon_vma; anon_vma->parent = anon_vma;
/* /*
* Initialise the anon_vma root to point to itself. If called * Initialise the anon_vma root to point to itself. If called
@ -192,7 +191,6 @@ int __anon_vma_prepare(struct vm_area_struct *vma)
anon_vma = anon_vma_alloc(); anon_vma = anon_vma_alloc();
if (unlikely(!anon_vma)) if (unlikely(!anon_vma))
goto out_enomem_free_avc; goto out_enomem_free_avc;
anon_vma->num_children++; /* self-parent link for new root */
allocated = anon_vma; allocated = anon_vma;
} }
@ -202,7 +200,8 @@ int __anon_vma_prepare(struct vm_area_struct *vma)
if (likely(!vma->anon_vma)) { if (likely(!vma->anon_vma)) {
vma->anon_vma = anon_vma; vma->anon_vma = anon_vma;
anon_vma_chain_link(vma, avc, anon_vma); anon_vma_chain_link(vma, avc, anon_vma);
anon_vma->num_active_vmas++; /* vma reference or self-parent link for new root */
anon_vma->degree++;
allocated = NULL; allocated = NULL;
avc = NULL; avc = NULL;
} }
@ -281,19 +280,19 @@ int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
anon_vma_chain_link(dst, avc, anon_vma); anon_vma_chain_link(dst, avc, anon_vma);
/* /*
* Reuse existing anon_vma if it has no vma and only one * Reuse existing anon_vma if its degree lower than two,
* anon_vma child. * that means it has no vma and only one anon_vma child.
* *
* Root anon_vma is never reused: * Do not chose parent anon_vma, otherwise first child
* will always reuse it. Root anon_vma is never reused:
* it has self-parent reference and at least one child. * it has self-parent reference and at least one child.
*/ */
if (!dst->anon_vma && if (!dst->anon_vma && anon_vma != src->anon_vma &&
anon_vma->num_children < 2 && anon_vma->degree < 2)
anon_vma->num_active_vmas == 0)
dst->anon_vma = anon_vma; dst->anon_vma = anon_vma;
} }
if (dst->anon_vma) if (dst->anon_vma)
dst->anon_vma->num_active_vmas++; dst->anon_vma->degree++;
unlock_anon_vma_root(root); unlock_anon_vma_root(root);
return 0; return 0;
@ -343,7 +342,6 @@ int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
anon_vma = anon_vma_alloc(); anon_vma = anon_vma_alloc();
if (!anon_vma) if (!anon_vma)
goto out_error; goto out_error;
anon_vma->num_active_vmas++;
avc = anon_vma_chain_alloc(GFP_KERNEL); avc = anon_vma_chain_alloc(GFP_KERNEL);
if (!avc) if (!avc)
goto out_error_free_anon_vma; goto out_error_free_anon_vma;
@ -364,7 +362,7 @@ int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
vma->anon_vma = anon_vma; vma->anon_vma = anon_vma;
anon_vma_lock_write(anon_vma); anon_vma_lock_write(anon_vma);
anon_vma_chain_link(vma, avc, anon_vma); anon_vma_chain_link(vma, avc, anon_vma);
anon_vma->parent->num_children++; anon_vma->parent->degree++;
anon_vma_unlock_write(anon_vma); anon_vma_unlock_write(anon_vma);
return 0; return 0;
@ -396,7 +394,7 @@ void unlink_anon_vmas(struct vm_area_struct *vma)
* to free them outside the lock. * to free them outside the lock.
*/ */
if (RB_EMPTY_ROOT(&anon_vma->rb_root.rb_root)) { if (RB_EMPTY_ROOT(&anon_vma->rb_root.rb_root)) {
anon_vma->parent->num_children--; anon_vma->parent->degree--;
continue; continue;
} }
@ -404,7 +402,7 @@ void unlink_anon_vmas(struct vm_area_struct *vma)
anon_vma_chain_free(avc); anon_vma_chain_free(avc);
} }
if (vma->anon_vma) if (vma->anon_vma)
vma->anon_vma->num_active_vmas--; vma->anon_vma->degree--;
unlock_anon_vma_root(root); unlock_anon_vma_root(root);
/* /*
@ -415,8 +413,7 @@ void unlink_anon_vmas(struct vm_area_struct *vma)
list_for_each_entry_safe(avc, next, &vma->anon_vma_chain, same_vma) { list_for_each_entry_safe(avc, next, &vma->anon_vma_chain, same_vma) {
struct anon_vma *anon_vma = avc->anon_vma; struct anon_vma *anon_vma = avc->anon_vma;
VM_WARN_ON(anon_vma->num_children); VM_WARN_ON(anon_vma->degree);
VM_WARN_ON(anon_vma->num_active_vmas);
put_anon_vma(anon_vma); put_anon_vma(anon_vma);
list_del(&avc->same_vma); list_del(&avc->same_vma);