1 files changed, 17 insertions, 0 deletions

diff --git a/mm/mremap.c b/mm/mremap.c
index 3320616ed93f..e3edef6b7a12 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -516,6 +516,23 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len,
         if (addr + old_len > new_addr && new_addr + new_len > addr)
                 goto out;
 
+        /*
+         * move_vma() need us to stay 4 maps below the threshold, otherwise
+         * it will bail out at the very beginning.
+         * That is a problem if we have already unmaped the regions here
+         * (new_addr, and old_addr), because userspace will not know the
+         * state of the vma's after it gets -ENOMEM.
+         * So, to avoid such scenario we can pre-compute if the whole
+         * operation has high chances to success map-wise.
+         * Worst-scenario case is when both vma's (new_addr and old_addr) get
+         * split in 3 before unmaping it.
+         * That means 2 more maps (1 for each) to the ones we already hold.
+         * Check whether current map count plus 2 still leads us to 4 maps below
+         * the threshold, otherwise return -ENOMEM here to be more safe.
+         */
+        if ((mm->map_count + 2) >= sysctl_max_map_count - 3)
+                return -ENOMEM;
+
         ret = do_munmap(mm, new_addr, new_len, uf_unmap_early);
         if (ret)
                 goto out;