1 files changed, 31 insertions, 8 deletions

diff --git a/mm/mmap.c b/mm/mmap.c
index 3f758c7f4c81..6f3766b57803 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -936,6 +936,19 @@ void vm_stat_account(struct mm_struct *mm, unsigned long flags,
 #endif /* CONFIG_PROC_FS */
 
 /*
+ * If a hint addr is less than mmap_min_addr change hint to be as
+ * low as possible but still greater than mmap_min_addr
+ */
+static inline unsigned long round_hint_to_min(unsigned long hint)
+{
+        hint &= PAGE_MASK;
+        if (((void *)hint != NULL) &&
+            (hint < mmap_min_addr))
+                return PAGE_ALIGN(mmap_min_addr);
+        return hint;
+}
+
+/*
  * The caller must hold down_write(&current->mm->mmap_sem).
  */
 
@@ -1235,7 +1248,7 @@ munmap_back:
          */
         if (accountable_mapping(file, vm_flags)) {
                 charged = len >> PAGE_SHIFT;
-                if (security_vm_enough_memory(charged))
+                if (security_vm_enough_memory_mm(mm, charged))
                         return -ENOMEM;
                 vm_flags |= VM_ACCOUNT;
         }
@@ -1266,8 +1279,9 @@ munmap_back:
         vma->vm_pgoff = pgoff;
         INIT_LIST_HEAD(&vma->anon_vma_chain);
 
+        error = -EINVAL;        /* when rejecting VM_GROWSDOWN|VM_GROWSUP */
+
         if (file) {
-                error = -EINVAL;
                 if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP))
                         goto free_vma;
                 if (vm_flags & VM_DENYWRITE) {
@@ -1293,6 +1307,8 @@ munmap_back:
                 pgoff = vma->vm_pgoff;
                 vm_flags = vma->vm_flags;
         } else if (vm_flags & VM_SHARED) {
+                if (unlikely(vm_flags & (VM_GROWSDOWN|VM_GROWSUP)))
+                        goto free_vma;
                 error = shmem_zero_setup(vma);
                 if (error)
                         goto free_vma;
@@ -1605,7 +1621,6 @@ EXPORT_SYMBOL(find_vma);
 
 /*
  * Same as find_vma, but also return a pointer to the previous VMA in *pprev.
- * Note: pprev is set to NULL when return value is NULL.
  */
 struct vm_area_struct *
 find_vma_prev(struct mm_struct *mm, unsigned long addr,
@@ -1614,7 +1629,16 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr,
         struct vm_area_struct *vma;
 
         vma = find_vma(mm, addr);
-        *pprev = vma ? vma->vm_prev : NULL;
+        if (vma) {
+                *pprev = vma->vm_prev;
+        } else {
+                struct rb_node *rb_node = mm->mm_rb.rb_node;
+                *pprev = NULL;
+                while (rb_node) {
+                        *pprev = rb_entry(rb_node, struct vm_area_struct, vm_rb);
+                        rb_node = rb_node->rb_right;
+                }
+        }
         return vma;
 }
 
@@ -2169,7 +2193,7 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
         if (mm->map_count > sysctl_max_map_count)
                 return -ENOMEM;
 
-        if (security_vm_enough_memory(len >> PAGE_SHIFT))
+        if (security_vm_enough_memory_mm(mm, len >> PAGE_SHIFT))
                 return -ENOMEM;
 
         /* Can we just expand an old private anonymous mapping? */
@@ -2213,7 +2237,6 @@ void exit_mmap(struct mm_struct *mm)
         struct mmu_gather tlb;
         struct vm_area_struct *vma;
         unsigned long nr_accounted = 0;
-        unsigned long end;
 
         /* mm's last user has gone, and its about to be pulled down */
         mmu_notifier_release(mm);
@@ -2238,11 +2261,11 @@ void exit_mmap(struct mm_struct *mm)
         tlb_gather_mmu(&tlb, mm, 1);
         /* update_hiwater_rss(mm) here? but nobody should be looking */
         /* Use -1 here to ensure all VMAs in the mm are unmapped */
-        end = unmap_vmas(&tlb, vma, 0, -1, &nr_accounted, NULL);
+        unmap_vmas(&tlb, vma, 0, -1, &nr_accounted, NULL);
         vm_unacct_memory(nr_accounted);
 
         free_pgtables(&tlb, vma, FIRST_USER_ADDRESS, 0);
-        tlb_finish_mmu(&tlb, 0, end);
+        tlb_finish_mmu(&tlb, 0, -1);
 
         /*
          * Walk the list again, actually closing and freeing it,