1 files changed, 52 insertions, 44 deletions

diff --git a/mm/mmap.c b/mm/mmap.c
index 73f5e4b64010..d9c77b2dbe9d 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -20,7 +20,6 @@
 #include <linux/fs.h>
 #include <linux/personality.h>
 #include <linux/security.h>
-#include <linux/ima.h>
 #include <linux/hugetlb.h>
 #include <linux/profile.h>
 #include <linux/module.h>
@@ -932,13 +931,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
         if (!(flags & MAP_FIXED))
                 addr = round_hint_to_min(addr);
 
-        error = arch_mmap_check(addr, len, flags);
-        if (error)
-                return error;
-
         /* Careful about overflows.. */
         len = PAGE_ALIGN(len);
-        if (!len || len > TASK_SIZE)
+        if (!len)
                 return -ENOMEM;
 
         /* offset overflow? */
@@ -949,24 +944,6 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
         if (mm->map_count > sysctl_max_map_count)
                 return -ENOMEM;
 
-        if (flags & MAP_HUGETLB) {
-                struct user_struct *user = NULL;
-                if (file)
-                        return -EINVAL;
-
-                /*
-                 * VM_NORESERVE is used because the reservations will be
-                 * taken when vm_ops->mmap() is called
-                 * A dummy user value is used because we are not locking
-                 * memory so no accounting is necessary
-                 */
-                len = ALIGN(len, huge_page_size(&default_hstate));
-                file = hugetlb_file_setup(HUGETLB_ANON_FILE, len, VM_NORESERVE,
-                                                &user, HUGETLB_ANONHUGE_INODE);
-                if (IS_ERR(file))
-                        return PTR_ERR(file);
-        }
-
         /* Obtain the address to map to. we verify (or select) it and ensure
          * that it represents a valid section of the address space.
          */
@@ -1061,9 +1038,6 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
         error = security_file_mmap(file, reqprot, prot, flags, addr, 0);
         if (error)
                 return error;
-        error = ima_file_mmap(file, prot);
-        if (error)
-                return error;
 
         return mmap_region(file, addr, len, flags, vm_flags, pgoff);
 }
@@ -1224,8 +1198,20 @@ munmap_back:
                         goto free_vma;
         }
 
-        if (vma_wants_writenotify(vma))
+        if (vma_wants_writenotify(vma)) {
+                pgprot_t pprot = vma->vm_page_prot;
+
+                /* Can vma->vm_page_prot have changed??
+                 *
+                 * Answer: Yes, drivers may have changed it in their
+                 *         f_op->mmap method.
+                 *
+                 * Ensures that vmas marked as uncached stay that way.
+                 */
                 vma->vm_page_prot = vm_get_page_prot(vm_flags & ~VM_SHARED);
+                if (pgprot_val(pprot) == pgprot_val(pgprot_noncached(pprot)))
+                        vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
+        }
 
         vma_link(mm, vma, prev, rb_link, rb_parent);
         file = vma->vm_file;
@@ -1459,6 +1445,14 @@ get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
         unsigned long (*get_area)(struct file *, unsigned long,
                                   unsigned long, unsigned long, unsigned long);
 
+        unsigned long error = arch_mmap_check(addr, len, flags);
+        if (error)
+                return error;
+
+        /* Careful about overflows.. */
+        if (len > TASK_SIZE)
+                return -ENOMEM;
+
         get_area = current->mm->get_unmapped_area;
         if (file && file->f_op && file->f_op->get_unmapped_area)
                 get_area = file->f_op->get_unmapped_area;
@@ -1829,10 +1823,10 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
 }
 
 /*
- * Split a vma into two pieces at address 'addr', a new vma is allocated
- * either for the first part or the tail.
+ * __split_vma() bypasses sysctl_max_map_count checking.  We use this on the
+ * munmap path where it doesn't make sense to fail.
  */
-int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
+static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
               unsigned long addr, int new_below)
 {
         struct mempolicy *pol;
@@ -1842,9 +1836,6 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
                                         ~(huge_page_mask(hstate_vma(vma)))))
                 return -EINVAL;
 
-        if (mm->map_count >= sysctl_max_map_count)
-                return -ENOMEM;
-
         new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
         if (!new)
                 return -ENOMEM;
@@ -1884,6 +1875,19 @@ int split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
         return 0;
 }
 
+/*
+ * Split a vma into two pieces at address 'addr', a new vma is allocated
+ * either for the first part or the tail.
+ */
+int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
+              unsigned long addr, int new_below)
+{
+        if (mm->map_count >= sysctl_max_map_count)
+                return -ENOMEM;
+
+        return __split_vma(mm, vma, addr, new_below);
+}
+
 /* Munmap is split into 2 main parts -- this part which finds
  * what needs doing, and the areas themselves, which do the
  * work.  This now handles partial unmappings.
@@ -1919,7 +1923,17 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
          * places tmp vma above, and higher split_vma places tmp vma below.
          */
         if (start > vma->vm_start) {
-                int error = split_vma(mm, vma, start, 0);
+                int error;
+
+                /*
+                 * Make sure that map_count on return from munmap() will
+                 * not exceed its limit; but let map_count go just above
+                 * its limit temporarily, to help free resources as expected.
+                 */
+                if (end < vma->vm_end && mm->map_count >= sysctl_max_map_count)
+                        return -ENOMEM;
+
+                error = __split_vma(mm, vma, start, 0);
                 if (error)
                         return error;
                 prev = vma;
@@ -1928,7 +1942,7 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
         /* Does it split the last one? */
         last = find_vma(mm, end);
         if (last && end > last->vm_start) {
-                int error = split_vma(mm, last, end, 1);
+                int error = __split_vma(mm, last, end, 1);
                 if (error)
                         return error;
         }
@@ -2003,20 +2017,14 @@ unsigned long do_brk(unsigned long addr, unsigned long len)
         if (!len)
                 return addr;
 
-        if ((addr + len) > TASK_SIZE || (addr + len) < addr)
-                return -EINVAL;
-
-        if (is_hugepage_only_range(mm, addr, len))
-                return -EINVAL;
-
         error = security_file_mmap(NULL, 0, 0, 0, addr, 1);
         if (error)
                 return error;
 
         flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
 
-        error = arch_mmap_check(addr, len, flags);
-        if (error)
+        error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
+        if (error & ~PAGE_MASK)
                 return error;
 
         /*