1 files changed, 29 insertions, 31 deletions
diff --git a/mm/mmap.c b/mm/mmap.c
index eae90af60ea6..3f758c7f4c81 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1603,39 +1603,19 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
 EXPORT_SYMBOL(find_vma);
-/* Same as find_vma, but also return a pointer to the previous VMA in *pprev. */
+/*
+ * Same as find_vma, but also return a pointer to the previous VMA in *pprev.
+ * Note: pprev is set to NULL when return value is NULL.
+ */
 struct vm_area_struct *
 find_vma_prev(struct mm_struct *mm, unsigned long addr,
                        struct vm_area_struct **pprev)
 {
-        struct vm_area_struct *vma = NULL, *prev = NULL;
+        struct vm_area_struct *vma;
-        struct rb_node *rb_node;
-        if (!mm)
-                goto out;
-        /* Guard against addr being lower than the first VMA */
-        vma = mm->mmap;
-        /* Go through the RB tree quickly. */
-        rb_node = mm->mm_rb.rb_node;
-        while (rb_node) {
-                struct vm_area_struct *vma_tmp;
-                vma_tmp = rb_entry(rb_node, struct vm_area_struct, vm_rb);
-                if (addr < vma_tmp->vm_end) {
-                        rb_node = rb_node->rb_left;
-                } else {
-                        prev = vma_tmp;
-                        if (!prev->vm_next || (addr < prev->vm_next->vm_end))
-                                break;
-                        rb_node = rb_node->rb_right;
-                }
-        }
-out:
+        vma = find_vma(mm, addr);
-        *pprev = prev;
+        *pprev = vma ? vma->vm_prev : NULL;
-        return prev ? prev->vm_next : vma;
+        return vma;
 }
 /*
@@ -2322,13 +2302,16 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
        struct vm_area_struct *new_vma, *prev;
        struct rb_node **rb_link, *rb_parent;
        struct mempolicy *pol;
+        bool faulted_in_anon_vma = true;
        /*
         * If anonymous vma has not yet been faulted, update new pgoff
         * to match new location, to increase its chance of merging.
         */
-        if (!vma->vm_file && !vma->anon_vma)
+        if (unlikely(!vma->vm_file && !vma->anon_vma)) {
                pgoff = addr >> PAGE_SHIFT;
+                faulted_in_anon_vma = false;
+        }
        find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
        new_vma = vma_merge(mm, prev, addr, addr + len, vma->vm_flags,
@@ -2337,9 +2320,24 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
                /*
                 * Source vma may have been merged into new_vma
                 */
-                if (vma_start >= new_vma->vm_start &&
+                if (unlikely(vma_start >= new_vma->vm_start &&
-                    vma_start < new_vma->vm_end)
+                             vma_start < new_vma->vm_end)) {
+                        /*
+                         * The only way we can get a vma_merge with
+                         * self during an mremap is if the vma hasn't
+                         * been faulted in yet and we were allowed to
+                         * reset the dst vma->vm_pgoff to the
+                         * destination address of the mremap to allow
+                         * the merge to happen. mremap must change the
+                         * vm_pgoff linearity between src and dst vmas
+                         * (in turn preventing a vma_merge) to be
+                         * safe. It is only safe to keep the vm_pgoff
+                         * linear if there are no pages mapped yet.
+                         */
+                        VM_BUG_ON(faulted_in_anon_vma);
                        *vmap = new_vma;
+                } else
+                        anon_vma_moveto_tail(new_vma);
        } else {
                new_vma = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
                if (new_vma) {