4 files changed, 33 insertions, 71 deletions
diff --git a/mm/mlock.c b/mm/mlock.c
index 2904a347e476..028ec482fdd4 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -294,14 +294,10 @@ static inline int __mlock_posix_error_return(long retval)
 *
 * return number of pages [> 0] to be removed from locked_vm on success
 * of "special" vmas.
- *
- * return negative error if vma spanning @start-@range disappears while
- * mmap semaphore is dropped.  Unlikely?
 */
 long mlock_vma_pages_range(struct vm_area_struct *vma,
                        unsigned long start, unsigned long end)
 {
-        struct mm_struct *mm = vma->vm_mm;
        int nr_pages = (end - start) / PAGE_SIZE;
        BUG_ON(!(vma->vm_flags & VM_LOCKED));
@@ -314,20 +310,8 @@ long mlock_vma_pages_range(struct vm_area_struct *vma,
        if (!((vma->vm_flags & (VM_DONTEXPAND | VM_RESERVED)) ||
                        is_vm_hugetlb_page(vma) ||
                        vma == get_gate_vma(current))) {
-                long error;
-                downgrade_write(&mm->mmap_sem);
-                error = __mlock_vma_pages_range(vma, start, end, 1);
-                up_read(&mm->mmap_sem);
+                return __mlock_vma_pages_range(vma, start, end, 1);
-                /* vma can change or disappear */
-                down_write(&mm->mmap_sem);
-                vma = find_vma(mm, start);
-                /* non-NULL vma must contain @start, but need to check @end */
-                if (!vma ||  end > vma->vm_end)
-                        return -ENOMEM;
-                return 0;       /* hide other errors from mmap(), et al */
        }
        /*
@@ -438,41 +422,14 @@ success:
        vma->vm_flags = newflags;
        if (lock) {
-                /*
-                 * mmap_sem is currently held for write.  Downgrade the write
-                 * lock to a read lock so that other faults, mmap scans, ...
-                 * while we fault in all pages.
-                 */
-                downgrade_write(&mm->mmap_sem);
                ret = __mlock_vma_pages_range(vma, start, end, 1);
-                /*
+                if (ret > 0) {
-                 * Need to reacquire mmap sem in write mode, as our callers
-                 * expect this.  We have no support for atomically upgrading
-                 * a sem to write, so we need to check for ranges while sem
-                 * is unlocked.
-                 */
-                up_read(&mm->mmap_sem);
-                /* vma can change or disappear */
-                down_write(&mm->mmap_sem);
-                *prev = find_vma(mm, start);
-                /* non-NULL *prev must contain @start, but need to check @end */
-                if (!(*prev) || end > (*prev)->vm_end)
-                        ret = -ENOMEM;
-                else if (ret > 0) {
                        mm->locked_vm -= ret;
                        ret = 0;
                } else
                        ret = __mlock_posix_error_return(ret); /* translate if needed */
        } else {
-                /*
-                 * TODO:  for unlocking, pages will already be resident, so
-                 * we don't need to wait for allocations/reclaim/pagein, ...
-                 * However, unlocking a very large region can still take a
-                 * while.  Should we downgrade the semaphore for both lock
-                 * AND unlock ?
-                 */
                __mlock_vma_pages_range(vma, start, end, 0);
        }
diff --git a/mm/mmap.c b/mm/mmap.c
index d3fa10a726cf..214b6a258eeb 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -658,6 +658,9 @@ again:			remove_next = 1 + (end > next->vm_end);
        validate_mm(mm);
 }
+/* Flags that can be inherited from an existing mapping when merging */
+#define VM_MERGEABLE_FLAGS (VM_CAN_NONLINEAR)
 /*
 * If the vma has a ->close operation then the driver probably needs to release
 * per-vma resources, so we don't attempt to merge those.
@@ -665,7 +668,7 @@ again:			remove_next = 1 + (end > next->vm_end);
 static inline int is_mergeable_vma(struct vm_area_struct *vma,
                        struct file *file, unsigned long vm_flags)
 {
-        if (vma->vm_flags != vm_flags)
+        if ((vma->vm_flags ^ vm_flags) & ~VM_MERGEABLE_FLAGS)
                return 0;
        if (vma->vm_file != file)
                return 0;
@@ -1087,6 +1090,15 @@ int vma_wants_writenotify(struct vm_area_struct *vma)
                mapping_cap_account_dirty(vma->vm_file->f_mapping);
 }
+/*
+ * We account for memory if it's a private writeable mapping,
+ * and VM_NORESERVE wasn't set.
+ */
+static inline int accountable_mapping(unsigned int vm_flags)
+{
+        return (vm_flags & (VM_NORESERVE | VM_SHARED | VM_WRITE)) == VM_WRITE;
+}
 unsigned long mmap_region(struct file *file, unsigned long addr,
                          unsigned long len, unsigned long flags,
                          unsigned int vm_flags, unsigned long pgoff,
@@ -1114,23 +1126,24 @@ munmap_back:
        if (!may_expand_vm(mm, len >> PAGE_SHIFT))
                return -ENOMEM;
-        if (flags & MAP_NORESERVE)
+        /*
+         * Set 'VM_NORESERVE' if we should not account for the
+         * memory use of this mapping. We only honor MAP_NORESERVE
+         * if we're allowed to overcommit memory.
+         */
+        if ((flags & MAP_NORESERVE) && sysctl_overcommit_memory != OVERCOMMIT_NEVER)
+                vm_flags |= VM_NORESERVE;
+        if (!accountable)
                vm_flags |= VM_NORESERVE;
-        if (accountable && (!(flags & MAP_NORESERVE) ||
+        /*
-                            sysctl_overcommit_memory == OVERCOMMIT_NEVER)) {
+         * Private writable mapping: check memory availability
-                if (vm_flags & VM_SHARED) {
+         */
-                        /* Check memory availability in shmem_file_setup? */
+        if (accountable_mapping(vm_flags)) {
-                        vm_flags |= VM_ACCOUNT;
+                charged = len >> PAGE_SHIFT;
-                } else if (vm_flags & VM_WRITE) {
+                if (security_vm_enough_memory(charged))
-                        /*
+                        return -ENOMEM;
-                         * Private writable mapping: check memory availability
+                vm_flags |= VM_ACCOUNT;
-                         */
-                        charged = len >> PAGE_SHIFT;
-                        if (security_vm_enough_memory(charged))
-                                return -ENOMEM;
-                        vm_flags |= VM_ACCOUNT;
-                }
        }
        /*
@@ -1181,14 +1194,6 @@ munmap_back:
                        goto free_vma;
        }
-        /* We set VM_ACCOUNT in a shared mapping's vm_flags, to inform
-         * shmem_zero_setup (perhaps called through /dev/zero's ->mmap)
-         * that memory reservation must be checked; but that reservation
-         * belongs to shared memory object, not to vma: so now clear it.
-         */
-        if ((vm_flags & (VM_SHARED|VM_ACCOUNT)) == (VM_SHARED|VM_ACCOUNT))
-                vma->vm_flags &= ~VM_ACCOUNT;
        /* Can addr have changed??
         *
         * Answer: Yes, several device drivers can do it in their
diff --git a/mm/shmem.c b/mm/shmem.c
index 5d0de96c9789..19d566ccdeea 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2628,7 +2628,7 @@ struct file *shmem_file_setup(char *name, loff_t size, unsigned long flags)
                goto close_file;
 #ifdef CONFIG_SHMEM
-        SHMEM_I(inode)->flags = flags & VM_ACCOUNT;
+        SHMEM_I(inode)->flags = (flags & VM_NORESERVE) ? 0 : VM_ACCOUNT;
 #endif
        d_instantiate(dentry, inode);
        inode->i_size = size;
diff --git a/mm/slub.c b/mm/slub.c
index 6392ae5cc6b1..bdc9abb08a23 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1996,7 +1996,7 @@ static struct kmem_cache_cpu *alloc_kmem_cache_cpu(struct kmem_cache *s,
 static void free_kmem_cache_cpu(struct kmem_cache_cpu *c, int cpu)
 {
        if (c < per_cpu(kmem_cache_cpu, cpu) ||
-                        c > per_cpu(kmem_cache_cpu, cpu) + NR_KMEM_CACHE_CPU) {
+                        c >= per_cpu(kmem_cache_cpu, cpu) + NR_KMEM_CACHE_CPU) {
                kfree(c);
                return;
        }