From: "Lorenzo Stoakes (Oracle)" <ljs@kernel.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: "Liam R . Howlett" <Liam.Howlett@oracle.com>,
Vlastimil Babka <vbabka@kernel.org>,
Mike Rapoport <rppt@kernel.org>,
Suren Baghdasaryan <surenb@google.com>,
Michal Hocko <mhocko@suse.com>, Jann Horn <jannh@google.com>,
Pedro Falcato <pfalcato@suse.de>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Jianzhou Zhao <luckd0g@163.com>,
Oscar Salvador <osalvador@suse.de>
Subject: [PATCH 0/3] mm: improve map count checks
Date: Wed, 11 Mar 2026 17:24:35 +0000
Message-ID: <cover.1773249037.git.ljs@kernel.org>

Firstly, in mremap(), it appears that our map count checks have been overly
conservative - there is simply no reason to require that we have headroom
of 4 mappings prior to moving the VMA, we only need headroom of 2 VMAs
since commit 659ace584e7a ("mmap: don't return ENOMEM when mapcount is
temporarily exceeded in munmap()").

Likely the original headroom of 4 mappings was a mistake, and 3 was
actually intended.

Next, we access sysctl_max_map_count in a number of places without being
all that careful about how we do so.

We introduce a simple helper that READ_ONCE()'s the field
(get_sysctl_max_map_count()) to ensure that the field is accessed
correctly. The WRITE_ONCE() side is already handled by the sysctl procfs
code in proc_int_conv().

We also move this field to internal.h as there's no reason for anybody else
to access it outside of mm. Unfortunately we have to maintain the extern
variable, as mmap.c implements the procfs code.

Finally, we are accessing current->mm->map_count without holding the mmap
write lock, which is also not correct, so this series ensures the lock is
held before we access it.

We also abstract the check to a helper function, and add ASCII diagrams to
explain why we're doing what we're doing.

Lorenzo Stoakes (Oracle) (3):
  mm/mremap: correct invalid map count check
  mm: abstract reading sysctl_max_map_count, and READ_ONCE()
  mm/mremap: check map count under mmap write lock and abstract

 include/linux/mm.h                 |  2 -
 mm/internal.h                      |  6 ++
 mm/mmap.c                          |  2 +-
 mm/mremap.c                        | 98 ++++++++++++++++++++++++------
 mm/nommu.c                         |  2 +-
 mm/vma.c                           |  6 +-
 tools/testing/vma/include/custom.h |  3 -
 tools/testing/vma/include/dup.h    |  9 +++
 tools/testing/vma/main.c           |  2 +
 9 files changed, 100 insertions(+), 30 deletions(-)

--
2.53.0