From: "Lorenzo Stoakes (Oracle)"
To: Andrew Morton
Cc: "Liam R . Howlett", Vlastimil Babka, Mike Rapoport, Suren Baghdasaryan, Michal Hocko, Jann Horn, Pedro Falcato, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Jianzhou Zhao, Oscar Salvador
Subject: [PATCH 0/3] mm: improve map count checks
Date: Wed, 11 Mar 2026 17:24:35 +0000

Firstly, in mremap(), it appears that our map count checks have been overly
conservative - there is simply no reason to require that we have headroom of
4 mappings prior to moving the VMA, we only need headroom of 2 VMAs since
commit 659ace584e7a ("mmap: don't return ENOMEM when mapcount is temporarily
exceeded in munmap()").

Likely the original headroom of 4 mappings was a mistake, and 3 was actually
intended.

Next, we access sysctl_max_map_count in a number of places without being all
that careful about how we do so.

We introduce a simple helper that READ_ONCE()'s the field
(get_sysctl_max_map_count()) to ensure that the field is accessed correctly.
The WRITE_ONCE() side is already handled by the sysctl procfs code in
proc_int_conv().

We also move this field to internal.h as there's no reason for anybody else
to access it outside of mm. Unfortunately we have to maintain the extern
variable, as mmap.c implements the procfs code.

Finally, we are accessing current->mm->map_count without holding the mmap
write lock, which is also not correct, so this series ensures the lock is
held before we access it.

We also abstract the check to a helper function, and add ASCII diagrams to
explain why we're doing what we're doing.

Lorenzo Stoakes (Oracle) (3):
  mm/mremap: correct invalid map count check
  mm: abstract reading sysctl_max_map_count, and READ_ONCE()
  mm/mremap: check map count under mmap write lock and abstract

 include/linux/mm.h                 |  2 -
 mm/internal.h                      |  6 ++
 mm/mmap.c                          |  2 +-
 mm/mremap.c                        | 98 ++++++++++++++++++++++++------
 mm/nommu.c                         |  2 +-
 mm/vma.c                           |  6 +-
 tools/testing/vma/include/custom.h |  3 -
 tools/testing/vma/include/dup.h    |  9 +++
 tools/testing/vma/main.c           |  2 +
 9 files changed, 100 insertions(+), 30 deletions(-)

--
2.53.0