mmap: call unlink_anon_vmas() in __split_vma() in case of error

If __split_vma fails because of an out of memory condition the anon_vma_chain isn't teardown and freed potentially leading to rmap walks accessing freed vma information plus there's a memleak. Signed-off-by: Andrea Arcangeli <[email protected]> Acked-by: Johannes Weiner <[email protected]> Acked-by: Rik van Riel <[email protected]> Acked-by: Hugh Dickins <[email protected]> Cc: Marcelo Tosatti <[email protected]> Cc: <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Linus Torvalds <[email protected]>
yshchan · Sep 23, 2010 · 2aeadc3 · 2aeadc3
1 parent a247c3a
commit 2aeadc3
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/mm/mmap.c b/mm/mmap.c
@@ -2009,6 +2009,7 @@ static int __split_vma(struct mm_struct * mm, struct vm_area_struct * vma,
 			removed_exe_file_vma(mm);
 		fput(new->vm_file);
 	}
+	unlink_anon_vmas(new);
  out_free_mpol:
 	mpol_put(pol);
  out_free_vma: