mmap: fix copy_vma() failure path

The anon vma was not unlinked and the file was not closed in the failure
path when the machine runs out of memory during the maple tree
modification.  This caused a memory leak of the anon vma chain and vma
since neither would be freed.

Link: https://lkml.kernel.org/r/20221011203621.1446507-1-Liam.Howlett@oracle.com
Fixes: 524e00b36e8c ("mm: remove rb tree")
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Reported-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Tested-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

diff --git a/mm/mmap.c b/mm/mmap.c
index 6e44754..fc8581c 100644 (file)
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -3240,6 +3240,11 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
 out_vma_link:
        if (new_vma->vm_ops && new_vma->vm_ops->close)
                new_vma->vm_ops->close(new_vma);
+
+       if (new_vma->vm_file)
+               fput(new_vma->vm_file);
+
+       unlink_anon_vmas(new_vma);
 out_free_mempol:
        mpol_put(vma_policy(new_vma));
 out_free_vma: