@@ -1698,6 +1698,11 @@ struct block_device_operations;
#define NOMMU_VMFLAGS \
(NOMMU_MAP_READ | NOMMU_MAP_WRITE | NOMMU_MAP_EXEC)
+enum mmap_hook {
+ MMAP_HOOK_PREPARE,
+ MMAP_HOOK_ROLLBACK,
+ MMAP_HOOK_COMMIT,
+};
struct iov_iter;
@@ -1714,6 +1719,7 @@ struct file_operations {
long (*unlocked_ioctl) (struct file *, unsigned int, unsigned long);
long (*compat_ioctl) (struct file *, unsigned int, unsigned long);
int (*mmap) (struct file *, struct vm_area_struct *);
+ int (*mmap_hook) (struct file *, enum mmap_hook);
unsigned long mmap_supported_flags;
int (*open) (struct inode *, struct file *);
int (*flush) (struct file *, fl_owner_t id);
@@ -350,11 +350,28 @@ unsigned long vm_mmap_pgoff(struct file *file, unsigned long addr,
ret = security_mmap_file(file, prot, flag);
if (!ret) {
- if (down_write_killable(&mm->mmap_sem))
+ int (*mmap_hook)(struct file *, enum mmap_hook) = NULL;
+
+ if (file) {
+ mmap_hook = file->f_op->mmap_hook;
+
+ if (mmap_hook) {
+ ret = mmap_hook(file, MMAP_HOOK_PREPARE);
+ if (ret)
+ return ret;
+ }
+ }
+ if (down_write_killable(&mm->mmap_sem)) {
+ if (mmap_hook)
+ mmap_hook(file, MMAP_HOOK_ROLLBACK);
return -EINTR;
+ }
ret = do_mmap_pgoff(file, addr, len, prot, flag, pgoff,
&populate, &uf);
up_write(&mm->mmap_sem);
+ if (mmap_hook)
+ mmap_hook(file, IS_ERR(ret) ? MMAP_HOOK_ROLLBACK :
+ MMAP_HOOK_COMMIT);
userfaultfd_unmap_complete(mm, &uf);
if (populate)
mm_populate(ret, populate);
When adding tcp mmap() implementation, I forgot that socket lock had to be taken before current->mm->mmap_sem. syzbot eventually caught the bug. This patch provides a new mmap_hook() method in struct file_operations that might be provided by fs to implement a finer control of whats to be done before and after do_mmap_pgoff() and/or the mm->mmap_sem acquire/release. This is used in following patches by networking and TCP stacks to solve the lockdep issue, and also allows some preparation and cleanup work being done before/after mmap_sem is held, allowing better scalability in multi-threading programs. Fixes: 93ab6cc69162 ("tcp: implement mmap() for zero copy receive") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> --- include/linux/fs.h | 6 ++++++ mm/util.c | 19 ++++++++++++++++++- 2 files changed, 24 insertions(+), 1 deletion(-)