// SPDX-License-Identifier: GPL-2.0-only

  /*
   * mm/mmap.c
   *
   * Written by obz.
   *

   * Address space accounting code	<alan@lxorguk.ukuu.org.uk>

   */

  #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

  #include <linux/kernel.h>

  #include <linux/slab.h>

  #include <linux/backing-dev.h>

  #include <linux/mm.h>

  #include <linux/vmacache.h>

  #include <linux/shm.h>
  #include <linux/mman.h>
  #include <linux/pagemap.h>
  #include <linux/swap.h>
  #include <linux/syscalls.h>

  #include <linux/capability.h>

  #include <linux/init.h>
  #include <linux/file.h>
  #include <linux/fs.h>
  #include <linux/personality.h>
  #include <linux/security.h>
  #include <linux/hugetlb.h>

  #include <linux/shmem_fs.h>

  #include <linux/profile.h>

  #include <linux/export.h>

  #include <linux/mount.h>
  #include <linux/mempolicy.h>
  #include <linux/rmap.h>

  #include <linux/mmu_notifier.h>

  #include <linux/mmdebug.h>

  #include <linux/perf_event.h>

  #include <linux/audit.h>

  #include <linux/khugepaged.h>

  #include <linux/uprobes.h>

  #include <linux/rbtree_augmented.h>

  #include <linux/notifier.h>
  #include <linux/memory.h>

  #include <linux/printk.h>

  #include <linux/userfaultfd_k.h>

  #include <linux/moduleparam.h>

  #include <linux/pkeys.h>

  #include <linux/oom.h>

  #include <linux/sched/mm.h>

  #include <linux/uaccess.h>

  #include <asm/cacheflush.h>
  #include <asm/tlb.h>

  #include <asm/mmu_context.h>

  #define CREATE_TRACE_POINTS
  #include <trace/events/mmap.h>

  #include "internal.h"

  #ifndef arch_mmap_check
  #define arch_mmap_check(addr, len, flags)	(0)
  #endif

  #ifdef CONFIG_HAVE_ARCH_MMAP_RND_BITS
  const int mmap_rnd_bits_min = CONFIG_ARCH_MMAP_RND_BITS_MIN;
  const int mmap_rnd_bits_max = CONFIG_ARCH_MMAP_RND_BITS_MAX;
  int mmap_rnd_bits __read_mostly = CONFIG_ARCH_MMAP_RND_BITS;
  #endif
  #ifdef CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS
  const int mmap_rnd_compat_bits_min = CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN;
  const int mmap_rnd_compat_bits_max = CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX;
  int mmap_rnd_compat_bits __read_mostly = CONFIG_ARCH_MMAP_RND_COMPAT_BITS;
  #endif

  static bool ignore_rlimit_data;

  core_param(ignore_rlimit_data, ignore_rlimit_data, bool, 0644);

  static void unmap_region(struct mm_struct *mm,
  		struct vm_area_struct *vma, struct vm_area_struct *prev,
  		unsigned long start, unsigned long end);

  /* description of effects of mapping type and prot in current implementation.
   * this is due to the limited x86 page protection hardware.  The expected
   * behavior is in parens:
   *
   * map_type	prot
   *		PROT_NONE	PROT_READ	PROT_WRITE	PROT_EXEC
   * MAP_SHARED	r: (no) no	r: (yes) yes	r: (no) yes	r: (no) yes
   *		w: (no) no	w: (no) no	w: (yes) yes	w: (no) no
   *		x: (no) no	x: (no) yes	x: (no) yes	x: (yes) yes

   *

   * MAP_PRIVATE	r: (no) no	r: (yes) yes	r: (no) yes	r: (no) yes
   *		w: (no) no	w: (no) no	w: (copy) copy	w: (no) no
   *		x: (no) no	x: (no) yes	x: (no) yes	x: (yes) yes

   */

  pgprot_t protection_map[16] __ro_after_init = {

  	__P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
  	__S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
  };

  #ifndef CONFIG_ARCH_HAS_FILTER_PGPROT
  static inline pgprot_t arch_filter_pgprot(pgprot_t prot)
  {
  	return prot;
  }
  #endif

  pgprot_t vm_get_page_prot(unsigned long vm_flags)
  {

  	pgprot_t ret = __pgprot(pgprot_val(protection_map[vm_flags &

  				(VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
  			pgprot_val(arch_vm_get_page_prot(vm_flags)));

  
  	return arch_filter_pgprot(ret);

  }
  EXPORT_SYMBOL(vm_get_page_prot);

  static pgprot_t vm_pgprot_modify(pgprot_t oldprot, unsigned long vm_flags)
  {
  	return pgprot_modify(oldprot, vm_get_page_prot(vm_flags));
  }
  
  /* Update vma->vm_page_prot to reflect vma->vm_flags. */
  void vma_set_page_prot(struct vm_area_struct *vma)
  {
  	unsigned long vm_flags = vma->vm_flags;

  	pgprot_t vm_page_prot;

  	vm_page_prot = vm_pgprot_modify(vma->vm_page_prot, vm_flags);
  	if (vma_wants_writenotify(vma, vm_page_prot)) {

  		vm_flags &= ~VM_SHARED;

  		vm_page_prot = vm_pgprot_modify(vm_page_prot, vm_flags);

  	}

  	/* remove_protection_ptes reads vma->vm_page_prot without mmap_lock */

  	WRITE_ONCE(vma->vm_page_prot, vm_page_prot);

  }

  /*

   * Requires inode->i_mapping->i_mmap_rwsem

   */
  static void __remove_shared_vm_struct(struct vm_area_struct *vma,
  		struct file *file, struct address_space *mapping)
  {
  	if (vma->vm_flags & VM_DENYWRITE)

  		allow_write_access(file);

  	if (vma->vm_flags & VM_SHARED)

  		mapping_unmap_writable(mapping);

  
  	flush_dcache_mmap_lock(mapping);

  	vma_interval_tree_remove(vma, &mapping->i_mmap);

  	flush_dcache_mmap_unlock(mapping);
  }
  
  /*

   * Unlink a file-based vm structure from its interval tree, to hide

   * vma from rmap and vmtruncate before freeing its page tables.

   */

  void unlink_file_vma(struct vm_area_struct *vma)

  {
  	struct file *file = vma->vm_file;

  	if (file) {
  		struct address_space *mapping = file->f_mapping;

  		i_mmap_lock_write(mapping);

  		__remove_shared_vm_struct(vma, file, mapping);

  		i_mmap_unlock_write(mapping);

  	}

  }
  
  /*
   * Close a vm structure and free it, returning the next.
   */
  static struct vm_area_struct *remove_vma(struct vm_area_struct *vma)
  {
  	struct vm_area_struct *next = vma->vm_next;

  	might_sleep();

  	if (vma->vm_ops && vma->vm_ops->close)
  		vma->vm_ops->close(vma);

  	if (vma->vm_file)

  		fput(vma->vm_file);

  	mpol_put(vma_policy(vma));

  	vm_area_free(vma);

  	return next;

  }

  static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long flags,
  		struct list_head *uf);

  SYSCALL_DEFINE1(brk, unsigned long, brk)

  {

  	unsigned long retval;

  	unsigned long newbrk, oldbrk, origbrk;

  	struct mm_struct *mm = current->mm;

  	struct vm_area_struct *next;

  	unsigned long min_brk;

  	bool populate;

  	bool downgraded = false;

  	LIST_HEAD(uf);

  	if (mmap_write_lock_killable(mm))

  		return -EINTR;

  	origbrk = mm->brk;

  #ifdef CONFIG_COMPAT_BRK

  	/*
  	 * CONFIG_COMPAT_BRK can still be overridden by setting
  	 * randomize_va_space to 2, which will still cause mm->start_brk
  	 * to be arbitrarily shifted
  	 */

  	if (current->brk_randomized)

  		min_brk = mm->start_brk;
  	else
  		min_brk = mm->end_data;

  #else
  	min_brk = mm->start_brk;
  #endif
  	if (brk < min_brk)

  		goto out;

  
  	/*
  	 * Check against rlimit here. If this check is done later after the test
  	 * of oldbrk with newbrk then it can escape the test and let the data
  	 * segment grow beyond its set limit the in case where the limit is
  	 * not page aligned -Ram Gupta
  	 */

  	if (check_data_rlimit(rlimit(RLIMIT_DATA), brk, mm->start_brk,
  			      mm->end_data, mm->start_data))

  		goto out;

  	newbrk = PAGE_ALIGN(brk);
  	oldbrk = PAGE_ALIGN(mm->brk);

  	if (oldbrk == newbrk) {
  		mm->brk = brk;
  		goto success;
  	}

  	/*
  	 * Always allow shrinking brk.

  	 * __do_munmap() may downgrade mmap_lock to read.

  	 */

  	if (brk <= mm->brk) {

  		int ret;
  
  		/*

  		 * mm->brk must to be protected by write mmap_lock so update it
  		 * before downgrading mmap_lock. When __do_munmap() fails,

  		 * mm->brk will be restored from origbrk.
  		 */
  		mm->brk = brk;
  		ret = __do_munmap(mm, newbrk, oldbrk-newbrk, &uf, true);
  		if (ret < 0) {
  			mm->brk = origbrk;
  			goto out;
  		} else if (ret == 1) {
  			downgraded = true;
  		}
  		goto success;

  	}

  	/* Check against existing mmap mappings. */

  	next = find_vma(mm, oldbrk);
  	if (next && newbrk + PAGE_SIZE > vm_start_gap(next))

  		goto out;
  
  	/* Ok, looks good - let it rip. */

  	if (do_brk_flags(oldbrk, newbrk-oldbrk, 0, &uf) < 0)

  		goto out;

  	mm->brk = brk;

  
  success:

  	populate = newbrk > oldbrk && (mm->def_flags & VM_LOCKED) != 0;

  	if (downgraded)

  		mmap_read_unlock(mm);

  	else

  		mmap_write_unlock(mm);

  	userfaultfd_unmap_complete(mm, &uf);

  	if (populate)
  		mm_populate(oldbrk, newbrk - oldbrk);
  	return brk;

  out:

  	retval = origbrk;

  	mmap_write_unlock(mm);

  	return retval;
  }

  static inline unsigned long vma_compute_gap(struct vm_area_struct *vma)

  {

  	unsigned long gap, prev_end;

  
  	/*
  	 * Note: in the rare case of a VM_GROWSDOWN above a VM_GROWSUP, we
  	 * allow two stack_guard_gaps between them here, and when choosing
  	 * an unmapped area; whereas when expanding we only require one.
  	 * That's a little inconsistent, but keeps the code here simpler.
  	 */

  	gap = vm_start_gap(vma);

  	if (vma->vm_prev) {
  		prev_end = vm_end_gap(vma->vm_prev);

  		if (gap > prev_end)
  			gap -= prev_end;

  		else

  			gap = 0;

  	}

  	return gap;
  }
  
  #ifdef CONFIG_DEBUG_VM_RB
  static unsigned long vma_compute_subtree_gap(struct vm_area_struct *vma)
  {
  	unsigned long max = vma_compute_gap(vma), subtree_gap;

  	if (vma->vm_rb.rb_left) {
  		subtree_gap = rb_entry(vma->vm_rb.rb_left,
  				struct vm_area_struct, vm_rb)->rb_subtree_gap;
  		if (subtree_gap > max)
  			max = subtree_gap;
  	}
  	if (vma->vm_rb.rb_right) {
  		subtree_gap = rb_entry(vma->vm_rb.rb_right,
  				struct vm_area_struct, vm_rb)->rb_subtree_gap;
  		if (subtree_gap > max)
  			max = subtree_gap;
  	}
  	return max;
  }

  static int browse_rb(struct mm_struct *mm)

  {

  	struct rb_root *root = &mm->mm_rb;

  	int i = 0, j, bug = 0;

  	struct rb_node *nd, *pn = NULL;
  	unsigned long prev = 0, pend = 0;
  
  	for (nd = rb_first(root); nd; nd = rb_next(nd)) {
  		struct vm_area_struct *vma;
  		vma = rb_entry(nd, struct vm_area_struct, vm_rb);

  		if (vma->vm_start < prev) {

  			pr_emerg("vm_start %lx < prev %lx
  ",
  				  vma->vm_start, prev);

  			bug = 1;
  		}
  		if (vma->vm_start < pend) {

  			pr_emerg("vm_start %lx < pend %lx
  ",
  				  vma->vm_start, pend);

  			bug = 1;
  		}
  		if (vma->vm_start > vma->vm_end) {

  			pr_emerg("vm_start %lx > vm_end %lx
  ",
  				  vma->vm_start, vma->vm_end);

  			bug = 1;
  		}

  		spin_lock(&mm->page_table_lock);

  		if (vma->rb_subtree_gap != vma_compute_subtree_gap(vma)) {

  			pr_emerg("free gap %lx, correct %lx
  ",

  			       vma->rb_subtree_gap,
  			       vma_compute_subtree_gap(vma));
  			bug = 1;
  		}

  		spin_unlock(&mm->page_table_lock);

  		i++;
  		pn = nd;

  		prev = vma->vm_start;
  		pend = vma->vm_end;

  	}
  	j = 0;

  	for (nd = pn; nd; nd = rb_prev(nd))

  		j++;

  	if (i != j) {

  		pr_emerg("backwards %d, forwards %d
  ", j, i);

  		bug = 1;

  	}

  	return bug ? -1 : i;

  }

  static void validate_mm_rb(struct rb_root *root, struct vm_area_struct *ignore)
  {
  	struct rb_node *nd;
  
  	for (nd = rb_first(root); nd; nd = rb_next(nd)) {
  		struct vm_area_struct *vma;
  		vma = rb_entry(nd, struct vm_area_struct, vm_rb);

  		VM_BUG_ON_VMA(vma != ignore &&
  			vma->rb_subtree_gap != vma_compute_subtree_gap(vma),
  			vma);

  	}

  }

  static void validate_mm(struct mm_struct *mm)

  {
  	int bug = 0;
  	int i = 0;

  	unsigned long highest_address = 0;

  	struct vm_area_struct *vma = mm->mmap;

  	while (vma) {

  		struct anon_vma *anon_vma = vma->anon_vma;

  		struct anon_vma_chain *avc;

  		if (anon_vma) {
  			anon_vma_lock_read(anon_vma);
  			list_for_each_entry(avc, &vma->anon_vma_chain, same_vma)
  				anon_vma_interval_tree_verify(avc);
  			anon_vma_unlock_read(anon_vma);
  		}

  		highest_address = vm_end_gap(vma);

  		vma = vma->vm_next;

  		i++;
  	}

  	if (i != mm->map_count) {

  		pr_emerg("map_count %d vm_next %d
  ", mm->map_count, i);

  		bug = 1;
  	}
  	if (highest_address != mm->highest_vm_end) {

  		pr_emerg("mm->highest_vm_end %lx, found %lx
  ",

  			  mm->highest_vm_end, highest_address);

  		bug = 1;
  	}

  	i = browse_rb(mm);

  	if (i != mm->map_count) {

  		if (i != -1)
  			pr_emerg("map_count %d rb %d
  ", mm->map_count, i);

  		bug = 1;
  	}

  	VM_BUG_ON_MM(bug, mm);

  }
  #else

  #define validate_mm_rb(root, ignore) do { } while (0)

  #define validate_mm(mm) do { } while (0)
  #endif

  RB_DECLARE_CALLBACKS_MAX(static, vma_gap_callbacks,
  			 struct vm_area_struct, vm_rb,
  			 unsigned long, rb_subtree_gap, vma_compute_gap)

  
  /*
   * Update augmented rbtree rb_subtree_gap values after vma->vm_start or
   * vma->vm_prev->vm_end values changed, without modifying the vma's position
   * in the rbtree.
   */
  static void vma_gap_update(struct vm_area_struct *vma)
  {
  	/*

  	 * As it turns out, RB_DECLARE_CALLBACKS_MAX() already created
  	 * a callback function that does exactly what we want.

  	 */
  	vma_gap_callbacks_propagate(&vma->vm_rb, NULL);
  }
  
  static inline void vma_rb_insert(struct vm_area_struct *vma,
  				 struct rb_root *root)
  {
  	/* All rb_subtree_gap values must be consistent prior to insertion */
  	validate_mm_rb(root, NULL);
  
  	rb_insert_augmented(&vma->vm_rb, root, &vma_gap_callbacks);
  }

  static void __vma_rb_erase(struct vm_area_struct *vma, struct rb_root *root)

  {
  	/*

  	 * Note rb_erase_augmented is a fairly large inline function,
  	 * so make sure we instantiate it only once with our desired
  	 * augmented rbtree callbacks.
  	 */
  	rb_erase_augmented(&vma->vm_rb, root, &vma_gap_callbacks);
  }

  static __always_inline void vma_rb_erase_ignore(struct vm_area_struct *vma,
  						struct rb_root *root,
  						struct vm_area_struct *ignore)
  {
  	/*
  	 * All rb_subtree_gap values must be consistent prior to erase,

  	 * with the possible exception of
  	 *
  	 * a. the "next" vma being erased if next->vm_start was reduced in
  	 *    __vma_adjust() -> __vma_unlink()
  	 * b. the vma being erased in detach_vmas_to_be_unmapped() ->
  	 *    vma_rb_erase()

  	 */
  	validate_mm_rb(root, ignore);
  
  	__vma_rb_erase(vma, root);
  }
  
  static __always_inline void vma_rb_erase(struct vm_area_struct *vma,
  					 struct rb_root *root)
  {

  	vma_rb_erase_ignore(vma, root, vma);

  }

  /*
   * vma has some anon_vma assigned, and is already inserted on that
   * anon_vma's interval trees.
   *
   * Before updating the vma's vm_start / vm_end / vm_pgoff fields, the
   * vma must be removed from the anon_vma's interval trees using
   * anon_vma_interval_tree_pre_update_vma().
   *
   * After the update, the vma will be reinserted using
   * anon_vma_interval_tree_post_update_vma().
   *

   * The entire update must be protected by exclusive mmap_lock and by

   * the root anon_vma's mutex.
   */
  static inline void
  anon_vma_interval_tree_pre_update_vma(struct vm_area_struct *vma)
  {
  	struct anon_vma_chain *avc;
  
  	list_for_each_entry(avc, &vma->anon_vma_chain, same_vma)
  		anon_vma_interval_tree_remove(avc, &avc->anon_vma->rb_root);
  }
  
  static inline void
  anon_vma_interval_tree_post_update_vma(struct vm_area_struct *vma)
  {
  	struct anon_vma_chain *avc;
  
  	list_for_each_entry(avc, &vma->anon_vma_chain, same_vma)
  		anon_vma_interval_tree_insert(avc, &avc->anon_vma->rb_root);
  }

  static int find_vma_links(struct mm_struct *mm, unsigned long addr,
  		unsigned long end, struct vm_area_struct **pprev,
  		struct rb_node ***rb_link, struct rb_node **rb_parent)

  {

  	struct rb_node **__rb_link, *__rb_parent, *rb_prev;

  
  	__rb_link = &mm->mm_rb.rb_node;
  	rb_prev = __rb_parent = NULL;

  
  	while (*__rb_link) {
  		struct vm_area_struct *vma_tmp;
  
  		__rb_parent = *__rb_link;
  		vma_tmp = rb_entry(__rb_parent, struct vm_area_struct, vm_rb);
  
  		if (vma_tmp->vm_end > addr) {

  			/* Fail if an existing vma overlaps the area */
  			if (vma_tmp->vm_start < end)
  				return -ENOMEM;

  			__rb_link = &__rb_parent->rb_left;
  		} else {
  			rb_prev = __rb_parent;
  			__rb_link = &__rb_parent->rb_right;
  		}
  	}
  
  	*pprev = NULL;
  	if (rb_prev)
  		*pprev = rb_entry(rb_prev, struct vm_area_struct, vm_rb);
  	*rb_link = __rb_link;
  	*rb_parent = __rb_parent;

  	return 0;

  }

  /*
   * vma_next() - Get the next VMA.
   * @mm: The mm_struct.
   * @vma: The current vma.
   *
   * If @vma is NULL, return the first vma in the mm.
   *
   * Returns: The next VMA after @vma.
   */
  static inline struct vm_area_struct *vma_next(struct mm_struct *mm,
  					 struct vm_area_struct *vma)
  {
  	if (!vma)
  		return mm->mmap;
  
  	return vma->vm_next;
  }

  
  /*
   * munmap_vma_range() - munmap VMAs that overlap a range.
   * @mm: The mm struct
   * @start: The start of the range.
   * @len: The length of the range.
   * @pprev: pointer to the pointer that will be set to previous vm_area_struct
   * @rb_link: the rb_node
   * @rb_parent: the parent rb_node
   *
   * Find all the vm_area_struct that overlap from @start to
   * @end and munmap them.  Set @pprev to the previous vm_area_struct.
   *
   * Returns: -ENOMEM on munmap failure or 0 on success.
   */
  static inline int
  munmap_vma_range(struct mm_struct *mm, unsigned long start, unsigned long len,
  		 struct vm_area_struct **pprev, struct rb_node ***link,
  		 struct rb_node **parent, struct list_head *uf)
  {
  
  	while (find_vma_links(mm, start, start + len, pprev, link, parent))
  		if (do_munmap(mm, start, len, uf))
  			return -ENOMEM;
  
  	return 0;
  }

  static unsigned long count_vma_pages_range(struct mm_struct *mm,
  		unsigned long addr, unsigned long end)
  {
  	unsigned long nr_pages = 0;
  	struct vm_area_struct *vma;
  
  	/* Find first overlaping mapping */
  	vma = find_vma_intersection(mm, addr, end);
  	if (!vma)
  		return 0;
  
  	nr_pages = (min(end, vma->vm_end) -
  		max(addr, vma->vm_start)) >> PAGE_SHIFT;
  
  	/* Iterate over the rest of the overlaps */
  	for (vma = vma->vm_next; vma; vma = vma->vm_next) {
  		unsigned long overlap_len;
  
  		if (vma->vm_start > end)
  			break;
  
  		overlap_len = min(end, vma->vm_end) - vma->vm_start;
  		nr_pages += overlap_len >> PAGE_SHIFT;
  	}
  
  	return nr_pages;
  }

  void __vma_link_rb(struct mm_struct *mm, struct vm_area_struct *vma,
  		struct rb_node **rb_link, struct rb_node *rb_parent)
  {

  	/* Update tracking information for the gap following the new vma. */
  	if (vma->vm_next)
  		vma_gap_update(vma->vm_next);
  	else

  		mm->highest_vm_end = vm_end_gap(vma);

  
  	/*
  	 * vma->vm_prev wasn't known when we followed the rbtree to find the
  	 * correct insertion point for that vma. As a result, we could not
  	 * update the vma vm_rb parents rb_subtree_gap values on the way down.
  	 * So, we first insert the vma with a zero rb_subtree_gap value
  	 * (to be consistent with what we did on the way down), and then
  	 * immediately update the gap to the correct value. Finally we
  	 * rebalance the rbtree after all augmented values have been set.
  	 */

  	rb_link_node(&vma->vm_rb, rb_parent, rb_link);

  	vma->rb_subtree_gap = 0;
  	vma_gap_update(vma);
  	vma_rb_insert(vma, &mm->mm_rb);

  }

  static void __vma_link_file(struct vm_area_struct *vma)

  {

  	struct file *file;

  
  	file = vma->vm_file;
  	if (file) {
  		struct address_space *mapping = file->f_mapping;
  
  		if (vma->vm_flags & VM_DENYWRITE)

  			put_write_access(file_inode(file));

  		if (vma->vm_flags & VM_SHARED)

  			mapping_allow_writable(mapping);

  
  		flush_dcache_mmap_lock(mapping);

  		vma_interval_tree_insert(vma, &mapping->i_mmap);

  		flush_dcache_mmap_unlock(mapping);
  	}
  }
  
  static void
  __vma_link(struct mm_struct *mm, struct vm_area_struct *vma,
  	struct vm_area_struct *prev, struct rb_node **rb_link,
  	struct rb_node *rb_parent)
  {

  	__vma_link_list(mm, vma, prev);

  	__vma_link_rb(mm, vma, rb_link, rb_parent);

  }
  
  static void vma_link(struct mm_struct *mm, struct vm_area_struct *vma,
  			struct vm_area_struct *prev, struct rb_node **rb_link,
  			struct rb_node *rb_parent)
  {
  	struct address_space *mapping = NULL;

  	if (vma->vm_file) {

  		mapping = vma->vm_file->f_mapping;

  		i_mmap_lock_write(mapping);

  	}

  
  	__vma_link(mm, vma, prev, rb_link, rb_parent);
  	__vma_link_file(vma);

  	if (mapping)

  		i_mmap_unlock_write(mapping);

  
  	mm->map_count++;
  	validate_mm(mm);
  }
  
  /*

   * Helper for vma_adjust() in the split_vma insert case: insert a vma into the

   * mm's list and rbtree.  It has already been inserted into the interval tree.

   */

  static void __insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)

  {

  	struct vm_area_struct *prev;

  	struct rb_node **rb_link, *rb_parent;

  	if (find_vma_links(mm, vma->vm_start, vma->vm_end,
  			   &prev, &rb_link, &rb_parent))
  		BUG();

  	__vma_link(mm, vma, prev, rb_link, rb_parent);
  	mm->map_count++;
  }

  static __always_inline void __vma_unlink(struct mm_struct *mm,

  						struct vm_area_struct *vma,

  						struct vm_area_struct *ignore)

  {

  	vma_rb_erase_ignore(vma, &mm->mm_rb, ignore);

  	__vma_unlink_list(mm, vma);

  	/* Kill the cache */
  	vmacache_invalidate(mm);

  }
  
  /*
   * We cannot adjust vm_start, vm_end, vm_pgoff fields of a vma that
   * is already present in an i_mmap tree without adjusting the tree.
   * The following helper function should be used when such adjustments
   * are necessary.  The "insert" vma (if any) is to be inserted
   * before we drop the necessary locks.
   */

  int __vma_adjust(struct vm_area_struct *vma, unsigned long start,
  	unsigned long end, pgoff_t pgoff, struct vm_area_struct *insert,
  	struct vm_area_struct *expand)

  {
  	struct mm_struct *mm = vma->vm_mm;

  	struct vm_area_struct *next = vma->vm_next, *orig_vma = vma;

  	struct address_space *mapping = NULL;

  	struct rb_root_cached *root = NULL;

  	struct anon_vma *anon_vma = NULL;

  	struct file *file = vma->vm_file;

  	bool start_changed = false, end_changed = false;

  	long adjust_next = 0;
  	int remove_next = 0;
  
  	if (next && !insert) {

  		struct vm_area_struct *exporter = NULL, *importer = NULL;

  		if (end >= next->vm_end) {
  			/*
  			 * vma expands, overlapping all the next, and
  			 * perhaps the one after too (mprotect case 6).

  			 * The only other cases that gets here are

  			 * case 1, case 7 and case 8.

  			 */

  			if (next == expand) {
  				/*
  				 * The only case where we don't expand "vma"
  				 * and we expand "next" instead is case 8.
  				 */
  				VM_WARN_ON(end != next->vm_end);
  				/*
  				 * remove_next == 3 means we're
  				 * removing "vma" and that to do so we
  				 * swapped "vma" and "next".
  				 */
  				remove_next = 3;
  				VM_WARN_ON(file != next->vm_file);
  				swap(vma, next);
  			} else {
  				VM_WARN_ON(expand != vma);
  				/*
  				 * case 1, 6, 7, remove_next == 2 is case 6,
  				 * remove_next == 1 is case 1 or 7.
  				 */
  				remove_next = 1 + (end > next->vm_end);
  				VM_WARN_ON(remove_next == 2 &&
  					   end != next->vm_next->vm_end);

  				/* trim end to next, for case 6 first pass */
  				end = next->vm_end;
  			}

  			exporter = next;

  			importer = vma;

  
  			/*
  			 * If next doesn't have anon_vma, import from vma after
  			 * next, if the vma overlaps with it.
  			 */

  			if (remove_next == 2 && !next->anon_vma)

  				exporter = next->vm_next;

  		} else if (end > next->vm_start) {
  			/*
  			 * vma expands, overlapping part of the next:
  			 * mprotect case 5 shifting the boundary up.
  			 */

  			adjust_next = (end - next->vm_start);

  			exporter = next;

  			importer = vma;

  			VM_WARN_ON(expand != importer);

  		} else if (end < vma->vm_end) {
  			/*
  			 * vma shrinks, and !insert tells it's not
  			 * split_vma inserting another: so it must be
  			 * mprotect case 4 shifting the boundary down.
  			 */

  			adjust_next = -(vma->vm_end - end);

  			exporter = vma;

  			importer = next;

  			VM_WARN_ON(expand != importer);

  		}

  		/*
  		 * Easily overlooked: when mprotect shifts the boundary,
  		 * make sure the expanding vma has anon_vma set if the
  		 * shrinking vma had, to cover any anon pages imported.
  		 */

  		if (exporter && exporter->anon_vma && !importer->anon_vma) {

  			int error;

  			importer->anon_vma = exporter->anon_vma;

  			error = anon_vma_clone(importer, exporter);

  			if (error)

  				return error;

  		}
  	}

  again:

  	vma_adjust_trans_huge(orig_vma, start, end, adjust_next);

  	if (file) {
  		mapping = file->f_mapping;

  		root = &mapping->i_mmap;
  		uprobe_munmap(vma, vma->vm_start, vma->vm_end);

  		if (adjust_next)
  			uprobe_munmap(next, next->vm_start, next->vm_end);

  		i_mmap_lock_write(mapping);

  		if (insert) {

  			/*

  			 * Put into interval tree now, so instantiated pages

  			 * are visible to arm/parisc __flush_dcache_page
  			 * throughout; but we cannot insert into address
  			 * space until vma start or end is updated.
  			 */
  			__vma_link_file(insert);
  		}
  	}

  	anon_vma = vma->anon_vma;
  	if (!anon_vma && adjust_next)
  		anon_vma = next->anon_vma;
  	if (anon_vma) {

  		VM_WARN_ON(adjust_next && next->anon_vma &&
  			   anon_vma != next->anon_vma);

  		anon_vma_lock_write(anon_vma);

  		anon_vma_interval_tree_pre_update_vma(vma);
  		if (adjust_next)
  			anon_vma_interval_tree_pre_update_vma(next);
  	}

  	if (file) {

  		flush_dcache_mmap_lock(mapping);

  		vma_interval_tree_remove(vma, root);

  		if (adjust_next)

  			vma_interval_tree_remove(next, root);

  	}

  	if (start != vma->vm_start) {
  		vma->vm_start = start;
  		start_changed = true;
  	}
  	if (end != vma->vm_end) {
  		vma->vm_end = end;
  		end_changed = true;
  	}

  	vma->vm_pgoff = pgoff;
  	if (adjust_next) {

  		next->vm_start += adjust_next;
  		next->vm_pgoff += adjust_next >> PAGE_SHIFT;

  	}

  	if (file) {

  		if (adjust_next)

  			vma_interval_tree_insert(next, root);
  		vma_interval_tree_insert(vma, root);

  		flush_dcache_mmap_unlock(mapping);
  	}
  
  	if (remove_next) {
  		/*
  		 * vma_merge has merged next into vma, and needs
  		 * us to remove next before dropping the locks.
  		 */

  		if (remove_next != 3)

  			__vma_unlink(mm, next, next);

  		else

  			/*
  			 * vma is not before next if they've been
  			 * swapped.
  			 *
  			 * pre-swap() next->vm_start was reduced so
  			 * tell validate_mm_rb to ignore pre-swap()
  			 * "next" (which is stored in post-swap()
  			 * "vma").
  			 */

  			__vma_unlink(mm, next, vma);

  		if (file)
  			__remove_shared_vm_struct(next, file, mapping);

  	} else if (insert) {
  		/*
  		 * split_vma has split insert from vma, and needs
  		 * us to insert it before dropping the locks
  		 * (it may either follow vma or precede it).
  		 */
  		__insert_vm_struct(mm, insert);

  	} else {
  		if (start_changed)
  			vma_gap_update(vma);
  		if (end_changed) {
  			if (!next)

  				mm->highest_vm_end = vm_end_gap(vma);

  			else if (!adjust_next)
  				vma_gap_update(next);
  		}

  	}

  	if (anon_vma) {
  		anon_vma_interval_tree_post_update_vma(vma);
  		if (adjust_next)
  			anon_vma_interval_tree_post_update_vma(next);

  		anon_vma_unlock_write(anon_vma);

  	}

  	if (file) {

  		i_mmap_unlock_write(mapping);

  		uprobe_mmap(vma);

  
  		if (adjust_next)

  			uprobe_mmap(next);

  	}

  	if (remove_next) {

  		if (file) {

  			uprobe_munmap(next, next->vm_start, next->vm_end);

  			fput(file);

  		}

  		if (next->anon_vma)
  			anon_vma_merge(vma, next);

  		mm->map_count--;

  		mpol_put(vma_policy(next));

  		vm_area_free(next);

  		/*
  		 * In mprotect's case 6 (see comments on vma_merge),
  		 * we must remove another next too. It would clutter
  		 * up the code too much to do both in one go.
  		 */

  		if (remove_next != 3) {
  			/*
  			 * If "next" was removed and vma->vm_end was
  			 * expanded (up) over it, in turn
  			 * "next->vm_prev->vm_end" changed and the
  			 * "vma->vm_next" gap must be updated.
  			 */
  			next = vma->vm_next;
  		} else {
  			/*
  			 * For the scope of the comment "next" and
  			 * "vma" considered pre-swap(): if "vma" was
  			 * removed, next->vm_start was expanded (down)
  			 * over it and the "next" gap must be updated.
  			 * Because of the swap() the post-swap() "vma"
  			 * actually points to pre-swap() "next"
  			 * (post-swap() "next" as opposed is now a
  			 * dangling pointer).
  			 */
  			next = vma;
  		}

  		if (remove_next == 2) {
  			remove_next = 1;
  			end = next->vm_end;

  			goto again;

  		}

  		else if (next)
  			vma_gap_update(next);

  		else {
  			/*
  			 * If remove_next == 2 we obviously can't
  			 * reach this path.
  			 *
  			 * If remove_next == 3 we can't reach this
  			 * path because pre-swap() next is always not
  			 * NULL. pre-swap() "next" is not being
  			 * removed and its next->vm_end is not altered
  			 * (and furthermore "end" already matches
  			 * next->vm_end in remove_next == 3).
  			 *
  			 * We reach this only in the remove_next == 1
  			 * case if the "next" vma that was removed was
  			 * the highest vma of the mm. However in such
  			 * case next->vm_end == "end" and the extended
  			 * "vma" has vma->vm_end == next->vm_end so
  			 * mm->highest_vm_end doesn't need any update
  			 * in remove_next == 1 case.
  			 */

  			VM_WARN_ON(mm->highest_vm_end != vm_end_gap(vma));

  		}

  	}

  	if (insert && file)

  		uprobe_mmap(insert);

  
  	validate_mm(mm);

  
  	return 0;

  }
  
  /*
   * If the vma has a ->close operation then the driver probably needs to release
   * per-vma resources, so we don't attempt to merge those.
   */

  static inline int is_mergeable_vma(struct vm_area_struct *vma,

  				struct file *file, unsigned long vm_flags,

  				struct vm_userfaultfd_ctx vm_userfaultfd_ctx,
  				const char __user *anon_name)

  {

  	/*
  	 * VM_SOFTDIRTY should not prevent from VMA merging, if we
  	 * match the flags but dirty bit -- the caller should mark
  	 * merged VMA as dirty. If dirty bit won't be excluded from

  	 * comparison, we increase pressure on the memory system forcing

  	 * the kernel to generate new VMAs when old one could be
  	 * extended instead.
  	 */
  	if ((vma->vm_flags ^ vm_flags) & ~VM_SOFTDIRTY)

  		return 0;
  	if (vma->vm_file != file)
  		return 0;
  	if (vma->vm_ops && vma->vm_ops->close)
  		return 0;

  	if (!is_mergeable_vm_userfaultfd_ctx(vma, vm_userfaultfd_ctx))
  		return 0;

  	if (vma_get_anon_name(vma) != anon_name)
  		return 0;

  	return 1;
  }
  
  static inline int is_mergeable_anon_vma(struct anon_vma *anon_vma1,

  					struct anon_vma *anon_vma2,
  					struct vm_area_struct *vma)

  {

  	/*
  	 * The list_is_singular() test is to avoid merging VMA cloned from
  	 * parents. This can improve scalability caused by anon_vma lock.
  	 */
  	if ((!anon_vma1 || !anon_vma2) && (!vma ||
  		list_is_singular(&vma->anon_vma_chain)))
  		return 1;
  	return anon_vma1 == anon_vma2;

  }
  
  /*
   * Return true if we can merge this (vm_flags,anon_vma,file,vm_pgoff)
   * in front of (at a lower virtual address and file offset than) the vma.
   *
   * We cannot merge two vmas if they have differently assigned (non-NULL)
   * anon_vmas, nor if same anon_vma is assigned but offsets incompatible.
   *
   * We don't check here for the merged mmap wrapping around the end of pagecache

   * indices (16TB on ia32) because do_mmap() does not permit mmap's which

   * wrap, nor mmaps which cover the final page at index -1UL.
   */
  static int
  can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,

  		     struct anon_vma *anon_vma, struct file *file,
  		     pgoff_t vm_pgoff,

  		     struct vm_userfaultfd_ctx vm_userfaultfd_ctx,
  		     const char __user *anon_name)

  {

  	if (is_mergeable_vma(vma, file, vm_flags, vm_userfaultfd_ctx, anon_name) &&

  	    is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {

  		if (vma->vm_pgoff == vm_pgoff)
  			return 1;
  	}
  	return 0;
  }
  
  /*
   * Return true if we can merge this (vm_flags,anon_vma,file,vm_pgoff)
   * beyond (at a higher virtual address and file offset than) the vma.
   *
   * We cannot merge two vmas if they have differently assigned (non-NULL)
   * anon_vmas, nor if same anon_vma is assigned but offsets incompatible.
   */
  static int
  can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,

  		    struct anon_vma *anon_vma, struct file *file,
  		    pgoff_t vm_pgoff,

  		    struct vm_userfaultfd_ctx vm_userfaultfd_ctx,
  		    const char __user *anon_name)

  {

  	if (is_mergeable_vma(vma, file, vm_flags, vm_userfaultfd_ctx, anon_name) &&

  	    is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {

  		pgoff_t vm_pglen;

  		vm_pglen = vma_pages(vma);

  		if (vma->vm_pgoff + vm_pglen == vm_pgoff)
  			return 1;
  	}
  	return 0;
  }
  
  /*

   * Given a mapping request (addr,end,vm_flags,file,pgoff,anon_name),
   * figure out whether that can be merged with its predecessor or its
   * successor.  Or both (it neatly fills a hole).

   *
   * In most cases - when called for mmap, brk or mremap - [addr,end) is
   * certain not to be mapped by the time vma_merge is called; but when
   * called for mprotect, it is certain to be already mapped (either at
   * an offset within prev, or at the start of next), and the flags of
   * this area are about to be changed to vm_flags - and the no-change
   * case has already been eliminated.
   *
   * The following mprotect cases have to be considered, where AAAA is
   * the area passed down from mprotect_fixup, never extending beyond one
   * vma, PPPPPP is the prev vma specified, and NNNNNN the next vma after:
   *

   *     AAAA             AAAA                   AAAA
   *    PPPPPPNNNNNN    PPPPPPNNNNNN       PPPPPPNNNNNN
   *    cannot merge    might become       might become
   *                    PPNNNNNNNNNN       PPPPPPPPPPNN
   *    mmap, brk or    case 4 below       case 5 below
   *    mremap move:
   *                        AAAA               AAAA
   *                    PPPP    NNNN       PPPPNNNNXXXX
   *                    might become       might become
   *                    PPPPPPPPPPPP 1 or  PPPPPPPPPPPP 6 or
   *                    PPPPPPPPNNNN 2 or  PPPPPPPPXXXX 7 or
   *                    PPPPNNNNNNNN 3     PPPPXXXXXXXX 8

   *

   * It is important for case 8 that the vma NNNN overlapping the

   * region AAAA is never going to extended over XXXX. Instead XXXX must
   * be extended in region AAAA and NNNN must be removed. This way in
   * all cases where vma_merge succeeds, the moment vma_adjust drops the
   * rmap_locks, the properties of the merged vma will be already
   * correct for the whole merged range. Some of those properties like
   * vm_page_prot/vm_flags may be accessed by rmap_walks and they must
   * be correct for the whole merged range immediately after the
   * rmap_locks are released. Otherwise if XXXX would be removed and
   * NNNN would be extended over the XXXX range, remove_migration_ptes
   * or other rmap walkers (if working on addresses beyond the "end"
   * parameter) may establish ptes with the wrong permissions of NNNN
   * instead of the right permissions of XXXX.

   */
  struct vm_area_struct *vma_merge(struct mm_struct *mm,
  			struct vm_area_struct *prev, unsigned long addr,
  			unsigned long end, unsigned long vm_flags,

  			struct anon_vma *anon_vma, struct file *file,

  			pgoff_t pgoff, struct mempolicy *policy,

  			struct vm_userfaultfd_ctx vm_userfaultfd_ctx,
  			const char __user *anon_name)

  {
  	pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
  	struct vm_area_struct *area, *next;

  	int err;

  
  	/*
  	 * We later require that vma->vm_flags == vm_flags,
  	 * so this tests vma->vm_flags & VM_SPECIAL, too.
  	 */
  	if (vm_flags & VM_SPECIAL)
  		return NULL;

  	next = vma_next(mm, prev);

  	area = next;

  	if (area && area->vm_end == end)		/* cases 6, 7, 8 */

  		next = next->vm_next;

  	/* verify some invariant that must be enforced by the caller */
  	VM_WARN_ON(prev && addr <= prev->vm_start);
  	VM_WARN_ON(area && end > area->vm_end);
  	VM_WARN_ON(addr >= end);

  	/*
  	 * Can it merge with the predecessor?
  	 */
  	if (prev && prev->vm_end == addr &&

  			mpol_equal(vma_policy(prev), policy) &&

  			can_vma_merge_after(prev, vm_flags,

  					    anon_vma, file, pgoff,

  					    vm_userfaultfd_ctx,
  					    anon_name)) {

  		/*
  		 * OK, it can.  Can we now merge in the successor as well?
  		 */
  		if (next && end == next->vm_start &&
  				mpol_equal(policy, vma_policy(next)) &&
  				can_vma_merge_before(next, vm_flags,

  						     anon_vma, file,
  						     pgoff+pglen,

  						     vm_userfaultfd_ctx,
  						     anon_name) &&

  				is_mergeable_anon_vma(prev->anon_vma,

  						      next->anon_vma, NULL)) {

  							/* cases 1, 6 */

  			err = __vma_adjust(prev, prev->vm_start,
  					 next->vm_end, prev->vm_pgoff, NULL,
  					 prev);

  		} else					/* cases 2, 5, 7 */

  			err = __vma_adjust(prev, prev->vm_start,
  					 end, prev->vm_pgoff, NULL, prev);

  		if (err)
  			return NULL;

  		khugepaged_enter_vma_merge(prev, vm_flags);

  		return prev;
  	}
  
  	/*
  	 * Can this new request be merged in front of next?
  	 */
  	if (next && end == next->vm_start &&

  			mpol_equal(policy, vma_policy(next)) &&

  			can_vma_merge_before(next, vm_flags,

  					     anon_vma, file, pgoff+pglen,

  					     vm_userfaultfd_ctx,
  					     anon_name)) {

  		if (prev && addr < prev->vm_end)	/* case 4 */

  			err = __vma_adjust(prev, prev->vm_start,
  					 addr, prev->vm_pgoff, NULL, next);
  		else {					/* cases 3, 8 */
  			err = __vma_adjust(area, addr, next->vm_end,
  					 next->vm_pgoff - pglen, NULL, next);
  			/*
  			 * In case 3 area is already equal to next and
  			 * this is a noop, but in case 8 "area" has
  			 * been removed and next was expanded over it.
  			 */
  			area = next;
  		}

  		if (err)
  			return NULL;

  		khugepaged_enter_vma_merge(area, vm_flags);

  		return area;
  	}
  
  	return NULL;
  }
  
  /*

   * Rough compatibility check to quickly see if it's even worth looking

   * at sharing an anon_vma.
   *
   * They need to have the same vm_file, and the flags can only differ
   * in things that mprotect may change.
   *
   * NOTE! The fact that we share an anon_vma doesn't _have_ to mean that
   * we can merge the two vma's. For example, we refuse to merge a vma if
   * there is a vm_ops->close() function, because that indicates that the
   * driver is doing some kind of reference counting. But that doesn't
   * really matter for the anon_vma sharing case.
   */
  static int anon_vma_compatible(struct vm_area_struct *a, struct vm_area_struct *b)
  {
  	return a->vm_end == b->vm_start &&
  		mpol_equal(vma_policy(a), vma_policy(b)) &&
  		a->vm_file == b->vm_file &&

  		!((a->vm_flags ^ b->vm_flags) & ~(VM_ACCESS_FLAGS | VM_SOFTDIRTY)) &&

  		b->vm_pgoff == a->vm_pgoff + ((b->vm_start - a->vm_start) >> PAGE_SHIFT);
  }
  
  /*
   * Do some basic sanity checking to see if we can re-use the anon_vma
   * from 'old'. The 'a'/'b' vma's are in VM order - one of them will be
   * the same as 'old', the other will be the new one that is trying
   * to share the anon_vma.
   *
   * NOTE! This runs with mm_sem held for reading, so it is possible that
   * the anon_vma of 'old' is concurrently in the process of being set up
   * by another page fault trying to merge _that_. But that's ok: if it
   * is being set up, that automatically means that it will be a singleton
   * acceptable for merging, so we can do all of this optimistically. But

   * we do that READ_ONCE() to make sure that we never re-load the pointer.

   *
   * IOW: that the "list_is_singular()" test on the anon_vma_chain only
   * matters for the 'stable anon_vma' case (ie the thing we want to avoid
   * is to return an anon_vma that is "complex" due to having gone through
   * a fork).
   *
   * We also make sure that the two vma's are compatible (adjacent,
   * and with the same memory policies). That's all stable, even with just
   * a read lock on the mm_sem.
   */
  static struct anon_vma *reusable_anon_vma(struct vm_area_struct *old, struct vm_area_struct *a, struct vm_area_struct *b)
  {
  	if (anon_vma_compatible(a, b)) {

  		struct anon_vma *anon_vma = READ_ONCE(old->anon_vma);

  
  		if (anon_vma && list_is_singular(&old->anon_vma_chain))
  			return anon_vma;
  	}
  	return NULL;
  }
  
  /*

   * find_mergeable_anon_vma is used by anon_vma_prepare, to check
   * neighbouring vmas for a suitable anon_vma, before it goes off
   * to allocate a new anon_vma.  It checks because a repetitive
   * sequence of mprotects and faults may otherwise lead to distinct
   * anon_vmas being allocated, preventing vma merge in subsequent
   * mprotect.
   */
  struct anon_vma *find_mergeable_anon_vma(struct vm_area_struct *vma)
  {

  	struct anon_vma *anon_vma = NULL;
  
  	/* Try next first. */
  	if (vma->vm_next) {
  		anon_vma = reusable_anon_vma(vma->vm_next, vma, vma->vm_next);
  		if (anon_vma)
  			return anon_vma;
  	}
  
  	/* Try prev next. */
  	if (vma->vm_prev)
  		anon_vma = reusable_anon_vma(vma->vm_prev, vma->vm_prev, vma);

  	/*

  	 * We might reach here with anon_vma == NULL if we can't find
  	 * any reusable anon_vma.

  	 * There's no absolute need to look only at touching neighbours:
  	 * we could search further afield for "compatible" anon_vmas.
  	 * But it would probably just be a waste of time searching,
  	 * or lead to too many vmas hanging off the same anon_vma.
  	 * We're trying to allow mprotect remerging later on,
  	 * not trying to minimize memory used for anon_vmas.
  	 */

  	return anon_vma;

  }

  /*

   * If a hint addr is less than mmap_min_addr change hint to be as
   * low as possible but still greater than mmap_min_addr
   */
  static inline unsigned long round_hint_to_min(unsigned long hint)
  {
  	hint &= PAGE_MASK;
  	if (((void *)hint != NULL) &&
  	    (hint < mmap_min_addr))
  		return PAGE_ALIGN(mmap_min_addr);
  	return hint;
  }

  static inline int mlock_future_check(struct mm_struct *mm,
  				     unsigned long flags,
  				     unsigned long len)
  {
  	unsigned long locked, lock_limit;
  
  	/*  mlock MCL_FUTURE? */
  	if (flags & VM_LOCKED) {
  		locked = len >> PAGE_SHIFT;
  		locked += mm->locked_vm;
  		lock_limit = rlimit(RLIMIT_MEMLOCK);
  		lock_limit >>= PAGE_SHIFT;
  		if (locked > lock_limit && !capable(CAP_IPC_LOCK))
  			return -EAGAIN;
  	}
  	return 0;
  }

  static inline u64 file_mmap_size_max(struct file *file, struct inode *inode)
  {
  	if (S_ISREG(inode->i_mode))

  		return MAX_LFS_FILESIZE;

  
  	if (S_ISBLK(inode->i_mode))
  		return MAX_LFS_FILESIZE;

  	if (S_ISSOCK(inode->i_mode))
  		return MAX_LFS_FILESIZE;

  	/* Special "we do even unsigned file positions" case */
  	if (file->f_mode & FMODE_UNSIGNED_OFFSET)
  		return 0;
  
  	/* Yes, random drivers might want more. But I'm tired of buggy drivers */
  	return ULONG_MAX;
  }
  
  static inline bool file_mmap_ok(struct file *file, struct inode *inode,
  				unsigned long pgoff, unsigned long len)
  {
  	u64 maxsize = file_mmap_size_max(file, inode);
  
  	if (maxsize && len > maxsize)
  		return false;
  	maxsize -= len;
  	if (pgoff > maxsize >> PAGE_SHIFT)
  		return false;
  	return true;
  }

  /*

   * The caller must write-lock current->mm->mmap_lock.

   */

  unsigned long do_mmap(struct file *file, unsigned long addr,

  			unsigned long len, unsigned long prot,

  			unsigned long flags, unsigned long pgoff,
  			unsigned long *populate, struct list_head *uf)

  {

  	struct mm_struct *mm = current->mm;

  	vm_flags_t vm_flags;

  	int pkey = 0;

  	*populate = 0;

  	if (!len)
  		return -EINVAL;

  	/*
  	 * Does the application expect PROT_READ to imply PROT_EXEC?
  	 *
  	 * (the exception is when the underlying filesystem is noexec
  	 *  mounted, in which case we dont add PROT_EXEC.)
  	 */
  	if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))

  		if (!(file && path_noexec(&file->f_path)))

  			prot |= PROT_EXEC;

  	/* force arch specific MAP_FIXED handling in get_unmapped_area */
  	if (flags & MAP_FIXED_NOREPLACE)
  		flags |= MAP_FIXED;

  	if (!(flags & MAP_FIXED))
  		addr = round_hint_to_min(addr);

  	/* Careful about overflows.. */
  	len = PAGE_ALIGN(len);

  	if (!len)

  		return -ENOMEM;
  
  	/* offset overflow? */
  	if ((pgoff + (len >> PAGE_SHIFT)) < pgoff)

  		return -EOVERFLOW;

  
  	/* Too many mappings? */
  	if (mm->map_count > sysctl_max_map_count)
  		return -ENOMEM;
  
  	/* Obtain the address to map to. we verify (or select) it and ensure
  	 * that it represents a valid section of the address space.
  	 */
  	addr = get_unmapped_area(file, addr, len, pgoff, flags);

  	if (IS_ERR_VALUE(addr))

  		return addr;

  	if (flags & MAP_FIXED_NOREPLACE) {
  		struct vm_area_struct *vma = find_vma(mm, addr);

  		if (vma && vma->vm_start < addr + len)

  			return -EEXIST;
  	}

  	if (prot == PROT_EXEC) {
  		pkey = execute_only_pkey(mm);
  		if (pkey < 0)
  			pkey = 0;
  	}

  	/* Do simple checking here so the lower-level routines won't have
  	 * to. we assume access permissions have been handled by the open
  	 * of the memory object, so we don't do any here.
  	 */

  	vm_flags = calc_vm_prot_bits(prot, pkey) | calc_vm_flag_bits(flags) |

  			mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;

  	if (flags & MAP_LOCKED)

  		if (!can_do_mlock())
  			return -EPERM;

  	if (mlock_future_check(mm, vm_flags, len))
  		return -EAGAIN;

  	if (file) {

  		struct inode *inode = file_inode(file);

  		unsigned long flags_mask;

  		if (!file_mmap_ok(file, inode, pgoff, len))
  			return -EOVERFLOW;

  		flags_mask = LEGACY_MAP_MASK | file->f_op->mmap_supported_flags;

  		switch (flags & MAP_TYPE) {
  		case MAP_SHARED:

  			/*
  			 * Force use of MAP_SHARED_VALIDATE with non-legacy
  			 * flags. E.g. MAP_SYNC is dangerous to use with
  			 * MAP_SHARED as you don't know which consistency model
  			 * you will get. We silently ignore unsupported flags
  			 * with MAP_SHARED to preserve backward compatibility.
  			 */
  			flags &= LEGACY_MAP_MASK;

  			fallthrough;

  		case MAP_SHARED_VALIDATE:
  			if (flags & ~flags_mask)
  				return -EOPNOTSUPP;

  			if (prot & PROT_WRITE) {
  				if (!(file->f_mode & FMODE_WRITE))
  					return -EACCES;
  				if (IS_SWAPFILE(file->f_mapping->host))
  					return -ETXTBSY;
  			}

  
  			/*
  			 * Make sure we don't allow writing to an append-only
  			 * file..
  			 */
  			if (IS_APPEND(inode) && (file->f_mode & FMODE_WRITE))
  				return -EACCES;
  
  			/*
  			 * Make sure there are no mandatory locks on the file.
  			 */

  			if (locks_verify_locked(file))

  				return -EAGAIN;
  
  			vm_flags |= VM_SHARED | VM_MAYSHARE;
  			if (!(file->f_mode & FMODE_WRITE))
  				vm_flags &= ~(VM_MAYWRITE | VM_SHARED);

  			fallthrough;

  		case MAP_PRIVATE:
  			if (!(file->f_mode & FMODE_READ))
  				return -EACCES;

  			if (path_noexec(&file->f_path)) {

  				if (vm_flags & VM_EXEC)
  					return -EPERM;
  				vm_flags &= ~VM_MAYEXEC;
  			}

  			if (!file->f_op->mmap)

  				return -ENODEV;

  			if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP))
  				return -EINVAL;

  			break;
  
  		default:
  			return -EINVAL;
  		}
  	} else {
  		switch (flags & MAP_TYPE) {
  		case MAP_SHARED:

  			if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP))
  				return -EINVAL;

  			/*
  			 * Ignore pgoff.
  			 */
  			pgoff = 0;

  			vm_flags |= VM_SHARED | VM_MAYSHARE;
  			break;
  		case MAP_PRIVATE:
  			/*
  			 * Set pgoff according to addr for anon_vma.
  			 */
  			pgoff = addr >> PAGE_SHIFT;
  			break;
  		default:
  			return -EINVAL;
  		}
  	}

  	/*
  	 * Set 'VM_NORESERVE' if we should not account for the
  	 * memory use of this mapping.
  	 */
  	if (flags & MAP_NORESERVE) {
  		/* We honor MAP_NORESERVE if allowed to overcommit */
  		if (sysctl_overcommit_memory != OVERCOMMIT_NEVER)
  			vm_flags |= VM_NORESERVE;
  
  		/* hugetlb applies strict overcommit unless MAP_NORESERVE */
  		if (file && is_file_hugepages(file))
  			vm_flags |= VM_NORESERVE;
  	}

  	addr = mmap_region(file, addr, len, vm_flags, pgoff, uf);

  	if (!IS_ERR_VALUE(addr) &&
  	    ((vm_flags & VM_LOCKED) ||
  	     (flags & (MAP_POPULATE | MAP_NONBLOCK)) == MAP_POPULATE))

  		*populate = len;

  	return addr;

  }

  unsigned long ksys_mmap_pgoff(unsigned long addr, unsigned long len,
  			      unsigned long prot, unsigned long flags,
  			      unsigned long fd, unsigned long pgoff)

  {
  	struct file *file = NULL;

  	unsigned long retval;

  
  	if (!(flags & MAP_ANONYMOUS)) {

  		audit_mmap_fd(fd, flags);

  		file = fget(fd);
  		if (!file)

  			return -EBADF;

  		if (is_file_hugepages(file)) {

  			len = ALIGN(len, huge_page_size(hstate_file(file)));

  		} else if (unlikely(flags & MAP_HUGETLB)) {
  			retval = -EINVAL;

  			goto out_fput;

  		}

  	} else if (flags & MAP_HUGETLB) {
  		struct user_struct *user = NULL;

  		struct hstate *hs;

  		hs = hstate_sizelog((flags >> MAP_HUGE_SHIFT) & MAP_HUGE_MASK);

  		if (!hs)
  			return -EINVAL;
  
  		len = ALIGN(len, huge_page_size(hs));

  		/*
  		 * VM_NORESERVE is used because the reservations will be
  		 * taken when vm_ops->mmap() is called
  		 * A dummy user value is used because we are not locking
  		 * memory so no accounting is necessary
  		 */

  		file = hugetlb_file_setup(HUGETLB_ANON_FILE, len,

  				VM_NORESERVE,
  				&user, HUGETLB_ANONHUGE_INODE,
  				(flags >> MAP_HUGE_SHIFT) & MAP_HUGE_MASK);

  		if (IS_ERR(file))
  			return PTR_ERR(file);
  	}
  
  	flags &= ~(MAP_EXECUTABLE | MAP_DENYWRITE);

  	retval = vm_mmap_pgoff(file, addr, len, prot, flags, pgoff);

  out_fput:

  	if (file)
  		fput(file);

  	return retval;
  }

  SYSCALL_DEFINE6(mmap_pgoff, unsigned long, addr, unsigned long, len,
  		unsigned long, prot, unsigned long, flags,
  		unsigned long, fd, unsigned long, pgoff)
  {
  	return ksys_mmap_pgoff(addr, len, prot, flags, fd, pgoff);
  }

  #ifdef __ARCH_WANT_SYS_OLD_MMAP
  struct mmap_arg_struct {
  	unsigned long addr;
  	unsigned long len;
  	unsigned long prot;
  	unsigned long flags;
  	unsigned long fd;
  	unsigned long offset;
  };
  
  SYSCALL_DEFINE1(old_mmap, struct mmap_arg_struct __user *, arg)
  {
  	struct mmap_arg_struct a;
  
  	if (copy_from_user(&a, arg, sizeof(a)))
  		return -EFAULT;

  	if (offset_in_page(a.offset))

  		return -EINVAL;

  	return ksys_mmap_pgoff(a.addr, a.len, a.prot, a.flags, a.fd,
  			       a.offset >> PAGE_SHIFT);

  }
  #endif /* __ARCH_WANT_SYS_OLD_MMAP */

  /*

   * Some shared mappings will want the pages marked read-only

   * to track write events. If so, we'll downgrade vm_page_prot
   * to the private version (using protection_map[] without the
   * VM_SHARED bit).
   */

  int vma_wants_writenotify(struct vm_area_struct *vma, pgprot_t vm_page_prot)

  {

  	vm_flags_t vm_flags = vma->vm_flags;

  	const struct vm_operations_struct *vm_ops = vma->vm_ops;

  
  	/* If it was private or non-writable, the write bit is already clear */
  	if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
  		return 0;
  
  	/* The backer wishes to know when pages are first written to? */

  	if (vm_ops && (vm_ops->page_mkwrite || vm_ops->pfn_mkwrite))

  		return 1;

  	/* The open routine did something to the protections that pgprot_modify
  	 * won't preserve? */

  	if (pgprot_val(vm_page_prot) !=
  	    pgprot_val(vm_pgprot_modify(vm_page_prot, vm_flags)))

  		return 0;

  	/* Do we need to track softdirty? */
  	if (IS_ENABLED(CONFIG_MEM_SOFT_DIRTY) && !(vm_flags & VM_SOFTDIRTY))
  		return 1;

  	/* Specialty mapping? */

  	if (vm_flags & VM_PFNMAP)

  		return 0;
  
  	/* Can the mapping track the dirty pages? */
  	return vma->vm_file && vma->vm_file->f_mapping &&

  		mapping_can_writeback(vma->vm_file->f_mapping);

  }

  /*
   * We account for memory if it's a private writeable mapping,

   * not hugepages and VM_NORESERVE wasn't set.

   */

  static inline int accountable_mapping(struct file *file, vm_flags_t vm_flags)

  {

  	/*
  	 * hugetlb has its own accounting separate from the core VM
  	 * VM_HUGETLB may not be set yet so we cannot check for that flag.
  	 */
  	if (file && is_file_hugepages(file))
  		return 0;

  	return (vm_flags & (VM_NORESERVE | VM_SHARED | VM_WRITE)) == VM_WRITE;
  }

  unsigned long mmap_region(struct file *file, unsigned long addr,

  		unsigned long len, vm_flags_t vm_flags, unsigned long pgoff,
  		struct list_head *uf)

  {
  	struct mm_struct *mm = current->mm;

  	struct vm_area_struct *vma, *prev, *merge;

  	int error;
  	struct rb_node **rb_link, *rb_parent;
  	unsigned long charged = 0;

  	/* Check against address space limit. */

  	if (!may_expand_vm(mm, vm_flags, len >> PAGE_SHIFT)) {

  		unsigned long nr_pages;
  
  		/*
  		 * MAP_FIXED may remove pages of mappings that intersects with
  		 * requested mapping. Account for the pages it would unmap.
  		 */

  		nr_pages = count_vma_pages_range(mm, addr, addr + len);

  		if (!may_expand_vm(mm, vm_flags,
  					(len >> PAGE_SHIFT) - nr_pages))

  			return -ENOMEM;
  	}

  	/* Clear old maps, set up prev, rb_link, rb_parent, and uf */
  	if (munmap_vma_range(mm, addr, len, &prev, &rb_link, &rb_parent, uf))
  		return -ENOMEM;

  	/*

  	 * Private writable mapping: check memory availability
  	 */

  	if (accountable_mapping(file, vm_flags)) {

  		charged = len >> PAGE_SHIFT;

  		if (security_vm_enough_memory_mm(mm, charged))

  			return -ENOMEM;
  		vm_flags |= VM_ACCOUNT;

  	}
  
  	/*

  	 * Can we just expand an old mapping?

  	 */

  	vma = vma_merge(mm, prev, addr, addr + len, vm_flags,

  			NULL, file, pgoff, NULL, NULL_VM_UFFD_CTX, NULL);

  	if (vma)
  		goto out;

  
  	/*
  	 * Determine the object being mapped and call the appropriate
  	 * specific mapper. the address has already been validated, but
  	 * not unmapped, but the maps are removed from the list.
  	 */