On 15.09.25 18:36, Kalesh Singh wrote:
> The VMA count limit check in do_mmap() and do_brk_flags() uses a strict
> inequality (>), which allows a process's VMA count to exceed the configured
> sysctl_max_map_count limit by one. A process with
> mm->map_count == sysctl_max_map_count will incorrectly pass this check and
> then exceed the limit upon allocation of a new VMA when its map_count is
> incremented.
>
> Other VMA allocation paths, such as split_vma(), already use the correct,
> inclusive (>=) comparison.
>
> Fix this bug by changing the comparison to be inclusive in do_mmap() and
> do_brk_flags(), bringing them in line with the correct behavior of other
> allocation paths.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: <[email protected]>
> Cc: Andrew Morton <[email protected]>
> Cc: David Hildenbrand <[email protected]>
> Cc: "Liam R. Howlett" <[email protected]>
> Cc: Lorenzo Stoakes <[email protected]>
> Cc: Mike Rapoport <[email protected]>
> Cc: Minchan Kim <[email protected]>
> Cc: Pedro Falcato <[email protected]>
> Signed-off-by: Kalesh Singh <[email protected]>
> ---
Reviewed-by: David Hildenbrand <[email protected]>

-- 
Cheers

David / dhildenb
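To make the off-by-one in the commit message concrete, here is an added userspace model of the limit check (not kernel code and not part of this thread). It keeps only a stand-in for mm->map_count, uses a constructed limit of 8 in place of sysctl_max_map_count, and runs both the strict (>) check the patch removes and the inclusive (>=) check that split_vma() already uses, counting how many "allocations" each one admits before refusing. The function and struct names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for sysctl_max_map_count; the real default is much larger. */
#define MAX_MAP_COUNT 8

/* Minimal model of mm_struct: only the field the check reads. */
struct mm_model {
    int map_count;
};

/* Pre-fix check as described in the thread: strict '>' still passes when
 * map_count already equals the limit, so the next increment overshoots it. */
static bool may_alloc_vma_strict(const struct mm_model *mm, int max_map_count)
{
    return !(mm->map_count > max_map_count);
}

/* Post-fix check: inclusive '>=', matching the comparison in split_vma(). */
static bool may_alloc_vma_inclusive(const struct mm_model *mm, int max_map_count)
{
    return !(mm->map_count >= max_map_count);
}

/* Simulates allocating one VMA at a time until the check refuses, and returns
 * the final map_count. A correct limit never lets this exceed max_map_count. */
static int fill_until_refused(bool (*may_alloc)(const struct mm_model *, int),
                              int max_map_count)
{
    struct mm_model mm = { .map_count = 0 };

    /* Bounded loop so a badly broken check cannot spin forever. */
    for (int i = 0; i < max_map_count + 16; i++) {
        if (!may_alloc(&mm, max_map_count))
            break;
        mm.map_count++;   /* the allocation that follows a passing check */
    }
    return mm.map_count;
}

/* Returns 1 if the check keeps map_count within the limit, 0 if it overshoots. */
static int check_enforces_limit(bool (*may_alloc)(const struct mm_model *, int),
                                int max_map_count)
{
    return fill_until_refused(may_alloc, max_map_count) <= max_map_count;
}

int main(void)
{
    printf("strict (>):     final map_count = %d (limit %d)\n",
           fill_until_refused(may_alloc_vma_strict, MAX_MAP_COUNT), MAX_MAP_COUNT);
    printf("inclusive (>=): final map_count = %d (limit %d)\n",
           fill_until_refused(may_alloc_vma_inclusive, MAX_MAP_COUNT), MAX_MAP_COUNT);
    return 0;
}
```

With the constructed limit of 8, the strict variant admits a ninth VMA before refusing, while the inclusive variant stops at exactly 8; the same one-past-the-limit behaviour is what the patch corrects in do_mmap() and do_brk_flags().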
