mmap: fix copy_vma() failure path

The anon vma was not unlinked and the file was not closed in the failure
path when the machine runs out of memory during the maple tree
modification.  This caused a memory leak of the anon vma chain and vma
since neither would be freed.

Link: https://lkml.kernel.org/r/[email protected]
Fixes: 524e00b ("mm: remove rb tree")
Signed-off-by: Liam R. Howlett <[email protected]>
Reported-by: Lukas Bulwahn <[email protected]>
Tested-by: Lukas Bulwahn <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>

Author: howlett

mm/mmap.c

@@ -3240,6 +3240,11 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
 out_vma_link:
 	if (new_vma->vm_ops && new_vma->vm_ops->close)
 		new_vma->vm_ops->close(new_vma);
+
+	if (new_vma->vm_file)
+		fput(new_vma->vm_file);
+
+	unlink_anon_vmas(new_vma);
 out_free_mempol:
 	mpol_put(vma_policy(new_vma));
 out_free_vma: