aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOleg Nesterov <oleg@redhat.com>2012-01-31 11:15:11 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2012-02-01 17:39:01 -0500
commit6d08f2c7139790c268820a2e590795cb8333181a (patch)
tree78b2773b8ca6949f9561af641908e4086ba193cb
parent572d34b946bae070debd42db1143034d9687e13f (diff)
proc: make sure mem_open() doesn't pin the target's memory
Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--fs/proc/base.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/fs/proc/base.c b/fs/proc/base.c
index be1909041685..d9512bd03e6c 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -711,6 +711,13 @@ static int mem_open(struct inode* inode, struct file* file)
711 if (IS_ERR(mm)) 711 if (IS_ERR(mm))
712 return PTR_ERR(mm); 712 return PTR_ERR(mm);
713 713
714 if (mm) {
715 /* ensure this mm_struct can't be freed */
716 atomic_inc(&mm->mm_count);
717 /* but do not pin its memory */
718 mmput(mm);
719 }
720
714 /* OK to pass negative loff_t, we can catch out-of-range */ 721 /* OK to pass negative loff_t, we can catch out-of-range */
715 file->f_mode |= FMODE_UNSIGNED_OFFSET; 722 file->f_mode |= FMODE_UNSIGNED_OFFSET;
716 file->private_data = mm; 723 file->private_data = mm;
@@ -734,6 +741,9 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
734 return -ENOMEM; 741 return -ENOMEM;
735 742
736 copied = 0; 743 copied = 0;
744 if (!atomic_inc_not_zero(&mm->mm_users))
745 goto free;
746
737 while (count > 0) { 747 while (count > 0) {
738 int this_len = min_t(int, count, PAGE_SIZE); 748 int this_len = min_t(int, count, PAGE_SIZE);
739 749
@@ -761,6 +771,8 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
761 } 771 }
762 *ppos = addr; 772 *ppos = addr;
763 773
774 mmput(mm);
775free:
764 free_page((unsigned long) page); 776 free_page((unsigned long) page);
765 return copied; 777 return copied;
766} 778}
@@ -797,7 +809,7 @@ static int mem_release(struct inode *inode, struct file *file)
797{ 809{
798 struct mm_struct *mm = file->private_data; 810 struct mm_struct *mm = file->private_data;
799 if (mm) 811 if (mm)
800 mmput(mm); 812 mmdrop(mm);
801 return 0; 813 return 0;
802} 814}
803 815