diff options
author | Hugh Dickins <hugh@veritas.com> | 2005-09-14 01:13:02 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2005-09-14 14:18:13 -0400 |
commit | 2fd4ef85e0db9ed75c98e13953257a967ea55e03 (patch) | |
tree | 119dfe9f88a832f3db6ff66e631112626f268f18 /arch | |
parent | fb085cf1d4294824571815d487daccc0609543f0 (diff) |
[PATCH] error path in setup_arg_pages() misses vm_unacct_memory()
Pavel Emelianov and Kirill Korotaev observe that fs and arch users of
security_vm_enough_memory tend to forget to vm_unacct_memory when a
failure occurs further down (typically in setup_arg_pages variants).
These are all users of insert_vm_struct, and that reservation will only
be unaccounted on exit if the vma is marked VM_ACCOUNT: which in some
cases it is (hidden inside VM_STACK_FLAGS) and in some cases it isn't.
So x86_64 32-bit and ppc64 vDSO ELFs have been leaking memory into
Committed_AS each time they're run. But don't add VM_ACCOUNT to them,
it's inappropriate to reserve against the very unlikely case that gdb
be used to COW a vDSO page - we ought to do something about that in
do_wp_page, but there are yet other inconsistencies to be resolved.
The safe and economical way to fix this is to let insert_vm_struct do
the security_vm_enough_memory check when it finds VM_ACCOUNT is set.
And the MIPS irix_brk has been calling security_vm_enough_memory before
calling do_brk which repeats it, doubly accounting and so also leaking.
Remove that, and all the fs and arch calls to security_vm_enough_memory:
give it a less misleading name later on.
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-Off-By: Kirill Korotaev <dev@sw.ru>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'arch')
-rw-r--r-- | arch/ia64/ia32/binfmt_elf32.c | 6 | ||||
-rw-r--r-- | arch/mips/kernel/sysirix.c | 9 | ||||
-rw-r--r-- | arch/ppc64/kernel/vdso.c | 15 | ||||
-rw-r--r-- | arch/x86_64/ia32/ia32_binfmt.c | 5 | ||||
-rw-r--r-- | arch/x86_64/ia32/syscall32.c | 6 |
5 files changed, 12 insertions, 29 deletions
diff --git a/arch/ia64/ia32/binfmt_elf32.c b/arch/ia64/ia32/binfmt_elf32.c index 31de70b7c67f..a7280d9f6c16 100644 --- a/arch/ia64/ia32/binfmt_elf32.c +++ b/arch/ia64/ia32/binfmt_elf32.c | |||
@@ -216,12 +216,6 @@ ia32_setup_arg_pages (struct linux_binprm *bprm, int executable_stack) | |||
216 | if (!mpnt) | 216 | if (!mpnt) |
217 | return -ENOMEM; | 217 | return -ENOMEM; |
218 | 218 | ||
219 | if (security_vm_enough_memory((IA32_STACK_TOP - (PAGE_MASK & (unsigned long) bprm->p)) | ||
220 | >> PAGE_SHIFT)) { | ||
221 | kmem_cache_free(vm_area_cachep, mpnt); | ||
222 | return -ENOMEM; | ||
223 | } | ||
224 | |||
225 | memset(mpnt, 0, sizeof(*mpnt)); | 219 | memset(mpnt, 0, sizeof(*mpnt)); |
226 | 220 | ||
227 | down_write(¤t->mm->mmap_sem); | 221 | down_write(¤t->mm->mmap_sem); |
diff --git a/arch/mips/kernel/sysirix.c b/arch/mips/kernel/sysirix.c index 4de155699c4f..7ae4af476974 100644 --- a/arch/mips/kernel/sysirix.c +++ b/arch/mips/kernel/sysirix.c | |||
@@ -581,18 +581,13 @@ asmlinkage int irix_brk(unsigned long brk) | |||
581 | } | 581 | } |
582 | 582 | ||
583 | /* | 583 | /* |
584 | * Check if we have enough memory.. | 584 | * Ok, looks good - let it rip. |
585 | */ | 585 | */ |
586 | if (security_vm_enough_memory((newbrk-oldbrk) >> PAGE_SHIFT)) { | 586 | if (do_brk(oldbrk, newbrk-oldbrk) != oldbrk) { |
587 | ret = -ENOMEM; | 587 | ret = -ENOMEM; |
588 | goto out; | 588 | goto out; |
589 | } | 589 | } |
590 | |||
591 | /* | ||
592 | * Ok, looks good - let it rip. | ||
593 | */ | ||
594 | mm->brk = brk; | 590 | mm->brk = brk; |
595 | do_brk(oldbrk, newbrk-oldbrk); | ||
596 | ret = 0; | 591 | ret = 0; |
597 | 592 | ||
598 | out: | 593 | out: |
diff --git a/arch/ppc64/kernel/vdso.c b/arch/ppc64/kernel/vdso.c index 4777676365fe..efa985f05aca 100644 --- a/arch/ppc64/kernel/vdso.c +++ b/arch/ppc64/kernel/vdso.c | |||
@@ -224,10 +224,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int executable_stack) | |||
224 | vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL); | 224 | vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL); |
225 | if (vma == NULL) | 225 | if (vma == NULL) |
226 | return -ENOMEM; | 226 | return -ENOMEM; |
227 | if (security_vm_enough_memory(vdso_pages)) { | 227 | |
228 | kmem_cache_free(vm_area_cachep, vma); | ||
229 | return -ENOMEM; | ||
230 | } | ||
231 | memset(vma, 0, sizeof(*vma)); | 228 | memset(vma, 0, sizeof(*vma)); |
232 | 229 | ||
233 | /* | 230 | /* |
@@ -237,8 +234,10 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int executable_stack) | |||
237 | */ | 234 | */ |
238 | vdso_base = get_unmapped_area(NULL, vdso_base, | 235 | vdso_base = get_unmapped_area(NULL, vdso_base, |
239 | vdso_pages << PAGE_SHIFT, 0, 0); | 236 | vdso_pages << PAGE_SHIFT, 0, 0); |
240 | if (vdso_base & ~PAGE_MASK) | 237 | if (vdso_base & ~PAGE_MASK) { |
238 | kmem_cache_free(vm_area_cachep, vma); | ||
241 | return (int)vdso_base; | 239 | return (int)vdso_base; |
240 | } | ||
242 | 241 | ||
243 | current->thread.vdso_base = vdso_base; | 242 | current->thread.vdso_base = vdso_base; |
244 | 243 | ||
@@ -266,7 +265,11 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int executable_stack) | |||
266 | vma->vm_ops = &vdso_vmops; | 265 | vma->vm_ops = &vdso_vmops; |
267 | 266 | ||
268 | down_write(&mm->mmap_sem); | 267 | down_write(&mm->mmap_sem); |
269 | insert_vm_struct(mm, vma); | 268 | if (insert_vm_struct(mm, vma)) { |
269 | up_write(&mm->mmap_sem); | ||
270 | kmem_cache_free(vm_area_cachep, vma); | ||
271 | return -ENOMEM; | ||
272 | } | ||
270 | mm->total_vm += (vma->vm_end - vma->vm_start) >> PAGE_SHIFT; | 273 | mm->total_vm += (vma->vm_end - vma->vm_start) >> PAGE_SHIFT; |
271 | up_write(&mm->mmap_sem); | 274 | up_write(&mm->mmap_sem); |
272 | 275 | ||
diff --git a/arch/x86_64/ia32/ia32_binfmt.c b/arch/x86_64/ia32/ia32_binfmt.c index c8131f342cfc..d9161e395978 100644 --- a/arch/x86_64/ia32/ia32_binfmt.c +++ b/arch/x86_64/ia32/ia32_binfmt.c | |||
@@ -353,11 +353,6 @@ int setup_arg_pages(struct linux_binprm *bprm, unsigned long stack_top, int exec | |||
353 | mpnt = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL); | 353 | mpnt = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL); |
354 | if (!mpnt) | 354 | if (!mpnt) |
355 | return -ENOMEM; | 355 | return -ENOMEM; |
356 | |||
357 | if (security_vm_enough_memory((IA32_STACK_TOP - (PAGE_MASK & (unsigned long) bprm->p))>>PAGE_SHIFT)) { | ||
358 | kmem_cache_free(vm_area_cachep, mpnt); | ||
359 | return -ENOMEM; | ||
360 | } | ||
361 | 356 | ||
362 | memset(mpnt, 0, sizeof(*mpnt)); | 357 | memset(mpnt, 0, sizeof(*mpnt)); |
363 | 358 | ||
diff --git a/arch/x86_64/ia32/syscall32.c b/arch/x86_64/ia32/syscall32.c index adbc5f8089e9..3a01329473ab 100644 --- a/arch/x86_64/ia32/syscall32.c +++ b/arch/x86_64/ia32/syscall32.c | |||
@@ -52,17 +52,13 @@ int syscall32_setup_pages(struct linux_binprm *bprm, int exstack) | |||
52 | vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL); | 52 | vma = kmem_cache_alloc(vm_area_cachep, SLAB_KERNEL); |
53 | if (!vma) | 53 | if (!vma) |
54 | return -ENOMEM; | 54 | return -ENOMEM; |
55 | if (security_vm_enough_memory(npages)) { | ||
56 | kmem_cache_free(vm_area_cachep, vma); | ||
57 | return -ENOMEM; | ||
58 | } | ||
59 | 55 | ||
60 | memset(vma, 0, sizeof(struct vm_area_struct)); | 56 | memset(vma, 0, sizeof(struct vm_area_struct)); |
61 | /* Could randomize here */ | 57 | /* Could randomize here */ |
62 | vma->vm_start = VSYSCALL32_BASE; | 58 | vma->vm_start = VSYSCALL32_BASE; |
63 | vma->vm_end = VSYSCALL32_END; | 59 | vma->vm_end = VSYSCALL32_END; |
64 | /* MAYWRITE to allow gdb to COW and set breakpoints */ | 60 | /* MAYWRITE to allow gdb to COW and set breakpoints */ |
65 | vma->vm_flags = VM_READ|VM_EXEC|VM_MAYREAD|VM_MAYEXEC|VM_MAYEXEC|VM_MAYWRITE; | 61 | vma->vm_flags = VM_READ|VM_EXEC|VM_MAYREAD|VM_MAYEXEC|VM_MAYWRITE; |
66 | vma->vm_flags |= mm->def_flags; | 62 | vma->vm_flags |= mm->def_flags; |
67 | vma->vm_page_prot = protection_map[vma->vm_flags & 7]; | 63 | vma->vm_page_prot = protection_map[vma->vm_flags & 7]; |
68 | vma->vm_ops = &syscall32_vm_ops; | 64 | vma->vm_ops = &syscall32_vm_ops; |