authorKOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>2011-05-26 19:25:52 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2011-05-26 20:12:37 -0400
commit30cd8903913dac7b0918807cac46be3ecde5a5a7 (patch)
tree64022195d9a384c11b93a4b1299aa944b8293deb /fs/proc/base.c
parenta4dbf0ec2aa3e8aca6e63f598095750c232d50f1 (diff)
proc: put check_mem_permission after __get_free_page in mem_write
It would be better to put check_mem_permission after __get_free_page in mem_write, to be the same as function mem_read. Hugh Dickins explained the reason. check_mem_permission gets a reference to the mm. If we __get_free_page after check_mem_permission, imagine what happens if the system is out of memory, and the mm we're looking at is selected for killing by the OOM killer: while we wait in __get_free_page for more memory, no memory is freed from the selected mm because it cannot reach exit_mmap while we hold that reference. Reported-by: Jovi Zhang <bookjovi@gmail.com> Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Acked-by: Hugh Dickins <hughd@google.com> Reviewed-by: Stephen Wilson <wilsons@start.ca> Cc: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/proc/base.c')
-rw-r--r--fs/proc/base.c16
1 files changed, 9 insertions, 7 deletions
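--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -894,20 +894,20 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
 if (!task)
 goto out_no_task;
 
+copied = -ENOMEM;
+page = (char *)__get_free_page(GFP_TEMPORARY);
+if (!page)
+goto out_task;
+
 mm = check_mem_permission(task);
 copied = PTR_ERR(mm);
 if (IS_ERR(mm))
-goto out_task;
+goto out_free;
 
 copied = -EIO;
 if (file->private_data != (void *)((long)current->self_exec_id))
 goto out_mm;
 
-copied = -ENOMEM;
-page = (char *)__get_free_page(GFP_TEMPORARY);
-if (!page)
-goto out_mm;
-
 copied = 0;
 while (count > 0) {
 int this_len, retval;
@@ -929,9 +929,11 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
 count -= retval;
 }
 *ppos = dst;
-free_page((unsigned long) page);
+
 out_mm:
 mmput(mm);
+out_free:
+free_page((unsigned long) page);
 out_task:
 put_task_struct(task);
 out_no_task: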
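Review bot: The new ordering in the first hunk — __get_free_page() before check_mem_permission() — is deliberate but reads as backwards to anyone expecting the authorization check first, and nothing in the code records why, so a later cleanup could quietly revert it; a comment above the allocation such as `/* Allocate before check_mem_permission(): it takes a reference on the mm, and blocking in the allocator while holding that reference would keep the OOM killer from reclaiming that mm. */` would pin the intent. The commit message says mem_read already uses this order, so the comment could also name mem_read so the two paths stay in step. The cost of the reordering is bounded to one page allocated and immediately released for a caller that fails the permission check, which the new out_free label frees on every exit path after the allocation. mem_write's body begins before the first hunk and continues past the second.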