diff options
| author | KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> | 2011-05-26 19:25:52 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-05-26 20:12:37 -0400 |
| commit | 30cd8903913dac7b0918807cac46be3ecde5a5a7 (patch) | |
| tree | 64022195d9a384c11b93a4b1299aa944b8293deb /fs/proc | |
| parent | a4dbf0ec2aa3e8aca6e63f598095750c232d50f1 (diff) | |
proc: put check_mem_permission after __get_free_page in mem_write
It whould be better if put check_mem_permission after __get_free_page in
mem_write, to be same as function mem_read.
Hugh Dickins explained the reason.
check_mem_permission gets a reference to the mm. If we __get_free_page
after check_mem_permission, imagine what happens if the system is out
of memory, and the mm we're looking at is selected for killing by the
OOM killer: while we wait in __get_free_page for more memory, no memory
is freed from the selected mm because it cannot reach exit_mmap while
we hold that reference.
Reported-by: Jovi Zhang <bookjovi@gmail.com>
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Stephen Wilson <wilsons@start.ca>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/proc')
| -rw-r--r-- | fs/proc/base.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/fs/proc/base.c b/fs/proc/base.c index 0c2c50cc2cca..4ede550517a6 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c | |||
| @@ -894,20 +894,20 @@ static ssize_t mem_write(struct file * file, const char __user *buf, | |||
| 894 | if (!task) | 894 | if (!task) |
| 895 | goto out_no_task; | 895 | goto out_no_task; |
| 896 | 896 | ||
| 897 | copied = -ENOMEM; | ||
| 898 | page = (char *)__get_free_page(GFP_TEMPORARY); | ||
| 899 | if (!page) | ||
| 900 | goto out_task; | ||
| 901 | |||
| 897 | mm = check_mem_permission(task); | 902 | mm = check_mem_permission(task); |
| 898 | copied = PTR_ERR(mm); | 903 | copied = PTR_ERR(mm); |
| 899 | if (IS_ERR(mm)) | 904 | if (IS_ERR(mm)) |
| 900 | goto out_task; | 905 | goto out_free; |
| 901 | 906 | ||
| 902 | copied = -EIO; | 907 | copied = -EIO; |
| 903 | if (file->private_data != (void *)((long)current->self_exec_id)) | 908 | if (file->private_data != (void *)((long)current->self_exec_id)) |
| 904 | goto out_mm; | 909 | goto out_mm; |
| 905 | 910 | ||
| 906 | copied = -ENOMEM; | ||
| 907 | page = (char *)__get_free_page(GFP_TEMPORARY); | ||
| 908 | if (!page) | ||
| 909 | goto out_mm; | ||
| 910 | |||
| 911 | copied = 0; | 911 | copied = 0; |
| 912 | while (count > 0) { | 912 | while (count > 0) { |
| 913 | int this_len, retval; | 913 | int this_len, retval; |
| @@ -929,9 +929,11 @@ static ssize_t mem_write(struct file * file, const char __user *buf, | |||
| 929 | count -= retval; | 929 | count -= retval; |
| 930 | } | 930 | } |
| 931 | *ppos = dst; | 931 | *ppos = dst; |
| 932 | free_page((unsigned long) page); | 932 | |
| 933 | out_mm: | 933 | out_mm: |
| 934 | mmput(mm); | 934 | mmput(mm); |
| 935 | out_free: | ||
| 936 | free_page((unsigned long) page); | ||
| 935 | out_task: | 937 | out_task: |
| 936 | put_task_struct(task); | 938 | put_task_struct(task); |
| 937 | out_no_task: | 939 | out_no_task: |