aboutsummaryrefslogtreecommitdiffstats
path: root/fs/proc
diff options
context:
space:
mode:
authorOleg Nesterov <oleg@redhat.com>2012-01-31 17:15:11 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2012-02-13 11:06:06 -0800
commit0053779e04bbfabe31287245d89ad10bb66e758a (patch)
treeae6f94741a12acee80124e25beb0cd62d3990cfb /fs/proc
parentb49767a65a6454f7d546068a785e25dbb0eabbcd (diff)
downloadkernel_samsung_aries-0053779e04bbfabe31287245d89ad10bb66e758a.zip
kernel_samsung_aries-0053779e04bbfabe31287245d89ad10bb66e758a.tar.gz
kernel_samsung_aries-0053779e04bbfabe31287245d89ad10bb66e758a.tar.bz2
proc: make sure mem_open() doesn't pin the target's memory
commit 6d08f2c7139790c268820a2e590795cb8333181a upstream. Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Signed-off-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/proc')
-rw-r--r--fs/proc/base.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 49b82be..22794e8 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -775,6 +775,13 @@ static int mem_open(struct inode* inode, struct file* file)
if (IS_ERR(mm))
return PTR_ERR(mm);
+ if (mm) {
+ /* ensure this mm_struct can't be freed */
+ atomic_inc(&mm->mm_count);
+ /* but do not pin its memory */
+ mmput(mm);
+ }
+
/* OK to pass negative loff_t, we can catch out-of-range */
file->f_mode |= FMODE_UNSIGNED_OFFSET;
file->private_data = mm;
@@ -798,6 +805,9 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
return -ENOMEM;
copied = 0;
+ if (!atomic_inc_not_zero(&mm->mm_users))
+ goto free;
+
while (count > 0) {
int this_len = min_t(int, count, PAGE_SIZE);
@@ -825,6 +835,8 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
}
*ppos = addr;
+ mmput(mm);
+free:
free_page((unsigned long) page);
return copied;
}
@@ -861,7 +873,7 @@ static int mem_release(struct inode *inode, struct file *file)
{
struct mm_struct *mm = file->private_data;
if (mm)
- mmput(mm);
+ mmdrop(mm);
return 0;
}