Commit 43904e95 authored by Oleg Nesterov's avatar Oleg Nesterov Committed by Greg Kroah-Hartman

proc: make sure mem_open() doesn't pin the target's memory

commit 6d08f2c7 upstream.

Once /proc/pid/mem is opened, the memory can't be released until
mem_release() even if its owner exits.

Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
before access_remote_vm(), this verifies that this mm is still alive.

I am not sure what should mem_rw() return if atomic_inc_not_zero()
fails. With this patch it returns zero to match the "mm == NULL" case,
may be it should return -EINVAL like it did before e268337d.

Perhaps it makes sense to add the additional fatal_signal_pending()
check into the main loop, to ensure we do not hold this memory if
the target task was oom-killed.
Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 034089b6
...@@ -775,6 +775,13 @@ static int mem_open(struct inode* inode, struct file* file) ...@@ -775,6 +775,13 @@ static int mem_open(struct inode* inode, struct file* file)
if (IS_ERR(mm)) if (IS_ERR(mm))
return PTR_ERR(mm); return PTR_ERR(mm);
if (mm) {
/* ensure this mm_struct can't be freed */
atomic_inc(&mm->mm_count);
/* but do not pin its memory */
mmput(mm);
}
/* OK to pass negative loff_t, we can catch out-of-range */ /* OK to pass negative loff_t, we can catch out-of-range */
file->f_mode |= FMODE_UNSIGNED_OFFSET; file->f_mode |= FMODE_UNSIGNED_OFFSET;
file->private_data = mm; file->private_data = mm;
...@@ -798,6 +805,9 @@ static ssize_t mem_rw(struct file *file, char __user *buf, ...@@ -798,6 +805,9 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
return -ENOMEM; return -ENOMEM;
copied = 0; copied = 0;
if (!atomic_inc_not_zero(&mm->mm_users))
goto free;
while (count > 0) { while (count > 0) {
int this_len = min_t(int, count, PAGE_SIZE); int this_len = min_t(int, count, PAGE_SIZE);
...@@ -825,6 +835,8 @@ static ssize_t mem_rw(struct file *file, char __user *buf, ...@@ -825,6 +835,8 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
} }
*ppos = addr; *ppos = addr;
mmput(mm);
free:
free_page((unsigned long) page); free_page((unsigned long) page);
return copied; return copied;
} }
...@@ -861,7 +873,7 @@ static int mem_release(struct inode *inode, struct file *file) ...@@ -861,7 +873,7 @@ static int mem_release(struct inode *inode, struct file *file)
{ {
struct mm_struct *mm = file->private_data; struct mm_struct *mm = file->private_data;
if (mm) if (mm)
mmput(mm); mmdrop(mm);
return 0; return 0;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment