This is a note to let you know that I've just added the patch titled
proc: make sure mem_open() doesn't pin the target's memory
to the 3.2-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
proc-make-sure-mem_open-doesn-t-pin-the-target-s-memory.patch
and it can be found in the queue-3.2 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From 6d08f2c7139790c268820a2e590795cb8333181a Mon Sep 17 00:00:00 2001
From: Oleg Nesterov <[email protected]>
Date: Tue, 31 Jan 2012 17:15:11 +0100
Subject: proc: make sure mem_open() doesn't pin the target's memory
From: Oleg Nesterov <[email protected]>
commit 6d08f2c7139790c268820a2e590795cb8333181a upstream.
Once /proc/pid/mem is opened, the memory can't be released until
mem_release() even if its owner exits.
Change mem_open() to do atomic_inc(mm_count) + mmput(), this only
pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count)
before access_remote_vm(), this verifies that this mm is still alive.
I am not sure what should mem_rw() return if atomic_inc_not_zero()
fails. With this patch it returns zero to match the "mm == NULL" case,
may be it should return -EINVAL like it did before e268337d.
Perhaps it makes sense to add the additional fatal_signal_pending()
check into the main loop, to ensure we do not hold this memory if
the target task was oom-killed.
Signed-off-by: Oleg Nesterov <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/proc/base.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -775,6 +775,13 @@ static int mem_open(struct inode* inode,
if (IS_ERR(mm))
return PTR_ERR(mm);
+ if (mm) {
+ /* ensure this mm_struct can't be freed */
+ atomic_inc(&mm->mm_count);
+ /* but do not pin its memory */
+ mmput(mm);
+ }
+
/* OK to pass negative loff_t, we can catch out-of-range */
file->f_mode |= FMODE_UNSIGNED_OFFSET;
file->private_data = mm;
@@ -798,6 +805,9 @@ static ssize_t mem_rw(struct file *file,
return -ENOMEM;
copied = 0;
+ if (!atomic_inc_not_zero(&mm->mm_users))
+ goto free;
+
while (count > 0) {
int this_len = min_t(int, count, PAGE_SIZE);
@@ -825,6 +835,8 @@ static ssize_t mem_rw(struct file *file,
}
*ppos = addr;
+ mmput(mm);
+free:
free_page((unsigned long) page);
return copied;
}
@@ -861,7 +873,7 @@ static int mem_release(struct inode *ino
{
struct mm_struct *mm = file->private_data;
if (mm)
- mmput(mm);
+ mmdrop(mm);
return 0;
}
Patches currently in stable-queue which might be from [email protected] are
queue-3.2/proc-make-sure-mem_open-doesn-t-pin-the-target-s-memory.patch
queue-3.2/proc-mem_release-should-check-mm-null.patch
queue-3.2/proc-unify-mem_read-and-mem_write.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
