[PATCH] [PATCH] proc: put check_mem_permission after __get_free_page in mem_write

From: KOSAKI Motohiro
Date: Tue Apr 26 2011 - 00:57:02 EST


It would be better to put check_mem_permission after __get_free_page
in mem_write, to be the same as function mem_read.

Hugh Dickins explained the reason.

check_mem_permission gets a reference to the mm. If we __get_free_page
after check_mem_permission, imagine what happens if the system is out
of memory, and the mm we're looking at is selected for killing by the
OOM killer: while we wait in __get_free_page for more memory, no memory
is freed from the selected mm because it cannot reach exit_mmap while
we hold that reference.


Reported-by: Jovi Zhang <bookjovi@xxxxxxxxx>
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@xxxxxxxxxxxxxx>
Cc: Hugh Dickins <hughd@xxxxxxxxxx>
Cc: Stephen Wilson <wilsons@xxxxxxxx>
---
fs/proc/base.c | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 4deef2e..e93be6e 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -894,20 +894,20 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
if (!task)
goto out_no_task;

+ copied = -ENOMEM;
+ page = (char *)__get_free_page(GFP_TEMPORARY);
+ if (!page)
+ goto out_task;
+
mm = check_mem_permission(task);
copied = PTR_ERR(mm);
if (IS_ERR(mm))
- goto out_task;
+ goto out_free;

copied = -EIO;
if (file->private_data != (void *)((long)current->self_exec_id))
goto out_mm;

- copied = -ENOMEM;
- page = (char *)__get_free_page(GFP_TEMPORARY);
- if (!page)
- goto out_mm;
-
copied = 0;
while (count > 0) {
int this_len, retval;
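Review bot: nothing at the new allocation site in mem_write records why __get_free_page has to come before check_mem_permission; the OOM-killer reasoning lives only in the changelog. A short comment above `page = (char *)__get_free_page(GFP_TEMPORARY);` saying that the page is allocated before the mm reference is taken, so that a sleeping allocation cannot keep the mm from reaching exit_mmap, would stop a later cleanup from moving it back. Note also that a caller who will fail check_mem_permission now costs one page allocation and free via out_free before being rejected; that is a bounded cost, but it is worth stating in the changelog as an accepted trade-off.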
@@ -929,9 +929,11 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
count -= retval;
}
*ppos = dst;
- free_page((unsigned long) page);
+
out_mm:
mmput(mm);
+out_free:
+ free_page((unsigned long) page);
out_task:
put_task_struct(task);
out_no_task:
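Review bot: with free_page moved from just after `*ppos = dst;` down to the new out_free label, every exit from the copy loop has to fall through out_mm to reach it, and the loop body is not in the visible context of this hunk. Please confirm the loop only leaves by break or by count reaching zero and never jumps straight to out_task, which would now leak the page. The label order itself (out_mm, out_free, out_task) is the reverse of the acquisition order in the first hunk, so the IS_ERR(mm) path frees the page without calling mmput on an error pointer and the allocation-failure path skips free_page, which is correct.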
--
1.7.3.1


