Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f0ec1aaf authored by Oleg Nesterov's avatar Oleg Nesterov Committed by Linus Torvalds
Browse files

[PATCH] xacct_add_tsk: fix pure theoretical ->mm use-after-free 



Paranoid fix. The task can free its ->mm after the 'if (p->mm)' check.

Signed-off-by: default avatarOleg Nesterov <oleg@tv-sign.ru>
Cc: Shailabh Nagar <nagar@watson.ibm.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Cc: Jay Lan <jlan@sgi.com>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent d45e44d4

kernel/tsacct.c

+7 −3
Original line number Diff line number Diff line
@@ -80,13 +80,17 @@ void bacct_add_tsk(struct taskstats *stats, struct task_struct *tsk) 
 */

void xacct_add_tsk(struct taskstats *stats, struct task_struct *p)

{

	struct mm_struct *mm;



	/* convert pages-jiffies to Mbyte-usec */

	stats->coremem = jiffies_to_usecs(p->acct_rss_mem1) * PAGE_SIZE / MB;

	stats->virtmem = jiffies_to_usecs(p->acct_vm_mem1) * PAGE_SIZE / MB;

	if (p->mm) {

	mm = get_task_mm(p);

	if (mm) {

		/* adjust to KB unit */

		stats->hiwater_rss   = p->mm->hiwater_rss * PAGE_SIZE / KB;

		stats->hiwater_vm    = p->mm->hiwater_vm * PAGE_SIZE / KB;

		stats->hiwater_rss   = mm->hiwater_rss * PAGE_SIZE / KB;

		stats->hiwater_vm    = mm->hiwater_vm * PAGE_SIZE / KB;

		mmput(mm);

	}

	stats->read_char	= p->rchar;

	stats->write_char	= p->wchar;