
Commit 30cd8903 authored by KOSAKI Motohiro, committed by Linus Torvalds

proc: put check_mem_permission after __get_free_page in mem_write



It would be better to put check_mem_permission after __get_free_page in
mem_write, to be the same as function mem_read.

Hugh Dickins explained the reason.

    check_mem_permission gets a reference to the mm.  If we __get_free_page
    after check_mem_permission, imagine what happens if the system is out
    of memory, and the mm we're looking at is selected for killing by the
    OOM killer: while we wait in __get_free_page for more memory, no memory
    is freed from the selected mm because it cannot reach exit_mmap while
    we hold that reference.

Reported-by: Jovi Zhang <bookjovi@gmail.com>
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Stephen Wilson <wilsons@start.ca>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
parent a4dbf0ec
+9 −7
@@ -894,20 +894,20 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
	if (!task)
		goto out_no_task;

	copied = -ENOMEM;
	page = (char *)__get_free_page(GFP_TEMPORARY);
	if (!page)
		goto out_task;

	mm = check_mem_permission(task);
	copied = PTR_ERR(mm);
	if (IS_ERR(mm))
		goto out_task;
		goto out_free;

	copied = -EIO;
	if (file->private_data != (void *)((long)current->self_exec_id))
		goto out_mm;

	copied = -ENOMEM;
	page = (char *)__get_free_page(GFP_TEMPORARY);
	if (!page)
		goto out_mm;

	copied = 0;
	while (count > 0) {
		int this_len, retval;
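Review bot: the ordering requirement between __get_free_page and check_mem_permission in mem_write is recorded only in the commit message, so nothing at the call site stops a later cleanup from moving the allocation back below the point where the mm reference is taken. A one-line comment above the allocation, saying the page is allocated first so that no mm reference is held while the allocator may block, would preserve the reasoning. Separately, the self_exec_id comparison uses neither page nor mm, so it could run before both and return -EIO via out_task without allocating or taking the reference.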
@@ -929,9 +929,11 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
		count -= retval;			
	}
	*ppos = dst;
	free_page((unsigned long) page);

out_mm:
	mmput(mm);
out_free:
	free_page((unsigned long) page);
out_task:
	put_task_struct(task);
out_no_task:
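Review bot: the new label out_free is named after the action, while its neighbours out_mm and out_task are named after the resource they release; out_page would be consistent and make the unwind sequence easier to read. The sequence itself (mmput, then free_page, then put_task_struct) is the reverse of the acquisition order in the first hunk, and the check_mem_permission failure path correctly enters at out_free so that mmput is never called on an error pointer.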