proc: make sure mem_open() doesn't pin the target's memory (6d08f2c7) · Commits · e / devices / android_kernel_xiaomi_markw

Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before . Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by:

Oleg Nesterov <oleg@redhat.com> Signed-off-by:

Linus Torvalds <torvalds@linux-foundation.org>

fs/proc/base.c

+13 −1

Original line number	Diff line number	Diff line
		@@ -711,6 +711,13 @@ static int mem_open(struct inode* inode, struct file* file)
		if (IS_ERR(mm))
		return PTR_ERR(mm);

		if (mm) {
		/* ensure this mm_struct can't be freed */
		atomic_inc(&mm->mm_count);
		/* but do not pin its memory */
		mmput(mm);
		}

		/* OK to pass negative loff_t, we can catch out-of-range */
		file->f_mode \|= FMODE_UNSIGNED_OFFSET;
		file->private_data = mm;
		@@ -734,6 +741,9 @@ static ssize_t mem_rw(struct file file, char __user buf,
		return -ENOMEM;

		copied = 0;
		if (!atomic_inc_not_zero(&mm->mm_users))
		goto free;

		while (count > 0) {
		int this_len = min_t(int, count, PAGE_SIZE);

		@@ -761,6 +771,8 @@ static ssize_t mem_rw(struct file file, char __user buf,
		}
		*ppos = addr;

		mmput(mm);
		free:
		free_page((unsigned long) page);
		return copied;
		}
		@@ -797,7 +809,7 @@ static int mem_release(struct inode inode, struct file file)
		{
		struct mm_struct *mm = file->private_data;
		if (mm)
		mmput(mm);
		mmdrop(mm);
		return 0;
		}