www.infradead.org Git - users/jedix/linux-maple.git/commit
userfaultfd: don't pin the user memory in userfaultfd_file_create()
author Oleg Nesterov <oleg@redhat.com>
Fri, 20 May 2016 23:58:36 +0000 (16:58 -0700)
committer Dhaval Giani <dhaval.giani@oracle.com>
Fri, 20 Jan 2017 18:55:44 +0000 (13:55 -0500)
commit 751c0360869f1e1918b4b0855cf19afbc82523f6
tree 72728b37fa6c9f077f296c0e0168c3dce0857a0b
parent 05ac7fe138bcac08248f692d77b2c743340d6cda
userfaultfd: don't pin the user memory in userfaultfd_file_create()

Orabug: 21685254

userfaultfd_file_create() increments mm->mm_users; this means that the
memory won't be unmapped/freed if mm owner exits/execs, and UFFDIO_COPY
after that can populate the orphaned mm more.

Change userfaultfd_file_create() and userfaultfd_ctx_put() to use
mm->mm_count to pin mm_struct.  This means that
atomic_inc_not_zero(mm->mm_users) is needed when we are going to
actually play with this memory.  Except handle_userfault() path doesn't
need this, the caller must already have a reference.

The patch adds the new trivial helper, mmget_not_zero(), it can have
more users.

Link: http://lkml.kernel.org/r/20160516172254.GA8595@redhat.com
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Michal Hocko <mhocko@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit d2005e3f41d4f9299e2df6a967c8beb5086967a9)
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Reviewed-by: Dhaval Giani <dhaval.giani@oracle.com>
Signed-off-by: Dhaval Giani <dhaval.giani@oracle.com>
fs/userfaultfd.c
include/linux/sched.h
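
The two-counter scheme the commit message describes (mm_count pins the mm_struct, mm_users pins the mapped memory, and a not-zero increment guards every access to that memory), as an added userspace model that is not the kernel code from this commit. The toy_* names, the mappings_live flag and the -1 return value are assumptions made for illustration.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
/* Constructed userspace model; toy_* names are hypothetical, not kernel API. */
struct toy_mm {
    atomic_int mm_users;  /* users of the address space: keeps mappings alive */
    atomic_int mm_count;  /* references to the struct itself */
    bool mappings_live;   /* stands in for the mapped user memory */
};
static struct toy_mm *toy_mm_alloc(void) {
    struct toy_mm *mm = malloc(sizeof *mm);
    if (!mm) abort();
    atomic_init(&mm->mm_users, 1);  /* the owning process */
    atomic_init(&mm->mm_count, 1);  /* one struct ref held for all mm_users */
    mm->mappings_live = true;
    return mm;
}
/* Drop a struct reference; true when it was the last one and mm was freed. */
static bool toy_mmdrop(struct toy_mm *mm) {
    if (atomic_fetch_sub(&mm->mm_count, 1) != 1) return false;
    free(mm);
    return true;
}
/* Drop a user reference; the last user tears down the mappings. */
static void toy_mmput(struct toy_mm *mm) {
    if (atomic_fetch_sub(&mm->mm_users, 1) != 1) return;
    mm->mappings_live = false;
    toy_mmdrop(mm);
}
/* Models mmget_not_zero(): take a user reference only while users remain. */
static bool toy_mmget_not_zero(struct toy_mm *mm) {
    int old = atomic_load(&mm->mm_users);
    while (old != 0)
        if (atomic_compare_exchange_weak(&mm->mm_users, &old, old + 1)) return true;
    return false;
}
/* Context creation after the change: pin the struct, not the memory. */
static void toy_ctx_pin(struct toy_mm *mm) { atomic_fetch_add(&mm->mm_count, 1); }
/* An operation that touches user memory: 0 on success, -1 if the owner is gone. */
static int toy_ctx_touch(struct toy_mm *mm) {
    if (!toy_mmget_not_zero(mm)) return -1;
    toy_mmput(mm);  /* mappings stayed live between the get and this put */
    return 0;
}
int main(void) {
    struct toy_mm *mm = toy_mm_alloc();
    toy_ctx_pin(mm);  /* context created while the owner is alive */
    toy_mmput(mm);    /* owner exits: mappings torn down, struct survives */
    return (toy_ctx_touch(mm) == -1 && toy_mmdrop(mm)) ? 0 : 1;
}
```

In this model the owner's exit tears the mappings down even though a context still holds the struct, and the later access is refused instead of repopulating an orphaned address space.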