| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 30 Aug 2016 18:59:38 +0800
From: wei.guo.simon@...il.com
To: linux-mm@...ck.org
Cc: Alexey Klimov <klimov.linux@...il.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Eric B Munson <emunson@...mai.com>,
Geert Uytterhoeven <geert@...ux-m68k.org>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org,
Mel Gorman <mgorman@...hsingularity.net>,
Michal Hocko <mhocko@...e.com>, Shuah Khan <shuah@...nel.org>,
Simon Guo <wei.guo.simon@...il.com>,
Thierry Reding <treding@...dia.com>,
Vlastimil Babka <vbabka@...e.cz>
Subject: [PATCH 1/4] mm: mlock: check against vma for actual mlock() size
From: Simon Guo <wei.guo.simon@...il.com>
In do_mlock(), the check against locked memory limitation
has a hole which will fail following cases at step 3):
1) User has a memory chunk from addressA with 50k, and user
mem lock rlimit is 64k.
2) mlock(addressA, 30k)
3) mlock(addressA, 40k)
The 3rd step should have been allowed since the 40k request
is intersected with the previous 30k at step 2), and the
3rd step is actually for mlock on the extra 10k memory.
This patch checks vma to caculate the actual "new" mlock
size, if necessary, and ajust the logic to fix this issue.
Signed-off-by: Simon Guo <wei.guo.simon@...il.com>
---
mm/mlock.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
diff --git a/mm/mlock.c b/mm/mlock.c
index 14645be..9283187 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -617,6 +617,43 @@ static int apply_vma_lock_flags(unsigned long start, size_t len,
return error;
}
+/*
+ * Go through vma areas and sum size of mlocked
+ * vma pages, as return value.
+ * Note deferred memory locking case(mlock2(,,MLOCK_ONFAULT)
+ * is also counted.
+ * Return value: previously mlocked page counts
+ */
+static int count_mm_mlocked_page_nr(struct mm_struct *mm,
+ unsigned long start, size_t len)
+{
+ struct vm_area_struct *vma;
+ int count = 0;
+
+ if (mm == NULL)
+ mm = current->mm;
+
+ vma = find_vma(mm, start);
+ if (vma == NULL)
+ vma = mm->mmap;
+
+ for (; vma ; vma = vma->vm_next) {
+ if (start + len <= vma->vm_start)
+ break;
+ if (vma->vm_flags && VM_LOCKED) {
+ if (start > vma->vm_start)
+ count -= (start - vma->vm_start);
+ if (start + len < vma->vm_end) {
+ count += start + len - vma->vm_start;
+ break;
+ }
+ count += vma->vm_end - vma->vm_start;
+ }
+ }
+
+ return (PAGE_ALIGN(count) >> PAGE_SHIFT);
+}
+
static __must_check int do_mlock(unsigned long start, size_t len, vm_flags_t flags)
{
unsigned long locked;
@@ -639,6 +676,18 @@ static __must_check int do_mlock(unsigned long start, size_t len, vm_flags_t fla
return -EINTR;
locked += current->mm->locked_vm;
+ if ((locked > lock_limit) && (!capable(CAP_IPC_LOCK))) {
+ /*
+ * It is possible that the regions requested
+ * intersect with previously mlocked areas,
+ * that part area in "mm->locked_vm" should
+ * not be counted to new mlock increment
+ * count. So check and adjust locked count
+ * if necessary.
+ */
+ locked -= count_mm_mlocked_page_nr(current->mm,
+ start, len);
+ }
/* check against resource limits */
if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
--
1.8.3.1
Powered by blists - more mailing lists