From: Andrea Arcangeli <aarcange@redhat.com>
To: linux-mm@kvack.org, Andrew Morton <akpm@linux-foundation.org>
Cc: Michael Rapoport <RAPOPORT@il.ibm.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
Mike Kravetz <mike.kravetz@oracle.com>,
Pavel Emelyanov <xemul@parallels.com>,
Hillf Danton <hillf.zj@alibaba-inc.com>
Subject: [PATCH 36/42] userfaultfd: shmem: avoid leaking blocks and used blocks in UFFDIO_COPY
Date: Fri, 16 Dec 2016 15:48:15 +0100 [thread overview]
Message-ID: <20161216144821.5183-37-aarcange@redhat.com> (raw)
In-Reply-To: <20161216144821.5183-1-aarcange@redhat.com>
If the atomic copy_user fails because of a real dangling userland
pointer, we won't go back into the shmem method, so when the method
returns it must not leave anything charged up, except the page itself.
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
---
mm/shmem.c | 23 +++++++++++++----------
1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/mm/shmem.c b/mm/shmem.c
index f0f1431..9f3941b 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2210,17 +2210,17 @@ int shmem_mcopy_atomic_pte(struct mm_struct *dst_mm,
pte_t _dst_pte, *dst_pte;
int ret;
- if (!*pagep) {
- ret = -ENOMEM;
- if (shmem_acct_block(info->flags, 1))
- goto out;
- if (sbinfo->max_blocks) {
- if (percpu_counter_compare(&sbinfo->used_blocks,
- sbinfo->max_blocks) >= 0)
- goto out_unacct_blocks;
- percpu_counter_inc(&sbinfo->used_blocks);
- }
+ ret = -ENOMEM;
+ if (shmem_acct_block(info->flags, 1))
+ goto out;
+ if (sbinfo->max_blocks) {
+ if (percpu_counter_compare(&sbinfo->used_blocks,
+ sbinfo->max_blocks) >= 0)
+ goto out_unacct_blocks;
+ percpu_counter_inc(&sbinfo->used_blocks);
+ }
+ if (!*pagep) {
page = shmem_alloc_page(gfp, info, pgoff);
if (!page)
goto out_dec_used_blocks;
@@ -2233,6 +2233,9 @@ int shmem_mcopy_atomic_pte(struct mm_struct *dst_mm,
/* fallback to copy_from_user outside mmap_sem */
if (unlikely(ret)) {
*pagep = page;
+ if (sbinfo->max_blocks)
+ percpu_counter_add(&sbinfo->used_blocks, -1);
+ shmem_unacct_blocks(info->flags, 1);
/* don't free the page */
return -EFAULT;
}
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2016-12-16 14:48 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-16 14:47 [PATCH 00/42] userfaultfd tmpfs/hugetlbfs/non-cooperative v2 Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 01/42] userfaultfd: document _IOR/_IOW Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 02/42] userfaultfd: correct comment about UFFD_FEATURE_PAGEFAULT_FLAG_WP Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 03/42] userfaultfd: convert BUG() to WARN_ON_ONCE() Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 04/42] userfaultfd: use vma_is_anonymous Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 05/42] userfaultfd: non-cooperative: Split the find_userfault() routine Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 06/42] userfaultfd: non-cooperative: Add ability to report non-PF events from uffd descriptor Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 07/42] userfaultfd: non-cooperative: report all available features to userland Andrea Arcangeli
2017-01-04 23:01 ` Andrew Morton
2017-01-05 12:56 ` Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 08/42] userfaultfd: non-cooperative: Add fork() event Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 09/42] userfaultfd: non-cooperative: Add fork() event, build warning fix Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 10/42] userfaultfd: non-cooperative: dup_userfaultfd: use mm_count instead of mm_users Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 11/42] userfaultfd: non-cooperative: Add mremap() event Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 12/42] userfaultfd: non-cooperative: optimize mremap_userfaultfd_complete() Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 13/42] userfaultfd: non-cooperative: Add madvise() event for MADV_DONTNEED request Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 14/42] userfaultfd: non-cooperative: avoid MADV_DONTNEED race condition Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 15/42] userfaultfd: non-cooperative: wake userfaults after UFFDIO_UNREGISTER Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 16/42] userfaultfd: hugetlbfs: add copy_huge_page_from_user for hugetlb userfaultfd support Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 17/42] userfaultfd: hugetlbfs: add hugetlb_mcopy_atomic_pte for " Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 18/42] userfaultfd: hugetlbfs: add __mcopy_atomic_hugetlb for huge page UFFDIO_COPY Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 19/42] userfaultfd: hugetlbfs: fix __mcopy_atomic_hugetlb retry/error processing Andrea Arcangeli
2016-12-16 14:47 ` [PATCH 20/42] userfaultfd: hugetlbfs: add userfaultfd hugetlb hook Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 21/42] userfaultfd: hugetlbfs: allow registration of ranges containing huge pages Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 22/42] userfaultfd: hugetlbfs: add userfaultfd_hugetlb test Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 23/42] userfaultfd: hugetlbfs: userfaultfd_huge_must_wait for hugepmd ranges Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 24/42] userfaultfd: hugetlbfs: gup: support VM_FAULT_RETRY Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 25/42] userfaultfd: hugetlbfs: reserve count on error in __mcopy_atomic_hugetlb Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 26/42] userfaultfd: hugetlbfs: UFFD_FEATURE_MISSING_HUGETLBFS Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 27/42] userfaultfd: introduce vma_can_userfault Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 28/42] userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 29/42] userfaultfd: shmem: introduce vma_is_shmem Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 30/42] userfaultfd: shmem: add tlbflush.h header for microblaze Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 31/42] userfaultfd: shmem: use shmem_mcopy_atomic_pte for shared memory Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 32/42] userfaultfd: shmem: add userfaultfd hook for shared memory faults Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 33/42] userfaultfd: shmem: allow registration of shared memory ranges Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 34/42] userfaultfd: shmem: add userfaultfd_shmem test Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 35/42] userfaultfd: shmem: lock the page before adding it to pagecache Andrea Arcangeli
2016-12-16 14:48 ` Andrea Arcangeli [this message]
2016-12-16 14:48 ` [PATCH 37/42] userfaultfd: hugetlbfs: UFFD_FEATURE_MISSING_SHMEM Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 38/42] userfaultfd: non-cooperative: selftest: introduce userfaultfd_open Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 39/42] userfaultfd: non-cooperative: selftest: add ufd parameter to copy_page Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 40/42] userfaultfd: non-cooperative: selftest: add test for FORK, MADVDONTNEED and REMAP events Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 41/42] userfaultfd: selftest: test UFFDIO_ZEROPAGE on all memory types Andrea Arcangeli
2016-12-16 14:48 ` [PATCH 42/42] mm: mprotect: use pmd_trans_unstable instead of taking the pmd_lock Andrea Arcangeli
2017-01-06 19:02 ` [PATCH 00/42] userfaultfd tmpfs/hugetlbfs/non-cooperative v2 Dr. David Alan Gilbert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161216144821.5183-37-aarcange@redhat.com \
--to=aarcange@redhat.com \
--cc=RAPOPORT@il.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=dgilbert@redhat.com \
--cc=hillf.zj@alibaba-inc.com \
--cc=linux-mm@kvack.org \
--cc=mike.kravetz@oracle.com \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).