proc: make sure mem_open() doesn't pin the target's memory

[pandora-kernel.git] / fs / proc / base.c

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 0d3a4d1..1ace83d 100644 (file)
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -775,6 +775,13 @@ static int mem_open(struct inode* inode, struct file* file)
        if (IS_ERR(mm))
                return PTR_ERR(mm);
 
+       if (mm) {
+               /* ensure this mm_struct can't be freed */
+               atomic_inc(&mm->mm_count);
+               /* but do not pin its memory */
+               mmput(mm);
+       }
+
        /* OK to pass negative loff_t, we can catch out-of-range */
        file->f_mode |= FMODE_UNSIGNED_OFFSET;
        file->private_data = mm;
@@ -798,6 +805,9 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
                return -ENOMEM;
 
        copied = 0;
+       if (!atomic_inc_not_zero(&mm->mm_users))
+               goto free;
+
        while (count > 0) {
                int this_len = min_t(int, count, PAGE_SIZE);
 
@@ -825,6 +835,8 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
        }
        *ppos = addr;
 
+       mmput(mm);
+free:
        free_page((unsigned long) page);
        return copied;
 }
@@ -861,7 +873,7 @@ static int mem_release(struct inode *inode, struct file *file)
 {
        struct mm_struct *mm = file->private_data;
        if (mm)
-               mmput(mm);
+               mmdrop(mm);
        return 0;
 }