author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-04-14 19:13:32 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-04-14 19:27:24 -0400 |
commit | caae24b57e5a2420a374e5d515ba7a712ea36c2c (patch) | |
tree | 139b8dea04655226a281506106fd512c86eb2955 | |
parent | 68433f6b0cb72b9842c6a55a7f958d1e80ae8d36 (diff) | |
download | longterm-queue-2.6.34-caae24b57e5a2420a374e5d515ba7a712ea36c2c.tar.gz |
use pre-36 version of exec argv oom patch
Per discussion on stable list (Apr 14, 2011):
----
This only works starting from 2.6.36.
before 2.6.36 kernel, oom-killer's badness() uses mm->total_vm. Please
see the patch for pre2.6.36 kernel below.
Oleg.
----
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r-- | queue/exec-make-argv-envp-memory-visible-to-oom-killer.patch | 35 |
1 files changed, 19 insertions, 16 deletions
diff --git a/queue/exec-make-argv-envp-memory-visible-to-oom-killer.patch b/queue/exec-make-argv-envp-memory-visible-to-oom-killer.patch index 1975989..4001275 100644 --- a/queue/exec-make-argv-envp-memory-visible-to-oom-killer.patch +++ b/queue/exec-make-argv-envp-memory-visible-to-oom-killer.patch @@ -1,9 +1,9 @@ -From e9875b9472a67ead4a1c1c13a99a4264d085b765 Mon Sep 17 00:00:00 2001 +From 00127771ad9835577fb77a47eafe363f59a46c8c Mon Sep 17 00:00:00 2001 From: Oleg Nesterov <oleg@redhat.com> -Date: Tue, 30 Nov 2010 20:55:34 +0100 +Date: Thu, 14 Apr 2011 20:19:36 +0200 Subject: [PATCH] exec: make argv/envp memory visible to oom-killer -commit 3c77f845722158206a7209c45ccddc264d19319c upstream +commit 3c77f845722158206a7209c45ccddc264d19319c upstream. Brad Spengler published a local memory-allocation DoS that evades the OOM-killer (though not the virtual memory RLIMIT): @@ -22,17 +22,24 @@ page is swapped out and turn MM_ANONPAGES into MM_SWAPENTS, but I don't think this really matters and everything becomes correct once exec changes ->mm or fails. +Compared to upstream: + + before 2.6.36 kernel, oom-killer's badness() takes + mm->total_vm into account and nothing else. So + acct_arg_size() has to play with this counter too. + Reported-by: Brad Spengler <spender@grsecurity.net> Reviewed-and-discussed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Signed-off-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- diff --git a/fs/exec.c b/fs/exec.c -index afd9977..8d4912f 100644 +index afd9977..3ab279c 100644 --- a/fs/exec.c +++ b/fs/exec.c -@@ -158,6 +158,25 @@ out: +@@ -158,6 +158,21 @@ out: #ifdef CONFIG_MMU 
@@ -46,19 +53,15 @@ index afd9977..8d4912f 100644 + + bprm->vma_pages = pages; + -+#ifdef SPLIT_RSS_COUNTING -+ add_mm_counter(mm, MM_ANONPAGES, diff); -+#else -+ spin_lock(&mm->page_table_lock); -+ add_mm_counter(mm, MM_ANONPAGES, diff); -+ spin_unlock(&mm->page_table_lock); -+#endif ++ down_write(&mm->mmap_sem); ++ mm->total_vm += diff; ++ up_write(&mm->mmap_sem); +} + static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, int write) { -@@ -180,6 +199,8 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, +@@ -180,6 +195,8 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start; struct rlimit *rlim; @@ -67,7 +70,7 @@ index afd9977..8d4912f 100644 /* * We've historically supported up to 32 pages (ARG_MAX) * of argument strings even with small stacks -@@ -269,6 +290,10 @@ static bool valid_arg_len(struct linux_binprm *bprm, long len) +@@ -269,6 +286,10 @@ static bool valid_arg_len(struct linux_binprm *bprm, long len) #else @@ -78,7 +81,7 @@ index afd9977..8d4912f 100644 static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, int write) { -@@ -987,6 +1012,7 @@ int flush_old_exec(struct linux_binprm * bprm) +@@ -987,6 +1008,7 @@ int flush_old_exec(struct linux_binprm * bprm) /* * Release all of the old mmap stuff */ @@ -86,7 +89,7 @@ index afd9977..8d4912f 100644 retval = exec_mmap(bprm->mm); if (retval) goto out; -@@ -1411,8 +1437,10 @@ int do_execve(char * filename, +@@ -1411,8 +1433,10 @@ int do_execve(char * filename, return retval; out: |
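Review bot: The three lines added to acct_arg_size() in the first hunk on this line (`down_write(&mm->mmap_sem); mm->total_vm += diff; up_write(&mm->mmap_sem);`) have no in-code comment, so the reason this backport adjusts total_vm instead of upstream's MM_ANONPAGES counter is recorded only in the patch description. I would put something like `/* pre-2.6.36: badness() looks only at mm->total_vm, so charge the arg pages there */` directly above the down_write(). Because total_vm is a general counter and not an exec-specific one, the comment should also say that the charge must be dropped again once exec changes ->mm or fails. The later hunks at flush_old_exec() and do_execve() presumably do that, but their added lines are not shown in this diff, so it cannot be confirmed here. The start of acct_arg_size(), including how `diff` is computed and what type it has, is outside the hunk.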