From: Mateusz Guzik <mguzik@redhat.com>
To: robert.foss@collabora.com
Cc: akpm@linux-foundation.org, keescook@chromium.org,
	viro@zeniv.linux.org.uk, gorcunov@openvz.org,
	john.stultz@linaro.org, plaguedbypenguins@gmail.com,
	sonnyrao@chromium.org, adobriyan@gmail.com, jdanis@google.com,
	calvinowens@fb.com, jann@thejh.net, mhocko@suse.com,
	koct9i@gmail.com, vbabka@suse.cz, n-horiguchi@ah.jp.nec.com,
	kirill.shutemov@linux.intel.com, ldufour@linux.vnet.ibm.com,
	hannes@cmpxchg.org, linux-kernel@vger.kernel.org,
	Ben Zhang <benzh@chromium.org>, Bryan Freed <bfreed@chromium.org>,
	Filipe Brandenburger <filbranden@chromium.org>
Subject: Re: [PACTH v1] mm, proc: Implement /proc/<pid>/totmaps
Date: Tue, 9 Aug 2016 18:29:47 +0200
Message-ID: <20160809162946.gznxgsgfzndinkay@mguzik>
In-Reply-To: <1470758743-17685-1-git-send-email-robert.foss@collabora.com>

On Tue, Aug 09, 2016 at 12:05:43PM -0400, robert.foss@collabora.com wrote:
> From: Sonny Rao <sonnyrao@chromium.org>
> 
> This is based on earlier work by Thiago Goncales. It implements a new
> per process proc file which summarizes the contents of the smaps file
> but doesn't display any addresses.  It gives more detailed information
> than statm like the PSS (proportional set size).  It differs from the
> original implementation in that it doesn't use the full blown set of
> seq operations, uses a different termination condition, and doesn't
> display "Locked" as that was broken on the original implementation.
> 
> This new proc file provides information faster than parsing the potentially
> huge smaps file.

I have no idea about the usefulness of this.

The patch is definitely buggy with respect to how it implements actual
access to mm.

> +static int totmaps_proc_show(struct seq_file *m, void *data)
> +{
> +	struct proc_maps_private *priv = m->private;
> +	struct mm_struct *mm;
> +	struct vm_area_struct *vma;
> +	struct mem_size_stats *mss_sum = priv->mss;
> +
> +	/* reference to priv->task already taken */
> +	/* but need to get the mm here because */
> +	/* task could be in the process of exiting */
> +	mm = get_task_mm(priv->task);
> +	if (!mm || IS_ERR(mm))
> +		return -EINVAL;
> +
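Review bot: the IS_ERR(mm) test after get_task_mm() is dead code, since get_task_mm() returns either a valid mm or NULL and never an ERR_PTR; the real problem is that taking the mm from priv->task here bypasses the access check the smaps path gets by calling proc_mem_open(inode, PTRACE_MODE_READ) from proc_maps_open(). The open routine should obtain the mm through proc_mem_open() and keep it in priv->mm, so that this show routine only has to handle a NULL mm, and returning -EINVAL for "task has no mm" is also an odd error code for that condition.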

That's not how it's done in smaps.

> +static int totmaps_open(struct inode *inode, struct file *file)
> +{
> +	struct proc_maps_private *priv;
> +	int ret = -ENOMEM;
> +	priv = kzalloc(sizeof(*priv), GFP_KERNEL);
> +	if (priv) {
> +		priv->mss = kzalloc(sizeof(*priv->mss), GFP_KERNEL);
> +		if (!priv->mss)
> +			return -ENOMEM;
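Review bot: the `return -ENOMEM` when priv->mss allocation fails leaks priv, which was just allocated with kzalloc() a few lines above; it needs a kfree(priv) before returning (or a jump to a common unwind label), consistent with the later failure paths in this function, which do free priv.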

Cases below explicitly kfree(priv). I can't remember whether the close
routine gets called if this one fails. Either way, something is wrong
here.

> +
> +		/* we need to grab references to the task_struct */
> +		/* at open time, because there's a potential information */
> +		/* leak where the totmaps file is opened and held open */
> +		/* while the underlying pid to task mapping changes */
> +		/* underneath it */
> +		priv->task = get_pid_task(proc_pid(inode), PIDTYPE_PID);
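Review bot: get_pid_task() only resolves the pid to a task_struct and performs no check that the opener is allowed to inspect that task's memory, so any user can open this file for any pid; the equivalent smaps open path goes through proc_mem_open(inode, PTRACE_MODE_READ), which does the ptrace access check and hands back the mm directly, which would also remove the need to pin priv->task for the lifetime of the open file. Style point: the five stacked single-line /* */ comments should be one block comment.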

This performs no permission checks that I would see. If you take a look
at smaps you will see the user ends up in proc_maps_open which performs
proc_mem_open(inode, PTRACE_MODE_READ) and gets a mm from there.


> +		if (!priv->task) {
> +			kfree(priv->mss);
> +			kfree(priv);
> +			return -ESRCH;
> +		}
> +
> +		ret = single_open(file, totmaps_proc_show, priv);
> +		if (ret) {
> +			put_task_struct(priv->task);
> +			kfree(priv->mss);
> +			kfree(priv);
> +		}
> +	}
> +	return ret;
> +}
> +
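Review bot: each error path repeats its own kfree()/put_task_struct() sequence (and the mss failure path earlier in this function repeats none of it), which is exactly how the leak crept in; unwinding through labelled goto targets in reverse acquisition order (put the task, free priv->mss, free priv) would make every path drop exactly what it acquired. Note also that single_release() does not free the private pointer passed to single_open(), so whatever release routine this file installs must drop the task reference and free priv->mss and priv itself; that routine is not visible in this hunk and should be reviewed together with it.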

-- 
Mateusz Guzik
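The commit message describes totmaps as the per-VMA statistics of smaps added up for the whole process, with the address ranges left out. As an added illustration that is not code from the patch or from the kernel, the following userspace C program performs that same aggregation over a constructed smaps excerpt embedded in the file (sample values, not captured from a real system), so it runs anywhere without touching /proc. On a real system the same text would come from /proc/<pid>/smaps, whose open path is gated by the PTRACE_MODE_READ check mentioned in the review above; the parser, field names and sample numbers here are my own choices.

```c
#include <stdio.h>
#include <string.h>

/* Constructed /proc/<pid>/smaps excerpt with two mappings (sample data,
 * not captured from a real system). Each mapping is a header line followed
 * by "Key:  <value> kB" statistic lines. */
static const char *const sample_smaps =
    "00400000-00452000 r-xp 00000000 08:02 173521   /usr/bin/example\n"
    "Size:                328 kB\n"
    "Rss:                 200 kB\n"
    "Pss:                 100 kB\n"
    "Shared_Clean:        200 kB\n"
    "Private_Dirty:         0 kB\n"
    "Anonymous:             0 kB\n"
    "7ffd6a0c4000-7ffd6a0e5000 rw-p 00000000 00:00 0   [stack]\n"
    "Size:                132 kB\n"
    "Rss:                  20 kB\n"
    "Pss:                  20 kB\n"
    "Shared_Clean:          0 kB\n"
    "Private_Dirty:        20 kB\n"
    "Anonymous:            20 kB\n";

/* Process-wide totals: the kind of summary totmaps is described as
 * printing, without any addresses. Field selection is this example's own. */
struct mem_totals {
    unsigned long rss_kb;
    unsigned long pss_kb;
    unsigned long shared_clean_kb;
    unsigned long private_dirty_kb;
    unsigned long anonymous_kb;
    unsigned int nmaps;
};

/* A mapping header ("start-end perms offset dev inode path") has a '-' in
 * the address range before the ':' of the dev field; statistic keys never
 * contain '-', so this distinguishes the two line kinds. */
static int is_mapping_header(const char *line)
{
    const char *dash = strchr(line, '-');
    const char *colon = strchr(line, ':');
    return dash != NULL && (colon == NULL || dash < colon);
}

/* Parse "Key:   123 kB". Succeeds only when the whole pattern matched,
 * including the trailing "kB" unit (%n is assigned only if reached). */
static int parse_stat_line(const char *line, char *key, unsigned long *val)
{
    int consumed = 0;
    if (sscanf(line, "%31[^:]: %lu kB%n", key, val, &consumed) != 2)
        return 0;
    return consumed > 0;
}

static void add_field(struct mem_totals *t, const char *key, unsigned long val)
{
    if (strcmp(key, "Rss") == 0)
        t->rss_kb += val;
    else if (strcmp(key, "Pss") == 0)
        t->pss_kb += val;
    else if (strcmp(key, "Shared_Clean") == 0)
        t->shared_clean_kb += val;
    else if (strcmp(key, "Private_Dirty") == 0)
        t->private_dirty_kb += val;
    else if (strcmp(key, "Anonymous") == 0)
        t->anonymous_kb += val;
    /* other keys (Size, Referenced, ...) are not part of this summary */
}

/* Walk the smaps text line by line and accumulate totals across all VMAs. */
struct mem_totals sum_smaps(const char *text)
{
    struct mem_totals t = {0};
    char line[512];
    char key[32];
    unsigned long val;

    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t full = nl ? (size_t)(nl - text) : strlen(text);
        size_t len = full < sizeof(line) ? full : sizeof(line) - 1;
        memcpy(line, text, len);           /* over-long lines are truncated */
        line[len] = '\0';
        text += full + (nl ? 1 : 0);       /* always advance past the real newline */

        if (is_mapping_header(line))
            t.nmaps++;
        else if (parse_stat_line(line, key, &val))
            add_field(&t, key, val);
    }
    return t;
}

int main(void)
{
    struct mem_totals t = sum_smaps(sample_smaps);
    printf("mappings: %u\nRss: %lu kB\nPss: %lu kB\nShared_Clean: %lu kB\n"
           "Private_Dirty: %lu kB\nAnonymous: %lu kB\n",
           t.nmaps, t.rss_kb, t.pss_kb, t.shared_clean_kb,
           t.private_dirty_kb, t.anonymous_kb);
    return 0;
}
```

The header test is deliberately separate from the statistic parser: a naive `sscanf("%[^:]: %lu kB")` would also "match" a mapping header (the dev field `08:02` supplies a colon and a number), so the unit suffix is checked with `%n` and header lines are recognised first.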
