On 05/20, Minchan Kim wrote:
>
> + rcu_read_lock();
> + tsk = pid_task(pid, PIDTYPE_PID);
> + if (!tsk) {
> + rcu_read_unlock();
> + goto err;
> + }
> + get_task_struct(tsk);
> + rcu_read_unlock();
> + mm = mm_access(tsk, PTRACE_MODE_ATTACH_REALCREDS);
> + if (!mm || IS_ERR(mm)) {
> + ret = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
> + if (ret == -EACCES)
> + ret = -EPERM;
> + goto err;
> + }
> + ret = madvise_core(tsk, start, len_in, behavior);
IIUC, madvise_core(tsk) plays with tsk->mm->mmap_sem. But this tsk can exit and
nullify its ->mm right after mm_access() succeeds.
another problem is that pid_task(pid) can return a zombie leader, in this case
mm_access() will fail while it shouldn't.
Oleg.
