On Sat, 26 Sep 2015 13:45:54 +0300 Vladimir Davydov <vdavydov@xxxxxxxxxxxxx> wrote:
> Pipe buffers can be generated unrestrictedly by an unprivileged
> userspace process, so they shouldn't go unaccounted.
>
> ...
>
> --- a/fs/pipe.c
> +++ b/fs/pipe.c
> @@ -400,7 +400,7 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
> int copied;
>
> if (!page) {
> - page = alloc_page(GFP_HIGHUSER);
> + page = alloc_kmem_pages(GFP_HIGHUSER, 0);
> if (unlikely(!page)) {
> ret = ret ? : -ENOMEM;
> break;
This seems broken. We have a page buffer page which has a weird
->mapcount. Now it gets stolen (generic_pipe_buf_steal()) and spliced
into pagecache. Then the page gets mmapped and MM starts playing with
its ->_mapcount?
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>