On Sat, 26 Sep 2015 13:45:54 +0300 Vladimir Davydov <vdavy...@parallels.com> 
wrote:

> Pipe buffers can be generated unrestrictedly by an unprivileged
> userspace process, so they shouldn't go unaccounted.
> 
> ...
>
> --- a/fs/pipe.c
> +++ b/fs/pipe.c
> @@ -400,7 +400,7 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
>                       int copied;
>  
>                       if (!page) {
> -                             page = alloc_page(GFP_HIGHUSER);
> +                             page = alloc_kmem_pages(GFP_HIGHUSER, 0);
>                               if (unlikely(!page)) {
>                                       ret = ret ? : -ENOMEM;
>                                       break;
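Review bot: only the allocation side is visible in this hunk, and a page obtained from alloc_kmem_pages() carries a memcg kmem charge that is normally dropped by the matching __free_kmem_pages() rather than by a plain put_page(); the buffer's release path is not shown, so confirm it frees with the matching call, and confirm what happens when the page leaves the pipe through generic_pipe_buf_steal() into the page cache (either uncharge it there or refuse to steal a charged page), otherwise the charge is leaked or a charged page ends up in the page cache with state the VM does not expect.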

This seems broken.  We have a pipe buffer page which has a weird
->mapcount.  Now it gets stolen (generic_pipe_buf_steal()) and spliced
into pagecache.  Then the page gets mmapped and MM starts playing with
its ->_mapcount?
