1 files changed, 50 insertions, 20 deletions

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 60316b52d659..9298324325ed 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -75,6 +75,7 @@
 #include <linux/ptrace.h>
 #include <linux/tracehook.h>
 #include <linux/printk.h>
+#include <linux/cache.h>
 #include <linux/cgroup.h>
 #include <linux/cpuset.h>
 #include <linux/audit.h>
@@ -100,6 +101,8 @@
 #include "internal.h"
 #include "fd.h"
 
+#include "../../lib/kstrtox.h"
+
 /* NOTE:
  *      Implementing inode permission operations in /proc is almost
  *      certainly an error.  Permission checks need to happen during
@@ -110,8 +113,8 @@
  *      in /proc for a task before it execs a suid executable.
  */
 
-static u8 nlink_tid;
-static u8 nlink_tgid;
+static u8 nlink_tid __ro_after_init;
+static u8 nlink_tgid __ro_after_init;
 
 struct pid_entry {
         const char *name;
@@ -1370,7 +1373,7 @@ static ssize_t proc_fail_nth_write(struct file *file, const char __user *buf,
         task = get_proc_task(file_inode(file));
         if (!task)
                 return -ESRCH;
-        WRITE_ONCE(task->fail_nth, n);
+        task->fail_nth = n;
         put_task_struct(task);
 
         return count;
@@ -1386,8 +1389,7 @@ static ssize_t proc_fail_nth_read(struct file *file, char __user *buf,
         task = get_proc_task(file_inode(file));
         if (!task)
                 return -ESRCH;
-        len = snprintf(numbuf, sizeof(numbuf), "%u\n",
-                        READ_ONCE(task->fail_nth));
+        len = snprintf(numbuf, sizeof(numbuf), "%u\n", task->fail_nth);
         len = simple_read_from_buffer(buf, count, ppos, numbuf, len);
         put_task_struct(task);
 
@@ -1907,8 +1909,33 @@ end_instantiate:
 static int dname_to_vma_addr(struct dentry *dentry,
                              unsigned long *start, unsigned long *end)
 {
-        if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2)
+        const char *str = dentry->d_name.name;
+        unsigned long long sval, eval;
+        unsigned int len;
+
+        len = _parse_integer(str, 16, &sval);
+        if (len & KSTRTOX_OVERFLOW)
+                return -EINVAL;
+        if (sval != (unsigned long)sval)
                 return -EINVAL;
+        str += len;
+
+        if (*str != '-')
+                return -EINVAL;
+        str++;
+
+        len = _parse_integer(str, 16, &eval);
+        if (len & KSTRTOX_OVERFLOW)
+                return -EINVAL;
+        if (eval != (unsigned long)eval)
+                return -EINVAL;
+        str += len;
+
+        if (*str != '\0')
+                return -EINVAL;
+
+        *start = sval;
+        *end = eval;
 
         return 0;
 }
@@ -2000,9 +2027,9 @@ out:
 }
 
 struct map_files_info {
+        unsigned long   start;
+        unsigned long   end;
         fmode_t         mode;
-        unsigned int    len;
-        unsigned char   name[4*sizeof(long)+2]; /* max: %lx-%lx\0 */
 };
 
 /*
@@ -2172,10 +2199,9 @@ proc_map_files_readdir(struct file *file, struct dir_context *ctx)
                         if (++pos <= ctx->pos)
                                 continue;
 
+                        info.start = vma->vm_start;
+                        info.end = vma->vm_end;
                         info.mode = vma->vm_file->f_mode;
-                        info.len = snprintf(info.name,
-                                        sizeof(info.name), "%lx-%lx",
-                                        vma->vm_start, vma->vm_end);
                         if (flex_array_put(fa, i++, &info, GFP_KERNEL))
                                 BUG();
                 }
@@ -2183,9 +2209,13 @@ proc_map_files_readdir(struct file *file, struct dir_context *ctx)
         up_read(&mm->mmap_sem);
 
         for (i = 0; i < nr_files; i++) {
+                char buf[4 * sizeof(long) + 2]; /* max: %lx-%lx\0 */
+                unsigned int len;
+
                 p = flex_array_get(fa, i);
+                len = snprintf(buf, sizeof(buf), "%lx-%lx", p->start, p->end);
                 if (!proc_fill_cache(file, ctx,
-                                      p->name, p->len,
+                                      buf, len,
                                       proc_map_files_instantiate,
                                       task,
                                       (void *)(unsigned long)p->mode))
@@ -3018,11 +3048,11 @@ static const struct inode_operations proc_tgid_base_inode_operations = {
 static void proc_flush_task_mnt(struct vfsmount *mnt, pid_t pid, pid_t tgid)
 {
         struct dentry *dentry, *leader, *dir;
-        char buf[PROC_NUMBUF];
+        char buf[10 + 1];
         struct qstr name;
 
         name.name = buf;
-        name.len = snprintf(buf, sizeof(buf), "%d", pid);
+        name.len = snprintf(buf, sizeof(buf), "%u", pid);
         /* no ->d_hash() rejects on procfs */
         dentry = d_hash_and_lookup(mnt->mnt_root, &name);
         if (dentry) {
@@ -3034,7 +3064,7 @@ static void proc_flush_task_mnt(struct vfsmount *mnt, pid_t pid, pid_t tgid)
                 return;
 
         name.name = buf;
-        name.len = snprintf(buf, sizeof(buf), "%d", tgid);
+        name.len = snprintf(buf, sizeof(buf), "%u", tgid);
         leader = d_hash_and_lookup(mnt->mnt_root, &name);
         if (!leader)
                 goto out;
@@ -3046,7 +3076,7 @@ static void proc_flush_task_mnt(struct vfsmount *mnt, pid_t pid, pid_t tgid)
                 goto out_put_leader;
 
         name.name = buf;
-        name.len = snprintf(buf, sizeof(buf), "%d", pid);
+        name.len = snprintf(buf, sizeof(buf), "%u", pid);
         dentry = d_hash_and_lookup(dir, &name);
         if (dentry) {
                 d_invalidate(dentry);
@@ -3225,14 +3255,14 @@ int proc_pid_readdir(struct file *file, struct dir_context *ctx)
         for (iter = next_tgid(ns, iter);
              iter.task;
              iter.tgid += 1, iter = next_tgid(ns, iter)) {
-                char name[PROC_NUMBUF];
+                char name[10 + 1];
                 int len;
 
                 cond_resched();
                 if (!has_pid_permissions(ns, iter.task, HIDEPID_INVISIBLE))
                         continue;
 
-                len = snprintf(name, sizeof(name), "%d", iter.tgid);
+                len = snprintf(name, sizeof(name), "%u", iter.tgid);
                 ctx->pos = iter.tgid + TGID_OFFSET;
                 if (!proc_fill_cache(file, ctx, name, len,
                                      proc_pid_instantiate, iter.task, NULL)) {
@@ -3560,10 +3590,10 @@ static int proc_task_readdir(struct file *file, struct dir_context *ctx)
         for (task = first_tid(proc_pid(inode), tid, ctx->pos - 2, ns);
              task;
              task = next_tid(task), ctx->pos++) {
-                char name[PROC_NUMBUF];
+                char name[10 + 1];
                 int len;
                 tid = task_pid_nr_ns(task, ns);
-                len = snprintf(name, sizeof(name), "%d", tid);
+                len = snprintf(name, sizeof(name), "%u", tid);
                 if (!proc_fill_cache(file, ctx, name, len,
                                 proc_task_instantiate, task, NULL)) {
                         /* returning this tgid failed, save it as the first