Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: mm_for_maps: take ->cred_guard_mutex to fix the race with exec mm_for_maps: shift down_read(mmap_sem) to the caller mm_for_maps: simplify, use ptrace_may_access()
author: Linus Torvalds <torvalds@linux-foundation.org> 2009-08-10 12:00:47 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2009-08-10 12:00:47 -0400
commit: 9bcf73f48280ef8cd7f2e38e674da47c409b9906 (patch)
tree: 8f2c8de4dc437ce901c8b15f437a0394481ef44a
parent: 2c661a669b3e2e34311d7965271a628671191e45 (diff)
parent: 704b836cbf19e885f8366bccb2e4b0474346c02d (diff)
3 files changed, 14 insertions, 15 deletions
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 3ce5ae9e3d2d..175db258942f 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -234,23 +234,20 @@ static int check_mem_permission(struct task_struct *task)
 struct mm_struct *mm_for_maps(struct task_struct *task)
 {
-        struct mm_struct *mm = get_task_mm(task);
+        struct mm_struct *mm;
-        if (!mm)
+        if (mutex_lock_killable(&task->cred_guard_mutex))
                return NULL;
-        down_read(&mm->mmap_sem);
-        task_lock(task);
+        mm = get_task_mm(task);
-        if (task->mm != mm)
+        if (mm && mm != current->mm &&
-                goto out;
+                        !ptrace_may_access(task, PTRACE_MODE_READ)) {
-        if (task->mm != current->mm &&
+                mmput(mm);
-            __ptrace_may_access(task, PTRACE_MODE_READ) < 0)
+                mm = NULL;
-                goto out;
+        }
-        task_unlock(task);
+        mutex_unlock(&task->cred_guard_mutex);
        return mm;
-out:
-        task_unlock(task);
-        up_read(&mm->mmap_sem);
-        mmput(mm);
-        return NULL;
 }
 static int proc_pid_cmdline(struct task_struct *task, char * buffer)
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 6f61b7cc32e0..9bd8be1d235c 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -119,6 +119,7 @@ static void *m_start(struct seq_file *m, loff_t *pos)
        mm = mm_for_maps(priv->task);
        if (!mm)
                return NULL;
+        down_read(&mm->mmap_sem);
        tail_vma = get_gate_vma(priv->task);
        priv->tail_vma = tail_vma;
diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
index 64a72e2e7650..8f5c05d3dbd3 100644
--- a/fs/proc/task_nommu.c
+++ b/fs/proc/task_nommu.c
@@ -189,6 +189,7 @@ static void *m_start(struct seq_file *m, loff_t *pos)
                priv->task = NULL;
                return NULL;
        }
+        down_read(&mm->mmap_sem);
        /* start from the Nth VMA */
        for (p = rb_first(&mm->mm_rb); p; p = rb_next(p))
author	Linus Torvalds <torvalds@linux-foundation.org>	2009-08-10 12:00:47 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2009-08-10 12:00:47 -0400
commit	9bcf73f48280ef8cd7f2e38e674da47c409b9906 (patch)
tree	8f2c8de4dc437ce901c8b15f437a0394481ef44a
parent	2c661a669b3e2e34311d7965271a628671191e45 (diff)
parent	704b836cbf19e885f8366bccb2e4b0474346c02d (diff)

diff --git a/fs/proc/base.c b/fs/proc/base.c index 3ce5ae9e3d2d..175db258942f 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c
@@ -234,23 +234,20 @@ static int check_mem_permission(struct task_struct *task)
234		234
235	struct mm_struct mm_for_maps(struct task_struct task)	235	struct mm_struct mm_for_maps(struct task_struct task)
236	{	236	{
237	struct mm_struct *mm = get_task_mm(task);	237	struct mm_struct *mm;
238	if (!mm)	238
		239	if (mutex_lock_killable(&task->cred_guard_mutex))
239	return NULL;	240	return NULL;
240	down_read(&mm->mmap_sem);	241
241	task_lock(task);	242	mm = get_task_mm(task);
242	if (task->mm != mm)	243	if (mm && mm != current->mm &&
243	goto out;	244	!ptrace_may_access(task, PTRACE_MODE_READ)) {
244	if (task->mm != current->mm &&	245	mmput(mm);
245	__ptrace_may_access(task, PTRACE_MODE_READ) < 0)	246	mm = NULL;
246	goto out;	247	}
247	task_unlock(task);	248	mutex_unlock(&task->cred_guard_mutex);
		249
248	return mm;	250	return mm;
249	out:
250	task_unlock(task);
251	up_read(&mm->mmap_sem);
252	mmput(mm);
253	return NULL;
254	}	251	}
255		252
256	static int proc_pid_cmdline(struct task_struct task, char buffer)	253	static int proc_pid_cmdline(struct task_struct task, char buffer)


diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index 6f61b7cc32e0..9bd8be1d235c 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c
@@ -119,6 +119,7 @@ static void m_start(struct seq_file m, loff_t *pos)
119	mm = mm_for_maps(priv->task);	119	mm = mm_for_maps(priv->task);
120	if (!mm)	120	if (!mm)
121	return NULL;	121	return NULL;
		122	down_read(&mm->mmap_sem);
122		123
123	tail_vma = get_gate_vma(priv->task);	124	tail_vma = get_gate_vma(priv->task);
124	priv->tail_vma = tail_vma;	125	priv->tail_vma = tail_vma;


diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c index 64a72e2e7650..8f5c05d3dbd3 100644 --- a/fs/proc/task_nommu.c +++ b/fs/proc/task_nommu.c
@@ -189,6 +189,7 @@ static void m_start(struct seq_file m, loff_t *pos)
189	priv->task = NULL;	189	priv->task = NULL;
190	return NULL;	190	return NULL;
191	}	191	}
		192	down_read(&mm->mmap_sem);
192		193
193	/* start from the Nth VMA */	194	/* start from the Nth VMA */
194	for (p = rb_first(&mm->mm_rb); p; p = rb_next(p))	195	for (p = rb_first(&mm->mm_rb); p; p = rb_next(p))