Fix race in process_vm_rw_core

This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh <yeohc@au1.ibm.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Christopher Yeoh <cyeoh@au1.ibm.com> 2012-02-01 20:04:09 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2012-02-02 15:55:17 -0500
commit: 8cdb878dcb359fd1137e9abdee9322f5e9bcfdf8 (patch)
tree: 146afc01f3c1d7cbc944328484d077032bc53bfd /kernel
parent: 24b36da33c64368775f4ef9386d44dce1d2bc8cf (diff)
1 files changed, 20 insertions, 0 deletions
diff --git a/kernel/fork.c b/kernel/fork.c
index 051f090d40c1..1b2ef3c23ae4 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -647,6 +647,26 @@ struct mm_struct *get_task_mm(struct task_struct *task)
 }
 EXPORT_SYMBOL_GPL(get_task_mm);
+struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
+{
+        struct mm_struct *mm;
+        int err;
+        err =  mutex_lock_killable(&task->signal->cred_guard_mutex);
+        if (err)
+                return ERR_PTR(err);
+        mm = get_task_mm(task);
+        if (mm && mm != current->mm &&
+                        !ptrace_may_access(task, mode)) {
+                mmput(mm);
+                mm = ERR_PTR(-EACCES);
+        }
+        mutex_unlock(&task->signal->cred_guard_mutex);
+        return mm;
+}
 /* Please note the differences between mmput and mm_release.
 * mmput is called whenever we stop holding onto a mm_struct,
 * error success whatever.
author	Christopher Yeoh <cyeoh@au1.ibm.com>	2012-02-01 20:04:09 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2012-02-02 15:55:17 -0500
commit	8cdb878dcb359fd1137e9abdee9322f5e9bcfdf8 (patch)
tree	146afc01f3c1d7cbc944328484d077032bc53bfd /kernel
parent	24b36da33c64368775f4ef9386d44dce1d2bc8cf (diff)

diff --git a/kernel/fork.c b/kernel/fork.c index 051f090d40c1..1b2ef3c23ae4 100644 --- a/kernel/fork.c +++ b/kernel/fork.c
@@ -647,6 +647,26 @@ struct mm_struct get_task_mm(struct task_struct task)
647	}	647	}
648	EXPORT_SYMBOL_GPL(get_task_mm);	648	EXPORT_SYMBOL_GPL(get_task_mm);
649		649
		650	struct mm_struct mm_access(struct task_struct task, unsigned int mode)
		651	{
		652	struct mm_struct *mm;
		653	int err;
		654
		655	err = mutex_lock_killable(&task->signal->cred_guard_mutex);
		656	if (err)
		657	return ERR_PTR(err);
		658
		659	mm = get_task_mm(task);
		660	if (mm && mm != current->mm &&
		661	!ptrace_may_access(task, mode)) {
		662	mmput(mm);
		663	mm = ERR_PTR(-EACCES);
		664	}
		665	mutex_unlock(&task->signal->cred_guard_mutex);
		666
		667	return mm;
		668	}
		669
650	/* Please note the differences between mmput and mm_release.	670	/* Please note the differences between mmput and mm_release.
651	* mmput is called whenever we stop holding onto a mm_struct,	671	* mmput is called whenever we stop holding onto a mm_struct,
652	* error success whatever.	672	* error success whatever.