1 files changed, 126 insertions, 63 deletions
diff --git a/fs/proc/base.c b/fs/proc/base.c
index d49c4b5d2c3e..dfa532730e55 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -191,17 +191,20 @@ static int proc_root_link(struct inode *inode, struct path *path)
        return result;
 }
-/*
+static struct mm_struct *__check_mem_permission(struct task_struct *task)
- * Return zero if current may access user memory in @task, -error if not.
- */
-static int check_mem_permission(struct task_struct *task)
 {
+        struct mm_struct *mm;
+        mm = get_task_mm(task);
+        if (!mm)
+                return ERR_PTR(-EINVAL);
        /*
         * A task can always look at itself, in case it chooses
         * to use system calls instead of load instructions.
         */
        if (task == current)
-                return 0;
+                return mm;
        /*
         * If current is actively ptrace'ing, and would also be
@@ -213,27 +216,53 @@ static int check_mem_permission(struct task_struct *task)
                match = (tracehook_tracer_task(task) == current);
                rcu_read_unlock();
                if (match && ptrace_may_access(task, PTRACE_MODE_ATTACH))
-                        return 0;
+                        return mm;
        }
        /*
-         * Noone else is allowed.
+         * No one else is allowed.
+         */
+        mmput(mm);
+        return ERR_PTR(-EPERM);
+}
+/*
+ * If current may access user memory in @task return a reference to the
+ * corresponding mm, otherwise ERR_PTR.
+ */
+static struct mm_struct *check_mem_permission(struct task_struct *task)
+{
+        struct mm_struct *mm;
+        int err;
+        /*
+         * Avoid racing if task exec's as we might get a new mm but validate
+         * against old credentials.
         */
-        return -EPERM;
+        err = mutex_lock_killable(&task->signal->cred_guard_mutex);
+        if (err)
+                return ERR_PTR(err);
+        mm = __check_mem_permission(task);
+        mutex_unlock(&task->signal->cred_guard_mutex);
+        return mm;
 }
 struct mm_struct *mm_for_maps(struct task_struct *task)
 {
        struct mm_struct *mm;
+        int err;
-        if (mutex_lock_killable(&task->signal->cred_guard_mutex))
+        err =  mutex_lock_killable(&task->signal->cred_guard_mutex);
-                return NULL;
+        if (err)
+                return ERR_PTR(err);
        mm = get_task_mm(task);
        if (mm && mm != current->mm &&
                        !ptrace_may_access(task, PTRACE_MODE_READ)) {
                mmput(mm);
-                mm = NULL;
+                mm = ERR_PTR(-EACCES);
        }
        mutex_unlock(&task->signal->cred_guard_mutex);
@@ -279,9 +308,9 @@ out:
 static int proc_pid_auxv(struct task_struct *task, char *buffer)
 {
-        int res = 0;
+        struct mm_struct *mm = mm_for_maps(task);
-        struct mm_struct *mm = get_task_mm(task);
+        int res = PTR_ERR(mm);
-        if (mm) {
+        if (mm && !IS_ERR(mm)) {
                unsigned int nwords = 0;
                do {
                        nwords += 2;
@@ -318,6 +347,23 @@ static int proc_pid_wchan(struct task_struct *task, char *buffer)
 }
 #endif /* CONFIG_KALLSYMS */
+static int lock_trace(struct task_struct *task)
+{
+        int err = mutex_lock_killable(&task->signal->cred_guard_mutex);
+        if (err)
+                return err;
+        if (!ptrace_may_access(task, PTRACE_MODE_ATTACH)) {
+                mutex_unlock(&task->signal->cred_guard_mutex);
+                return -EPERM;
+        }
+        return 0;
+}
+static void unlock_trace(struct task_struct *task)
+{
+        mutex_unlock(&task->signal->cred_guard_mutex);
+}
 #ifdef CONFIG_STACKTRACE
 #define MAX_STACK_TRACE_DEPTH   64
@@ -327,6 +373,7 @@ static int proc_pid_stack(struct seq_file *m, struct pid_namespace *ns,
 {
        struct stack_trace trace;
        unsigned long *entries;
+        int err;
        int i;
        entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL);
@@ -337,15 +384,20 @@ static int proc_pid_stack(struct seq_file *m, struct pid_namespace *ns,
        trace.max_entries       = MAX_STACK_TRACE_DEPTH;
        trace.entries           = entries;
        trace.skip              = 0;
-        save_stack_trace_tsk(task, &trace);
-        for (i = 0; i < trace.nr_entries; i++) {
+        err = lock_trace(task);
-                seq_printf(m, "[<%p>] %pS\n",
+        if (!err) {
-                           (void *)entries[i], (void *)entries[i]);
+                save_stack_trace_tsk(task, &trace);
+                for (i = 0; i < trace.nr_entries; i++) {
+                        seq_printf(m, "[<%pK>] %pS\n",
+                                   (void *)entries[i], (void *)entries[i]);
+                }
+                unlock_trace(task);
        }
        kfree(entries);
-        return 0;
+        return err;
 }
 #endif
@@ -508,18 +560,22 @@ static int proc_pid_syscall(struct task_struct *task, char *buffer)
 {
        long nr;
        unsigned long args[6], sp, pc;
+        int res = lock_trace(task);
+        if (res)
+                return res;
        if (task_current_syscall(task, &nr, args, 6, &sp, &pc))
-                return sprintf(buffer, "running\n");
+                res = sprintf(buffer, "running\n");
+        else if (nr < 0)
-        if (nr < 0)
+                res = sprintf(buffer, "%ld 0x%lx 0x%lx\n", nr, sp, pc);
-                return sprintf(buffer, "%ld 0x%lx 0x%lx\n", nr, sp, pc);
+        else
+                res = sprintf(buffer,
-        return sprintf(buffer,
                       "%ld 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx\n",
                       nr,
                       args[0], args[1], args[2], args[3], args[4], args[5],
                       sp, pc);
+        unlock_trace(task);
+        return res;
 }
 #endif /* CONFIG_HAVE_ARCH_TRACEHOOK */
@@ -775,18 +831,14 @@ static ssize_t mem_read(struct file * file, char __user * buf,
        if (!task)
                goto out_no_task;
-        if (check_mem_permission(task))
-                goto out;
        ret = -ENOMEM;
        page = (char *)__get_free_page(GFP_TEMPORARY);
        if (!page)
                goto out;
-        ret = 0;
+        mm = check_mem_permission(task);
- 
+        ret = PTR_ERR(mm);
-        mm = get_task_mm(task);
+        if (IS_ERR(mm))
-        if (!mm)
                goto out_free;
        ret = -EIO;
@@ -800,8 +852,8 @@ static ssize_t mem_read(struct file * file, char __user * buf,
                int this_len, retval;
                this_len = (count > PAGE_SIZE) ? PAGE_SIZE : count;
-                retval = access_process_vm(task, src, page, this_len, 0);
+                retval = access_remote_vm(mm, src, page, this_len, 0);
-                if (!retval || check_mem_permission(task)) {
+                if (!retval) {
                        if (!ret)
                                ret = -EIO;
                        break;
@@ -829,10 +881,6 @@ out_no_task:
        return ret;
 }
-#define mem_write NULL
-#ifndef mem_write
-/* This is a security hazard */
 static ssize_t mem_write(struct file * file, const char __user *buf,
                         size_t count, loff_t *ppos)
 {
@@ -840,18 +888,25 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
        char *page;
        struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
        unsigned long dst = *ppos;
+        struct mm_struct *mm;
        copied = -ESRCH;
        if (!task)
                goto out_no_task;
-        if (check_mem_permission(task))
+        mm = check_mem_permission(task);
-                goto out;
+        copied = PTR_ERR(mm);
+        if (IS_ERR(mm))
+                goto out_task;
+        copied = -EIO;
+        if (file->private_data != (void *)((long)current->self_exec_id))
+                goto out_mm;
        copied = -ENOMEM;
        page = (char *)__get_free_page(GFP_TEMPORARY);
        if (!page)
-                goto out;
+                goto out_mm;
        copied = 0;
        while (count > 0) {
@@ -862,7 +917,7 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
                        copied = -EFAULT;
                        break;
                }
-                retval = access_process_vm(task, dst, page, this_len, 1);
+                retval = access_remote_vm(mm, dst, page, this_len, 1);
                if (!retval) {
                        if (!copied)
                                copied = -EIO;
@@ -875,12 +930,13 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
        }
        *ppos = dst;
        free_page((unsigned long) page);
-out:
+out_mm:
+        mmput(mm);
+out_task:
        put_task_struct(task);
 out_no_task:
        return copied;
 }
-#endif
 loff_t mem_lseek(struct file *file, loff_t offset, int orig)
 {
@@ -917,20 +973,18 @@ static ssize_t environ_read(struct file *file, char __user *buf,
        if (!task)
                goto out_no_task;
-        if (!ptrace_may_access(task, PTRACE_MODE_READ))
-                goto out;
        ret = -ENOMEM;
        page = (char *)__get_free_page(GFP_TEMPORARY);
        if (!page)
                goto out;
-        ret = 0;
-        mm = get_task_mm(task);
+        mm = mm_for_maps(task);
-        if (!mm)
+        ret = PTR_ERR(mm);
+        if (!mm || IS_ERR(mm))
                goto out_free;
+        ret = 0;
        while (count > 0) {
                int this_len, retval, max_len;
@@ -2748,8 +2802,12 @@ static int proc_tgid_io_accounting(struct task_struct *task, char *buffer)
 static int proc_pid_personality(struct seq_file *m, struct pid_namespace *ns,
                                struct pid *pid, struct task_struct *task)
 {
-        seq_printf(m, "%08x\n", task->personality);
+        int err = lock_trace(task);
-        return 0;
+        if (!err) {
+                seq_printf(m, "%08x\n", task->personality);
+                unlock_trace(task);
+        }
+        return err;
 }
 /*
@@ -2768,7 +2826,7 @@ static const struct pid_entry tgid_base_stuff[] = {
        REG("environ",    S_IRUSR, proc_environ_operations),
        INF("auxv",       S_IRUSR, proc_pid_auxv),
        ONE("status",     S_IRUGO, proc_pid_status),
-        ONE("personality", S_IRUSR, proc_pid_personality),
+        ONE("personality", S_IRUGO, proc_pid_personality),
        INF("limits",     S_IRUGO, proc_pid_limits),
 #ifdef CONFIG_SCHED_DEBUG
        REG("sched",      S_IRUGO|S_IWUSR, proc_pid_sched_operations),
@@ -2778,7 +2836,7 @@ static const struct pid_entry tgid_base_stuff[] = {
 #endif
        REG("comm",      S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
 #ifdef CONFIG_HAVE_ARCH_TRACEHOOK
-        INF("syscall",    S_IRUSR, proc_pid_syscall),
+        INF("syscall",    S_IRUGO, proc_pid_syscall),
 #endif
        INF("cmdline",    S_IRUGO, proc_pid_cmdline),
        ONE("stat",       S_IRUGO, proc_tgid_stat),
@@ -2797,7 +2855,7 @@ static const struct pid_entry tgid_base_stuff[] = {
 #ifdef CONFIG_PROC_PAGE_MONITOR
        REG("clear_refs", S_IWUSR, proc_clear_refs_operations),
        REG("smaps",      S_IRUGO, proc_smaps_operations),
-        REG("pagemap",    S_IRUSR, proc_pagemap_operations),
+        REG("pagemap",    S_IRUGO, proc_pagemap_operations),
 #endif
 #ifdef CONFIG_SECURITY
        DIR("attr",       S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
@@ -2806,7 +2864,7 @@ static const struct pid_entry tgid_base_stuff[] = {
        INF("wchan",      S_IRUGO, proc_pid_wchan),
 #endif
 #ifdef CONFIG_STACKTRACE
-        ONE("stack",      S_IRUSR, proc_pid_stack),
+        ONE("stack",      S_IRUGO, proc_pid_stack),
 #endif
 #ifdef CONFIG_SCHEDSTATS
        INF("schedstat",  S_IRUGO, proc_pid_schedstat),
@@ -3066,11 +3124,16 @@ static int proc_pid_fill_cache(struct file *filp, void *dirent, filldir_t filldi
 /* for the /proc/ directory itself, after non-process stuff has been done */
 int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
 {
-        unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
+        unsigned int nr;
-        struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);
+        struct task_struct *reaper;
        struct tgid_iter iter;
        struct pid_namespace *ns;
+        if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET)
+                goto out_no_task;
+        nr = filp->f_pos - FIRST_PROCESS_ENTRY;
+        reaper = get_proc_task(filp->f_path.dentry->d_inode);
        if (!reaper)
                goto out_no_task;
@@ -3108,14 +3171,14 @@ static const struct pid_entry tid_base_stuff[] = {
        REG("environ",   S_IRUSR, proc_environ_operations),
        INF("auxv",      S_IRUSR, proc_pid_auxv),
        ONE("status",    S_IRUGO, proc_pid_status),
-        ONE("personality", S_IRUSR, proc_pid_personality),
+        ONE("personality", S_IRUGO, proc_pid_personality),
        INF("limits",    S_IRUGO, proc_pid_limits),
 #ifdef CONFIG_SCHED_DEBUG
        REG("sched",     S_IRUGO|S_IWUSR, proc_pid_sched_operations),
 #endif
        REG("comm",      S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
 #ifdef CONFIG_HAVE_ARCH_TRACEHOOK
-        INF("syscall",   S_IRUSR, proc_pid_syscall),
+        INF("syscall",   S_IRUGO, proc_pid_syscall),
 #endif
        INF("cmdline",   S_IRUGO, proc_pid_cmdline),
        ONE("stat",      S_IRUGO, proc_tid_stat),
@@ -3133,7 +3196,7 @@ static const struct pid_entry tid_base_stuff[] = {
 #ifdef CONFIG_PROC_PAGE_MONITOR
        REG("clear_refs", S_IWUSR, proc_clear_refs_operations),
        REG("smaps",     S_IRUGO, proc_smaps_operations),
-        REG("pagemap",    S_IRUSR, proc_pagemap_operations),
+        REG("pagemap",    S_IRUGO, proc_pagemap_operations),
 #endif
 #ifdef CONFIG_SECURITY
        DIR("attr",      S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
@@ -3142,7 +3205,7 @@ static const struct pid_entry tid_base_stuff[] = {
        INF("wchan",     S_IRUGO, proc_pid_wchan),
 #endif
 #ifdef CONFIG_STACKTRACE
-        ONE("stack",      S_IRUSR, proc_pid_stack),
+        ONE("stack",      S_IRUGO, proc_pid_stack),
 #endif
 #ifdef CONFIG_SCHEDSTATS
        INF("schedstat", S_IRUGO, proc_pid_schedstat),
@@ -3161,7 +3224,7 @@ static const struct pid_entry tid_base_stuff[] = {
        REG("oom_score_adj", S_IRUGO|S_IWUSR, proc_oom_score_adj_operations),
 #ifdef CONFIG_AUDITSYSCALL
        REG("loginuid",  S_IWUSR|S_IRUGO, proc_loginuid_operations),
-        REG("sessionid",  S_IRUSR, proc_sessionid_operations),
+        REG("sessionid",  S_IRUGO, proc_sessionid_operations),
 #endif
 #ifdef CONFIG_FAULT_INJECTION
        REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations),

diff --git a/fs/proc/base.c b/fs/proc/base.c index d49c4b5d2c3e..dfa532730e55 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c
@@ -191,17 +191,20 @@ static int proc_root_link(struct inode inode, struct path path)
191	return result;	191	return result;
192	}	192	}
193		193
194	/*	194	static struct mm_struct __check_mem_permission(struct task_struct task)
195	* Return zero if current may access user memory in @task, -error if not.
196	*/
197	static int check_mem_permission(struct task_struct *task)
198	{	195	{
		196	struct mm_struct *mm;
		197
		198	mm = get_task_mm(task);
		199	if (!mm)
		200	return ERR_PTR(-EINVAL);
		201
199	/*	202	/*
200	* A task can always look at itself, in case it chooses	203	* A task can always look at itself, in case it chooses
201	* to use system calls instead of load instructions.	204	* to use system calls instead of load instructions.
202	*/	205	*/
203	if (task == current)	206	if (task == current)
204	return 0;	207	return mm;
205		208
206	/*	209	/*
207	* If current is actively ptrace'ing, and would also be	210	* If current is actively ptrace'ing, and would also be
@@ -213,27 +216,53 @@ static int check_mem_permission(struct task_struct *task)
213	match = (tracehook_tracer_task(task) == current);	216	match = (tracehook_tracer_task(task) == current);
214	rcu_read_unlock();	217	rcu_read_unlock();
215	if (match && ptrace_may_access(task, PTRACE_MODE_ATTACH))	218	if (match && ptrace_may_access(task, PTRACE_MODE_ATTACH))
216	return 0;	219	return mm;
217	}	220	}
218		221
219	/*	222	/*
220	* Noone else is allowed.	223	* No one else is allowed.
		224	*/
		225	mmput(mm);
		226	return ERR_PTR(-EPERM);
		227	}
		228
		229	/*
		230	* If current may access user memory in @task return a reference to the
		231	* corresponding mm, otherwise ERR_PTR.
		232	*/
		233	static struct mm_struct check_mem_permission(struct task_struct task)
		234	{
		235	struct mm_struct *mm;
		236	int err;
		237
		238	/*
		239	* Avoid racing if task exec's as we might get a new mm but validate
		240	* against old credentials.
221	*/	241	*/
222	return -EPERM;	242	err = mutex_lock_killable(&task->signal->cred_guard_mutex);
		243	if (err)
		244	return ERR_PTR(err);
		245
		246	mm = __check_mem_permission(task);
		247	mutex_unlock(&task->signal->cred_guard_mutex);
		248
		249	return mm;
223	}	250	}
224		251
225	struct mm_struct mm_for_maps(struct task_struct task)	252	struct mm_struct mm_for_maps(struct task_struct task)
226	{	253	{
227	struct mm_struct *mm;	254	struct mm_struct *mm;
		255	int err;
228		256
229	if (mutex_lock_killable(&task->signal->cred_guard_mutex))	257	err = mutex_lock_killable(&task->signal->cred_guard_mutex);
230	return NULL;	258	if (err)
		259	return ERR_PTR(err);
231		260
232	mm = get_task_mm(task);	261	mm = get_task_mm(task);
233	if (mm && mm != current->mm &&	262	if (mm && mm != current->mm &&
234	!ptrace_may_access(task, PTRACE_MODE_READ)) {	263	!ptrace_may_access(task, PTRACE_MODE_READ)) {
235	mmput(mm);	264	mmput(mm);
236	mm = NULL;	265	mm = ERR_PTR(-EACCES);
237	}	266	}
238	mutex_unlock(&task->signal->cred_guard_mutex);	267	mutex_unlock(&task->signal->cred_guard_mutex);
239		268
@@ -279,9 +308,9 @@ out:
279		308
280	static int proc_pid_auxv(struct task_struct task, char buffer)	309	static int proc_pid_auxv(struct task_struct task, char buffer)
281	{	310	{
282	int res = 0;	311	struct mm_struct *mm = mm_for_maps(task);
283	struct mm_struct *mm = get_task_mm(task);	312	int res = PTR_ERR(mm);
284	if (mm) {	313	if (mm && !IS_ERR(mm)) {
285	unsigned int nwords = 0;	314	unsigned int nwords = 0;
286	do {	315	do {
287	nwords += 2;	316	nwords += 2;
@@ -318,6 +347,23 @@ static int proc_pid_wchan(struct task_struct task, char buffer)
318	}	347	}
319	#endif /* CONFIG_KALLSYMS */	348	#endif /* CONFIG_KALLSYMS */
320		349
		350	static int lock_trace(struct task_struct *task)
		351	{
		352	int err = mutex_lock_killable(&task->signal->cred_guard_mutex);
		353	if (err)
		354	return err;
		355	if (!ptrace_may_access(task, PTRACE_MODE_ATTACH)) {
		356	mutex_unlock(&task->signal->cred_guard_mutex);
		357	return -EPERM;
		358	}
		359	return 0;
		360	}
		361
		362	static void unlock_trace(struct task_struct *task)
		363	{
		364	mutex_unlock(&task->signal->cred_guard_mutex);
		365	}
		366
321	#ifdef CONFIG_STACKTRACE	367	#ifdef CONFIG_STACKTRACE
322		368
323	#define MAX_STACK_TRACE_DEPTH 64	369	#define MAX_STACK_TRACE_DEPTH 64
@@ -327,6 +373,7 @@ static int proc_pid_stack(struct seq_file m, struct pid_namespace ns,
327	{	373	{
328	struct stack_trace trace;	374	struct stack_trace trace;
329	unsigned long *entries;	375	unsigned long *entries;
		376	int err;
330	int i;	377	int i;
331		378
332	entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL);	379	entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL);
@@ -337,15 +384,20 @@ static int proc_pid_stack(struct seq_file m, struct pid_namespace ns,
337	trace.max_entries = MAX_STACK_TRACE_DEPTH;	384	trace.max_entries = MAX_STACK_TRACE_DEPTH;
338	trace.entries = entries;	385	trace.entries = entries;
339	trace.skip = 0;	386	trace.skip = 0;
340	save_stack_trace_tsk(task, &trace);
341		387
342	for (i = 0; i < trace.nr_entries; i++) {	388	err = lock_trace(task);
343	seq_printf(m, "[<%p>] %pS\n",	389	if (!err) {
344	(void )entries[i], (void )entries[i]);	390	save_stack_trace_tsk(task, &trace);
		391
		392	for (i = 0; i < trace.nr_entries; i++) {
		393	seq_printf(m, "[<%pK>] %pS\n",
		394	(void )entries[i], (void )entries[i]);
		395	}
		396	unlock_trace(task);
345	}	397	}
346	kfree(entries);	398	kfree(entries);
347		399
348	return 0;	400	return err;
349	}	401	}
350	#endif	402	#endif
351		403
@@ -508,18 +560,22 @@ static int proc_pid_syscall(struct task_struct task, char buffer)
508	{	560	{
509	long nr;	561	long nr;
510	unsigned long args[6], sp, pc;	562	unsigned long args[6], sp, pc;
		563	int res = lock_trace(task);
		564	if (res)
		565	return res;
511		566
512	if (task_current_syscall(task, &nr, args, 6, &sp, &pc))	567	if (task_current_syscall(task, &nr, args, 6, &sp, &pc))
513	return sprintf(buffer, "running\n");	568	res = sprintf(buffer, "running\n");
514		569	else if (nr < 0)
515	if (nr < 0)	570	res = sprintf(buffer, "%ld 0x%lx 0x%lx\n", nr, sp, pc);
516	return sprintf(buffer, "%ld 0x%lx 0x%lx\n", nr, sp, pc);	571	else
517		572	res = sprintf(buffer,
518	return sprintf(buffer,
519	"%ld 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx\n",	573	"%ld 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx\n",
520	nr,	574	nr,
521	args[0], args[1], args[2], args[3], args[4], args[5],	575	args[0], args[1], args[2], args[3], args[4], args[5],
522	sp, pc);	576	sp, pc);
		577	unlock_trace(task);
		578	return res;
523	}	579	}
524	#endif /* CONFIG_HAVE_ARCH_TRACEHOOK */	580	#endif /* CONFIG_HAVE_ARCH_TRACEHOOK */
525		581
@@ -775,18 +831,14 @@ static ssize_t mem_read(struct file * file, char __user * buf,
775	if (!task)	831	if (!task)
776	goto out_no_task;	832	goto out_no_task;
777		833
778	if (check_mem_permission(task))
779	goto out;
780
781	ret = -ENOMEM;	834	ret = -ENOMEM;
782	page = (char *)__get_free_page(GFP_TEMPORARY);	835	page = (char *)__get_free_page(GFP_TEMPORARY);
783	if (!page)	836	if (!page)
784	goto out;	837	goto out;
785		838
786	ret = 0;	839	mm = check_mem_permission(task);
787		840	ret = PTR_ERR(mm);
788	mm = get_task_mm(task);	841	if (IS_ERR(mm))
789	if (!mm)
790	goto out_free;	842	goto out_free;
791		843
792	ret = -EIO;	844	ret = -EIO;
@@ -800,8 +852,8 @@ static ssize_t mem_read(struct file * file, char __user * buf,
800	int this_len, retval;	852	int this_len, retval;
801		853
802	this_len = (count > PAGE_SIZE) ? PAGE_SIZE : count;	854	this_len = (count > PAGE_SIZE) ? PAGE_SIZE : count;
803	retval = access_process_vm(task, src, page, this_len, 0);	855	retval = access_remote_vm(mm, src, page, this_len, 0);
804	if (!retval \|\| check_mem_permission(task)) {	856	if (!retval) {
805	if (!ret)	857	if (!ret)
806	ret = -EIO;	858	ret = -EIO;
807	break;	859	break;
@@ -829,10 +881,6 @@ out_no_task:
829	return ret;	881	return ret;
830	}	882	}
831		883
832	#define mem_write NULL
833
834	#ifndef mem_write
835	/* This is a security hazard */
836	static ssize_t mem_write(struct file * file, const char __user *buf,	884	static ssize_t mem_write(struct file * file, const char __user *buf,
837	size_t count, loff_t *ppos)	885	size_t count, loff_t *ppos)
838	{	886	{
@@ -840,18 +888,25 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
840	char *page;	888	char *page;
841	struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);	889	struct task_struct *task = get_proc_task(file->f_path.dentry->d_inode);
842	unsigned long dst = *ppos;	890	unsigned long dst = *ppos;
		891	struct mm_struct *mm;
843		892
844	copied = -ESRCH;	893	copied = -ESRCH;
845	if (!task)	894	if (!task)
846	goto out_no_task;	895	goto out_no_task;
847		896
848	if (check_mem_permission(task))	897	mm = check_mem_permission(task);
849	goto out;	898	copied = PTR_ERR(mm);
		899	if (IS_ERR(mm))
		900	goto out_task;
		901
		902	copied = -EIO;
		903	if (file->private_data != (void *)((long)current->self_exec_id))
		904	goto out_mm;
850		905
851	copied = -ENOMEM;	906	copied = -ENOMEM;
852	page = (char *)__get_free_page(GFP_TEMPORARY);	907	page = (char *)__get_free_page(GFP_TEMPORARY);
853	if (!page)	908	if (!page)
854	goto out;	909	goto out_mm;
855		910
856	copied = 0;	911	copied = 0;
857	while (count > 0) {	912	while (count > 0) {
@@ -862,7 +917,7 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
862	copied = -EFAULT;	917	copied = -EFAULT;
863	break;	918	break;
864	}	919	}
865	retval = access_process_vm(task, dst, page, this_len, 1);	920	retval = access_remote_vm(mm, dst, page, this_len, 1);
866	if (!retval) {	921	if (!retval) {
867	if (!copied)	922	if (!copied)
868	copied = -EIO;	923	copied = -EIO;
@@ -875,12 +930,13 @@ static ssize_t mem_write(struct file * file, const char __user *buf,
875	}	930	}
876	*ppos = dst;	931	*ppos = dst;
877	free_page((unsigned long) page);	932	free_page((unsigned long) page);
878	out:	933	out_mm:
		934	mmput(mm);
		935	out_task:
879	put_task_struct(task);	936	put_task_struct(task);
880	out_no_task:	937	out_no_task:
881	return copied;	938	return copied;
882	}	939	}
883	#endif
884		940
885	loff_t mem_lseek(struct file *file, loff_t offset, int orig)	941	loff_t mem_lseek(struct file *file, loff_t offset, int orig)
886	{	942	{
@@ -917,20 +973,18 @@ static ssize_t environ_read(struct file file, char __user buf,
917	if (!task)	973	if (!task)
918	goto out_no_task;	974	goto out_no_task;
919		975
920	if (!ptrace_may_access(task, PTRACE_MODE_READ))
921	goto out;
922
923	ret = -ENOMEM;	976	ret = -ENOMEM;
924	page = (char *)__get_free_page(GFP_TEMPORARY);	977	page = (char *)__get_free_page(GFP_TEMPORARY);
925	if (!page)	978	if (!page)
926	goto out;	979	goto out;
927		980
928	ret = 0;
929		981
930	mm = get_task_mm(task);	982	mm = mm_for_maps(task);
931	if (!mm)	983	ret = PTR_ERR(mm);
		984	if (!mm \|\| IS_ERR(mm))
932	goto out_free;	985	goto out_free;
933		986
		987	ret = 0;
934	while (count > 0) {	988	while (count > 0) {
935	int this_len, retval, max_len;	989	int this_len, retval, max_len;
936		990
@@ -2748,8 +2802,12 @@ static int proc_tgid_io_accounting(struct task_struct task, char buffer)
2748	static int proc_pid_personality(struct seq_file m, struct pid_namespace ns,	2802	static int proc_pid_personality(struct seq_file m, struct pid_namespace ns,
2749	struct pid pid, struct task_struct task)	2803	struct pid pid, struct task_struct task)
2750	{	2804	{
2751	seq_printf(m, "%08x\n", task->personality);	2805	int err = lock_trace(task);
2752	return 0;	2806	if (!err) {
		2807	seq_printf(m, "%08x\n", task->personality);
		2808	unlock_trace(task);
		2809	}
		2810	return err;
2753	}	2811	}
2754		2812
2755	/*	2813	/*
@@ -2768,7 +2826,7 @@ static const struct pid_entry tgid_base_stuff[] = {
2768	REG("environ", S_IRUSR, proc_environ_operations),	2826	REG("environ", S_IRUSR, proc_environ_operations),
2769	INF("auxv", S_IRUSR, proc_pid_auxv),	2827	INF("auxv", S_IRUSR, proc_pid_auxv),
2770	ONE("status", S_IRUGO, proc_pid_status),	2828	ONE("status", S_IRUGO, proc_pid_status),
2771	ONE("personality", S_IRUSR, proc_pid_personality),	2829	ONE("personality", S_IRUGO, proc_pid_personality),
2772	INF("limits", S_IRUGO, proc_pid_limits),	2830	INF("limits", S_IRUGO, proc_pid_limits),
2773	#ifdef CONFIG_SCHED_DEBUG	2831	#ifdef CONFIG_SCHED_DEBUG
2774	REG("sched", S_IRUGO\|S_IWUSR, proc_pid_sched_operations),	2832	REG("sched", S_IRUGO\|S_IWUSR, proc_pid_sched_operations),
@@ -2778,7 +2836,7 @@ static const struct pid_entry tgid_base_stuff[] = {
2778	#endif	2836	#endif
2779	REG("comm", S_IRUGO\|S_IWUSR, proc_pid_set_comm_operations),	2837	REG("comm", S_IRUGO\|S_IWUSR, proc_pid_set_comm_operations),
2780	#ifdef CONFIG_HAVE_ARCH_TRACEHOOK	2838	#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
2781	INF("syscall", S_IRUSR, proc_pid_syscall),	2839	INF("syscall", S_IRUGO, proc_pid_syscall),
2782	#endif	2840	#endif
2783	INF("cmdline", S_IRUGO, proc_pid_cmdline),	2841	INF("cmdline", S_IRUGO, proc_pid_cmdline),
2784	ONE("stat", S_IRUGO, proc_tgid_stat),	2842	ONE("stat", S_IRUGO, proc_tgid_stat),
@@ -2797,7 +2855,7 @@ static const struct pid_entry tgid_base_stuff[] = {
2797	#ifdef CONFIG_PROC_PAGE_MONITOR	2855	#ifdef CONFIG_PROC_PAGE_MONITOR
2798	REG("clear_refs", S_IWUSR, proc_clear_refs_operations),	2856	REG("clear_refs", S_IWUSR, proc_clear_refs_operations),
2799	REG("smaps", S_IRUGO, proc_smaps_operations),	2857	REG("smaps", S_IRUGO, proc_smaps_operations),
2800	REG("pagemap", S_IRUSR, proc_pagemap_operations),	2858	REG("pagemap", S_IRUGO, proc_pagemap_operations),
2801	#endif	2859	#endif
2802	#ifdef CONFIG_SECURITY	2860	#ifdef CONFIG_SECURITY
2803	DIR("attr", S_IRUGO\|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),	2861	DIR("attr", S_IRUGO\|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
@@ -2806,7 +2864,7 @@ static const struct pid_entry tgid_base_stuff[] = {
2806	INF("wchan", S_IRUGO, proc_pid_wchan),	2864	INF("wchan", S_IRUGO, proc_pid_wchan),
2807	#endif	2865	#endif
2808	#ifdef CONFIG_STACKTRACE	2866	#ifdef CONFIG_STACKTRACE
2809	ONE("stack", S_IRUSR, proc_pid_stack),	2867	ONE("stack", S_IRUGO, proc_pid_stack),
2810	#endif	2868	#endif
2811	#ifdef CONFIG_SCHEDSTATS	2869	#ifdef CONFIG_SCHEDSTATS
2812	INF("schedstat", S_IRUGO, proc_pid_schedstat),	2870	INF("schedstat", S_IRUGO, proc_pid_schedstat),
@@ -3066,11 +3124,16 @@ static int proc_pid_fill_cache(struct file filp, void dirent, filldir_t filldi
3066	/* for the /proc/ directory itself, after non-process stuff has been done */	3124	/* for the /proc/ directory itself, after non-process stuff has been done */
3067	int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)	3125	int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir)
3068	{	3126	{
3069	unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;	3127	unsigned int nr;
3070	struct task_struct *reaper = get_proc_task(filp->f_path.dentry->d_inode);	3128	struct task_struct *reaper;
3071	struct tgid_iter iter;	3129	struct tgid_iter iter;
3072	struct pid_namespace *ns;	3130	struct pid_namespace *ns;
3073		3131
		3132	if (filp->f_pos >= PID_MAX_LIMIT + TGID_OFFSET)
		3133	goto out_no_task;
		3134	nr = filp->f_pos - FIRST_PROCESS_ENTRY;
		3135
		3136	reaper = get_proc_task(filp->f_path.dentry->d_inode);
3074	if (!reaper)	3137	if (!reaper)
3075	goto out_no_task;	3138	goto out_no_task;
3076		3139
@@ -3108,14 +3171,14 @@ static const struct pid_entry tid_base_stuff[] = {
3108	REG("environ", S_IRUSR, proc_environ_operations),	3171	REG("environ", S_IRUSR, proc_environ_operations),
3109	INF("auxv", S_IRUSR, proc_pid_auxv),	3172	INF("auxv", S_IRUSR, proc_pid_auxv),
3110	ONE("status", S_IRUGO, proc_pid_status),	3173	ONE("status", S_IRUGO, proc_pid_status),
3111	ONE("personality", S_IRUSR, proc_pid_personality),	3174	ONE("personality", S_IRUGO, proc_pid_personality),
3112	INF("limits", S_IRUGO, proc_pid_limits),	3175	INF("limits", S_IRUGO, proc_pid_limits),
3113	#ifdef CONFIG_SCHED_DEBUG	3176	#ifdef CONFIG_SCHED_DEBUG
3114	REG("sched", S_IRUGO\|S_IWUSR, proc_pid_sched_operations),	3177	REG("sched", S_IRUGO\|S_IWUSR, proc_pid_sched_operations),
3115	#endif	3178	#endif
3116	REG("comm", S_IRUGO\|S_IWUSR, proc_pid_set_comm_operations),	3179	REG("comm", S_IRUGO\|S_IWUSR, proc_pid_set_comm_operations),
3117	#ifdef CONFIG_HAVE_ARCH_TRACEHOOK	3180	#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
3118	INF("syscall", S_IRUSR, proc_pid_syscall),	3181	INF("syscall", S_IRUGO, proc_pid_syscall),
3119	#endif	3182	#endif
3120	INF("cmdline", S_IRUGO, proc_pid_cmdline),	3183	INF("cmdline", S_IRUGO, proc_pid_cmdline),
3121	ONE("stat", S_IRUGO, proc_tid_stat),	3184	ONE("stat", S_IRUGO, proc_tid_stat),
@@ -3133,7 +3196,7 @@ static const struct pid_entry tid_base_stuff[] = {
3133	#ifdef CONFIG_PROC_PAGE_MONITOR	3196	#ifdef CONFIG_PROC_PAGE_MONITOR
3134	REG("clear_refs", S_IWUSR, proc_clear_refs_operations),	3197	REG("clear_refs", S_IWUSR, proc_clear_refs_operations),
3135	REG("smaps", S_IRUGO, proc_smaps_operations),	3198	REG("smaps", S_IRUGO, proc_smaps_operations),
3136	REG("pagemap", S_IRUSR, proc_pagemap_operations),	3199	REG("pagemap", S_IRUGO, proc_pagemap_operations),
3137	#endif	3200	#endif
3138	#ifdef CONFIG_SECURITY	3201	#ifdef CONFIG_SECURITY
3139	DIR("attr", S_IRUGO\|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),	3202	DIR("attr", S_IRUGO\|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
@@ -3142,7 +3205,7 @@ static const struct pid_entry tid_base_stuff[] = {
3142	INF("wchan", S_IRUGO, proc_pid_wchan),	3205	INF("wchan", S_IRUGO, proc_pid_wchan),
3143	#endif	3206	#endif
3144	#ifdef CONFIG_STACKTRACE	3207	#ifdef CONFIG_STACKTRACE
3145	ONE("stack", S_IRUSR, proc_pid_stack),	3208	ONE("stack", S_IRUGO, proc_pid_stack),
3146	#endif	3209	#endif
3147	#ifdef CONFIG_SCHEDSTATS	3210	#ifdef CONFIG_SCHEDSTATS
3148	INF("schedstat", S_IRUGO, proc_pid_schedstat),	3211	INF("schedstat", S_IRUGO, proc_pid_schedstat),
@@ -3161,7 +3224,7 @@ static const struct pid_entry tid_base_stuff[] = {
3161	REG("oom_score_adj", S_IRUGO\|S_IWUSR, proc_oom_score_adj_operations),	3224	REG("oom_score_adj", S_IRUGO\|S_IWUSR, proc_oom_score_adj_operations),
3162	#ifdef CONFIG_AUDITSYSCALL	3225	#ifdef CONFIG_AUDITSYSCALL
3163	REG("loginuid", S_IWUSR\|S_IRUGO, proc_loginuid_operations),	3226	REG("loginuid", S_IWUSR\|S_IRUGO, proc_loginuid_operations),
3164	REG("sessionid", S_IRUSR, proc_sessionid_operations),	3227	REG("sessionid", S_IRUGO, proc_sessionid_operations),
3165	#endif	3228	#endif
3166	#ifdef CONFIG_FAULT_INJECTION	3229	#ifdef CONFIG_FAULT_INJECTION
3167	REG("make-it-fail", S_IRUGO\|S_IWUSR, proc_fault_inject_operations),	3230	REG("make-it-fail", S_IRUGO\|S_IWUSR, proc_fault_inject_operations),