[thirdparty/kernel/stable-queue.git] / releases / 3.10.34 / fs-proc-base.c-fix-gpf-in-proc-pid-map_files.patch

From 70335abb2689c8cd5df91bf2d95a65649addf50b Mon Sep 17 00:00:00 2001
From: Artem Fetishev <artem_fetishev@epam.com>
Date: Mon, 10 Mar 2014 15:49:45 -0700
Subject: fs/proc/base.c: fix GPF in /proc/$PID/map_files

From: Artem Fetishev <artem_fetishev@epam.com>

commit 70335abb2689c8cd5df91bf2d95a65649addf50b upstream.

The expected logic of proc_map_files_get_link() is either to return 0
and initialize 'path' or return an error and leave 'path' uninitialized.

By the time dname_to_vma_addr() returns 0 the corresponding vma may have
already be gone.  In this case the path is not initialized but the
return value is still 0.  This results in 'general protection fault'
inside d_path().

Steps to reproduce:

  CONFIG_CHECKPOINT_RESTORE=y

    fd = open(...);
    while (1) {
        mmap(fd, ...);
        munmap(fd, ...);
    }

  ls -la /proc/$PID/map_files

Addresses https://bugzilla.kernel.org/show_bug.cgi?id=68991

Signed-off-by: Artem Fetishev <artem_fetishev@epam.com>
Signed-off-by: Aleksandr Terekhov <aleksandr_terekhov@epam.com>
Reported-by: <wiebittewas@gmail.com>
Acked-by: Pavel Emelyanov <xemul@parallels.com>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/proc/base.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1825,6 +1825,7 @@ static int proc_map_files_get_link(struc
 	if (rc)
 		goto out_mmput;
 
+	rc = -ENOENT;
 	down_read(&mm->mmap_sem);
 	vma = find_exact_vma(mm, vm_start, vm_end);
 	if (vma && vma->vm_file) {
Commit	Line	Data
99663375 GKH	1	From 70335abb2689c8cd5df91bf2d95a65649addf50b Mon Sep 17 00:00:00 2001
	2	From: Artem Fetishev <artem_fetishev@epam.com>
	3	Date: Mon, 10 Mar 2014 15:49:45 -0700
	4	Subject: fs/proc/base.c: fix GPF in /proc/$PID/map_files
	5
	6	From: Artem Fetishev <artem_fetishev@epam.com>
	7
	8	commit 70335abb2689c8cd5df91bf2d95a65649addf50b upstream.
	9
	10	The expected logic of proc_map_files_get_link() is either to return 0
	11	and initialize 'path' or return an error and leave 'path' uninitialized.
	12
	13	By the time dname_to_vma_addr() returns 0 the corresponding vma may have
	14	already be gone. In this case the path is not initialized but the
	15	return value is still 0. This results in 'general protection fault'
	16	inside d_path().
	17
	18	Steps to reproduce:
	19
	20	CONFIG_CHECKPOINT_RESTORE=y
	21
	22	fd = open(...);
	23	while (1) {
	24	mmap(fd, ...);
	25	munmap(fd, ...);
	26	}
	27
	28	ls -la /proc/$PID/map_files
	29
	30	Addresses https://bugzilla.kernel.org/show_bug.cgi?id=68991
	31
	32	Signed-off-by: Artem Fetishev <artem_fetishev@epam.com>
	33	Signed-off-by: Aleksandr Terekhov <aleksandr_terekhov@epam.com>
	34	Reported-by: <wiebittewas@gmail.com>
	35	Acked-by: Pavel Emelyanov <xemul@parallels.com>
	36	Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
	37	Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
	38	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	39	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	40	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	41
	42	---
	43	fs/proc/base.c \| 1 +
	44	1 file changed, 1 insertion(+)
	45
	46	--- a/fs/proc/base.c
	47	+++ b/fs/proc/base.c
	48	@@ -1825,6 +1825,7 @@ static int proc_map_files_get_link(struc
	49	if (rc)
	50	goto out_mmput;
	51
	52	+ rc = -ENOENT;
	53	down_read(&mm->mmap_sem);
	54	vma = find_exact_vma(mm, vm_start, vm_end);
	55	if (vma && vma->vm_file) {