taskstats: don't allow duplicate entries in listener mode, CVE-2011-2484
index 3308fd7..30158f8 100644 (file)
@@ -89,8 +89,7 @@ static int prepare_reply(struct genl_info *info, u8 cmd, struct sk_buff **skbp,
                return -ENOMEM;
 
        if (!info) {
-               int seq = get_cpu_var(taskstats_seqnum)++;
-               put_cpu_var(taskstats_seqnum);
+               int seq = this_cpu_inc_return(taskstats_seqnum) - 1;
 
                reply = genlmsg_put(skb, 0, seq, &family, 0, cmd);
        } else
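Review bot: The `- 1` on the new `this_cpu_inc_return()` line is load-bearing and undocumented: it keeps the sequence number handed to `genlmsg_put()` equal to the pre-increment value the replaced `get_cpu_var(taskstats_seqnum)++` produced, and a later "cleanup" that drops it would shift every unsolicited reply's seq by one. Add a comment on that line: `/* keep post-increment semantics: send the value before the bump */`. prepare_reply() begins and ends outside this hunk.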
@@ -286,16 +285,18 @@ ret:
 static int add_del_listener(pid_t pid, const struct cpumask *mask, int isadd)
 {
        struct listener_list *listeners;
-       struct listener *s, *tmp;
+       struct listener *s, *tmp, *s2;
        unsigned int cpu;
 
        if (!cpumask_subset(mask, cpu_possible_mask))
                return -EINVAL;
 
+       s = NULL;
        if (isadd == REGISTER) {
                for_each_cpu(cpu, mask) {
-                       s = kmalloc_node(sizeof(struct listener), GFP_KERNEL,
-                                        cpu_to_node(cpu));
+                       if (!s)
+                               s = kmalloc_node(sizeof(struct listener),
+                                                GFP_KERNEL, cpu_to_node(cpu));
                        if (!s)
                                goto cleanup;
                        s->pid = pid;
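Review bot: When `s` is carried over to the next CPU after a duplicate is found, it was allocated with the `cpu_to_node()` hint of the CPU that rejected it, not of the CPU where it is eventually inserted, so the NUMA placement is best effort for later CPUs in the mask; harmless for correctness but worth saying. Add above the `if (!s)`: `/* s may be reused across cpus; the node hint is only best effort */`. `s->pid = pid` is re-executed on the reused object each iteration, which is redundant but safe. add_del_listener() continues past this hunk and the `cleanup` label it jumps to is outside it.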
@@ -304,9 +305,16 @@ static int add_del_listener(pid_t pid, const struct cpumask *mask, int isadd)
 
                        listeners = &per_cpu(listener_array, cpu);
                        down_write(&listeners->sem);
+                       list_for_each_entry_safe(s2, tmp, &listeners->list, list) {
+                               if (s2->pid == pid)
+                                       goto next_cpu;
+                       }
                        list_add(&s->list, &listeners->list);
+                       s = NULL;
+next_cpu:
                        up_write(&listeners->sem);
                }
+               kfree(s);
                return 0;
        }
 
@@ -349,7 +357,7 @@ static int parse(struct nlattr *na, struct cpumask *mask)
        return ret;
 }
 
-#ifdef CONFIG_IA64
+#if defined(CONFIG_64BIT) && !defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
 #define TASKSTATS_NEEDS_PADDING 1
 #endif
 
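Review bot: The new condition widens TASKSTATS_NEEDS_PADDING from ia64 alone to every 64-bit arch without CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS, and since the padding is part of the netlink reply layout this is a user-visible ABI change on the newly covered arches that the `#if` does not explain. Add a comment above it: `/* pad so struct taskstats is 8-byte aligned on 64-bit arches that cannot take unaligned loads; changes the reply layout vs. older kernels on non-ia64 arches */`. How the padding attribute is emitted is outside this hunk, so the precise layout effect is inferred from the macro name.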
@@ -612,7 +620,7 @@ void taskstats_exit(struct task_struct *tsk, int group_dead)
                fill_tgid_exit(tsk);
        }
 
-       listeners = &__raw_get_cpu_var(listener_array);
+       listeners = __this_cpu_ptr(&listener_array);
        if (list_empty(&listeners->list))
                return;
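Review bot: `__this_cpu_ptr()` is the unchecked variant, so if taskstats_exit() runs with preemption enabled (not visible here, but plausible for an exit path) the task can migrate between taking the pointer and the `list_empty()` test and the early return then judges another cpu's list; the replaced `__raw_get_cpu_var()` had the same property, so this is not a regression, but the early-out is a heuristic and should be labelled as such. Add before the test: `/* lockless fast path: may inspect a stale cpu's list after migration; early-out only, not a guarantee */`. taskstats_exit() begins and ends outside this hunk.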