Merge branch 'stable-3.2' into pandora-3.2

[pandora-kernel.git] / arch / x86 / kernel / cpu / perf_event.c

diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c
index 1c041e0..57cb4fa 100644 (file)
--- a/arch/x86/kernel/cpu/perf_event.c
+++ b/arch/x86/kernel/cpu/perf_event.c
@@ -1461,6 +1461,12 @@ perf_callchain_kernel(struct perf_callchain_entry *entry, struct pt_regs *regs)
        dump_trace(NULL, regs, NULL, 0, &backtrace_ops, entry);
 }
 
+static inline int
+valid_user_frame(const void __user *fp, unsigned long size)
+{
+       return (__range_not_ok(fp, size, TASK_SIZE) == 0);
+}
+
 #ifdef CONFIG_COMPAT
 static inline int
 perf_callchain_user32(struct pt_regs *regs, struct perf_callchain_entry *entry)
@@ -1485,6 +1491,9 @@ perf_callchain_user32(struct pt_regs *regs, struct perf_callchain_entry *entry)
                if (fp < compat_ptr(regs->sp))
                        break;
 
+               if (!valid_user_frame(fp, sizeof(frame)))
+                       break;
+
                perf_callchain_store(entry, frame.return_address);
                fp = compat_ptr(frame.next_frame);
        }
@@ -1531,6 +1540,9 @@ perf_callchain_user(struct perf_callchain_entry *entry, struct pt_regs *regs)
                if ((unsigned long)fp < regs->sp)
                        break;
 
+               if (!valid_user_frame(fp, sizeof(frame)))
+                       break;
+
                perf_callchain_store(entry, frame.return_address);
                fp = frame.next_frame;
        }