| From 87ff3c11abc7d560f9f9b43ec576a4c7329ad4c4 Mon Sep 17 00:00:00 2001 |
| From: James Hogan <james.hogan@imgtec.com> |
| Date: Fri, 31 Mar 2017 11:23:18 +0100 |
| Subject: [PATCH] metag/usercopy: Fix alignment error checking |
| |
| commit 2257211942bbbf6c798ab70b487d7e62f7835a1a upstream. |
| |
| Fix the error checking of the alignment adjustment code in |
| raw_copy_from_user(), which mistakenly considers it safe to skip the |
| error check when aligning the source buffer on a 2 or 4 byte boundary. |
| |
| If the destination buffer was unaligned it may have started to copy |
| using byte or word accesses, which could well be at the start of a new |
| (valid) source page. This would result in it appearing to have copied 1 |
| or 2 bytes at the end of the first (invalid) page rather than none at |
| all. |
| |
| Fixes: 373cd784d0fc ("metag: Memory handling") |
| Signed-off-by: James Hogan <james.hogan@imgtec.com> |
| Cc: linux-metag@vger.kernel.org |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/arch/metag/lib/usercopy.c b/arch/metag/lib/usercopy.c |
| index b4eb1f17069f..a6ced9691ddb 100644 |
| --- a/arch/metag/lib/usercopy.c |
| +++ b/arch/metag/lib/usercopy.c |
| @@ -717,6 +717,8 @@ unsigned long __copy_user_zeroing(void *pdst, const void __user *psrc, |
| if ((unsigned long) src & 1) { |
| __asm_copy_from_user_1(dst, src, retn); |
| n--; |
| + if (retn) |
| + goto copy_exception_bytes; |
| } |
| if ((unsigned long) dst & 1) { |
| /* Worst case - byte copy */ |
| @@ -730,6 +732,8 @@ unsigned long __copy_user_zeroing(void *pdst, const void __user *psrc, |
| if (((unsigned long) src & 2) && n >= 2) { |
| __asm_copy_from_user_2(dst, src, retn); |
| n -= 2; |
| + if (retn) |
| + goto copy_exception_bytes; |
| } |
| if ((unsigned long) dst & 2) { |
| /* Second worst case - word copy */ |
| @@ -741,12 +745,6 @@ unsigned long __copy_user_zeroing(void *pdst, const void __user *psrc, |
| } |
| } |
| |
| - /* We only need one check after the unalignment-adjustments, |
| - because if both adjustments were done, either both or |
| - neither reference had an exception. */ |
| - if (retn != 0) |
| - goto copy_exception_bytes; |
| - |
| #ifdef USE_RAPF |
| /* 64 bit copy loop */ |
| if (!(((unsigned long) src | (unsigned long) dst) & 7)) { |
| -- |
| 2.12.0 |
| |