fix fault_in_multipages_...() on architectures with no-op access_ok()

Switching iov_iter fault-in to multipages variants has exposed an old
bug in underlying fault_in_multipages_...(); they break if the range
passed to them wraps around.  Normally access_ok() done by callers will
prevent such (and it's a guaranteed EFAULT - ERR_PTR() values fall into
such a range and they should not point to any valid objects).

However, on architectures where userland and kernel live in different
MMU contexts (e.g. s390) access_ok() is a no-op and on those a range
with a wraparound can reach fault_in_multipages_...().

Since any wraparound means EFAULT there, the fix is trivial - turn

    while (uaddr <= end)

    if (unlikely(uaddr > end))
	    return -EFAULT;
    while (uaddr <= end);

Reported-by: Jan Stancek <>
Tested-by: Jan Stancek <>
Cc: # v3.5+
Signed-off-by: Al Viro <>
Signed-off-by: Linus Torvalds <>
1 file changed