fix fault_in_multipages_...() on architectures with no-op access_ok() - user/sven/linux.git

diff options

author	Al Viro <viro@ZenIV.linux.org.uk>	2016-09-20 20:07:42 +0100
committer	Ben Hutchings <ben@decadent.org.uk>	2016-11-20 01:17:33 +0000
commit	d09dfcf6483cc6611ffb9923513a318ac58ebbe8 (patch)
tree	5742857f330d95f234dfa481a7764c9a271afea8 /include/linux/assoc_array_priv.h
parent	aca5f21e3a9bc8c143aab6c496a45ab4670b5899 (diff)

fix fault_in_multipages_...() on architectures with no-op access_ok()

commit e23d4159b109167126e5bcd7f3775c95de7fee47 upstream. Switching iov_iter fault-in to multipages variants has exposed an old bug in underlying fault_in_multipages_...(); they break if the range passed to them wraps around. Normally access_ok() done by callers will prevent such (and it's a guaranteed EFAULT - ERR_PTR() values fall into such a range and they should not point to any valid objects). However, on architectures where userland and kernel live in different MMU contexts (e.g. s390) access_ok() is a no-op and on those a range with a wraparound can reach fault_in_multipages_...(). Since any wraparound means EFAULT there, the fix is trivial - turn those while (uaddr <= end) ... into if (unlikely(uaddr > end)) return -EFAULT; do ... while (uaddr <= end); Reported-by: Jan Stancek <jstancek@redhat.com> Tested-by: Jan Stancek <jstancek@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

Diffstat (limited to 'include/linux/assoc_array_priv.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: