fix fault_in_multipages_...() on architectures with no-op access_ok() - kernel/linux.git

diff options

author	Al Viro <viro@ZenIV.linux.org.uk>	2016-09-20 22:07:42 +0300
committer	Linus Torvalds <torvalds@linux-foundation.org>	2016-09-21 02:44:28 +0300
commit	e23d4159b109167126e5bcd7f3775c95de7fee47 (patch)
tree	15a9480da60c53b2754ed8aa6cf57dab92e9df65 /scripts/extract-sys-certs.pl
parent	df04abfd181acc276ba6762c8206891ae10ae00d (diff)
download	linux-e23d4159b109167126e5bcd7f3775c95de7fee47.tar.xz

fix fault_in_multipages_...() on architectures with no-op access_ok()

Switching iov_iter fault-in to multipages variants has exposed an old bug in underlying fault_in_multipages_...(); they break if the range passed to them wraps around. Normally access_ok() done by callers will prevent such (and it's a guaranteed EFAULT - ERR_PTR() values fall into such a range and they should not point to any valid objects). However, on architectures where userland and kernel live in different MMU contexts (e.g. s390) access_ok() is a no-op and on those a range with a wraparound can reach fault_in_multipages_...(). Since any wraparound means EFAULT there, the fix is trivial - turn those while (uaddr <= end) ... into if (unlikely(uaddr > end)) return -EFAULT; do ... while (uaddr <= end); Reported-by: Jan Stancek <jstancek@redhat.com> Tested-by: Jan Stancek <jstancek@redhat.com> Cc: stable@vger.kernel.org # v3.5+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Diffstat (limited to 'scripts/extract-sys-certs.pl')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: