git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Al Viro <viro@ZenIV.linux.org.uk>
	Tue, 20 Sep 2016 19:07:42 +0000 (20:07 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 30 Sep 2016 08:12:44 +0000 (10:12 +0200)
commit	206d4c6c0195a363e5a610878ae9d5354eec0f6b
tree	6bbe3de9e67707a02128156bda9bdea1b32d7ac3	tree
parent	02d35700208c7a13a75405018222646502608961	commit \| diff

fix fault_in_multipages_...() on architectures with no-op access_ok()

commit e23d4159b109167126e5bcd7f3775c95de7fee47 upstream.

Switching iov_iter fault-in to multipages variants has exposed an old
bug in underlying fault_in_multipages_...(); they break if the range
passed to them wraps around.  Normally access_ok() done by callers will
prevent such (and it's a guaranteed EFAULT - ERR_PTR() values fall into
such a range and they should not point to any valid objects).

However, on architectures where userland and kernel live in different
MMU contexts (e.g. s390) access_ok() is a no-op and on those a range
with a wraparound can reach fault_in_multipages_...().

Since any wraparound means EFAULT there, the fix is trivial - turn
those

    while (uaddr <= end)
    ...
into

    if (unlikely(uaddr > end))
    return -EFAULT;
    do
    ...
    while (uaddr <= end);

Reported-by: Jan Stancek <jstancek@redhat.com>
Tested-by: Jan Stancek <jstancek@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>