metag/usercopy: Add early abort to copy_to_user

James Hogan · gregkh · commit dde6f22c1e12 · 2017-04-12T12:38:34.000+02:00
commit fb8ea062a8f2e85256e13f55696c5c5f0dfdcc8b upstream. When copying to userland on Meta, if any faults are encountered immediately abort the copy instead of continuing on and repeatedly faulting, and worse potentially copying further bytes successfully to subsequent valid pages. Fixes: 373cd78 ("metag: Memory handling") Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: linux-metag@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/arch/metag/lib/usercopy.c b/arch/metag/lib/usercopy.c
@@ -538,23 +538,31 @@ unsigned long __copy_user(void __user *pdst, const void *psrc,
 	if ((unsigned long) src & 1) {
 		__asm_copy_to_user_1(dst, src, retn);
 		n--;
+		if (retn)
+			return retn + n;
 	}
 	if ((unsigned long) dst & 1) {
 		/* Worst case - byte copy */
 		while (n > 0) {
 			__asm_copy_to_user_1(dst, src, retn);
 			n--;
+			if (retn)
+				return retn + n;
 		}
 	}
 	if (((unsigned long) src & 2) && n >= 2) {
 		__asm_copy_to_user_2(dst, src, retn);
 		n -= 2;
+		if (retn)
+			return retn + n;
 	}
 	if ((unsigned long) dst & 2) {
 		/* Second worst case - word copy */
 		while (n >= 2) {
 			__asm_copy_to_user_2(dst, src, retn);
 			n -= 2;
+			if (retn)
+				return retn + n;
 		}
 	}
 
@@ -569,6 +577,8 @@ unsigned long __copy_user(void __user *pdst, const void *psrc,
 		while (n >= 8) {
 			__asm_copy_to_user_8x64(dst, src, retn);
 			n -= 8;
+			if (retn)
+				return retn + n;
 		}
 	}
 	if (n >= RAPF_MIN_BUF_SIZE) {
@@ -581,18 +591,24 @@ unsigned long __copy_user(void __user *pdst, const void *psrc,
 		while (n >= 8) {
 			__asm_copy_to_user_8x64(dst, src, retn);
 			n -= 8;
+			if (retn)
+				return retn + n;
 		}
 	}
 #endif
 
 	while (n >= 16) {
 		__asm_copy_to_user_16(dst, src, retn);
 		n -= 16;
+		if (retn)
+			return retn + n;
 	}
 
 	while (n >= 4) {
 		__asm_copy_to_user_4(dst, src, retn);
 		n -= 4;
+		if (retn)
+			return retn + n;
 	}
 
 	switch (n) {
@@ -609,6 +625,10 @@ unsigned long __copy_user(void __user *pdst, const void *psrc,
 		break;
 	}
 
+	/*
+	 * If we get here, retn correctly reflects the number of failing
+	 * bytes.
+	 */
 	return retn;
 }
 EXPORT_SYMBOL(__copy_user);

Original file line number	Diff line number	Diff line change
`@@ -538,23 +538,31 @@ unsigned long __copy_user(void __user pdst, const void psrc,`
`538`	`538`	`if ((unsigned long) src & 1) {`
`539`	`539`	`__asm_copy_to_user_1(dst, src, retn);`
`540`	`540`	`n--;`
	`541`	`+ if (retn)`
	`542`	`+ return retn + n;`
`541`	`543`	`}`
`542`	`544`	`if ((unsigned long) dst & 1) {`
`543`	`545`	`/* Worst case - byte copy */`
`544`	`546`	`while (n > 0) {`
`545`	`547`	`__asm_copy_to_user_1(dst, src, retn);`
`546`	`548`	`n--;`
	`549`	`+ if (retn)`
	`550`	`+ return retn + n;`
`547`	`551`	`}`
`548`	`552`	`}`
`549`	`553`	`if (((unsigned long) src & 2) && n >= 2) {`
`550`	`554`	`__asm_copy_to_user_2(dst, src, retn);`
`551`	`555`	`n -= 2;`
	`556`	`+ if (retn)`
	`557`	`+ return retn + n;`
`552`	`558`	`}`
`553`	`559`	`if ((unsigned long) dst & 2) {`
`554`	`560`	`/* Second worst case - word copy */`
`555`	`561`	`while (n >= 2) {`
`556`	`562`	`__asm_copy_to_user_2(dst, src, retn);`
`557`	`563`	`n -= 2;`
	`564`	`+ if (retn)`
	`565`	`+ return retn + n;`
`558`	`566`	`}`
`559`	`567`	`}`
`560`	`568`
`@@ -569,6 +577,8 @@ unsigned long __copy_user(void __user pdst, const void psrc,`
`569`	`577`	`while (n >= 8) {`
`570`	`578`	`__asm_copy_to_user_8x64(dst, src, retn);`
`571`	`579`	`n -= 8;`
	`580`	`+ if (retn)`
	`581`	`+ return retn + n;`
`572`	`582`	`}`
`573`	`583`	`}`
`574`	`584`	`if (n >= RAPF_MIN_BUF_SIZE) {`
`@@ -581,18 +591,24 @@ unsigned long __copy_user(void __user pdst, const void psrc,`
`581`	`591`	`while (n >= 8) {`
`582`	`592`	`__asm_copy_to_user_8x64(dst, src, retn);`
`583`	`593`	`n -= 8;`
	`594`	`+ if (retn)`
	`595`	`+ return retn + n;`
`584`	`596`	`}`
`585`	`597`	`}`
`586`	`598`	`#endif`
`587`	`599`
`588`	`600`	`while (n >= 16) {`
`589`	`601`	`__asm_copy_to_user_16(dst, src, retn);`
`590`	`602`	`n -= 16;`
	`603`	`+ if (retn)`
	`604`	`+ return retn + n;`
`591`	`605`	`}`
`592`	`606`
`593`	`607`	`while (n >= 4) {`
`594`	`608`	`__asm_copy_to_user_4(dst, src, retn);`
`595`	`609`	`n -= 4;`
	`610`	`+ if (retn)`
	`611`	`+ return retn + n;`
`596`	`612`	`}`
`597`	`613`
`598`	`614`	`switch (n) {`
`@@ -609,6 +625,10 @@ unsigned long __copy_user(void __user pdst, const void psrc,`
`609`	`625`	`break;`
`610`	`626`	`}`
`611`	`627`
	`628`	`+ /*`
	`629`	`+ * If we get here, retn correctly reflects the number of failing`
	`630`	`+ * bytes.`
	`631`	`+ */`
`612`	`632`	`return retn;`
`613`	`633`	`}`
`614`	`634`	`EXPORT_SYMBOL(__copy_user);`