arm64: futex: Mask __user pointers prior to dereference (1cd969fd) · Commits · e / devices / android_kernel_fairphone_FP3

arch/arm64/include/asm/futex.h

+6 −3

Original line number	Diff line number	Diff line
		@@ -51,13 +51,14 @@
		: "memory")

		static inline int
		futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr)
		futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *_uaddr)
		{
		int op = (encoded_op >> 28) & 7;
		int cmp = (encoded_op >> 24) & 15;
		int oparg = (int)(encoded_op << 8) >> 20;
		int cmparg = (int)(encoded_op << 20) >> 20;
		int oldval = 0, ret, tmp;
		u32 __user *uaddr = __uaccess_mask_ptr(_uaddr);

		if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
		oparg = 1U << (oparg & 0x1f);
		@@ -109,15 +110,17 @@ futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr)
		}

		static inline int
		futex_atomic_cmpxchg_inatomic(u32 uval, u32 __user uaddr,
		futex_atomic_cmpxchg_inatomic(u32 uval, u32 __user _uaddr,
		u32 oldval, u32 newval)
		{
		int ret = 0;
		u32 val, tmp;
		u32 __user *uaddr;

		if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
		if (!access_ok(VERIFY_WRITE, _uaddr, sizeof(u32)))
		return -EFAULT;

		uaddr = __uaccess_mask_ptr(_uaddr);
		asm volatile("// futex_atomic_cmpxchg_inatomic\n"
		ALTERNATIVE("nop", SET_PSTATE_PAN(0), ARM64_HAS_PAN, CONFIG_ARM64_PAN)
		" prfm pstl1strm, %2\n"