sh: __copy_user function can corrupt the stack in case of exception
The __copy_user function can corrupt the stack when the length of data is
non-trivial and either of the first two move instructions causes an
exception. This is because the fixup for these two instructions is mapped
to the no_pop case, but these instructions execute after registers have
already been pushed onto the stack.
This change creates an explicit NO_POP exception mapping macro, and uses
it for the two instructions executed in the trivial case where no stack
pushes occur.
More information at ST Linux bugzilla:
https://bugzilla.stlinux.com/show_bug.cgi?id=4824
Signed-off-by: Dylan Reid <dylan_reid@bose.com>
Signed-off-by: Stuart Menefy <stuart.menefy@st.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
diff --git a/arch/sh/lib/copy_page.S b/arch/sh/lib/copy_page.S
index 5d12e65..43de7e8 100644
--- a/arch/sh/lib/copy_page.S
+++ b/arch/sh/lib/copy_page.S
@@ -80,6 +80,11 @@
.section __ex_table, "a"; \
.long 9999b, 6000f ; \
.previous
+#define EX_NO_POP(...) \
+ 9999: __VA_ARGS__ ; \
+ .section __ex_table, "a"; \
+ .long 9999b, 6005f ; \
+ .previous
ENTRY(__copy_user)
! Check if small number of bytes
mov #11,r0
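Review bot: The new EX_NO_POP macro carries no comment saying when it may be used, so the only thing distinguishing it from EX is the fixup label `6005f`, and nothing at the definition tells a reader that 6005 is the handler that returns without popping. I would add above `#define EX_NO_POP`: `/* Like EX(), but only for loads/stores issued before any registers are pushed: a fault goes to fixup 6005, which returns without popping. */`. Per the commit message, pairing EX with the popping handler and EX_NO_POP with the non-popping one is the whole invariant this fix relies on, yet it is recorded only in the label numbers. Both macros reuse the numeric local label 9999, which is fine in gas because each use redefines it and `9999b` binds to the nearest preceding definition, but a one-line note would spare the next reader checking that.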
@@ -139,9 +144,9 @@
bt 1f
2:
-EX( mov.b @r5+,r0 )
+EX_NO_POP( mov.b @r5+,r0 )
dt r6
-EX( mov.b r0,@r4 )
+EX_NO_POP( mov.b r0,@r4 )
bf/s 2b
add #1,r4
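Review bot: Nothing at the byte loop at `2:` records why these two instructions use EX_NO_POP while every other EX() use in the function stays as it is, so a later cleanup that "normalises" them back to EX() would silently reintroduce the stack corruption this commit fixes. I would add a comment before `2:`: `! Trivial-length path: no registers have been pushed yet, so faults must go to the non-popping fixup (EX_NO_POP), never EX().`. Note also that `dt r6` sits between the load and the store, so on a store fault r6 has already been decremented for the byte in flight; the visible fixup at 6005 computes its return from r3 rather than r6, so this only matters if r6 is ever used for the not-copied count, which is worth confirming against the full fixup since its delay-slot instruction is outside this view. The entry of __copy_user and the rest of its body lie outside this hunk.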
@@ -150,7 +155,7 @@
# Exception handler:
.section .fixup, "ax"
-6000:
+6005:
mov.l 8000f,r1
mov r3,r0
jmp @r1