From patchwork Tue May 6 07:11:51 2014
X-Patchwork-Submitter: Andrey Ryabinin
X-Patchwork-Id: 4119731
From: Andrey Ryabinin
To: linux@arm.linux.org.uk
Subject: [PATCHv2] arm: put_user: fix possible data corruption in put_user
Date: Tue, 06 May 2014 11:11:51 +0400
Message-id: <1399360312-13843-1-git-send-email-a.ryabinin@samsung.com>
X-Mailer: git-send-email 1.8.5.5
Cc: Nicolas Pitre, Andrey Ryabinin, Will Deacon, open list, stable@vger.kernel.org, "moderated list:ARM PORT"

According to arm procedure call standard r2 register is call-clobbered.
So after the result of x expression was put into r2 any following
function call in p may overwrite r2. To fix this, the result of p
expression must be saved to the temporary variable before the
assignment of x expression to __r2.

Signed-off-by: Andrey Ryabinin
Reviewed-by: Nicolas Pitre
Cc: stable@vger.kernel.org
---
Since v1:
 - tmp_p variable renamed to __tmp_p
 - added Reviewed-by tag
 - added Cc: stable@vger.kernel.org

 arch/arm/include/asm/uaccess.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h index 12c3a5d..75d9579 100644 --- a/arch/arm/include/asm/uaccess.h +++ b/arch/arm/include/asm/uaccess.h @@ -171,8 +171,9 @@ extern int __put_user_8(void *, unsigned long long); #define __put_user_check(x,p) \ ({ \ unsigned long __limit = current_thread_info()->addr_limit - 1; \ + const typeof(*(p)) __user *__tmp_p = (p); \ register const typeof(*(p)) __r2 asm("r2") = (x); \ - register const typeof(*(p)) __user *__p asm("r0") = (p);\ + register const typeof(*(p)) __user *__p asm("r0") = __tmp_p; \ register unsigned long __l asm("r1") = __limit; \ register int __e asm("r0"); \ switch (sizeof(*(__p))) { \
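
Review bot: the added `__tmp_p` line in `__put_user_check` carries no comment explaining why `p` is evaluated into an ordinary local before `__r2` is assigned, so a later cleanup could fold it back into the `__p asm("r0")` initialiser and bring the r2 clobber back. A short comment above that line, saying that `p` may contain a function call and therefore must be evaluated before the `asm("r2")` variable is set, would protect the ordering. The change also swaps the evaluation order of the macro arguments: `p` is now evaluated before `x`, where `x` came first before; that is worth a sentence in the commit message for callers whose arguments have side effects.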