From d7587b1445c0087cfcaa03ceae79b52eef4e9e4b Mon Sep 17 00:00:00 2001 From: Paul Mundt Date: Fri, 11 Jan 2008 13:18:16 +0900 Subject: [PATCH] sh: Force __access_ok() to obey address space limit. When the thread_info->addr_limit changes were introduced, __access_ok() was missed in the conversion, allowing user processes to perform P1/P2 accesses under certain conditions. This has already been corrected with the nommu refactoring in later kernels. Signed-off-by: Paul Mundt --- include/asm-sh/uaccess.h | 42 ++++++++++++++-------------------------- 1 file changed, 15 insertions(+), 27 deletions(-) diff --git a/include/asm-sh/uaccess.h b/include/asm-sh/uaccess.h index f18a1a5c95..77c391fa93 100644 --- a/include/asm-sh/uaccess.h +++ b/include/asm-sh/uaccess.h @@ -73,38 +73,26 @@ static inline int __access_ok(unsigned long addr, unsigned long size) /* * __access_ok: Check if address with size is OK or not. * - * We do three checks: - * (1) is it user space? - * (2) addr + size --> carry? - * (3) addr + size >= 0x80000000 (PAGE_OFFSET) + * Uhhuh, this needs 33-bit arithmetic. We have a carry.. * - * (1) (2) (3) | RESULT - * 0 0 0 | ok - * 0 0 1 | ok - * 0 1 0 | bad - * 0 1 1 | bad - * 1 0 0 | ok - * 1 0 1 | bad - * 1 1 0 | bad - * 1 1 1 | bad + * sum := addr + size; carry? --> flag = true; + * if (sum >= addr_limit) flag = true; */ static inline int __access_ok(unsigned long addr, unsigned long size) { - unsigned long flag, tmp; - - __asm__("stc r7_bank, %0\n\t" - "mov.l @(8,%0), %0\n\t" - "clrt\n\t" - "addc %2, %1\n\t" - "and %1, %0\n\t" - "rotcl %0\n\t" - "rotcl %0\n\t" - "and #3, %0" - : "=&z" (flag), "=r" (tmp) - : "r" (addr), "1" (size) - : "t"); - + unsigned long flag, sum; + + __asm__("clrt\n\t" + "addc %3, %1\n\t" + "movt %0\n\t" + "cmp/hi %4, %1\n\t" + "rotcl %0" + :"=&r" (flag), "=r" (sum) + :"1" (addr), "r" (size), + "r" (current_thread_info()->addr_limit.seg) + :"t"); return flag == 0; + } #endif /* CONFIG_MMU */ -- 2.39.5