Commit 8c8484a1 authored by Russell King's avatar Russell King

ARM: oabi-compat: copy semops using __copy_from_user()

__get_user_error() is used as a fast accessor to make copying structure
members as efficient as possible.  However, with software PAN and the
recent Spectre variant 1, the efficiency is reduced as these are no
longer fast accessors.

In the case of software PAN, it has to switch the domain register around
each access, and with Spectre variant 1, it would have to repeat the
access_ok() check for each access.

Rather than using __get_user_error() to copy each semops element member,
copy each semops element in full using __copy_from_user().
Acked-by: default avatarMark Rutland <mark.rutland@arm.com>
Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
parent 42019fc5
...@@ -329,9 +329,11 @@ asmlinkage long sys_oabi_semtimedop(int semid, ...@@ -329,9 +329,11 @@ asmlinkage long sys_oabi_semtimedop(int semid,
return -ENOMEM; return -ENOMEM;
err = 0; err = 0;
for (i = 0; i < nsops; i++) { for (i = 0; i < nsops; i++) {
__get_user_error(sops[i].sem_num, &tsops->sem_num, err); struct oabi_sembuf osb;
__get_user_error(sops[i].sem_op, &tsops->sem_op, err); err |= __copy_from_user(&osb, tsops, sizeof(osb));
__get_user_error(sops[i].sem_flg, &tsops->sem_flg, err); sops[i].sem_num = osb.sem_num;
sops[i].sem_op = osb.sem_op;
sops[i].sem_flg = osb.sem_flg;
tsops++; tsops++;
} }
if (timeout) { if (timeout) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment