9dfb367a23
[ Upstream commit c26958cb5a0d9053d1358258827638773f3d36ed ]
We need to take the mmap lock around find_vma() and subsequent use of the
VMA. Otherwise, we can race with concurrent operations like munmap(), which
can lead to use-after-free accesses to freed VMAs.
Fixes: 1000197d80 ("nios2: System calls handling")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Ley Foon Tan <ley.foon.tan@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
61 lines
1.3 KiB
C
61 lines
1.3 KiB
C
/*
|
|
* Copyright (C) 2013 Altera Corporation
|
|
* Copyright (C) 2011-2012 Tobias Klauser <tklauser@distanz.ch>
|
|
* Copyright (C) 2004 Microtronix Datacom Ltd.
|
|
*
|
|
* This file is subject to the terms and conditions of the GNU General Public
|
|
* License. See the file "COPYING" in the main directory of this archive
|
|
* for more details.
|
|
*/
|
|
|
|
#include <linux/export.h>
|
|
#include <linux/file.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/syscalls.h>
|
|
|
|
#include <asm/cacheflush.h>
|
|
#include <asm/traps.h>
|
|
|
|
/* sys_cacheflush -- flush the processor cache. */
|
|
asmlinkage int sys_cacheflush(unsigned long addr, unsigned long len,
|
|
unsigned int op)
|
|
{
|
|
struct vm_area_struct *vma;
|
|
struct mm_struct *mm = current->mm;
|
|
|
|
if (len == 0)
|
|
return 0;
|
|
|
|
/* We only support op 0 now, return error if op is non-zero.*/
|
|
if (op)
|
|
return -EINVAL;
|
|
|
|
/* Check for overflow */
|
|
if (addr + len < addr)
|
|
return -EFAULT;
|
|
|
|
if (mmap_read_lock_killable(mm))
|
|
return -EINTR;
|
|
|
|
/*
|
|
* Verify that the specified address region actually belongs
|
|
* to this process.
|
|
*/
|
|
vma = find_vma(mm, addr);
|
|
if (vma == NULL || addr < vma->vm_start || addr + len > vma->vm_end) {
|
|
mmap_read_unlock(mm);
|
|
return -EFAULT;
|
|
}
|
|
|
|
flush_cache_range(vma, addr, addr + len);
|
|
|
|
mmap_read_unlock(mm);
|
|
return 0;
|
|
}
|
|
|
|
asmlinkage int sys_getpagesize(void)
|
|
{
|
|
return PAGE_SIZE;
|
|
}
|