mm/zsmalloc.c: fix race condition in zs_destroy_pool

[mirror_ubuntu-bionic-kernel.git] / mm / usercopy.c

diff --git a/mm/usercopy.c b/mm/usercopy.c
index a9852b24715d25598a7603560ffc042ca0153a2b..58d6b967ad26b57a806c9e5a2d0e930cc5ddc473 100644 (file)
--- a/mm/usercopy.c
+++ b/mm/usercopy.c
@@ -121,7 +121,7 @@ static inline const char *check_kernel_text_object(const void *ptr,
 static inline const char *check_bogus_address(const void *ptr, unsigned long n)
 {
        /* Reject if object wraps past end of memory. */
-       if ((unsigned long)ptr + n < (unsigned long)ptr)
+       if ((unsigned long)ptr + (n - 1) < (unsigned long)ptr)
                return "<wrapped address>";
 
        /* Reject if NULL or ZERO-allocation. */
@@ -216,7 +216,8 @@ static inline const char *check_heap_object(const void *ptr, unsigned long n,
 /*
  * Validates that the given object is:
  * - not bogus address
- * - known-safe heap or stack object
+ * - fully contained by stack (or stack frame, when available)
+ * - fully within SLAB object (or object whitelist area, when available)
  * - not in kernel text
  */
 void __check_object_size(const void *ptr, unsigned long n, bool to_user)
@@ -232,11 +233,6 @@ void __check_object_size(const void *ptr, unsigned long n, bool to_user)
        if (err)
                goto report;
 
-       /* Check for bad heap object. */
-       err = check_heap_object(ptr, n, to_user);
-       if (err)
-               goto report;
-
        /* Check for bad stack object. */
        switch (check_stack_object(ptr, n)) {
        case NOT_STACK:
@@ -255,6 +251,9 @@ void __check_object_size(const void *ptr, unsigned long n, bool to_user)
                goto report;
        }
 
+       /* Check for bad heap object. */
+       check_heap_object(ptr, n, to_user);
+
        /* Check for object in kernel to avoid text exposure. */
        err = check_kernel_text_object(ptr, n);
        if (!err)