On Fri, May 19, 2017 at 02:08:20PM +0800, kernel test robot wrote:
>
> FYI, we noticed the following commit:
>
> commit: 75f64d68f9816a1c244b8685f056389b24d97e98 ("waitid(): switch copyout
> of siginfo to unsafe_put_user()")
> url:
> https://github.com/0day-ci/linux/commits/Al-Viro/move-compat-wait4-and-waitid-next-to-native-variants/20170516-084127
>
>
> in testcase: boot
Cute... That's unsafe_put_user() bug, actually. There's no unsafe_put_user()
callers in mainline and it's fairly early in the cycle. Linus, do you have
any problems with that one? If not, I'll send a pull request with it +
osf_wait4()
fix...
fix unsafe_put_user()
__put_user_size() relies upon its first argument having the same type as what
the second one points to; the only other user makes sure of that and
unsafe_put_user() should do the same.
Signed-off-by: Al Viro <[email protected]>
---
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index 68766b276d9e..d9668c3beb5b 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -703,7 +703,7 @@ extern struct movsl_mask {
#define unsafe_put_user(x, ptr, err_label)
\
do {
\
int __pu_err;
\
- __put_user_size((x), (ptr), sizeof(*(ptr)), __pu_err, -EFAULT);
\
+ __put_user_size((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)),
__pu_err, -EFAULT); \
if (unlikely(__pu_err)) goto err_label;
\
} while (0)