-rw-r--r--arch/x86/events/core.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
index 33787ee817f0..26ced536005a 100644
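--- a/arch/x86/events/core.c
+++ b/arch/x86/events/core.c
@@ -2319,7 +2319,7 @@ void
 perf_callchain_user(struct perf_callchain_entry_ctx *entry, struct pt_regs *regs)
 {
  struct stack_frame frame;
- const void __user *fp;
+ const unsigned long __user *fp;
 
  if (perf_guest_cbs && perf_guest_cbs->is_in_guest()) {
  /* TODO: We don't support guest os callchain now */
@@ -2332,7 +2332,7 @@ perf_callchain_user(struct perf_callchain_entry_ctx *entry, struct pt_regs *regs
  if (regs->flags & (X86_VM_MASK | PERF_EFLAGS_VM))
  return;
 
- fp = (void __user *)regs->bp;
+ fp = (unsigned long __user *)regs->bp;
 
  perf_callchain_store(entry, regs->ip);
 
@@ -2345,16 +2345,17 @@ perf_callchain_user(struct perf_callchain_entry_ctx *entry, struct pt_regs *regs
  pagefault_disable();
  while (entry->nr < entry->max_stack) {
  unsigned long bytes;
+
  frame.next_frame = NULL;
  frame.return_address = 0;
 
- if (!access_ok(VERIFY_READ, fp, 16))
+ if (!access_ok(VERIFY_READ, fp, sizeof(*fp) * 2))
  break;
 
- bytes = __copy_from_user_nmi(&frame.next_frame, fp, 8);
+ bytes = __copy_from_user_nmi(&frame.next_frame, fp, sizeof(*fp));
  if (bytes != 0)
  break;
- bytes = __copy_from_user_nmi(&frame.return_address, fp+8, 8);
+ bytes = __copy_from_user_nmi(&frame.return_address, fp + 1, sizeof(*fp));
  if (bytes != 0)
  break;
 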
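Review bot: In the last hunk the copy lengths are now taken from `*fp`, the user-side pointer type, while the bytes land in `frame.next_frame` and `frame.return_address`; nothing visible here ties `sizeof(*fp)` to the width of those kernel-stack fields. If `struct stack_frame` (declared outside this diff) ever changes, the copies would silently over- or under-fill `frame`. Sizing by the destination, e.g. `sizeof(frame.next_frame)` and `sizeof(frame.return_address)`, or adding `BUILD_BUG_ON(sizeof(frame) != 2 * sizeof(*fp));` next to the `access_ok()` check, would make the bound explicit. The loop body continues past the end of the hunk, so how `fp` is advanced to the next frame is not visible here.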