1 files changed, 8 insertions, 4 deletions
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index 95606a2d556f..a78186d826d7 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -221,21 +221,25 @@ static inline int is_syscall_trace_event(struct trace_event_call *tp_event)
        }                                                               \
        static inline long SYSC##name(__MAP(x,__SC_DECL,__VA_ARGS__))
-#ifdef TIF_FSCHECK
 /*
 * Called before coming back to user-mode. Returning to user-mode with an
 * address limit different than USER_DS can allow to overwrite kernel memory.
 */
 static inline void addr_limit_user_check(void)
 {
+#ifdef TIF_FSCHECK
        if (!test_thread_flag(TIF_FSCHECK))
                return;
+#endif
-        BUG_ON(!segment_eq(get_fs(), USER_DS));
+        if (CHECK_DATA_CORRUPTION(!segment_eq(get_fs(), USER_DS),
+                                  "Invalid address limit on user-mode return"))
+                force_sig(SIGKILL, current);
+#ifdef TIF_FSCHECK
        clear_thread_flag(TIF_FSCHECK);
-}
 #endif
+}
 asmlinkage long sys32_quotactl(unsigned int cmd, const char __user *special,
                               qid_t id, void __user *addr);

diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index 95606a2d556f..a78186d826d7 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h
@@ -221,21 +221,25 @@ static inline int is_syscall_trace_event(struct trace_event_call *tp_event)
221	} \	221	} \
222	static inline long SYSC##name(__MAP(x,__SC_DECL,__VA_ARGS__))	222	static inline long SYSC##name(__MAP(x,__SC_DECL,__VA_ARGS__))
223		223
224	#ifdef TIF_FSCHECK
225	/*	224	/*
226	* Called before coming back to user-mode. Returning to user-mode with an	225	* Called before coming back to user-mode. Returning to user-mode with an
227	* address limit different than USER_DS can allow to overwrite kernel memory.	226	* address limit different than USER_DS can allow to overwrite kernel memory.
228	*/	227	*/
229	static inline void addr_limit_user_check(void)	228	static inline void addr_limit_user_check(void)
230	{	229	{
231		230	#ifdef TIF_FSCHECK
232	if (!test_thread_flag(TIF_FSCHECK))	231	if (!test_thread_flag(TIF_FSCHECK))
233	return;	232	return;
		233	#endif
234		234
235	BUG_ON(!segment_eq(get_fs(), USER_DS));	235	if (CHECK_DATA_CORRUPTION(!segment_eq(get_fs(), USER_DS),
		236	"Invalid address limit on user-mode return"))
		237	force_sig(SIGKILL, current);
		238
		239	#ifdef TIF_FSCHECK
236	clear_thread_flag(TIF_FSCHECK);	240	clear_thread_flag(TIF_FSCHECK);
237	}
238	#endif	241	#endif
		242	}
239		243
240	asmlinkage long sys32_quotactl(unsigned int cmd, const char __user *special,	244	asmlinkage long sys32_quotactl(unsigned int cmd, const char __user *special,
241	qid_t id, void __user *addr);	245	qid_t id, void __user *addr);