sh: __copy_user function can corrupt the stack in case of exception

The __copy_user function can corrupt the stack in the case of a
non-trivial length of data, and either of the first two move instructions
cause an exception. This is because the fixup for these two instructions
is mapped to the no_pop case, but these instructions execute after the
stack is pushed.

This change creates an explicit NO_POP exception mapping macro, and uses
it for the two instructions executed in the trivial case where no stack
pushes occur.

More information at ST Linux bugzilla:

	https://bugzilla.stlinux.com/show_bug.cgi?id=4824

Signed-off-by: Dylan Reid <dylan_reid@bose.com>
Signed-off-by: Stuart Menefy <stuart.menefy@st.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>

1 files changed, 8 insertions, 3 deletions

diff --git a/arch/sh/lib/copy_page.S b/arch/sh/lib/copy_page.S
index 5d12e657be34..43de7e8e4e17 100644
--- a/arch/sh/lib/copy_page.S
+++ b/arch/sh/lib/copy_page.S
@@ -80,6 +80,11 @@ ENTRY(copy_page)
         .section __ex_table, "a";       \
         .long 9999b, 6000f      ;       \
         .previous
+#define EX_NO_POP(...)                  \
+        9999: __VA_ARGS__ ;             \
+        .section __ex_table, "a";       \
+        .long 9999b, 6005f      ;       \
+        .previous
 ENTRY(__copy_user)
         ! Check if small number of bytes
         mov     #11,r0
@@ -139,9 +144,9 @@ EX(	mov.b	r1,@r4		)
         bt      1f
 
 2:
-EX(     mov.b   @r5+,r0         )
+EX_NO_POP(      mov.b   @r5+,r0         )
         dt      r6
-EX(     mov.b   r0,@r4          )
+EX_NO_POP(      mov.b   r0,@r4          )
         bf/s    2b
          add    #1,r4
 
@@ -150,7 +155,7 @@ EX(	mov.b	r0,@r4		)
 
 # Exception handler:
 .section .fixup, "ax"
-6000:
+6005:
         mov.l   8000f,r1
         mov     r3,r0
         jmp     @r1