1 files changed, 95 insertions, 21 deletions
diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c
index b2ad1b0910ff..d32cb0503110 100644
--- a/arch/mips/math-emu/cp1emu.c
+++ b/arch/mips/math-emu/cp1emu.c
@@ -64,7 +64,7 @@ static int fpu_emu(struct pt_regs *, struct mips_fpu_struct *,
 #if __mips >= 4 && __mips != 32
 static int fpux_emu(struct pt_regs *,
-        struct mips_fpu_struct *, mips_instruction);
+        struct mips_fpu_struct *, mips_instruction, void *__user *);
 #endif
 /* Further private data for which no space exists in mips_fpu_struct */
@@ -208,16 +208,23 @@ static inline int cop1_64bit(struct pt_regs *xcp)
 * Two instructions if the instruction is in a branch delay slot.
 */
-static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx)
+static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
+                       void *__user *fault_addr)
 {
        mips_instruction ir;
        unsigned long emulpc, contpc;
        unsigned int cond;
-        if (get_user(ir, (mips_instruction __user *) xcp->cp0_epc)) {
+        if (!access_ok(VERIFY_READ, xcp->cp0_epc, sizeof(mips_instruction))) {
                MIPS_FPU_EMU_INC_STATS(errors);
+                *fault_addr = (mips_instruction __user *)xcp->cp0_epc;
                return SIGBUS;
        }
+        if (__get_user(ir, (mips_instruction __user *) xcp->cp0_epc)) {
+                MIPS_FPU_EMU_INC_STATS(errors);
+                *fault_addr = (mips_instruction __user *)xcp->cp0_epc;
+                return SIGSEGV;
+        }
        /* XXX NEC Vr54xx bug workaround */
        if ((xcp->cp0_cause & CAUSEF_BD) && !isBranchInstr(&ir))
@@ -245,10 +252,16 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx)
 #endif
                        return SIGILL;
                }
-                if (get_user(ir, (mips_instruction __user *) emulpc)) {
+                if (!access_ok(VERIFY_READ, emulpc, sizeof(mips_instruction))) {
                        MIPS_FPU_EMU_INC_STATS(errors);
+                        *fault_addr = (mips_instruction __user *)emulpc;
                        return SIGBUS;
                }
+                if (__get_user(ir, (mips_instruction __user *) emulpc)) {
+                        MIPS_FPU_EMU_INC_STATS(errors);
+                        *fault_addr = (mips_instruction __user *)emulpc;
+                        return SIGSEGV;
+                }
                /* __compute_return_epc() will have updated cp0_epc */
                contpc = xcp->cp0_epc;
                /* In order not to confuse ptrace() et al, tweak context */
@@ -269,10 +282,17 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx)
                u64 val;
                MIPS_FPU_EMU_INC_STATS(loads);
-                if (get_user(val, va)) {
+                if (!access_ok(VERIFY_READ, va, sizeof(u64))) {
                        MIPS_FPU_EMU_INC_STATS(errors);
+                        *fault_addr = va;
                        return SIGBUS;
                }
+                if (__get_user(val, va)) {
+                        MIPS_FPU_EMU_INC_STATS(errors);
+                        *fault_addr = va;
+                        return SIGSEGV;
+                }
                DITOREG(val, MIPSInst_RT(ir));
                break;
        }
@@ -284,10 +304,16 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx)
                MIPS_FPU_EMU_INC_STATS(stores);
                DIFROMREG(val, MIPSInst_RT(ir));
-                if (put_user(val, va)) {
+                if (!access_ok(VERIFY_WRITE, va, sizeof(u64))) {
                        MIPS_FPU_EMU_INC_STATS(errors);
+                        *fault_addr = va;
                        return SIGBUS;
                }
+                if (__put_user(val, va)) {
+                        MIPS_FPU_EMU_INC_STATS(errors);
+                        *fault_addr = va;
+                        return SIGSEGV;
+                }
                break;
        }
@@ -297,10 +323,16 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx)
                u32 val;
                MIPS_FPU_EMU_INC_STATS(loads);
-                if (get_user(val, va)) {
+                if (!access_ok(VERIFY_READ, va, sizeof(u32))) {
                        MIPS_FPU_EMU_INC_STATS(errors);
+                        *fault_addr = va;
                        return SIGBUS;
                }
+                if (__get_user(val, va)) {
+                        MIPS_FPU_EMU_INC_STATS(errors);
+                        *fault_addr = va;
+                        return SIGSEGV;
+                }
                SITOREG(val, MIPSInst_RT(ir));
                break;
        }
@@ -312,10 +344,16 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx)
                MIPS_FPU_EMU_INC_STATS(stores);
                SIFROMREG(val, MIPSInst_RT(ir));
-                if (put_user(val, va)) {
+                if (!access_ok(VERIFY_WRITE, va, sizeof(u32))) {
                        MIPS_FPU_EMU_INC_STATS(errors);
+                        *fault_addr = va;
                        return SIGBUS;
                }
+                if (__put_user(val, va)) {
+                        MIPS_FPU_EMU_INC_STATS(errors);
+                        *fault_addr = va;
+                        return SIGSEGV;
+                }
                break;
        }
@@ -440,11 +478,18 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx)
                                contpc = (xcp->cp0_epc +
                                        (MIPSInst_SIMM(ir) << 2));
-                                if (get_user(ir,
+                                if (!access_ok(VERIFY_READ, xcp->cp0_epc,
-                                    (mips_instruction __user *) xcp->cp0_epc)) {
+                                               sizeof(mips_instruction))) {
                                        MIPS_FPU_EMU_INC_STATS(errors);
+                                        *fault_addr = (mips_instruction __user *)xcp->cp0_epc;
                                        return SIGBUS;
                                }
+                                if (__get_user(ir,
+                                    (mips_instruction __user *) xcp->cp0_epc)) {
+                                        MIPS_FPU_EMU_INC_STATS(errors);
+                                        *fault_addr = (mips_instruction __user *)xcp->cp0_epc;
+                                        return SIGSEGV;
+                                }
                                switch (MIPSInst_OPCODE(ir)) {
                                case lwc1_op:
@@ -506,9 +551,8 @@ static int cop1Emulate(struct pt_regs *xcp, struct mips_fpu_struct *ctx)
 #if __mips >= 4 && __mips != 32
        case cop1x_op:{
-                int sig;
+                int sig = fpux_emu(xcp, ctx, ir, fault_addr);
+                if (sig)
-                if ((sig = fpux_emu(xcp, ctx, ir)))
                        return sig;
                break;
        }
@@ -604,7 +648,7 @@ DEF3OP(nmadd, dp, ieee754dp_mul, ieee754dp_add, ieee754dp_neg);
 DEF3OP(nmsub, dp, ieee754dp_mul, ieee754dp_sub, ieee754dp_neg);
 static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
-        mips_instruction ir)
+        mips_instruction ir, void *__user *fault_addr)
 {
        unsigned rcsr = 0;      /* resulting csr */
@@ -624,10 +668,16 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
                                xcp->regs[MIPSInst_FT(ir)]);
                        MIPS_FPU_EMU_INC_STATS(loads);
-                        if (get_user(val, va)) {
+                        if (!access_ok(VERIFY_READ, va, sizeof(u32))) {
                                MIPS_FPU_EMU_INC_STATS(errors);
+                                *fault_addr = va;
                                return SIGBUS;
                        }
+                        if (__get_user(val, va)) {
+                                MIPS_FPU_EMU_INC_STATS(errors);
+                                *fault_addr = va;
+                                return SIGSEGV;
+                        }
                        SITOREG(val, MIPSInst_FD(ir));
                        break;
@@ -638,10 +688,16 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
                        MIPS_FPU_EMU_INC_STATS(stores);
                        SIFROMREG(val, MIPSInst_FS(ir));
-                        if (put_user(val, va)) {
+                        if (!access_ok(VERIFY_WRITE, va, sizeof(u32))) {
                                MIPS_FPU_EMU_INC_STATS(errors);
+                                *fault_addr = va;
                                return SIGBUS;
                        }
+                        if (put_user(val, va)) {
+                                MIPS_FPU_EMU_INC_STATS(errors);
+                                *fault_addr = va;
+                                return SIGSEGV;
+                        }
                        break;
                case madd_s_op:
@@ -701,10 +757,16 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
                                xcp->regs[MIPSInst_FT(ir)]);
                        MIPS_FPU_EMU_INC_STATS(loads);
-                        if (get_user(val, va)) {
+                        if (!access_ok(VERIFY_READ, va, sizeof(u64))) {
                                MIPS_FPU_EMU_INC_STATS(errors);
+                                *fault_addr = va;
                                return SIGBUS;
                        }
+                        if (__get_user(val, va)) {
+                                MIPS_FPU_EMU_INC_STATS(errors);
+                                *fault_addr = va;
+                                return SIGSEGV;
+                        }
                        DITOREG(val, MIPSInst_FD(ir));
                        break;
@@ -714,10 +776,16 @@ static int fpux_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
                        MIPS_FPU_EMU_INC_STATS(stores);
                        DIFROMREG(val, MIPSInst_FS(ir));
-                        if (put_user(val, va)) {
+                        if (!access_ok(VERIFY_WRITE, va, sizeof(u64))) {
                                MIPS_FPU_EMU_INC_STATS(errors);
+                                *fault_addr = va;
                                return SIGBUS;
                        }
+                        if (__put_user(val, va)) {
+                                MIPS_FPU_EMU_INC_STATS(errors);
+                                *fault_addr = va;
+                                return SIGSEGV;
+                        }
                        break;
                case madd_d_op:
@@ -1242,7 +1310,7 @@ static int fpu_emu(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
 }
 int fpu_emulator_cop1Handler(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
-        int has_fpu)
+        int has_fpu, void *__user *fault_addr)
 {
        unsigned long oldepc, prevepc;
        mips_instruction insn;
@@ -1252,10 +1320,16 @@ int fpu_emulator_cop1Handler(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
        do {
                prevepc = xcp->cp0_epc;
-                if (get_user(insn, (mips_instruction __user *) xcp->cp0_epc)) {
+                if (!access_ok(VERIFY_READ, xcp->cp0_epc, sizeof(mips_instruction))) {
                        MIPS_FPU_EMU_INC_STATS(errors);
+                        *fault_addr = (mips_instruction __user *)xcp->cp0_epc;
                        return SIGBUS;
                }
+                if (__get_user(insn, (mips_instruction __user *) xcp->cp0_epc)) {
+                        MIPS_FPU_EMU_INC_STATS(errors);
+                        *fault_addr = (mips_instruction __user *)xcp->cp0_epc;
+                        return SIGSEGV;
+                }
                if (insn == 0)
                        xcp->cp0_epc += 4;      /* skip nops */
                else {
@@ -1267,7 +1341,7 @@ int fpu_emulator_cop1Handler(struct pt_regs *xcp, struct mips_fpu_struct *ctx,
                         */
                        /* convert to ieee library modes */
                        ieee754_csr.rm = ieee_rm[ieee754_csr.rm];
-                        sig = cop1Emulate(xcp, ctx);
+                        sig = cop1Emulate(xcp, ctx, fault_addr);
                        /* revert to mips rounding mode */
                        ieee754_csr.rm = mips_rm[ieee754_csr.rm];
                }

diff --git a/arch/mips/math-emu/cp1emu.c b/arch/mips/math-emu/cp1emu.c index b2ad1b0910ff..d32cb0503110 100644 --- a/arch/mips/math-emu/cp1emu.c +++ b/arch/mips/math-emu/cp1emu.c
@@ -64,7 +64,7 @@ static int fpu_emu(struct pt_regs , struct mips_fpu_struct ,
64		64
65	#if __mips >= 4 && __mips != 32	65	#if __mips >= 4 && __mips != 32
66	static int fpux_emu(struct pt_regs *,	66	static int fpux_emu(struct pt_regs *,
67	struct mips_fpu_struct *, mips_instruction);	67	struct mips_fpu_struct , mips_instruction, void __user *);
68	#endif	68	#endif
69		69
70	/* Further private data for which no space exists in mips_fpu_struct */	70	/* Further private data for which no space exists in mips_fpu_struct */
@@ -208,16 +208,23 @@ static inline int cop1_64bit(struct pt_regs *xcp)
208	* Two instructions if the instruction is in a branch delay slot.	208	* Two instructions if the instruction is in a branch delay slot.
209	*/	209	*/
210		210
211	static int cop1Emulate(struct pt_regs xcp, struct mips_fpu_struct ctx)	211	static int cop1Emulate(struct pt_regs xcp, struct mips_fpu_struct ctx,
		212	void __user fault_addr)
212	{	213	{
213	mips_instruction ir;	214	mips_instruction ir;
214	unsigned long emulpc, contpc;	215	unsigned long emulpc, contpc;
215	unsigned int cond;	216	unsigned int cond;
216		217
217	if (get_user(ir, (mips_instruction __user *) xcp->cp0_epc)) {	218	if (!access_ok(VERIFY_READ, xcp->cp0_epc, sizeof(mips_instruction))) {
218	MIPS_FPU_EMU_INC_STATS(errors);	219	MIPS_FPU_EMU_INC_STATS(errors);
		220	fault_addr = (mips_instruction __user )xcp->cp0_epc;
219	return SIGBUS;	221	return SIGBUS;
220	}	222	}
		223	if (__get_user(ir, (mips_instruction __user *) xcp->cp0_epc)) {
		224	MIPS_FPU_EMU_INC_STATS(errors);
		225	fault_addr = (mips_instruction __user )xcp->cp0_epc;
		226	return SIGSEGV;
		227	}
221		228
222	/* XXX NEC Vr54xx bug workaround */	229	/* XXX NEC Vr54xx bug workaround */
223	if ((xcp->cp0_cause & CAUSEF_BD) && !isBranchInstr(&ir))	230	if ((xcp->cp0_cause & CAUSEF_BD) && !isBranchInstr(&ir))
@@ -245,10 +252,16 @@ static int cop1Emulate(struct pt_regs xcp, struct mips_fpu_struct ctx)
245	#endif	252	#endif
246	return SIGILL;	253	return SIGILL;
247	}	254	}
248	if (get_user(ir, (mips_instruction __user *) emulpc)) {	255	if (!access_ok(VERIFY_READ, emulpc, sizeof(mips_instruction))) {
249	MIPS_FPU_EMU_INC_STATS(errors);	256	MIPS_FPU_EMU_INC_STATS(errors);
		257	fault_addr = (mips_instruction __user )emulpc;
250	return SIGBUS;	258	return SIGBUS;
251	}	259	}
		260	if (__get_user(ir, (mips_instruction __user *) emulpc)) {
		261	MIPS_FPU_EMU_INC_STATS(errors);
		262	fault_addr = (mips_instruction __user )emulpc;
		263	return SIGSEGV;
		264	}
252	/* __compute_return_epc() will have updated cp0_epc */	265	/* __compute_return_epc() will have updated cp0_epc */
253	contpc = xcp->cp0_epc;	266	contpc = xcp->cp0_epc;
254	/* In order not to confuse ptrace() et al, tweak context */	267	/* In order not to confuse ptrace() et al, tweak context */
@@ -269,10 +282,17 @@ static int cop1Emulate(struct pt_regs xcp, struct mips_fpu_struct ctx)
269	u64 val;	282	u64 val;
270		283
271	MIPS_FPU_EMU_INC_STATS(loads);	284	MIPS_FPU_EMU_INC_STATS(loads);
272	if (get_user(val, va)) {	285
		286	if (!access_ok(VERIFY_READ, va, sizeof(u64))) {
273	MIPS_FPU_EMU_INC_STATS(errors);	287	MIPS_FPU_EMU_INC_STATS(errors);
		288	*fault_addr = va;
274	return SIGBUS;	289	return SIGBUS;
275	}	290	}
		291	if (__get_user(val, va)) {
		292	MIPS_FPU_EMU_INC_STATS(errors);
		293	*fault_addr = va;
		294	return SIGSEGV;
		295	}
276	DITOREG(val, MIPSInst_RT(ir));	296	DITOREG(val, MIPSInst_RT(ir));
277	break;	297	break;
278	}	298	}
@@ -284,10 +304,16 @@ static int cop1Emulate(struct pt_regs xcp, struct mips_fpu_struct ctx)
284		304
285	MIPS_FPU_EMU_INC_STATS(stores);	305	MIPS_FPU_EMU_INC_STATS(stores);
286	DIFROMREG(val, MIPSInst_RT(ir));	306	DIFROMREG(val, MIPSInst_RT(ir));
287	if (put_user(val, va)) {	307	if (!access_ok(VERIFY_WRITE, va, sizeof(u64))) {
288	MIPS_FPU_EMU_INC_STATS(errors);	308	MIPS_FPU_EMU_INC_STATS(errors);
		309	*fault_addr = va;
289	return SIGBUS;	310	return SIGBUS;
290	}	311	}
		312	if (__put_user(val, va)) {
		313	MIPS_FPU_EMU_INC_STATS(errors);
		314	*fault_addr = va;
		315	return SIGSEGV;
		316	}
291	break;	317	break;
292	}	318	}
293		319
@@ -297,10 +323,16 @@ static int cop1Emulate(struct pt_regs xcp, struct mips_fpu_struct ctx)
297	u32 val;	323	u32 val;
298		324
299	MIPS_FPU_EMU_INC_STATS(loads);	325	MIPS_FPU_EMU_INC_STATS(loads);
300	if (get_user(val, va)) {	326	if (!access_ok(VERIFY_READ, va, sizeof(u32))) {
301	MIPS_FPU_EMU_INC_STATS(errors);	327	MIPS_FPU_EMU_INC_STATS(errors);
		328	*fault_addr = va;
302	return SIGBUS;	329	return SIGBUS;
303	}	330	}
		331	if (__get_user(val, va)) {
		332	MIPS_FPU_EMU_INC_STATS(errors);
		333	*fault_addr = va;
		334	return SIGSEGV;
		335	}
304	SITOREG(val, MIPSInst_RT(ir));	336	SITOREG(val, MIPSInst_RT(ir));
305	break;	337	break;
306	}	338	}
@@ -312,10 +344,16 @@ static int cop1Emulate(struct pt_regs xcp, struct mips_fpu_struct ctx)
312		344
313	MIPS_FPU_EMU_INC_STATS(stores);	345	MIPS_FPU_EMU_INC_STATS(stores);
314	SIFROMREG(val, MIPSInst_RT(ir));	346	SIFROMREG(val, MIPSInst_RT(ir));
315	if (put_user(val, va)) {	347	if (!access_ok(VERIFY_WRITE, va, sizeof(u32))) {
316	MIPS_FPU_EMU_INC_STATS(errors);	348	MIPS_FPU_EMU_INC_STATS(errors);
		349	*fault_addr = va;
317	return SIGBUS;	350	return SIGBUS;
318	}	351	}
		352	if (__put_user(val, va)) {
		353	MIPS_FPU_EMU_INC_STATS(errors);
		354	*fault_addr = va;
		355	return SIGSEGV;
		356	}
319	break;	357	break;
320	}	358	}
321		359
@@ -440,11 +478,18 @@ static int cop1Emulate(struct pt_regs xcp, struct mips_fpu_struct ctx)
440	contpc = (xcp->cp0_epc +	478	contpc = (xcp->cp0_epc +
441	(MIPSInst_SIMM(ir) << 2));	479	(MIPSInst_SIMM(ir) << 2));
442		480
443	if (get_user(ir,	481	if (!access_ok(VERIFY_READ, xcp->cp0_epc,
444	(mips_instruction __user *) xcp->cp0_epc)) {	482	sizeof(mips_instruction))) {
445	MIPS_FPU_EMU_INC_STATS(errors);	483	MIPS_FPU_EMU_INC_STATS(errors);
		484	fault_addr = (mips_instruction __user )xcp->cp0_epc;
446	return SIGBUS;	485	return SIGBUS;
447	}	486	}
		487	if (__get_user(ir,
		488	(mips_instruction __user *) xcp->cp0_epc)) {
		489	MIPS_FPU_EMU_INC_STATS(errors);
		490	fault_addr = (mips_instruction __user )xcp->cp0_epc;
		491	return SIGSEGV;
		492	}
448		493
449	switch (MIPSInst_OPCODE(ir)) {	494	switch (MIPSInst_OPCODE(ir)) {
450	case lwc1_op:	495	case lwc1_op:
@@ -506,9 +551,8 @@ static int cop1Emulate(struct pt_regs xcp, struct mips_fpu_struct ctx)
506		551
507	#if __mips >= 4 && __mips != 32	552	#if __mips >= 4 && __mips != 32
508	case cop1x_op:{	553	case cop1x_op:{
509	int sig;	554	int sig = fpux_emu(xcp, ctx, ir, fault_addr);
510		555	if (sig)
511	if ((sig = fpux_emu(xcp, ctx, ir)))
512	return sig;	556	return sig;
513	break;	557	break;
514	}	558	}
@@ -604,7 +648,7 @@ DEF3OP(nmadd, dp, ieee754dp_mul, ieee754dp_add, ieee754dp_neg);
604	DEF3OP(nmsub, dp, ieee754dp_mul, ieee754dp_sub, ieee754dp_neg);	648	DEF3OP(nmsub, dp, ieee754dp_mul, ieee754dp_sub, ieee754dp_neg);
605		649
606	static int fpux_emu(struct pt_regs xcp, struct mips_fpu_struct ctx,	650	static int fpux_emu(struct pt_regs xcp, struct mips_fpu_struct ctx,
607	mips_instruction ir)	651	mips_instruction ir, void __user fault_addr)
608	{	652	{
609	unsigned rcsr = 0; /* resulting csr */	653	unsigned rcsr = 0; /* resulting csr */
610		654
@@ -624,10 +668,16 @@ static int fpux_emu(struct pt_regs xcp, struct mips_fpu_struct ctx,
624	xcp->regs[MIPSInst_FT(ir)]);	668	xcp->regs[MIPSInst_FT(ir)]);
625		669
626	MIPS_FPU_EMU_INC_STATS(loads);	670	MIPS_FPU_EMU_INC_STATS(loads);
627	if (get_user(val, va)) {	671	if (!access_ok(VERIFY_READ, va, sizeof(u32))) {
628	MIPS_FPU_EMU_INC_STATS(errors);	672	MIPS_FPU_EMU_INC_STATS(errors);
		673	*fault_addr = va;
629	return SIGBUS;	674	return SIGBUS;
630	}	675	}
		676	if (__get_user(val, va)) {
		677	MIPS_FPU_EMU_INC_STATS(errors);
		678	*fault_addr = va;
		679	return SIGSEGV;
		680	}
631	SITOREG(val, MIPSInst_FD(ir));	681	SITOREG(val, MIPSInst_FD(ir));
632	break;	682	break;
633		683
@@ -638,10 +688,16 @@ static int fpux_emu(struct pt_regs xcp, struct mips_fpu_struct ctx,
638	MIPS_FPU_EMU_INC_STATS(stores);	688	MIPS_FPU_EMU_INC_STATS(stores);
639		689
640	SIFROMREG(val, MIPSInst_FS(ir));	690	SIFROMREG(val, MIPSInst_FS(ir));
641	if (put_user(val, va)) {	691	if (!access_ok(VERIFY_WRITE, va, sizeof(u32))) {
642	MIPS_FPU_EMU_INC_STATS(errors);	692	MIPS_FPU_EMU_INC_STATS(errors);
		693	*fault_addr = va;
643	return SIGBUS;	694	return SIGBUS;
644	}	695	}
		696	if (put_user(val, va)) {
		697	MIPS_FPU_EMU_INC_STATS(errors);
		698	*fault_addr = va;
		699	return SIGSEGV;
		700	}
645	break;	701	break;
646		702
647	case madd_s_op:	703	case madd_s_op:
@@ -701,10 +757,16 @@ static int fpux_emu(struct pt_regs xcp, struct mips_fpu_struct ctx,
701	xcp->regs[MIPSInst_FT(ir)]);	757	xcp->regs[MIPSInst_FT(ir)]);
702		758
703	MIPS_FPU_EMU_INC_STATS(loads);	759	MIPS_FPU_EMU_INC_STATS(loads);
704	if (get_user(val, va)) {	760	if (!access_ok(VERIFY_READ, va, sizeof(u64))) {
705	MIPS_FPU_EMU_INC_STATS(errors);	761	MIPS_FPU_EMU_INC_STATS(errors);
		762	*fault_addr = va;
706	return SIGBUS;	763	return SIGBUS;
707	}	764	}
		765	if (__get_user(val, va)) {
		766	MIPS_FPU_EMU_INC_STATS(errors);
		767	*fault_addr = va;
		768	return SIGSEGV;
		769	}
708	DITOREG(val, MIPSInst_FD(ir));	770	DITOREG(val, MIPSInst_FD(ir));
709	break;	771	break;
710		772
@@ -714,10 +776,16 @@ static int fpux_emu(struct pt_regs xcp, struct mips_fpu_struct ctx,
714		776
715	MIPS_FPU_EMU_INC_STATS(stores);	777	MIPS_FPU_EMU_INC_STATS(stores);
716	DIFROMREG(val, MIPSInst_FS(ir));	778	DIFROMREG(val, MIPSInst_FS(ir));
717	if (put_user(val, va)) {	779	if (!access_ok(VERIFY_WRITE, va, sizeof(u64))) {
718	MIPS_FPU_EMU_INC_STATS(errors);	780	MIPS_FPU_EMU_INC_STATS(errors);
		781	*fault_addr = va;
719	return SIGBUS;	782	return SIGBUS;
720	}	783	}
		784	if (__put_user(val, va)) {
		785	MIPS_FPU_EMU_INC_STATS(errors);
		786	*fault_addr = va;
		787	return SIGSEGV;
		788	}
721	break;	789	break;
722		790
723	case madd_d_op:	791	case madd_d_op:
@@ -1242,7 +1310,7 @@ static int fpu_emu(struct pt_regs xcp, struct mips_fpu_struct ctx,
1242	}	1310	}
1243		1311
1244	int fpu_emulator_cop1Handler(struct pt_regs xcp, struct mips_fpu_struct ctx,	1312	int fpu_emulator_cop1Handler(struct pt_regs xcp, struct mips_fpu_struct ctx,
1245	int has_fpu)	1313	int has_fpu, void __user fault_addr)
1246	{	1314	{
1247	unsigned long oldepc, prevepc;	1315	unsigned long oldepc, prevepc;
1248	mips_instruction insn;	1316	mips_instruction insn;
@@ -1252,10 +1320,16 @@ int fpu_emulator_cop1Handler(struct pt_regs xcp, struct mips_fpu_struct ctx,
1252	do {	1320	do {
1253	prevepc = xcp->cp0_epc;	1321	prevepc = xcp->cp0_epc;
1254		1322
1255	if (get_user(insn, (mips_instruction __user *) xcp->cp0_epc)) {	1323	if (!access_ok(VERIFY_READ, xcp->cp0_epc, sizeof(mips_instruction))) {
1256	MIPS_FPU_EMU_INC_STATS(errors);	1324	MIPS_FPU_EMU_INC_STATS(errors);
		1325	fault_addr = (mips_instruction __user )xcp->cp0_epc;
1257	return SIGBUS;	1326	return SIGBUS;
1258	}	1327	}
		1328	if (__get_user(insn, (mips_instruction __user *) xcp->cp0_epc)) {
		1329	MIPS_FPU_EMU_INC_STATS(errors);
		1330	fault_addr = (mips_instruction __user )xcp->cp0_epc;
		1331	return SIGSEGV;
		1332	}
1259	if (insn == 0)	1333	if (insn == 0)
1260	xcp->cp0_epc += 4; /* skip nops */	1334	xcp->cp0_epc += 4; /* skip nops */
1261	else {	1335	else {
@@ -1267,7 +1341,7 @@ int fpu_emulator_cop1Handler(struct pt_regs xcp, struct mips_fpu_struct ctx,
1267	*/	1341	*/
1268	/* convert to ieee library modes */	1342	/* convert to ieee library modes */
1269	ieee754_csr.rm = ieee_rm[ieee754_csr.rm];	1343	ieee754_csr.rm = ieee_rm[ieee754_csr.rm];
1270	sig = cop1Emulate(xcp, ctx);	1344	sig = cop1Emulate(xcp, ctx, fault_addr);
1271	/* revert to mips rounding mode */	1345	/* revert to mips rounding mode */
1272	ieee754_csr.rm = mips_rm[ieee754_csr.rm];	1346	ieee754_csr.rm = mips_rm[ieee754_csr.rm];
1273	}	1347	}