From 2ce9804fbd9d4da75fb5bb53331b46b614a7d5c3 Mon Sep 17 00:00:00 2001 From: Nicolas Pitre Date: Sat, 25 Mar 2006 22:44:05 +0000 Subject: [ARM] 3030/2: fix permission check in the obscur cmpxchg syscall Patch from Nicolas Pitre Quoting RMK: |pte_write() just says that the page _may_ be writable. It doesn't say |that the MMU is programmed to allow writes. If pte_dirty() doesn't |return true, that means that the page is _not_ writable from userspace. |If you write to it from kernel mode (without using put_user) you'll |bypass the MMU read-only protection and may end up writing to a page |owned by two separate processes. Signed-off-by: Nicolas Pitre Signed-off-by: Russell King diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c index 03924bc..d566d5f 100644 --- a/arch/arm/kernel/traps.c +++ b/arch/arm/kernel/traps.c @@ -506,7 +506,7 @@ asmlinkage int arm_syscall(int no, struct pt_regs *regs) if (!pmd_present(*pmd)) goto bad_access; pte = pte_offset_map_lock(mm, pmd, addr, &ptl); - if (!pte_present(*pte) || !pte_write(*pte)) { + if (!pte_present(*pte) || !pte_dirty(*pte)) { pte_unmap_unlock(pte, ptl); goto bad_access; } -- cgit v0.10.2