ARM: 6489/1: thumb2: fix incorrect optimisation in usracc

Commit 8b592783 added a Thumb-2 variant of usracc which, when it is
called with \rept=2, calls usraccoff once with an offset of 0 and
secondly with a hard-coded offset of 4 in order to avoid incrementing
the pointer again. If \inc != 4 then we will store the data to the wrong
offset from \ptr. Luckily, the only caller that passes \rept=2 to this
function is __clear_user so we haven't been actively corrupting user data.

This patch fixes usracc to pass \inc instead of #4 to usraccoff
when it is called a second time.

Cc: <[email protected]>
Reported-by: Tony Thompson <[email protected]>
Acked-by: Catalin Marinas <[email protected]>
Signed-off-by: Will Deacon <[email protected]>
Signed-off-by: Russell King <[email protected]>

diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h
index 062b58c029ab92ceb23cf0616568a76d3ec3a6b1..749bb6622404b3aed8e9234d2c8ff67e13a731b1 100644 (file)
--- a/arch/arm/include/asm/assembler.h
+++ b/arch/arm/include/asm/assembler.h
@@ -238,7 +238,7 @@
        @ Slightly optimised to avoid incrementing the pointer twice
        usraccoff \instr, \reg, \ptr, \inc, 0, \cond, \abort
        .if     \rept == 2
-       usraccoff \instr, \reg, \ptr, \inc, 4, \cond, \abort
+       usraccoff \instr, \reg, \ptr, \inc, \inc, \cond, \abort
        .endif
 
        add\cond \ptr, #\rept * \inc