import PULS_20180308

[GitHub/mt8127/android_kernel_alcatel_ttab.git] / fs / aio.c

diff --git a/fs/aio.c b/fs/aio.c
index ded94c4fa30d31a6997625d007548d119c2aa75d..e6483800c73433a0ce4b7485be1f64f70f6d56cf 100644 (file)
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -35,6 +35,7 @@
 #include <linux/eventfd.h>
 #include <linux/blkdev.h>
 #include <linux/compat.h>
+#include <linux/personality.h>
 
 #include <asm/kmap_types.h>
 #include <asm/uaccess.h>
@@ -153,6 +154,9 @@ static int aio_setup_ring(struct kioctx *ctx)
        unsigned long size, populate;
        int nr_pages;
 
+       if (current->personality & READ_IMPLIES_EXEC)
+               return -EPERM;
+
        /* Compensate for the ring buffer's head/tail overlap entry */
        nr_events += 2; /* 1 is required, 2 for good luck */
 
@@ -977,12 +981,17 @@ static ssize_t aio_setup_vectored_rw(int rw, struct kiocb *kiocb, bool compat)
 
 static ssize_t aio_setup_single_vector(int rw, struct kiocb *kiocb)
 {
-       if (unlikely(!access_ok(!rw, kiocb->ki_buf, kiocb->ki_nbytes)))
+       size_t len = kiocb->ki_nbytes;
+
+       if (len > MAX_RW_COUNT)
+               len = MAX_RW_COUNT;
+
+       if (unlikely(!access_ok(!rw, kiocb->ki_buf, len)))
                return -EFAULT;
 
        kiocb->ki_iovec = &kiocb->ki_inline_vec;
        kiocb->ki_iovec->iov_base = kiocb->ki_buf;
-       kiocb->ki_iovec->iov_len = kiocb->ki_nbytes;
+       kiocb->ki_iovec->iov_len = len;
        kiocb->ki_nr_segs = 1;
        return 0;
 }