patch-2.4.23 linux-2.4.23/arch/ppc/kernel/syscalls.c

• Lines: 144
• Date: 2003-11-28 10:26:19.000000000 -0800
• Orig file: linux-2.4.22/arch/ppc/kernel/syscalls.c
• Orig date: 2003-08-25 04:44:40.000000000 -0700

diff -urN linux-2.4.22/arch/ppc/kernel/syscalls.c linux-2.4.23/arch/ppc/kernel/syscalls.c
@@ -57,7 +57,7 @@
  * This is really horribly ugly.
  */
 int
-sys_ipc (uint call, int first, int second, int third, void *ptr, long fifth)
+sys_ipc(uint call, int first, int second, int third, void *ptr, long fifth)
 {
 	int version, ret;
 
@@ -67,24 +67,28 @@
 	ret = -EINVAL;
 	switch (call) {
 	case SEMOP:
-		ret = sys_semop (first, (struct sembuf *)ptr, second);
+		ret = sys_semtimedop(first, (struct sembuf *)ptr, second, NULL);
+		break;
+	case SEMTIMEDOP:
+		ret = sys_semtimedop(first, (struct sembuf *)ptr, second,
+				     (const struct timespec *)fifth);
 		break;
 	case SEMGET:
-		ret = sys_semget (first, second, third);
+		ret = sys_semget(first, second, third);
 		break;
 	case SEMCTL: {
 		union semun fourth;
 
 		if (!ptr)
 			break;
-		if ((ret = verify_area (VERIFY_READ, ptr, sizeof(long)))
+		if ((ret = verify_area(VERIFY_READ, ptr, sizeof(long)))
 		    || (ret = get_user(fourth.__pad, (void **)ptr)))
 			break;
-		ret = sys_semctl (first, second, third, fourth);
+		ret = sys_semctl(first, second, third, fourth);
 		break;
 		}
 	case MSGSND:
-		ret = sys_msgsnd (first, (struct msgbuf *) ptr, second, third);
+		ret = sys_msgsnd(first, (struct msgbuf *) ptr, second, third);
 		break;
 	case MSGRCV:
 		switch (version) {
@@ -93,26 +97,26 @@
 
 			if (!ptr)
 				break;
-			if ((ret = verify_area (VERIFY_READ, ptr, sizeof(tmp)))
+			if ((ret = verify_area(VERIFY_READ, ptr, sizeof(tmp)))
 			    || (ret = copy_from_user(&tmp,
 						(struct ipc_kludge *) ptr,
 						sizeof (tmp))))
 				break;
-			ret = sys_msgrcv (first, tmp.msgp, second, tmp.msgtyp,
-					  third);
+			ret = sys_msgrcv(first, tmp.msgp, second, tmp.msgtyp,
+					 third);
 			break;
 			}
 		default:
-			ret = sys_msgrcv (first, (struct msgbuf *) ptr,
-					  second, fifth, third);
+			ret = sys_msgrcv(first, (struct msgbuf *) ptr,
+					 second, fifth, third);
 			break;
 		}
 		break;
 	case MSGGET:
-		ret = sys_msgget ((key_t) first, second);
+		ret = sys_msgget((key_t) first, second);
 		break;
 	case MSGCTL:
-		ret = sys_msgctl (first, second, (struct msqid_ds *) ptr);
+		ret = sys_msgctl(first, second, (struct msqid_ds *) ptr);
 		break;
 	case SHMAT:
 		switch (version) {
@@ -122,29 +126,31 @@
 			if ((ret = verify_area(VERIFY_WRITE, (ulong*) third,
 					       sizeof(ulong))))
 				break;
-			ret = sys_shmat (first, (char *) ptr, second, &raddr);
+			ret = sys_shmat(first, (char *) ptr, second, &raddr);
 			if (ret)
 				break;
-			ret = put_user (raddr, (ulong *) third);
+			ret = put_user(raddr, (ulong *) third);
 			break;
 			}
 		case 1:	/* iBCS2 emulator entry point */
 			if (!segment_eq(get_fs(), get_ds()))
 				break;
-			ret = sys_shmat (first, (char *) ptr, second,
-					 (ulong *) third);
+			ret = sys_shmat(first, (char *) ptr, second,
+					(ulong *) third);
 			break;
 		}
 		break;
 	case SHMDT:
-		ret = sys_shmdt ((char *)ptr);
+		ret = sys_shmdt((char *)ptr);
 		break;
 	case SHMGET:
-		ret = sys_shmget (first, second, third);
+		ret = sys_shmget(first, second, third);
 		break;
 	case SHMCTL:
-		ret = sys_shmctl (first, second, (struct shmid_ds *) ptr);
+		ret = sys_shmctl(first, second, (struct shmid_ds *) ptr);
 		break;
+	default:
+		ret = -ENOSYS;
 	}
 
 	return ret;
@@ -167,6 +173,16 @@
 	return error;
 }
 
+#ifndef CONFIG_40x
+#define allow_mmap_address(addr)	1
+#else
+/* Blech.  On 40x allowing mmap() (MAP_FIXED) at the first few pages
+ * of (any process's) virtual memory is a security hole due to chip
+ * erratum #67 (and possibly also due to the (documented) bizarre
+ * prefetch behaviour around 'sc' see S3.8.2.1 of the user manual). */
+#define allow_mmap_address(addr)	((((addr) & PAGE_MASK) >= 0x2100) || suser())
+#endif
+
 static inline unsigned long
 do_mmap2(unsigned long addr, size_t len,
 	 unsigned long prot, unsigned long flags,
@@ -181,6 +197,10 @@
 			goto out;
 	}
 
+	ret = -EINVAL;
+	if ((! allow_mmap_address(addr)) && (flags & MAP_FIXED))
+		goto out;
+	
 	down_write(&current->mm->mmap_sem);
 	ret = do_mmap_pgoff(file, addr, len, prot, flags, pgoff);
 	up_write(&current->mm->mmap_sem);