From: Manfred Spraul <manfred@colorfullife.com>

4G/4G+CONFIG_DEBUG_PAGEALLOC crashes with my bochs setup.  It's caused by
copy_mount_options: the function must perform a copy_from_user without
proper boundary checks [stupid ABI] and the user access functions in
mm/usercopy.c do not create exception handler entries if fs==KERNEL_DS. 
The attached patch fixes that by using direct_copy_{from,to}_user instead
of memcpy.

I've triggered the crash with the debug option, but I'd bet that - given
enough users and setups - someone will trigger it with AGP GART memory.



 mm/usercopy.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff -puN mm/usercopy.c~4g4g-copy_mount_options-fix mm/usercopy.c
--- 25/mm/usercopy.c~4g4g-copy_mount_options-fix	2003-09-07 11:47:27.000000000 -0700
+++ 25-akpm/mm/usercopy.c	2003-09-07 11:47:27.000000000 -0700
@@ -192,7 +192,7 @@ int get_user_size(unsigned int size, voi
 	int ret;
 
 	if (unlikely(segment_eq(get_fs(), KERNEL_DS))) {
-		memcpy(val, ptr, size);
+		direct_copy_from_user(val, ptr, size);
 		return 0;
 	}
 	ret = rw_vm((unsigned long)ptr, val, size, 0);
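Review bot: In the KERNEL_DS branch of get_user_size() the result of direct_copy_from_user(val, ptr, size) is discarded and the function still does `return 0;`. The commit message says the point of the change is to get an exception handler entry for this access, so if the copy faults the caller is told it succeeded and `val` may hold only partially copied data. The non-KERNEL_DS path just below captures `ret = rw_vm(...)`, which suggests errors are meant to propagate. If direct_copy_from_user reports a failed or short copy through its return value, consider checking it here and returning an error, or add a comment saying why ignoring it is safe for this caller.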
@@ -212,7 +212,7 @@ int get_user_size(unsigned int size, voi
 int put_user_size(unsigned int size, const void *val, void *ptr)
 {
 	if (unlikely(segment_eq(get_fs(), KERNEL_DS))) {
-		memcpy(ptr, val, size);
+		direct_copy_to_user(ptr, val, size);
 		return 0;
 	}
 	return rw_vm((unsigned long)ptr, (void *)val, size, 1);
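Review bot: Nothing in the KERNEL_DS branch of put_user_size() records why direct_copy_to_user(ptr, val, size) is used instead of memcpy. A one-line comment that the access needs an exception table entry because the pointer may not be mapped (the copy_mount_options case from the commit message) would keep a later cleanup from turning it back into memcpy. As in get_user_size(), the branch also returns 0 unconditionally while the line below returns the result of rw_vm(), so a fault on the write is not reported to the caller; worth making the two paths consistent.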

_