[PATCH] ipc/shm: Fix order of parameters when calling copy_compat_shmid_to_user

From: Will Deacon
Date: Mon Sep 18 2017 - 12:47:34 EST

Commit 553f770ef71b ("ipc: move compat shmctl to native") moved the
compat IPC syscall handling into ipc/shm.c and refactored the struct
accessors in the process. Unfortunately, the call to
copy_compat_shmid_to_user when handling a compat {IPC,SHM}_STAT command
gets the arguments the wrong way round, passing a kernel stack address
as the user buffer (destination) and the user buffer as the kernel stack
address (source).

This patch fixes the parameter ordering so the buffers are accessed

Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Will Deacon <will.deacon@xxxxxxx>
ipc/shm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipc/shm.c b/ipc/shm.c
index 1b3adfe3c60e..1e2b1692ba2c 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1237,7 +1237,7 @@ COMPAT_SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, void __user *, uptr)
err = shmctl_stat(ns, shmid, cmd, &sem64);
if (err < 0)
return err;
- if (copy_compat_shmid_to_user(&sem64, uptr, version))
+ if (copy_compat_shmid_to_user(uptr, &sem64, version))
err = -EFAULT;
return err;