sh: __copy_user function can corrupt the stack in case of exception

The __copy_user function can corrupt the stack in the case of a
non-trivial length of data, and either of the first two move instructions
cause an exception. This is because the fixup for these two instructions
is mapped to the no_pop case, but these instructions execute after the
stack is pushed.

This change creates an explicit NO_POP exception mapping macro, and uses
it for the two instructions executed in the trivial case where no stack
pushes occur.

More information at ST Linux bugzilla:

	https://bugzilla.stlinux.com/show_bug.cgi?id=4824Signed-off-by: Dylan Reid <dylan_reid@bose.com>
Signed-off-by: Stuart Menefy <stuart.menefy@st.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>

arch/sh/lib/copy_page.S

@@ -80,6 +80,11 @@ ENTRY(copy_page)
 	.section __ex_table, "a";	\
 	.long 9999b, 6000f	;	\
 	.previous
+#define EX_NO_POP(...)			\
+	9999: __VA_ARGS__ ;		\
+	.section __ex_table, "a";	\
+	.long 9999b, 6005f	;	\
+	.previous
 ENTRY(__copy_user)
 	! Check if small number of bytes
 	mov	#11,r0
@@ -139,9 +144,9 @@ EX(	mov.b	r1,@r4		)
 	bt	1f
 
 2:
-EX(	mov.b	@r5+,r0		)
+EX_NO_POP(	mov.b	@r5+,r0		)
 	dt	r6
-EX(	mov.b	r0,@r4		)
+EX_NO_POP(	mov.b	r0,@r4		)
 	bf/s	2b
 	 add	#1,r4
 
@@ -150,7 +155,7 @@ EX(	mov.b	r0,@r4		)
 
 # Exception handler:
 .section .fixup, "ax"
-6000:
+6005:
 	mov.l	8000f,r1
 	mov	r3,r0
 	jmp	@r1