From 429733db42fadd6566a5fa0e11433943c0cd8cb0 Mon Sep 17 00:00:00 2001
From: Sami Tolvanen
Date: Thu, 10 Sep 2020 15:46:59 -0700
Subject: [PATCH] ANDROID: lkdtm: use __va_function
To ensure we take the actual address of a function in kernel text, use __va_function. Otherwise, with CONFIG_CFI_CLANG, the compiler may replace the address with a pointer to the CFI jump table, which can reside inside the module, when compiled with CONFIG_LKDTM=m.
Bug: 145210207
Change-Id: Ie65d3aace55695a5e515436267c048b13ace9002
Signed-off-by: Sami Tolvanen
---
 drivers/misc/lkdtm/usercopy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/misc/lkdtm/usercopy.c b/drivers/misc/lkdtm/usercopy.c
index 109e8d4302c1..d173d6175c87 100644
--- a/drivers/misc/lkdtm/usercopy.c
+++ b/drivers/misc/lkdtm/usercopy.c
@@ -314,7 +314,7 @@ void lkdtm_USERCOPY_KERNEL(void)
 pr_info("attempting bad copy_to_user from kernel text: %px\n",
 vm_mmap);
- if (copy_to_user((void __user *)user_addr, vm_mmap,
+ if (copy_to_user((void __user *)user_addr, __va_function(vm_mmap),
 unconst + PAGE_SIZE)) {
 pr_warn("copy_to_user failed, but lacked Oops\n");
 goto free_user;
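Review bot: The `pr_info` just above the changed call still logs plain `vm_mmap`, so with CONFIG_CFI_CLANG and CONFIG_LKDTM=m the printed `%px` value can be the module's CFI jump-table entry while `copy_to_user` now reads from the real kernel-text address, and the log no longer names the address under test. Pass the same expression to both, e.g. `pr_info("attempting bad copy_to_user from kernel text: %px\n", __va_function(vm_mmap));`, so the faulting address in the expected Oops can be matched against the log line. A short comment at the call, such as `/* __va_function(): real text address, not the CFI jump-table stub */`, would keep a later cleanup from dropping the wrapper and leaving the test to exercise module memory instead of kernel text. The definition of `__va_function` is not on this page, so confirm it is also available when CFI is disabled; the body of lkdtm_USERCOPY_KERNEL continues outside the hunk.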