The total size of the value copy_to_user() writes to userspace should be (current number of CPUs) * (value size), instead of num_possible_cpus() * (value size). Found by samples/bpf/test_maps.c, which always copies 512 bytes to userspace, crashing the userspace program stack.
Signed-off-by: William Tu <u9012...@gmail.com> --- kernel/bpf/syscall.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 228f962..47f738e 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -324,7 +324,8 @@ static int map_lookup_elem(union bpf_attr *attr) goto free_value; err = -EFAULT; - if (copy_to_user(uvalue, value, value_size) != 0) + if (copy_to_user(uvalue, value, + map->value_size * num_online_cpus()) != 0) goto free_value; err = 0; -- 2.5.0
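Review bot: Replacing `value_size` with `map->value_size * num_online_cpus()` in map_lookup_elem() changes the kernel's userspace contract instead of fixing the sample that overflowed, and the hunk applies the new length unconditionally: there is no map-type check in the visible context, so every map that reaches this copy_to_user() would now have its value length multiplied by the CPU count, whereas the `value_size` it replaces was computed earlier in the function (per the commit message, already scaled by num_possible_cpus() for this map type). num_online_cpus() is also the wrong quantity for a per-cpu value: it can change under CPU hotplug between the lookup and the copy, and when possible CPU ids are not contiguous the online count does not describe how many per-cpu slots the kernel-side buffer holds, so a user buffer sized from it can still be too small or receive a truncated copy. The crash described for samples/bpf/test_maps.c is a userspace buffer that is smaller than num_possible_cpus() * value_size; keep `if (copy_to_user(uvalue, value, value_size) != 0)` as is and size the sample's lookup buffer from num_possible_cpus() (or from the map's value size times the possible CPU count read at runtime) rather than a fixed 512 bytes.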