Ack: [PATCH T/X/Y SRU] UBUNTU: SAUCE: (no-up) powerpc/64: Fix incorrect return value from __copy_tofrom_user
Leann Ogasawara
leann.ogasawara at canonical.com
Tue Oct 11 20:47:51 UTC 2016
On 10/11/2016 01:45 PM, Seth Forshee wrote:
> From: Paul Mackerras <paulus at ozlabs.org>
>
> BugLink: http://bugs.launchpad.net/bugs/1632462
>
> Debugging a data corruption issue with virtio-net/vhost-net led to
> the observation that __copy_tofrom_user was occasionally returning
> a value 16 larger than it should. Since the return value from
> __copy_tofrom_user is the number of bytes not copied, this means
> that __copy_tofrom_user can occasionally return a value larger
> than the number of bytes it was asked to copy. In turn this can
> cause higher-level copy functions such as copy_page_to_iter_iovec
> to corrupt memory by copying data into the wrong memory locations.
>
> It turns out that the failing case involves a fault on the store
> at label 79, and at that point the first unmodified byte of the
> destination is at R3 + 16. Consequently the exception handler
> for that store needs to add 16 to R3 before using it to work out
> how many bytes were not copied, but in this one case it was not
> adding the offset to R3. To fix it, this moves the label 179 to
> the point where we add 16 to R3. I have checked manually all the
> exception handlers for the loads and stores in this code and the
> rest of them are correct (it would be excellent to have an
> automated test of all the exception cases).
>
> Signed-off-by: Paul Mackerras <paulus at ozlabs.org>
> Signed-off-by: Seth Forshee <seth.forshee at canonical.com>
Acked-by: Leann Ogasawara <leann.ogasawara at canonical.com>
> ---
> arch/powerpc/lib/copyuser_64.S | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/powerpc/lib/copyuser_64.S b/arch/powerpc/lib/copyuser_64.S
> index f09899e35991..7b22624f332c 100644
> --- a/arch/powerpc/lib/copyuser_64.S
> +++ b/arch/powerpc/lib/copyuser_64.S
> @@ -359,6 +359,7 @@ END_FTR_SECTION_IFCLR(CPU_FTR_UNALIGNED_LD_STD)
> addi r3,r3,8
> 171:
> 177:
> +179:
> addi r3,r3,8
> 370:
> 372:
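Review bot: between the new `179:` and `370:` this hunk shows only one `addi r3,r3,8`, while the commit message says the handler for the store at label 79 must add 16 to r3, so the remaining 8 has to come from the code after `372:` that lies outside the hunk context; please confirm that fall-through path adds exactly 8 more before the "bytes not copied" value is formed (171 and 177, which now share the block, are a cross-check since they depend on the same path). Since the commit message itself notes there is no automated test of the exception cases, a one-line comment above each label group stating the r3 offset it accounts for would make the next off-by-N in this table visible at review time.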
> @@ -373,7 +374,6 @@ END_FTR_SECTION_IFCLR(CPU_FTR_UNALIGNED_LD_STD)
> 173:
> 174:
> 175:
> -179:
> 181:
> 184:
> 186:
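Review bot: dropping `179:` from this group is only correct together with the `+179:` in the previous hunk, because the fixup for the store at label 79 still jumps to that label (per the commit message); for a no-up SAUCE patch carried on three series (T/X/Y) the context here is bare labels that match in several places in this file, so please verify in each tree that both hunks applied and that 179 ended up in the `addi r3,r3,8` group rather than silently staying in the 173/174/175/181/184/186 group, which is exactly the placement being removed.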
>
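The commit message describes a contract ("return value is the number of bytes not copied") and a consequence (a return larger than the request makes an iovec-walking caller corrupt memory). The following user-space C is an added illustration, not code from the patch, the kernel or the thread: it models that contract with a fixed and a pre-fix-style copy routine, walks two constructed iovecs the way copy_page_to_iter_iovec does, and shows the consumer-side check that turns the wrapped "bytes copied" value into a detected contract violation. All names (`model_copy_*`, `iov_copy_*`, `run_scenario`), the fault position, and the use of a flat 16-byte over-report are assumptions made for the model; they do not reproduce the powerpc assembly.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the off-by-16 described in the commit message.  The real
 * bug depends on which store faulted; here every fault over-reports by this much. */
#define BUG_OFFSET 16

/* Contract modelled on __copy_tofrom_user: copy n bytes, return bytes NOT copied.
 * fault_at simulates a page fault after that many bytes have been stored. */
typedef size_t (*copy_fn)(void *dst, const void *src, size_t n, size_t fault_at);

static size_t model_copy_fixed(void *dst, const void *src, size_t n, size_t fault_at)
{
    size_t done = n < fault_at ? n : fault_at;
    memcpy(dst, src, done);
    return n - done;                       /* honest remainder */
}

/* Pre-fix behaviour: the fixup forgets that BUG_OFFSET bytes were already stored,
 * so the remainder is BUG_OFFSET too large; when done < BUG_OFFSET it exceeds n. */
static size_t model_copy_buggy(void *dst, const void *src, size_t n, size_t fault_at)
{
    size_t done = n < fault_at ? n : fault_at;
    memcpy(dst, src, done);
    if (done == n)
        return 0;                          /* no fault, nothing to mis-account */
    return n - done + BUG_OFFSET;
}

struct iov { char *base; size_t len; };

/* Consumer loosely modelled on copy_page_to_iter_iovec: returns bytes copied.
 * `copy - left` is computed without a check, so a remainder larger than the
 * request wraps to a huge value; the loop stops on a short copy, so the
 * wrapped total is returned for inspection instead of being used as a pointer. */
static size_t iov_copy_unchecked(struct iov *iov, size_t niov, const char *src,
                                 size_t bytes, copy_fn fn, size_t fault_at)
{
    size_t total = 0;
    for (size_t i = 0; i < niov && bytes; i++) {
        size_t copy = iov[i].len < bytes ? iov[i].len : bytes;
        size_t left = fn(iov[i].base, src, copy, fault_at);
        size_t copied = copy - left;       /* wraps if left > copy */
        total += copied;
        if (left)
            break;
        src += copied;
        bytes -= copied;
    }
    return total;
}

static int last_violations;                /* how often the check below fired */

/* Same walk with the consumer-side check: a remainder above the request breaks the
 * contract, so the chunk is counted as not copied at all instead of wrapping. */
static size_t iov_copy_checked(struct iov *iov, size_t niov, const char *src,
                               size_t bytes, copy_fn fn, size_t fault_at)
{
    size_t total = 0;
    for (size_t i = 0; i < niov && bytes; i++) {
        size_t copy = iov[i].len < bytes ? iov[i].len : bytes;
        size_t left = fn(iov[i].base, src, copy, fault_at);
        if (left > copy) {                 /* impossible under the contract */
            last_violations++;
            left = copy;
        }
        size_t copied = copy - left;
        total += copied;
        if (left)
            break;
        src += copied;
        bytes -= copied;
    }
    return total;
}

enum { SRC_LEN = 64, REQUEST = 32 };

/* Constructed scenario: 32 bytes requested into iovecs of 24 and 40 bytes. */
static size_t run_scenario(copy_fn fn, int checked, size_t fault_at)
{
    char src[SRC_LEN], a[24], b[40];
    struct iov iov[2] = { { a, sizeof a }, { b, sizeof b } };
    for (size_t i = 0; i < SRC_LEN; i++)
        src[i] = (char)i;
    memset(a, 0, sizeof a);
    memset(b, 0, sizeof b);
    last_violations = 0;
    return checked ? iov_copy_checked(iov, 2, src, REQUEST, fn, fault_at)
                   : iov_copy_unchecked(iov, 2, src, REQUEST, fn, fault_at);
}

static int scenario_violations(void) { return last_violations; }

int main(void)
{
    printf("fixed, fault after 8:   copied=%zu\n", run_scenario(model_copy_fixed, 0, 8));
    printf("buggy, unchecked:       copied=%zu (wrapped)\n", run_scenario(model_copy_buggy, 0, 8));
    printf("buggy, checked:         copied=%zu violations=%d\n",
           run_scenario(model_copy_buggy, 1, 8), scenario_violations());
    return 0;
}
```

With a fault after 8 bytes the fixed routine reports 8 bytes copied; the buggy one returns a remainder of 32 for a 24-byte chunk, so the unchecked walk's "copied" wraps to SIZE_MAX-7 (the value a real caller would feed into pointer arithmetic), while the checked walk counts the chunk as 0 and records one violation. A fault after 20 bytes shows the quieter failure mode: the buggy routine under-reports (4 copied instead of 20) without ever exceeding the request, which is why the consumer check catches only the memory-corrupting case and the fix has to be in the fixup handler itself.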