On Sun, 2016-11-13 at 18:14 -0800, Linus Torvalds wrote: > No, this is no good. > > I had a slightly different version of this that is OK for older > kernels. And I thought I'd dropped this after you mentioned the problem at Kernel Summit. Thanks for checking. Sasha, this still needs to be reverted in 3.18 and 4.1 stable branches. Ben. >      Linus > > On Nov 13, 2016 6:04 PM, "Ben Hutchings" wrote: > > > 3.16.39-rc1 review patch.  If anyone has any objections, please let me > > know. > > > > ------------------ > > > > From: Al Viro > > > > commit 1c109fabbd51863475cd12ac206bdd249aee35af upstream. > > > > get_user_ex(x, ptr) should zero x on failure.  It's not a lot of a leak > > (at most we are leaking uninitialized 64bit value off the kernel stack, > > and in a fairly constrained situation, at that), but the fix is trivial, > > so... > > > > > Signed-off-by: Al Viro > > [ This sat in different branch from the uaccess fixes since mid-August ] > > Signed-off-by: Linus Torvalds > > Signed-off-by: Ben Hutchings > > --- > >  arch/x86/include/asm/uaccess.h | 6 +++++- > >  1 file changed, 5 insertions(+), 1 deletion(-) > > > > --- a/arch/x86/include/asm/uaccess.h > > +++ b/arch/x86/include/asm/uaccess.h > > @@ -391,7 +391,11 @@ do { > >                      \ > >  #define __get_user_asm_ex(x, addr, itype, rtype, ltype) > >       \ > >         asm volatile("1:        mov"itype" %1,%"rtype"0\n"              \ > >                      "2:\n"                                             \ > > -                    _ASM_EXTABLE_EX(1b, 2b)                            \ > > +                    ".section .fixup,\"ax\"\n"                         \ > > +                     "3:xor"itype" %"rtype"0,%"rtype"0\n"              \ > > +                    "  jmp 2b\n"                                       \ > > +                    ".previous\n"                                      \ > > +                    _ASM_EXTABLE_EX(1b, 3b)                            \ > >                      : ltype(x) : "m" (__m(addr))) > > > >  #define __put_user_nocheck(x, ptr, size)                       \ > > > > -- Ben Hutchings If more than one person is responsible for a bug, no one is at fault.