From: Al Viro <viro@zeniv.linux.org.uk>
To: Tony Luck <tony.luck@intel.com>
Cc: "Borislav Petkov" <bp@alien8.de>, "Jue Wang" <juew@google.com>,
"Ding Hui" <dinghui@sangfor.com.cn>,
"HORIGUCHI NAOYA(堀口 直也)" <naoya.horiguchi@nec.com>,
"Oscar Salvador" <osalvador@suse.de>,
"Youquan Song" <youquan.song@intel.com>,
huangcun@sangfor.com.cn, X86-ML <x86@kernel.org>,
"Linux Edac Mailing List" <linux-edac@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 1/3] x86/mce: Avoid infinite loop for copy from user recovery
Date: Sat, 21 Aug 2021 21:51:11 +0000 [thread overview]
Message-ID: <YSF1T85pnplkm0Xo@zeniv-ca.linux.org.uk> (raw)
In-Reply-To: <CA+8MBb+M5JoDGONxZuMHZb8VU4DmG=zsv_0JuBhnzn6T=eSKEA@mail.gmail.com>
On Fri, Aug 20, 2021 at 09:51:41PM -0700, Tony Luck wrote:
> On Fri, Aug 20, 2021 at 1:25 PM Luck, Tony <tony.luck@intel.com> wrote:
> > Probably the same for the two different addresses case ... though I'm
> > not 100% confident about that. There could be some ioctl() that peeks
> > at two parts of a passed in structure, and the user might pass in a
> > structure that spans across a page boundary with both pages poisoned.
> > But that would only hit if the driver code ignored the failure of the
> > first get_user() and blindly tried the second. So I'd count that as a
> > critically bad driver bug.
>
> Or maybe driver writers are just evil :-(
>
> for (i = 0; i < len; i++) {
> tx_wait(10);
> get_user(dsp56k_host_interface.data.b[1], bin++);
> get_user(dsp56k_host_interface.data.b[2], bin++);
> get_user(dsp56k_host_interface.data.b[3], bin++);
> }
Almost any unchecked get_user()/put_user() is a bug. Fortunately, there's
not a lot of them
<greps>
93 for put_user() and 73 for get_user(). _Some_ of the former variety might
be legitimate, but most should be taken out and shot.
And dsp56k should be taken out and shot, period ;-/ This is far from the
worst in there...
next prev parent reply other threads:[~2021-08-21 21:51 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-06 19:06 [PATCH 0/3] More machine check recovery fixes Tony Luck
2021-07-06 19:06 ` [PATCH 1/3] x86/mce: Change to not send SIGBUS error during copy from user Tony Luck
2021-07-06 19:06 ` [PATCH 2/3] x86/mce: Avoid infinite loop for copy from user recovery Tony Luck
2021-07-06 19:06 ` [PATCH 3/3] x86/mce: Drop copyin special case for #MC Tony Luck
2021-08-18 0:29 ` [PATCH v2 0/3] More machine check recovery fixes Tony Luck
2021-08-18 0:29 ` [PATCH v2 1/3] x86/mce: Avoid infinite loop for copy from user recovery Tony Luck
2021-08-20 17:31 ` Borislav Petkov
2021-08-20 18:59 ` Luck, Tony
2021-08-20 19:27 ` Borislav Petkov
2021-08-20 20:23 ` Luck, Tony
2021-08-21 4:51 ` Tony Luck
2021-08-21 21:51 ` Al Viro [this message]
2021-08-22 14:36 ` Borislav Petkov
2021-08-20 20:33 ` Luck, Tony
2021-08-22 14:46 ` Borislav Petkov
2021-08-23 15:24 ` Luck, Tony
2021-09-13 9:24 ` Borislav Petkov
2021-09-13 21:52 ` [PATCH v3] " Luck, Tony
2021-09-14 8:28 ` Borislav Petkov
2021-08-18 0:29 ` [PATCH v2 2/3] x86/mce: Change to not send SIGBUS error during copy from user Tony Luck
2021-09-21 7:52 ` [tip: ras/core] " tip-bot2 for Tony Luck
2021-08-18 0:29 ` [PATCH v2 3/3] x86/mce: Drop copyin special case for #MC Tony Luck
2021-09-20 9:13 ` Borislav Petkov
2021-09-20 16:18 ` Luck, Tony
2021-09-20 16:37 ` Borislav Petkov
2021-09-20 16:43 ` Luck, Tony
2021-09-21 7:52 ` [tip: ras/core] " tip-bot2 for Tony Luck
2021-08-18 16:14 ` [PATCH v2 0/3] More machine check recovery fixes Luck, Tony
-- strict thread matches above, loose matches on Subject: below --
2021-01-08 22:22 [PATCH 0/2] Fix infinite machine check loop in futex_wait_setup() Tony Luck
2021-01-11 21:44 ` [PATCH v2 0/3] " Tony Luck
2021-01-11 21:44 ` [PATCH v2 1/3] x86/mce: Avoid infinite loop for copy from user recovery Tony Luck
2021-01-11 22:11 ` Andy Lutomirski
2021-01-11 22:20 ` Luck, Tony
2021-01-12 17:00 ` Andy Lutomirski
2021-01-12 17:00 ` Andy Lutomirski
2021-01-12 17:16 ` Luck, Tony
2021-01-12 17:21 ` Andy Lutomirski
2021-01-12 17:21 ` Andy Lutomirski
2021-01-12 18:23 ` Luck, Tony
2021-01-12 18:57 ` Andy Lutomirski
2021-01-12 18:57 ` Andy Lutomirski
2021-01-12 20:52 ` Luck, Tony
2021-01-12 22:04 ` Andy Lutomirski
2021-01-13 1:50 ` Luck, Tony
2021-01-13 4:15 ` Andy Lutomirski
2021-01-13 10:00 ` Borislav Petkov
2021-01-13 16:06 ` Luck, Tony
2021-01-13 16:19 ` Borislav Petkov
2021-01-13 16:32 ` Luck, Tony
2021-01-13 17:35 ` Borislav Petkov
2021-01-14 20:22 ` Borislav Petkov
2021-01-14 21:05 ` Luck, Tony
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YSF1T85pnplkm0Xo@zeniv-ca.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=bp@alien8.de \
--cc=dinghui@sangfor.com.cn \
--cc=huangcun@sangfor.com.cn \
--cc=juew@google.com \
--cc=linux-edac@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=naoya.horiguchi@nec.com \
--cc=osalvador@suse.de \
--cc=tony.luck@intel.com \
--cc=x86@kernel.org \
--cc=youquan.song@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.