linux-kernel.vger.kernel.org archive mirror
From: Jiri Slaby <jslaby@suse.cz>
To: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Paul Mackerras <paulus@ozlabs.org>,
	Michael Ellerman <mpe@ellerman.id.au>,
	Jiri Slaby <jslaby@suse.cz>
Subject: [PATCH 3.12 18/72] powerpc/64: Fix incorrect return value from __copy_tofrom_user
Date: Mon,  7 Nov 2016 14:04:25 +0100	[thread overview]
Message-ID: <61bc5e39f2a0720c58f0db6679912c6cb6d2fb52.1478523828.git.jslaby@suse.cz> (raw)
In-Reply-To: <0f3caac741164dcff670ae0f4d1cfcb0a7026a1c.1478523828.git.jslaby@suse.cz>
In-Reply-To: <cover.1478523828.git.jslaby@suse.cz>

From: Paul Mackerras <paulus@ozlabs.org>

3.12-stable review patch.  If anyone has any objections, please let me know.

===============

commit 1a34439e5a0b2235e43f96816dbb15ee1154f656 upstream.

Debugging a data corruption issue with virtio-net/vhost-net led to
the observation that __copy_tofrom_user was occasionally returning
a value 16 larger than it should.  Since the return value from
__copy_tofrom_user is the number of bytes not copied, this means
that __copy_tofrom_user can occasionally return a value larger
than the number of bytes it was asked to copy.  In turn this can
cause higher-level copy functions such as copy_page_to_iter_iovec
to corrupt memory by copying data into the wrong memory locations.

It turns out that the failing case involves a fault on the store
at label 79, and at that point the first unmodified byte of the
destination is at R3 + 16.  Consequently the exception handler
for that store needs to add 16 to R3 before using it to work out
how many bytes were not copied, but in this one case it was not
adding the offset to R3.  To fix it, this moves the label 179 to
the point where we add 16 to R3.  I have checked manually all the
exception handlers for the loads and stores in this code and the
rest of them are correct (it would be excellent to have an
automated test of all the exception cases).

This bug has been present since this code was initially
committed in May 2002 to Linux version 2.5.20.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 arch/powerpc/lib/copyuser_64.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/powerpc/lib/copyuser_64.S b/arch/powerpc/lib/copyuser_64.S
index d73a59014900..be94e1be4ae3 100644
--- a/arch/powerpc/lib/copyuser_64.S
+++ b/arch/powerpc/lib/copyuser_64.S
@@ -336,6 +336,7 @@ END_FTR_SECTION_IFCLR(CPU_FTR_UNALIGNED_LD_STD)
 	addi	r3,r3,8
 171:
 177:
+179:
 	addi	r3,r3,8
 370:
 372:
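Review bot: Only one `addi r3,r3,8` is visible on the fall-through path from the new `179:` placement (the one immediately after labels 171/177/179, before 370/372), yet the commit message says this handler must add 16 to r3; the second 8 has to come from a further `addi` below label 372 that lies outside this hunk's context, so the chain should be confirmed against the full file rather than the diff. Because each label's correctness depends solely on how many `addi r3,r3,8` instructions it falls through, a comment beside each label group stating the total offset it receives (for example `/* r3 += 16 */`) would have made the original misplacement obvious and would help the next reviewer.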
@@ -350,7 +351,6 @@ END_FTR_SECTION_IFCLR(CPU_FTR_UNALIGNED_LD_STD)
 173:
 174:
 175:
-179:
 181:
 184:
 186:
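Review bot: Dropping `179:` from the 173/174/175/181/184/186 group is the necessary counterpart of the addition in the first hunk, but the commit message states that the remaining labels in this table were verified only by manual inspection. Since one misplaced label here survived for fourteen years, it would be worth recording next to each group which load or store in the copy loop it guards and the r3 offset it expects, and adding the automated fault test the message asks for, so that the invariant "return value == bytes not copied, never more than requested" is checked for every label instead of by hand.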
-- 
2.10.2
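The commit message above notes that the exception-handler table in copyuser_64.S was checked only by hand and asks for an automated test of all the fault cases. The following is an added example, not part of this patch or of the kernel sources, showing how such a test can be built in userspace: a C model of a block copy whose fixup handlers must add each store's offset to r3 before computing "bytes not copied", a buggy table that drops that offset for one store (the class of mistake fixed above, with +8 standing in for the +16 of the real code), and an exhaustive checker that faults at every store boundary and compares the returned count with what actually landed in the destination. The block size, the two stores per block, the offsets and the fixup tables are modelling assumptions invented for this example and do not correspond to the labels or layout of the real assembly.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Destination with a simulated protection boundary: a store that would
 * touch index >= fault_at faults before writing anything, as the MMU does. */
struct dst {
    unsigned char *buf;
    size_t fault_at;
};

/* 8-byte store at destination index pos: 0 on success, -1 on a fault. */
static int store8(struct dst *d, size_t pos, const unsigned char *src)
{
    if (pos + 8 > d->fault_at)
        return -1;
    memcpy(d->buf + pos, src, 8);
    return 0;
}

/* Model of __copy_tofrom_user for n a multiple of 16 (assumption: two
 * 8-byte stores per block, the second at r3 + 8; the real routine uses
 * larger blocks and offsets). Returns the number of bytes NOT copied.
 * r3 advances only after a whole block, so when the second store faults
 * r3 still points at the block start and the handler must add that
 * store's offset to find the first unmodified byte. fixup_off[s] is the
 * offset the exception handler for store s adds to r3. */
static size_t copy_model(struct dst *d, const unsigned char *src, size_t n,
                         const size_t fixup_off[2])
{
    size_t r3 = 0;

    while (r3 < n) {
        for (int s = 0; s < 2; s++) {
            size_t pos = r3 + (size_t)s * 8;

            if (store8(d, pos, src + pos) < 0) {
                /* exception handler for store s */
                size_t first_unmodified = r3 + fixup_off[s];
                return n - first_unmodified;
            }
        }
        r3 += 16;
    }
    return 0;
}

/* Buggy table: the handler for the second store forgets its +8, the same
 * class of mistake as the misplaced label 179 in copyuser_64.S. */
static const size_t fixups_buggy[2] = { 0, 0 };
/* Corrected table: each handler adds the offset of the store it covers. */
static const size_t fixups_fixed[2] = { 0, 8 };

/* Exhaustive check: fault at every 8-byte boundary and compare the return
 * value with the bytes actually written. Returns the number of fault
 * positions where they disagree or the return exceeds n (0 means correct). */
static int check_all_faults(const size_t fixup_off[2], size_t n)
{
    unsigned char src[64], out[64];
    int bad = 0;

    assert(n <= sizeof src && n % 16 == 0);
    for (size_t i = 0; i < n; i++)
        src[i] = (unsigned char)(i + 1); /* constructed non-zero pattern */

    for (size_t fault_at = 0; fault_at <= n; fault_at += 8) {
        struct dst d = { out, fault_at };
        size_t written = 0, ret;

        memset(out, 0, sizeof out);
        ret = copy_model(&d, src, n, fixup_off);
        while (written < n && out[written] == src[written])
            written++;
        if (ret > n || ret != n - written)
            bad++;
    }
    return bad;
}

int main(void)
{
    printf("buggy table: %d bad fault positions\n",
           check_all_faults(fixups_buggy, 64));
    printf("fixed table: %d bad fault positions\n",
           check_all_faults(fixups_fixed, 64));
    return 0;
}
```

Build with `cc -Wall model.c && ./a.out`. The buggy table is caught at exactly the fault positions where the second store of a block faults (four of the nine positions for a 64-byte copy), and the corrected table passes every position. The two invariants the checker asserts, that the return never exceeds n and that it equals n minus the bytes really written, are what callers such as copy_page_to_iter_iovec rely on when they compute how far to advance their iovec.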

Thread overview:
2016-11-07 13:04 ` [PATCH 3.12 00/72] 3.12.67-stable review Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 01/72] i40e: avoid NULL pointer dereference and recursive errors on early PCI error Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 02/72] reiserfs: Unlock superblock before calling reiserfs_quota_on_mount() Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 03/72] scsi: ibmvfc: Fix I/O hang when port is not mapped Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 04/72] ext4: reinforce check of i_dtime when clearing high fields of uid and gid Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 05/72] ext4: allow DAX writeback for hole punch Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 06/72] cfq: fix starvation of asynchronous writes Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 07/72] pstore: Fix buffer overflow while write offset equal to buffer size Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 08/72] ipc: remove use of seq_printf return value Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 09/72] gpio: mpc8xxx: Correct irq handler function Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 10/72] regulator: tps65910: Work around silicon erratum SWCZ010 Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 11/72] mmc: block: don't use CMD23 with very old MMC cards Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 12/72] pstore/core: drop cmpxchg based updates Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 13/72] pstore/ram: Use memcpy_toio instead of memcpy Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 14/72] pstore/ram: Use memcpy_fromio() to save old buffer Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 15/72] dm: mark request_queue dead before destroying the DM device Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 16/72] powerpc/vdso64: Use double word compare on pointers Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 17/72] powerpc/powernv: Use CPU-endian PEST in pnv_pci_dump_p7ioc_diag_data() Jiri Slaby
2016-11-07 13:04   ` Jiri Slaby [this message]
2016-11-07 13:04   ` [PATCH 3.12 19/72] powerpc/pseries: Fix stack corruption in htpe code Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 20/72] zfcp: fix fc_host port_type with NPIV Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 21/72] zfcp: fix ELS/GS request&response length for hardware data router Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 22/72] zfcp: close window with unblocked rport during rport gone Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 23/72] zfcp: retain trace level for SCSI and HBA FSF response records Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 24/72] zfcp: restore: Dont use 0 to indicate invalid LUN in rec trace Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 25/72] zfcp: trace on request for open and close of WKA port Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 26/72] zfcp: restore tracing of handle for port and LUN with HBA records Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 27/72] zfcp: fix D_ID field with actual value on tracing SAN responses Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 28/72] zfcp: fix payload trace length for SAN request&response Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 29/72] zfcp: trace full payload of all SAN records (req,resp,iels) Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 30/72] scsi: zfcp: spin_lock_irqsave() is not nestable Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 31/72] fbdev/efifb: Fix 16 color palette entry calculation Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 32/72] mb86a20s: fix the locking logic Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 33/72] mb86a20s: fix demod settings Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 34/72] cx231xx: don't return error on success Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 35/72] cx231xx: fix GPIOs for Pixelview SBTVD hybrid Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 36/72] MIPS: ptrace: Fix regs_return_value for kernel context Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 37/72] Input: elantech - force needed quirks on Fujitsu H760 Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 38/72] Input: elantech - add Fujitsu Lifebook E556 to force crc_enabled Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 39/72] NFSv4: Open state recovery must account for file permission changes Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 40/72] scsi: Fix use-after-free Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 41/72] metag: Only define atomic_dec_if_positive conditionally Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 42/72] compiler: Allow 1- and 2-byte smp_load_acquire() and smp_store_release() Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 43/72] ipc/sem.c: fix complex_count vs. simple op race Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 44/72] arc: don't leak bits of kernel stack into coredump Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 45/72] fs/super.c: fix race between freeze_super() and thaw_super() Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 46/72] cifs: Limit the overall credit acquired Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 47/72] Clarify locking of cifs file and tcon structures and make more granular Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 48/72] Display number of credits available Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 49/72] Set previous session id correctly on SMB3 reconnect Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 50/72] SMB3: GUIDs should be constructed as random but valid uuids Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 51/72] Do not send SMB3 SET_INFO request if nothing is changing Jiri Slaby
2016-11-07 13:04   ` [PATCH 3.12 52/72] net/mlx4_core: Allow resetting VF admin mac to zero Jiri Slaby
2016-11-07 13:05   ` [PATCH 3.12 53/72] isofs: Do not return EACCES for unknown filesystems Jiri Slaby
2016-11-07 13:05   ` [PATCH 3.12 54/72] mmc: core: Annotate cmd_hdr as __le32 Jiri Slaby
2016-11-07 13:05   ` [PATCH 3.12 55/72] ubifs: Fix xattr_names length in exit paths Jiri Slaby
2016-11-07 13:05   ` [PATCH 3.12 56/72] drm/radeon: narrow asic_init for virtualization Jiri Slaby
2016-11-07 13:05   ` [PATCH 3.12 57/72] drm/radeon/si/dpm: fix phase shedding setup Jiri Slaby
2016-11-07 13:05   ` [PATCH 3.12 58/72] drm/radeon: change vblank_time's calculation method to reduce computational error Jiri Slaby
2016-11-07 13:05   ` [PATCH 3.12 59/72] mm/hugetlb: fix memory offline with hugepage size > memory block size Jiri Slaby
2016-11-07 13:05   ` [PATCH 3.12 60/72] introduce NETIF_F_GSO_ENCAP_ALL helper mask Jiri Slaby
2016-11-07 13:05   ` [PATCH 3.12 61/72] tunnels: Remove encapsulation offloads on decap Jiri Slaby
2016-11-07 13:30   ` [PATCH 3.12 62/72] powerpc/eeh: Null check uses of eeh_pe_bus_get Jiri Slaby
2016-11-07 13:30   ` [PATCH 3.12 63/72] genirq/generic_chip: Add irq_unmap callback Jiri Slaby
2016-11-07 13:30   ` [PATCH 3.12 64/72] uio: fix dmem_region_start computation Jiri Slaby
2016-11-07 13:30   ` [PATCH 3.12 65/72] crypto: gcm - Fix IV buffer size in crypto_gcm_setkey Jiri Slaby
2016-11-07 13:30   ` [PATCH 3.12 66/72] hwrng: omap - Only fail if pm_runtime_get_sync returns < 0 Jiri Slaby
2016-11-07 13:30   ` [PATCH 3.12 67/72] perf symbols: Fixup symbol sizes before picking best ones Jiri Slaby
2016-11-07 13:30   ` [PATCH 3.12 68/72] powerpc/nvram: Fix an incorrect partition merge Jiri Slaby
2016-11-07 13:30   ` [PATCH 3.12 69/72] Revert "fix minor infoleak in get_user_ex()" Jiri Slaby
2016-11-07 16:45     ` Linus Torvalds
2016-11-08 10:36       ` Greg KH
2016-11-07 13:30   ` [PATCH 3.12 70/72] i2c: core: fix NULL pointer dereference under race condition Jiri Slaby
2016-11-07 13:30   ` [PATCH 3.12 71/72] scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() Jiri Slaby
2016-11-07 13:30   ` [PATCH 3.12 72/72] usb: hub: change CLEAR_FEATURE to SET_FEATURE Jiri Slaby
2016-11-07 17:16   ` [PATCH 3.12 00/72] 3.12.67-stable review Guenter Roeck
2016-11-08 15:40     ` Jiri Slaby
2016-11-09  4:14       ` Guenter Roeck
2016-11-10 18:50         ` Jiri Slaby
2016-11-07 18:34   ` Shuah Khan
2016-11-10 18:51     ` Jiri Slaby
