linux-kernel.vger.kernel.org archive mirror
From: Linus Torvalds <torvalds@linux-foundation.org>
To: Xi Ruoyao <xry111@xry111.site>
Cc: Andreas Schwab <schwab@suse.de>,
	Ben Hutchings <ben@decadent.org.uk>,
	linux-mips@vger.kernel.org,  linux-kernel@vger.kernel.org,
	Jiaxun Yang <jiaxun.yang@flygoat.com>,
	 Thomas Bogendoerfer <tsbogend@alpha.franken.de>,
	libc-alpha@sourceware.org
Subject: Re: Strange EFAULT on mips64el returned by syscall when another thread is forking
Date: Wed, 24 Jan 2024 14:10:54 -0800
Message-ID: <CAHk-=whkEXGOCEZFO2vAZ9rDd8uW8MJwFNYg9KXaC_vZVso6iA@mail.gmail.com>
In-Reply-To: <CAHk-=wgVrw+8P68Sy2krcc3QFbm_eu_DRs0-i7mct_0BDORZuA@mail.gmail.com>

On Wed, 24 Jan 2024 at 13:54, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
>
>
> And I think the "fails with any integer in [1, 8)" is because the MIPS
> "copy_from_user()" code is likely doing something special for those
> small copies.

.Lcopy_bytes_checklen\@: does COPY_BYTE(0) for the first access, which is

#define COPY_BYTE(N)                    \
        LOADB(t0, N(src), .Ll_exc\@);   \
        SUB     len, len, 1;            \
        beqz    len, .Ldone\@;          \
        STOREB(t0, N(dst), .Ls_exc_p1\@)

so yeah, for "copy_to_user()" (which is what that "read (fd, buf, 7)"
will do), we have that user space write ("STOREB()") in the branch
delay slot of the length test.

So that matches.

And it only fails when

 (a) you're unlucky, and that stack buffer

          char buf[16] = {};

     happens to be just under the last page that has been accessed, so
     you get a page fault

 (b) you hit a mmap_sem already being locked, presumably because
     another thread is doing that fork().

Anyway, I'm pretty sure this is the bug, now some MIPS person just
needs to fix the MIPS version of "instruction_pointer()" to do what
"exception_epc()" already does.

              Linus

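The mechanism Linus describes, as an added example that is not part of the original message or of the kernel tree: a small user-space model of why a fixup lookup keyed by the raw EPC misses when the faulting user access sits in a branch delay slot. On MIPS an exception taken in a delay slot sets Cause.BD and leaves EPC pointing at the branch, so "instruction_pointer()" (raw EPC) and "exception_epc()" (EPC stepped past the branch when BD is set) disagree exactly for the STOREB in COPY_BYTE. The instruction addresses, the fixup targets standing in for .Ll_exc and .Ls_exc_p1, the struct layout and the linear table search are all constructed here; the BD bit position is an assumption about the architecture, not something taken from the thread.

```c
/*
 * Added example, not code from the original message or the kernel tree.
 * Models the MIPS fault-fixup mismatch: a fixup table keyed by the
 * faulting instruction's address, probed once with the raw EPC and once
 * with the delay-slot-corrected EPC. Addresses, labels and layout are
 * constructed for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

#define CAUSEF_BD (UINT32_C(1) << 31)  /* Cause.BD: fault taken in a delay slot (assumed bit) */

struct regs {
    uint32_t  cp0_cause;
    uintptr_t cp0_epc;
};

/* One exception-table entry: address of a user access -> its fixup label. */
struct exc_entry {
    uintptr_t insn;
    uintptr_t fixup;
};

/* Constructed layout of one COPY_BYTE(0) expansion, 4-byte instructions. */
enum {
    ADDR_LOADB     = 0x1000,  /* LOADB  t0, 0(src)  -> .Ll_exc                */
    ADDR_SUB       = 0x1004,  /* SUB    len, len, 1                           */
    ADDR_BEQZ      = 0x1008,  /* beqz   len, .Ldone                           */
    ADDR_STOREB    = 0x100c,  /* STOREB t0, 0(dst)  -> .Ls_exc_p1 (delay slot) */
    FIXUP_L_EXC    = 0x2000,  /* stands in for .Ll_exc    */
    FIXUP_S_EXC_P1 = 0x2100,  /* stands in for .Ls_exc_p1 */
};

static const struct exc_entry ex_table[] = {
    { ADDR_LOADB,  FIXUP_L_EXC },
    { ADDR_STOREB, FIXUP_S_EXC_P1 },
};

/* Model of the MIPS instruction_pointer(): the raw EPC, delay slot ignored. */
static uintptr_t instruction_pointer(const struct regs *r)
{
    return r->cp0_epc;
}

/* Model of exception_epc(): step past the branch when the fault was in its slot. */
static uintptr_t exception_epc(const struct regs *r)
{
    if (!(r->cp0_cause & CAUSEF_BD))
        return r->cp0_epc;
    return r->cp0_epc + 4;
}

/* Linear search standing in for search_exception_tables(); 0 means no fixup. */
static uintptr_t lookup_fixup(uintptr_t addr)
{
    for (size_t i = 0; i < sizeof ex_table / sizeof ex_table[0]; i++)
        if (ex_table[i].insn == addr)
            return ex_table[i].fixup;
    return 0;
}

uintptr_t fixup_via_instruction_pointer(const struct regs *r)
{
    return lookup_fixup(instruction_pointer(r));
}

uintptr_t fixup_via_exception_epc(const struct regs *r)
{
    return lookup_fixup(exception_epc(r));
}

/* Register state the CPU leaves when the STOREB in the delay slot faults:
 * BD set, EPC on the beqz rather than on the store itself. */
struct regs fault_in_storeb(void)
{
    struct regs r = { .cp0_cause = CAUSEF_BD, .cp0_epc = ADDR_BEQZ };
    return r;
}

/* Register state for a fault on the LOADB, which is not in a delay slot. */
struct regs fault_in_loadb(void)
{
    struct regs r = { .cp0_cause = 0, .cp0_epc = ADDR_LOADB };
    return r;
}

int main(void)
{
    struct regs s = fault_in_storeb(), l = fault_in_loadb();

    printf("STOREB fault: instruction_pointer -> fixup 0x%" PRIxPTR
           ", exception_epc -> fixup 0x%" PRIxPTR "\n",
           fixup_via_instruction_pointer(&s), fixup_via_exception_epc(&s));
    printf("LOADB  fault: instruction_pointer -> fixup 0x%" PRIxPTR
           ", exception_epc -> fixup 0x%" PRIxPTR "\n",
           fixup_via_instruction_pointer(&l), fixup_via_exception_epc(&l));
    return 0;
}
```

Build with any C99 compiler (cc -std=c99 model.c). The LOADB probe is found either way; the STOREB probe is found only through exception_epc(), which is the asymmetry behind "fails with any integer in [1, 8)": only the byte-copy tail puts the user access in a delay slot, and only a fixup lookup fed the raw EPC misses it.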

Thread overview: 13+ messages
2024-01-24 10:42 Strange EFAULT on mips64el returned by syscall when another thread is forking Xi Ruoyao
2024-01-24 11:59 ` Andreas Schwab
2024-01-24 12:49   ` Xi Ruoyao
2024-01-24 16:13     ` Xi Ruoyao
2024-01-24 21:32       ` Xi Ruoyao
2024-01-24 21:38         ` Xi Ruoyao
2024-01-24 21:54         ` Linus Torvalds
2024-01-24 22:10           ` Linus Torvalds [this message]
2024-01-24 22:42             ` Xi Ruoyao
2024-01-25  9:28             ` Jiaxun Yang
2024-01-26 12:33 ` Jiaxun Yang
2024-01-26 12:58   ` Xi Ruoyao
2024-01-26 18:00     ` Xi Ruoyao
