From: Guenter Roeck <linux@roeck-us.net>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: linux-kernel@vger.kernel.org,
Yoshinori Sato <ysato@users.sourceforge.jp>,
linux-sh@vger.kernel.org, Rich Felker <dalias@libc.org>
Subject: Re: Runtime failure running sh:qemu in -next due to 'sh: fix copy_from_user()'
Date: Fri, 16 Sep 2016 22:47:04 +0000 [thread overview]
Message-ID: <20160916224704.GA21916@roeck-us.net> (raw)
In-Reply-To: <20160916213141.GB2356@ZenIV.linux.org.uk>
On Fri, Sep 16, 2016 at 10:31:41PM +0100, Al Viro wrote:
> On Fri, Sep 16, 2016 at 01:59:38PM -0700, Guenter Roeck wrote:
> > Yes, reverting 6e050503a150 fixes the problem.
> >
> > I added a BUG() into the "if (unlikely())" below, but it doesn't catch,
> > and I still get the ip: OVERRUN errors. Which leaves me a bit puzzled.
> >
> > Guenter
> >
> > > The change in question is
> > > if (__copy_size && __access_ok(__copy_from, __copy_size))
> > > - return __copy_user(to, from, __copy_size);
> > > + __copy_size = __copy_user(to, from, __copy_size);
> > > +
> > > + if (unlikely(__copy_size))
> > > + memset(to + (n - __copy_size), 0, __copy_size);
> > >
> > > return __copy_size;
>
> So we don't even hit that memset()? What the hell? __copy_user() is
> declared as
> __kernel_size_t __copy_user(void *to, const void *from, __kernel_size_t n);
>
> and __copy_size copy_from_user() is
>
> __kernel_size_t __copy_size = (__kernel_size_t) n;
>
> So
> return __copy_user(to, from, __copy_size);
> and
> __copy_size = __copy_user(to, from, __copy_size);
> return __copy_size;
> ought to be doing exactly the same thing. At that point it's starting to
> smell like a compiler bug somewhere in there.
>
> Try to remove that (not triggered) if (unlikely(__copy_size)) memset(...)
> and see if that's enough to recover. And it would be nice to see what
> all three variants (as it is, with commit reverted and with just that if
> removed) generate in e.g. sys_utimensat() (fs/utimes.s)
Adding pr_info() just before the "if (unlikely..." fixes the problem.
Commenting out the "if (unlikely())" code fixes the problem.
Using a new variable "unsigned long x" for the return code instead of
re-using __copy_size fixes the problem.
Replacing "return __copy_size;" with "return __copy_size & 0xffffffff;"
fixes the problem.
The problem only seems to be seen if the copy size length is odd (more
specifically, the failing copy always has a length of 25 bytes).
No idea what is going on. Bug in __copy_user() ? Compiler bug ?
Guenter
WARNING: multiple messages have this Message-ID (diff)
From: Guenter Roeck <linux@roeck-us.net>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: linux-kernel@vger.kernel.org,
Yoshinori Sato <ysato@users.sourceforge.jp>,
linux-sh@vger.kernel.org, Rich Felker <dalias@libc.org>
Subject: Re: Runtime failure running sh:qemu in -next due to 'sh: fix copy_from_user()'
Date: Fri, 16 Sep 2016 15:47:04 -0700 [thread overview]
Message-ID: <20160916224704.GA21916@roeck-us.net> (raw)
In-Reply-To: <20160916213141.GB2356@ZenIV.linux.org.uk>
On Fri, Sep 16, 2016 at 10:31:41PM +0100, Al Viro wrote:
> On Fri, Sep 16, 2016 at 01:59:38PM -0700, Guenter Roeck wrote:
> > Yes, reverting 6e050503a150 fixes the problem.
> >
> > I added a BUG() into the "if (unlikely())" below, but it doesn't catch,
> > and I still get the ip: OVERRUN errors. Which leaves me a bit puzzled.
> >
> > Guenter
> >
> > > The change in question is
> > > if (__copy_size && __access_ok(__copy_from, __copy_size))
> > > - return __copy_user(to, from, __copy_size);
> > > + __copy_size = __copy_user(to, from, __copy_size);
> > > +
> > > + if (unlikely(__copy_size))
> > > + memset(to + (n - __copy_size), 0, __copy_size);
> > >
> > > return __copy_size;
>
> So we don't even hit that memset()? What the hell? __copy_user() is
> declared as
> __kernel_size_t __copy_user(void *to, const void *from, __kernel_size_t n);
>
> and __copy_size copy_from_user() is
>
> __kernel_size_t __copy_size = (__kernel_size_t) n;
>
> So
> return __copy_user(to, from, __copy_size);
> and
> __copy_size = __copy_user(to, from, __copy_size);
> return __copy_size;
> ought to be doing exactly the same thing. At that point it's starting to
> smell like a compiler bug somewhere in there.
>
> Try to remove that (not triggered) if (unlikely(__copy_size)) memset(...)
> and see if that's enough to recover. And it would be nice to see what
> all three variants (as it is, with commit reverted and with just that if
> removed) generate in e.g. sys_utimensat() (fs/utimes.s)
Adding pr_info() just before the "if (unlikely..." fixes the problem.
Commenting out the "if (unlikely())" code fixes the problem.
Using a new variable "unsigned long x" for the return code instead of
re-using __copy_size fixes the problem.
Replacing "return __copy_size;" with "return __copy_size & 0xffffffff;"
fixes the problem.
The problem only seems to be seen if the copy size length is odd (more
specifically, the failing copy always has a length of 25 bytes).
No idea what is going on. Bug in __copy_user() ? Compiler bug ?
Guenter
next prev parent reply other threads:[~2016-09-16 22:47 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-16 19:12 Runtime failure running sh:qemu in -next due to 'sh: fix copy_from_user()' Guenter Roeck
2016-09-16 19:12 ` Guenter Roeck
2016-09-16 19:45 ` Al Viro
2016-09-16 19:45 ` Al Viro
2016-09-16 20:59 ` Guenter Roeck
2016-09-16 20:59 ` Guenter Roeck
2016-09-16 21:31 ` Al Viro
2016-09-16 21:31 ` Al Viro
2016-09-16 21:39 ` Rich Felker
2016-09-16 21:39 ` Rich Felker
2016-09-16 22:47 ` Guenter Roeck
2016-09-16 22:47 ` Guenter Roeck
2016-09-16 23:32 ` Rich Felker
2016-09-16 23:32 ` Rich Felker
2016-09-17 2:23 ` Guenter Roeck
2016-09-17 2:23 ` Guenter Roeck
2016-09-18 4:40 ` Rob Landley
2016-09-18 4:40 ` Rob Landley
2016-09-18 15:17 ` Rich Felker
2016-09-18 15:17 ` Rich Felker
2016-09-29 2:36 ` Rob Landley
2016-09-29 2:36 ` Rob Landley
2016-09-17 2:28 ` Guenter Roeck
2016-09-17 2:28 ` Guenter Roeck
2016-09-16 22:47 ` Guenter Roeck [this message]
2016-09-16 22:47 ` Guenter Roeck
2016-09-16 23:00 ` Al Viro
2016-09-16 23:00 ` Al Viro
2016-09-16 20:03 ` Al Viro
2016-09-16 20:03 ` Al Viro
2016-09-16 20:32 ` Guenter Roeck
2016-09-16 20:32 ` Guenter Roeck
2016-09-16 20:43 ` Lennart Sorensen
2016-09-16 20:43 ` Lennart Sorensen
2016-09-16 21:20 ` Al Viro
2016-09-16 21:20 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160916224704.GA21916@roeck-us.net \
--to=linux@roeck-us.net \
--cc=dalias@libc.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sh@vger.kernel.org \
--cc=viro@ZenIV.linux.org.uk \
--cc=ysato@users.sourceforge.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.