From: Nicholas Piggin <npiggin@gmail.com>
To: Chao Liu <chao.liu.zevorn@gmail.com>
Cc: qemu-devel@nongnu.org, Warner Losh <imp@bsdimp.com>,
Kyle Evans <kevans@freebsd.org>,
Laurent Vivier <laurent@vivier.eu>,
Pierrick Bouvier <pierrick.bouvier@linaro.org>,
Palmer Dabbelt <palmer@dabbelt.com>,
Alistair Francis <alistair.francis@wdc.com>,
Weiwei Li <liwei1518@gmail.com>,
Daniel Henrique Barboza <dbarboza@ventanamicro.com>,
Liu Zhiwei <zhiwei_liu@linux.alibaba.com>,
qemu-riscv@nongnu.org
Subject: Re: [PATCH 2/3] linux-user: Fix unlock_user API usage
Date: Thu, 26 Mar 2026 16:01:42 +1000 [thread overview]
Message-ID: <acTKJSWVB8xrzRr7@lima-default> (raw)
In-Reply-To: <ab-Q2znE0qdtTRsT@ZEVORN-PC.localdomain>
On Sun, Mar 22, 2026 at 02:54:31PM +0800, Chao Liu wrote:
> On Sat, Mar 21, 2026 at 10:48:35AM +1000, Nicholas Piggin wrote:
> > Fix errors in unlock_user() calls:
> > - unlock_user() with len=1 instead of len=written
> > - unlock_user() with len=1 instead of len=0
> > - unlock_user() with len=0 instead of len=1
> >
> > Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
> > ---
> > linux-user/linuxload.c | 2 +-
> > linux-user/syscall.c | 6 +++---
> > 2 files changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/linux-user/linuxload.c b/linux-user/linuxload.c
> > index 85d700953e..79416a94c9 100644
> > --- a/linux-user/linuxload.c
> > +++ b/linux-user/linuxload.c
> > @@ -19,7 +19,7 @@ abi_long memcpy_to_target(abi_ulong dest, const void *src, unsigned long len)
> > return -TARGET_EFAULT;
> > }
> > memcpy(host_ptr, src, len);
> > - unlock_user(host_ptr, dest, 1);
> > + unlock_user(host_ptr, dest, len);
> This fixes the writeback -- old code had 0 which meant
> no flush at all, so getsockopt results were silently
> lost under CONFIG_DEBUG_REMAP.
>
> Minor observation: getsockopt returns actual bytes in
> lv, so using lv rather than len would be more precise.
> That said, the swap loop above also uses len, so this
> is consistent with the existing code.
I guess this comment is for the next hunk below.
The swap loop as you noted stores to the full len, so I
think it's better to use that. If the logic changes to
only store lv, then the unlock would change.
> > return 0;
> > }
> >
> > diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> > index 7832a1aba5..13b8bd9ed3 100644
> > --- a/linux-user/syscall.c
> > +++ b/linux-user/syscall.c
> > @@ -2989,7 +2989,7 @@ get_timeout:
> > if (put_user_u32(lv, optlen)) {
> > return -TARGET_EFAULT;
> > }
> > - unlock_user(results, optval_addr, 0);
> > + unlock_user(results, optval_addr, len);
> > break;
> > }
Actually missing unlock on error too, I'll fix that up.
> > #endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(4, 2, 0) */
> > @@ -4006,7 +4006,7 @@ static inline abi_long host_to_target_semarray(int semid, abi_ulong target_addr,
> > __put_user((*host_array)[i], &array[i]);
> > }
> > g_free(*host_array);
> > - unlock_user(array, target_addr, 1);
> > + unlock_user(array, target_addr, nsems * sizeof(unsigned short));
> >
> > return 0;
> > }
> > @@ -7888,7 +7888,7 @@ static inline abi_long target_to_host_sigevent(struct sigevent *host_sevp,
> > host_sevp->sigev_notify = tswap32(target_sevp->sigev_notify);
> > host_sevp->sigev_notify_thread_id = tswap32(target_sevp->_sigev_un._tid);
> >
> > - unlock_user_struct(target_sevp, target_addr, 1);
> > + unlock_user_struct(target_sevp, target_addr, 0);
> Right. This function only reads from target, so
> copy=0 (no writeback) is the correct semantic.
>
> Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Thanks,
Nick
next prev parent reply other threads:[~2026-03-26 6:02 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-21 0:48 [PATCH 0/3] Fix missing and incorrect unlock_user calls Nicholas Piggin
2026-03-21 0:48 ` [PATCH 1/3] bsd-user: Fix unlock_user API usage Nicholas Piggin
2026-03-21 4:17 ` Warner Losh
2026-03-21 0:48 ` [PATCH 2/3] linux-user: " Nicholas Piggin
2026-03-22 6:54 ` Chao Liu
2026-03-26 6:01 ` Nicholas Piggin [this message]
2026-03-25 1:46 ` Alistair Francis
2026-03-26 6:20 ` Nicholas Piggin
2026-03-21 0:48 ` [PATCH 3/3] linux-user: riscv: Fix signal frame user mapping Nicholas Piggin
2026-03-22 6:44 ` Chao Liu
2026-03-25 1:53 ` Alistair Francis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=acTKJSWVB8xrzRr7@lima-default \
--to=npiggin@gmail.com \
--cc=alistair.francis@wdc.com \
--cc=chao.liu.zevorn@gmail.com \
--cc=dbarboza@ventanamicro.com \
--cc=imp@bsdimp.com \
--cc=kevans@freebsd.org \
--cc=laurent@vivier.eu \
--cc=liwei1518@gmail.com \
--cc=palmer@dabbelt.com \
--cc=pierrick.bouvier@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-riscv@nongnu.org \
--cc=zhiwei_liu@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.