From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754299AbbLERzP (ORCPT ); Sat, 5 Dec 2015 12:55:15 -0500 Received: from terminus.zytor.com ([198.137.202.10]:48139 "EHLO terminus.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753331AbbLERzM (ORCPT ); Sat, 5 Dec 2015 12:55:12 -0500 Date: Sat, 5 Dec 2015 09:54:48 -0800 From: tip-bot for Dave Hansen Message-ID: Cc: dave@sr71.net, mingo@kernel.org, hpa@zytor.com, dan.carpenter@oracle.com, dave.hansen@linux.intel.com, linux-kernel@vger.kernel.org, tglx@linutronix.de Reply-To: mingo@kernel.org, dave@sr71.net, hpa@zytor.com, dan.carpenter@oracle.com, dave.hansen@linux.intel.com, linux-kernel@vger.kernel.org, tglx@linutronix.de In-Reply-To: <20151201003113.D800C1E0@viggo.jf.intel.com> References: <20151201003113.D800C1E0@viggo.jf.intel.com> To: linux-tip-commits@vger.kernel.org Subject: [tip:x86/urgent] x86/mpx: Fix instruction decoder condition Git-Commit-ID: 8e8efe0379bd93e8219ca0fc6fa80b5dd85b09cb X-Mailer: tip-git-log-daemon Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=UTF-8 Content-Disposition: inline Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Commit-ID: 8e8efe0379bd93e8219ca0fc6fa80b5dd85b09cb Gitweb: http://git.kernel.org/tip/8e8efe0379bd93e8219ca0fc6fa80b5dd85b09cb Author: Dave Hansen AuthorDate: Mon, 30 Nov 2015 16:31:13 -0800 Committer: Thomas Gleixner CommitDate: Sat, 5 Dec 2015 18:52:14 +0100 x86/mpx: Fix instruction decoder condition MPX decodes instructions in order to tell which bounds register was violated. Part of this decoding involves looking at the "REX prefix" which is a special instrucion prefix used to retrofit support for new registers in to old instructions. The X86_REX_*() macros are defined to return actual bit values: #define X86_REX_R(rex) ((rex) & 4) *not* boolean values. However, the MPX code was checking for them like they were booleans. This might have led to us mis-decoding the "REX prefix" and giving false information out to userspace about bounds violations. X86_REX_B() actually is bit 1, so this is really only broken for the X86_REX_X() case. Fix the conditionals up to tolerate the non-boolean values. Fixes: fcc7ffd67991 "x86, mpx: Decode MPX instruction to get bound violation information" Reported-by: Dan Carpenter Signed-off-by: Dave Hansen Cc: x86@kernel.org Cc: Dave Hansen Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/20151201003113.D800C1E0@viggo.jf.intel.com Signed-off-by: Thomas Gleixner --- arch/x86/mm/mpx.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/x86/mm/mpx.c b/arch/x86/mm/mpx.c index 1202d5c..b2fd67d 100644 --- a/arch/x86/mm/mpx.c +++ b/arch/x86/mm/mpx.c @@ -101,19 +101,19 @@ static int get_reg_offset(struct insn *insn, struct pt_regs *regs, switch (type) { case REG_TYPE_RM: regno = X86_MODRM_RM(insn->modrm.value); - if (X86_REX_B(insn->rex_prefix.value) == 1) + if (X86_REX_B(insn->rex_prefix.value)) regno += 8; break; case REG_TYPE_INDEX: regno = X86_SIB_INDEX(insn->sib.value); - if (X86_REX_X(insn->rex_prefix.value) == 1) + if (X86_REX_X(insn->rex_prefix.value)) regno += 8; break; case REG_TYPE_BASE: regno = X86_SIB_BASE(insn->sib.value); - if (X86_REX_B(insn->rex_prefix.value) == 1) + if (X86_REX_B(insn->rex_prefix.value)) regno += 8; break;