Re: [2.6] busybox EFAULT on sparc64

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: "David S. Miller" <davem@redhat.com>
To: joshk@triplehelix.org (Joshua Kwan)
Cc: sparclinux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [2.6] busybox EFAULT on sparc64
Date: Thu, 19 Aug 2004 09:52:00 -0700	[thread overview]
Message-ID: <20040819095200.14bb9100.davem@redhat.com> (raw)
In-Reply-To: <20040818235528.GA8070@triplehelix.org>

On Wed, 18 Aug 2004 16:55:28 -0700
joshk@triplehelix.org (Joshua Kwan) wrote:

> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=264482

Joshua, I think I have some more clues.

failing call:
| mount(0x14e060: 'none', 0x150070: '/proc', 0xefffffc5: 'proc', c0ed0000, 0x14e050: '')
successful call:
| mount(0x14e060: 'none', 0x14f068: '/proc', 0x151208: 'proc', c0ed0000, 0x14e050: '')

In the on-stack failing case, we have 0xefffffc5 which is very high up on
the user stack.  The top of stack is at 0xf0000000, that puts this string
pointer less than 64 bytes below that top of stack, this is important.

This confuses copy_mount_options()'s logic.  copy_from_user() for large sizes
tries to copy 64-byte blocks at a time, and this will fail for the first
block access that copy_from_user() tries, so copy_from_user() will say the
whole thing failed.  This causes fs/namespace.c:copy_mount_options() to return
-EFAULT to the mount system call implementation and thus back down to the
implementation.

The is an amazing corner case of this optimistic user space copying scheme that
copy_mount_options() is using.  I've never liked it, but technically it is
copy_from_user() which is buggy... I'll try and fix it.

I do not believe the fork problem is related at all, please try to strace
into the child of klogd using '-f' or similar.

next prev parent reply	other threads:[~2004-08-19 16:56 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-08-18 23:55 [2.6] busybox EFAULT on sparc64 Joshua Kwan
2004-08-19  0:04 ` Joshua Kwan
2004-08-19  0:06 ` David S. Miller
2004-08-19  0:07 ` David S. Miller
2004-08-19  1:43 ` David S. Miller
2004-08-19  9:09   ` Joshua Kwan
2004-08-19 16:52 ` David S. Miller [this message]
2004-08-20  5:02   ` David S. Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20040819095200.14bb9100.davem@redhat.com \
    --to=davem@redhat.com \
    --cc=joshk@triplehelix.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sparclinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox