From: Nicholas Piggin <npiggin@gmail.com>
To: Chao Liu <chao.liu.zevorn@gmail.com>
Cc: qemu-devel@nongnu.org, Warner Losh <imp@bsdimp.com>,
Kyle Evans <kevans@freebsd.org>,
Laurent Vivier <laurent@vivier.eu>,
Pierrick Bouvier <pierrick.bouvier@linaro.org>,
Palmer Dabbelt <palmer@dabbelt.com>,
Alistair Francis <alistair.francis@wdc.com>,
Weiwei Li <liwei1518@gmail.com>,
Daniel Henrique Barboza <dbarboza@ventanamicro.com>,
Liu Zhiwei <zhiwei_liu@linux.alibaba.com>,
qemu-riscv@nongnu.org
Subject: Re: [PATCH 2/3] linux-user: Fix unlock_user API usage
Date: Thu, 26 Mar 2026 16:01:42 +1000 [thread overview]
Message-ID: <acTKJSWVB8xrzRr7@lima-default> (raw)
In-Reply-To: <ab-Q2znE0qdtTRsT@ZEVORN-PC.localdomain>
On Sun, Mar 22, 2026 at 02:54:31PM +0800, Chao Liu wrote:
> On Sat, Mar 21, 2026 at 10:48:35AM +1000, Nicholas Piggin wrote:
> > Fix errors in unlock_user() calls:
> > - unlock_user() with len=1 instead of len=written
> > - unlock_user() with len=1 instead of len=0
> > - unlock_user() with len=0 instead of len=1
> >
> > Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
> > ---
> > linux-user/linuxload.c | 2 +-
> > linux-user/syscall.c | 6 +++---
> > 2 files changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/linux-user/linuxload.c b/linux-user/linuxload.c
> > index 85d700953e..79416a94c9 100644
> > --- a/linux-user/linuxload.c
> > +++ b/linux-user/linuxload.c
> > @@ -19,7 +19,7 @@ abi_long memcpy_to_target(abi_ulong dest, const void *src, unsigned long len)
> > return -TARGET_EFAULT;
> > }
> > memcpy(host_ptr, src, len);
> > - unlock_user(host_ptr, dest, 1);
> > + unlock_user(host_ptr, dest, len);
> This fixes the writeback -- old code had 0 which meant
> no flush at all, so getsockopt results were silently
> lost under CONFIG_DEBUG_REMAP.
>
> Minor observation: getsockopt returns actual bytes in
> lv, so using lv rather than len would be more precise.
> That said, the swap loop above also uses len, so this
> is consistent with the existing code.
I guess this comment is for the next hunk below.
The swap loop as you noted stores to the full len, so I
think it's better to use that. If the logic changes to
only store lv, then the unlock would change.
> > return 0;
> > }
> >
> > diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> > index 7832a1aba5..13b8bd9ed3 100644
> > --- a/linux-user/syscall.c
> > +++ b/linux-user/syscall.c
> > @@ -2989,7 +2989,7 @@ get_timeout:
> > if (put_user_u32(lv, optlen)) {
> > return -TARGET_EFAULT;
> > }
> > - unlock_user(results, optval_addr, 0);
> > + unlock_user(results, optval_addr, len);
> > break;
> > }
Actually missing unlock on error too, I'll fix that up.
> > #endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(4, 2, 0) */
> > @@ -4006,7 +4006,7 @@ static inline abi_long host_to_target_semarray(int semid, abi_ulong target_addr,
> > __put_user((*host_array)[i], &array[i]);
> > }
> > g_free(*host_array);
> > - unlock_user(array, target_addr, 1);
> > + unlock_user(array, target_addr, nsems * sizeof(unsigned short));
> >
> > return 0;
> > }
> > @@ -7888,7 +7888,7 @@ static inline abi_long target_to_host_sigevent(struct sigevent *host_sevp,
> > host_sevp->sigev_notify = tswap32(target_sevp->sigev_notify);
> > host_sevp->sigev_notify_thread_id = tswap32(target_sevp->_sigev_un._tid);
> >
> > - unlock_user_struct(target_sevp, target_addr, 1);
> > + unlock_user_struct(target_sevp, target_addr, 0);
> Right. This function only reads from target, so
> copy=0 (no writeback) is the correct semantic.
>
> Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Thanks,
Nick
next prev parent reply other threads:[~2026-03-26 6:02 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-21 0:48 [PATCH 0/3] Fix missing and incorrect unlock_user calls Nicholas Piggin
2026-03-21 0:48 ` [PATCH 1/3] bsd-user: Fix unlock_user API usage Nicholas Piggin
2026-03-21 4:17 ` Warner Losh
2026-03-21 0:48 ` [PATCH 2/3] linux-user: " Nicholas Piggin
2026-03-22 6:54 ` Chao Liu
2026-03-26 6:01 ` Nicholas Piggin [this message]
2026-03-25 1:46 ` Alistair Francis
2026-03-26 6:20 ` Nicholas Piggin
2026-03-21 0:48 ` [PATCH 3/3] linux-user: riscv: Fix signal frame user mapping Nicholas Piggin
2026-03-22 6:44 ` Chao Liu
2026-03-25 1:53 ` Alistair Francis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=acTKJSWVB8xrzRr7@lima-default \
--to=npiggin@gmail.com \
--cc=alistair.francis@wdc.com \
--cc=chao.liu.zevorn@gmail.com \
--cc=dbarboza@ventanamicro.com \
--cc=imp@bsdimp.com \
--cc=kevans@freebsd.org \
--cc=laurent@vivier.eu \
--cc=liwei1518@gmail.com \
--cc=palmer@dabbelt.com \
--cc=pierrick.bouvier@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-riscv@nongnu.org \
--cc=zhiwei_liu@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox