git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/4.8.5/powerpc-64-fix-incorrect-return-value-from-__copy_tofrom_user.patch
From 1a34439e5a0b2235e43f96816dbb15ee1154f656 Mon Sep 17 00:00:00 2001
From: Paul Mackerras <paulus@ozlabs.org>
Date: Tue, 11 Oct 2016 22:25:47 +1100
Subject: powerpc/64: Fix incorrect return value from __copy_tofrom_user

From: Paul Mackerras <paulus@ozlabs.org>

commit 1a34439e5a0b2235e43f96816dbb15ee1154f656 upstream.

Debugging a data corruption issue with virtio-net/vhost-net led to
the observation that __copy_tofrom_user was occasionally returning
a value 16 larger than it should. Since the return value from
__copy_tofrom_user is the number of bytes not copied, this means
that __copy_tofrom_user can occasionally return a value larger
than the number of bytes it was asked to copy. In turn this can
cause higher-level copy functions such as copy_page_to_iter_iovec
to corrupt memory by copying data into the wrong memory locations.

It turns out that the failing case involves a fault on the store
at label 79, and at that point the first unmodified byte of the
destination is at R3 + 16. Consequently the exception handler
for that store needs to add 16 to R3 before using it to work out
how many bytes were not copied, but in this one case it was not
adding the offset to R3. To fix it, this moves the label 179 to
the point where we add 16 to R3. I have checked manually all the
exception handlers for the loads and stores in this code and the
rest of them are correct (it would be excellent to have an
automated test of all the exception cases).

This bug has been present since this code was initially
committed in May 2002 to Linux version 2.5.20.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

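The failure chain the commit message describes, as an added C model rather than kernel code: `copy_overreport` is a constructed stand-in for the pre-fix fixup path that reports a remainder larger than the request, `believed_copied` is what a trusting higher-level caller derives from it, and `checked_copied` is an added contract check that the patch itself does not contain.

```c
#include <stddef.h>
#include <string.h>

/* Contract modelled here: a user-copy routine returns the number of bytes
 * NOT copied, so a valid return value is always <= n. */
typedef size_t (*copy_fn)(void *dst, const void *src, size_t n);

/* Constructed model of a correct copy: everything lands, nothing left. */
static size_t copy_ok(void *dst, const void *src, size_t n)
{
	memcpy(dst, src, n);
	return 0;
}

/* Constructed model of the pre-fix fixup path: the copy faults with 8 bytes
 * to go but the handler skips the +16 to R3, over-reporting the remainder by 16. */
static size_t copy_overreport(void *dst, const void *src, size_t n)
{
	size_t left = n < 8 ? n : 8;
	memcpy(dst, src, n - left);
	return left + 16;
}

/* Constructed scratch buffers: src holds the pattern 1,2,3,..., dst is
 * zeroed before each copy of n (<= 64) bytes. Returns the reported remainder. */
static unsigned char src_buf[64], dst_buf[64];
static size_t run(copy_fn fn, size_t n)
{
	for (size_t i = 0; i < 64; i++) {
		src_buf[i] = (unsigned char)(i + 1);
		dst_buf[i] = 0;
	}
	return fn(dst_buf, src_buf, n);
}

/* A trusting caller derives "bytes copied" as n - left. When left > n this
 * wraps to a huge size_t, and a cursor advanced by it points into the wrong
 * memory, which is the corruption the commit message describes. */
size_t believed_copied(copy_fn fn, size_t n)
{
	return n - run(fn, n);
}

/* Defensive caller (added here, not in the patch): a remainder larger than
 * the request breaks the contract, so return -1 instead of a wrapped count. */
long checked_copied(copy_fn fn, size_t n)
{
	size_t left = run(fn, n);
	return left > n ? -1 : (long)(n - left);
}
```

With n = 32 the over-reporting copy passes the check yet claims 8 bytes where 24 actually landed (dst_buf[23] is set, dst_buf[24] is not): an in-range wrong remainder is invisible to the caller, which is why the fixup offsets in the assembly have to be exactly right.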
---
 arch/powerpc/lib/copyuser_64.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/lib/copyuser_64.S
+++ b/arch/powerpc/lib/copyuser_64.S
43 @@ -359,6 +359,7 @@ END_FTR_SECTION_IFCLR(CPU_FTR_UNALIGNED_
44 addi r3,r3,8
45 171:
46 177:
47 +179:
48 addi r3,r3,8
49 370:
50 372:
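Review bot: in the visible context the moved `179:` enters the fixup chain just before a single `addi r3,r3,8`, while the commit message says this entry must add 16 to R3, so the other 8 has to come from fall-through code below what the hunk shows. Because every entry label in this group is only correct if the number of `addi` instructions between it and the final remainder calculation matches the offset at the faulting instruction, and the message itself notes there is no automated test of these exception cases, a short comment at the label group stating the expected R3 offset at this entry (for example `/* R3 is 16 behind here */`) would let the next reader check the invariant without re-deriving it.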
51 @@ -373,7 +374,6 @@ END_FTR_SECTION_IFCLR(CPU_FTR_UNALIGNED_
52 173:
53 174:
54 175:
55 -179:
56 181:
57 184:
58 186:
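Review bot: the removal of `179:` from the 173/174/175/181/184/186 group is essential rather than cosmetic, and the commit message could say so: 179 is a numeric local label, which GNU as allows to be defined more than once, with a `179b` reference binding to the nearest preceding definition. If this old definition had been left in place, a backward reference to 179 later in the file (such as the exception-table entry for the store at label 79 that the message refers to, if that entry sits below this point) would still resolve here instead of to the moved label in the previous hunk. Since the exception-table entry itself is not in the diff, it is worth confirming that no other `179b`/`179f` reference in copyuser_64.S depended on the label sitting at this position.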