From: Leonid Yegoshin
To: Jonas Gorski
CC: MIPS Mailing List, Markos Chandras, Ralf Baechle, "linux-kernel@vger.kernel.org"
Subject: Re: [PATCH] MIPS: R6: memcpy bugfix - zero length overwrites memory
Date: Tue, 28 Apr 2015 15:40:55 +0000
Message-ID: <2t0ohi7dtgbcu7itm7j8br57.1430235652967@email.android.com>
References: <20150427233529.4423.20839.stgit@ubuntu-yegoshin>

You're right, I am debugging a new core and got a wrong backtrace. Please cancel it, sorry for the noise.

- Leonid.

Jonas Gorski wrote:

Hi,

On Tue, Apr 28, 2015 at 1:35 AM, Leonid Yegoshin wrote:
> The MIPS R6 version of memcpy has a bug - when the length to copy is zero
> and the addresses are not aligned, then it can overwrite a whole memory.
>
> Signed-off-by: Leonid Yegoshin
> ---
>  arch/mips/lib/memcpy.S |    2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/arch/mips/lib/memcpy.S b/arch/mips/lib/memcpy.S
> index 9245e1705e69..7e0250f3aec8 100644
> --- a/arch/mips/lib/memcpy.S
> +++ b/arch/mips/lib/memcpy.S
> @@ -514,6 +514,8 @@
>
>  #ifdef CONFIG_CPU_MIPSR6
>  .Lcopy_unaligned_bytes\@:
> +	beqz	len, .Ldone\@
> +	 nop
>  1:
>  	COPY_BYTE(0)
>  	COPY_BYTE(1)

AFAICT it should never reach that if the amount to copy is zero bytes, so the check seems to be superfluous:

	sltu	t2, len, NBYTES			<- check for < NBYTES (4/8 bit depending on 32/64 bit)
	and	t1, dst, ADDRMASK
	PREFS(	0, 1*32(src) )
	PREFD(	1, 1*32(dst) )
	bnez	t2, .Lcopy_bytes_checklen\@	<- skip to copy_bytes_checklen if < NBYTES
	and	t0, src, ADDRMASK
	PREFS(	0, 2*32(src) )
	PREFD(	1, 2*32(dst) )
#ifndef CONFIG_CPU_MIPSR6
	bnez	t1, .Ldst_unaligned\@
	 nop
	bnez	t0, .Lsrc_unaligned_dst_aligned\@
#else
	or	t0, t0, t1
	bnez	t0, .Lcopy_unaligned_bytes\@	<- only outside place to branch to it, and only reachable if len >= NBYTES bytes.
#endif

And in the loop itself each COPY_BYTE() will already break out if len becomes zero, so the unconditional b 1b should also never be reached with len == 0 in that case. But maybe I overlooked something.

Regards
Jonas

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
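Review bot: The `beqz len, .Ldone\@` / `nop` added at `.Lcopy_unaligned_bytes\@:` guards a length that the visible control flow never delivers: the only branch to this label, `bnez t0, .Lcopy_unaligned_bytes\@` in the `#else` arm, comes after `sltu t2, len, NBYTES` / `bnez t2, .Lcopy_bytes_checklen\@` has already diverted every length below NBYTES, and inside the loop each COPY_BYTE() exits once len reaches zero, so the two new instructions (one a delay-slot nop) run on every unaligned R6 copy with no reachable case to protect. If a zero-length entry into this loop does exist, the commit message should name the path (which branch, with what register state) instead of the general claim that zero length with unaligned addresses overwrites memory, a claim the author's own follow-up attributes to a wrong backtrace on a new core. As the author has asked for the patch to be cancelled, dropping it is the right outcome.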