Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp1332236ybp; Wed, 9 Oct 2019 12:23:07 -0700 (PDT) X-Google-Smtp-Source: APXvYqw20kwoty2oly0Sp295gOPxDEZEZrJ3STnIAqo9zC5DhqGxS/t+XXCAtpW+LMQ6nEYDNR6v X-Received: by 2002:a17:907:365:: with SMTP id rs5mr4468706ejb.121.1570648987450; Wed, 09 Oct 2019 12:23:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570648987; cv=none; d=google.com; s=arc-20160816; b=i88+6F3wmr5WMQ5gp9U2UUL0kyPKzlogaliqm3pzHV5rUo5SnT/8G3M02RBjWDYeJ2 Jffro/18Os4LM2DW5LWAKQWrQYHPvE/bUuAPH09Qa6I28zVx++KBJ0vdUfg0m544WTCj vMFD6cEqwC5MddqA0VURmMDwpmTI0f/juH1plbrJ5ogTWnDEwSgfknKtCQTvwhCHmTNW 97tXUABbRRC5VuCqId3E0ez111Ei9vAMa1Zi29PVouPwA/CPs8c+A8J7z7D4CbXg/ald t+2ugFWf9iXLtQ/PfHuTGpT6LV5zc4Z/AsCuHXlj3L7TF0h1piMjYCC32e5Vu90uwlPS uhDg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:content-disposition :mime-version:message-id:subject:cc:to:from:date; bh=KpWuFwbC/wV1dKVfu4yJ7eJW9qWjp7rUi2L3mpxSb4E=; b=RZouXHcjEFNKCuOV5/QBMoV2WuXPakZ7VGTb9evVsYOtp1ZbcYBLQsrbRcafGaIbP5 +VWEXm5jajkyqLewu6BTP4wXsbyyWaTTBHJTpTqF45dPMyt0EEGtQoE0oYr0ITeDc5as Numu4kDc4hJgsdpFv5sV0CWTSwqLhpwqrR6CSwgISNdf6KIsHRDXGqPERG5qIqRq1uwX 6eGyYA4LTtk9+hSVsFbidKN1y+CbMjthmPCpEz/fQ286g365bjAj9fI9urGJ/BhNieE5 Rbb+yb4hHxSxQIj9o2b0Nr3+ANJ/brNPh0HwQdfvSnRk9f1/0gW21cpGV7sSBQYeYrAd XEQQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l26si1908528edb.258.2019.10.09.12.22.44; Wed, 09 Oct 2019 12:23:07 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731717AbfJITVI (ORCPT + 99 others); Wed, 9 Oct 2019 15:21:08 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:51958 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728804AbfJITVI (ORCPT ); Wed, 9 Oct 2019 15:21:08 -0400 Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92.2 #3 (Red Hat Linux)) id 1iIHWD-000215-PY; Wed, 09 Oct 2019 19:21:05 +0000 Date: Wed, 9 Oct 2019 20:21:05 +0100 From: Al Viro To: Max Filippov Cc: linux-xtensa@linux-xtensa.org, linux-kernel@vger.kernel.org Subject: [PATCH] xtensa: fix {get,put}_user() for 64bit values Message-ID: <20191009192105.GC26530@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.12.1 (2019-06-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org First of all, on short copies __copy_{to,from}_user() return the amount of bytes left uncopied, *not* -EFAULT. get_user() and put_user() are expected to return -EFAULT on failure. Another problem is get_user(v32, (__u64 __user *)p); that should fetch 64bit value and the assign it to v32, truncating it in process. Current code, OTOH, reads 8 bytes of data and stores them at the address of v32, stomping on the 4 bytes that follow v32 itself. Signed-off-by: Al Viro -- diff --git a/arch/xtensa/include/asm/uaccess.h b/arch/xtensa/include/asm/uaccess.h index 6792928ba84a..155174ddb7ae 100644 --- a/arch/xtensa/include/asm/uaccess.h +++ b/arch/xtensa/include/asm/uaccess.h @@ -100,7 +100,7 @@ do { \ case 4: __put_user_asm(x, ptr, retval, 4, "s32i", __cb); break; \ case 8: { \ __typeof__(*ptr) __v64 = x; \ - retval = __copy_to_user(ptr, &__v64, 8); \ + retval = __copy_to_user(ptr, &__v64, 8) ? -EFAULT : 0; \ break; \ } \ default: __put_user_bad(); \ @@ -198,7 +198,12 @@ do { \ case 1: __get_user_asm(x, ptr, retval, 1, "l8ui", __cb); break;\ case 2: __get_user_asm(x, ptr, retval, 2, "l16ui", __cb); break;\ case 4: __get_user_asm(x, ptr, retval, 4, "l32i", __cb); break;\ - case 8: retval = __copy_from_user(&x, ptr, 8); break; \ + case 8: { \ + __u64 __x = 0; \ + retval = __copy_from_user(&__x, ptr, 8) ? -EFAULT : 0; \ + (x) = *(__force __typeof__(*(ptr)) *) &__x; \ + break; \ + } \ default: (x) = __get_user_bad(); \ } \ } while (0)