From: Max Filippov
To: linux-xtensa@linux-xtensa.org, Al Viro
Cc: Chris Zankel, linux-kernel@vger.kernel.org, Max Filippov
Subject: [PATCH 1/3] xtensa: fix {get,put}_user() for 64bit values
Date: Fri, 11 Oct 2019 17:07:09 -0700
Message-Id: <20191012000711.3775-2-jcmvbkbc@gmail.com>
In-Reply-To: <20191012000711.3775-1-jcmvbkbc@gmail.com>
References: <20191012000711.3775-1-jcmvbkbc@gmail.com>

From: Al Viro

First of all, on short copies __copy_{to,from}_user() return the amount
of bytes left uncopied, *not* -EFAULT. get_user() and put_user() are
expected to return -EFAULT on failure.

Another problem is get_user(v32, (__u64 __user *)p); that should
fetch 64bit value and then assign it to v32, truncating it in process.
Current code, OTOH, reads 8 bytes of data and stores them at the
address of v32, stomping on the 4 bytes that follow v32 itself.

Signed-off-by: Al Viro
Signed-off-by: Max Filippov --- arch/xtensa/include/asm/uaccess.h | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/arch/xtensa/include/asm/uaccess.h b/arch/xtensa/include/asm/uaccess.h index 6792928ba84a..f568c00392ec 100644 --- a/arch/xtensa/include/asm/uaccess.h +++ b/arch/xtensa/include/asm/uaccess.h @@ -100,7 +100,7 @@ do { \ case 4: __put_user_asm(x, ptr, retval, 4, "s32i", __cb); break; \ case 8: { \ __typeof__(*ptr) __v64 = x; \ - retval = __copy_to_user(ptr, &__v64, 8); \ + retval = __copy_to_user(ptr, &__v64, 8) ? -EFAULT : 0; \ break; \ } \ default: __put_user_bad(); \ @@ -198,7 +198,16 @@ do { \ case 1: __get_user_asm(x, ptr, retval, 1, "l8ui", __cb); break;\ case 2: __get_user_asm(x, ptr, retval, 2, "l16ui", __cb); break;\ case 4: __get_user_asm(x, ptr, retval, 4, "l32i", __cb); break;\ - case 8: retval = __copy_from_user(&x, ptr, 8); break; \ + case 8: { \ + u64 __x; \ + if (unlikely(__copy_from_user(&__x, ptr, 8))) { \ + retval = -EFAULT; \ + (x) = 0; \ + } else { \ + (x) = *(__force __typeof__((ptr)))&__x; \ + } \ + break; \ + } \ default: (x) = __get_user_bad(); \ } \ } while (0) -- 2.20.1
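
Review bot: In the put_user hunk (@@ -100,7 +100,7), the failure test in `case 8` is a bare ternary, `__copy_to_user(ptr, &__v64, 8) ? -EFAULT : 0`, while the get_user side of this same patch wraps the equivalent check in `unlikely()`. Using the same form on both sides would keep the two macros easy to compare, and a one-line comment that __copy_to_user() returns the count of bytes left uncopied would explain why the result cannot be passed straight through as retval.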
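
Review bot: In the get_user hunk (@@ -198,7 +198,16), the success branch of the new `case 8` assigns `(x)` but never writes retval, whereas the failure branch sets `retval = -EFAULT` and the put_user side sets 0 explicitly. That is only correct if retval is zeroed before the switch, which is outside the lines shown; either confirm that or add `retval = 0;` in the else branch. The expression `*(__force __typeof__((ptr)))&__x` would also benefit from a short comment saying that the temporary is read back with the pointee type of ptr so that the assignment to (x) performs the truncation.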
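
The two problems named in the commit message, modeled in user space as an added example (not kernel code and not part of the patch). `struct frame`, `model_copy()`, `old_get_user64()` and `new_get_user64()` are hypothetical names; `model_copy()` only imitates the "bytes left uncopied" return convention.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SENTINEL 0xDEADBEEFu

/* v32 is the caller's 32-bit variable; neighbour is whatever follows it. */
struct frame { uint32_t v32; uint32_t neighbour; };

/* Stand-in for __copy_from_user(): returns the number of bytes NOT copied.
 * fault_after models how many source bytes are readable before a fault. */
static unsigned long model_copy(void *dst, const void *src,
                                unsigned long n, unsigned long fault_after)
{
    unsigned long ok = n < fault_after ? n : fault_after;
    memcpy(dst, src, ok);
    return n - ok;
}

/* Pre-patch shape: 8 bytes land at the address of v32 (the start of the
 * frame), and the raw "bytes left" count is handed back to the caller. */
long old_get_user64(struct frame *f, const uint64_t *src, unsigned long fault_after)
{
    return (long)model_copy(f, src, 8, fault_after);
}

/* Post-patch shape: read into a 64-bit temporary, then assign (and so
 * truncate) into the destination; any short copy becomes -EFAULT. */
long new_get_user64(struct frame *f, const uint64_t *src, unsigned long fault_after)
{
    uint64_t tmp;
    if (model_copy(&tmp, src, 8, fault_after)) {
        f->v32 = 0;
        return -EFAULT;
    }
    f->v32 = (uint32_t)tmp;
    return 0;
}

int main(void)
{
    uint64_t src = 0x1122334455667788ULL;   /* constructed sample value */
    struct frame a = { 0, SENTINEL }, b = { 0, SENTINEL };
    long ra = old_get_user64(&a, &src, 8), rb = new_get_user64(&b, &src, 8);
    printf("old: ret=%ld neighbour=%#x\n", ra, (unsigned)a.neighbour);
    printf("new: ret=%ld neighbour=%#x v32=%#x\n", rb, (unsigned)b.neighbour, (unsigned)b.v32);
    return 0;
}
```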