Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp675564pxb; Sat, 21 Aug 2021 14:58:43 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw/n3AxwqHmIjVZohb4tGygSFqqkq4Ydpsv2Y/7+3Q2fUQzB3JnbGHWv3tUvbfuFjrqMn0a X-Received: by 2002:a05:6e02:2145:: with SMTP id d5mr18103242ilv.23.1629583122948; Sat, 21 Aug 2021 14:58:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629583122; cv=none; d=google.com; s=arc-20160816; b=FF42TVdPFTfs3IOawwoWrjEmmXokCWBkTLKRuxkpHGiCCuEbaUS5v5M1v6UhlWgENG n9aUyvlO4E2ppzeMMaM4VvD7Lc42LGiFuv5LEWCxk2d4kgAJGELBLBCh0RwAewcJ1nX4 AI6TVrErQD1p+HM/s3BifpZ7Sa+3o4sGQUXxQ46EccnptJTuvxYSGG+c8+oSnKkO4Suq QhHBNyitjouOzstm0QSnhE6aUhT4ErcyVFQcpfJPcDSuDh1ncnH2Y84Orv9w7VFzMh4P aUKae+IP0s5gpWOiFQpf1FX4tRebHUlRb+kRyL44Le0P/0KSMGMp77ss2WDupERSZbsH IjLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=6lyI9ZPHdx451NUTrxYM9CYb4w5UxI7mwRa6pqszjss=; b=cAcN3aZAy6Zrmw7sU3KLyry7+iqUZrZ2py2UUlGibG3ne1zZ2iJPCuOQpbyeiWBdYr qrfw4c2EFzMqlLdTjsZBPBr5Jm+6xvq9+lzEluomyFzhlcxfchxVhlwmdHGBldcokW/h G2Y0IMoy6/7cUP8pmePyN25PwKDi9wWXOxUiGAa56OX5KTqRkZP1aIhnHCOxsF7GTjlM vYIDKctAmbZK5YzWnjGuLYPlHnEu3tk8KivwjDLvZGWjyUYvFw6dVSVwFzHFt5JFS1Dm zxAXwliua4s7Nk/M8rvkmezFpGDJhoVRF2/xpmYp9XAHWpyUazsV9as9FAw6bpCCCKsE nrEA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w13si4920285ilu.26.2021.08.21.14.58.29; Sat, 21 Aug 2021 14:58:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230445AbhHUVwW (ORCPT + 99 others); Sat, 21 Aug 2021 17:52:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56564 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230178AbhHUVwV (ORCPT ); Sat, 21 Aug 2021 17:52:21 -0400 Received: from zeniv-ca.linux.org.uk (zeniv-ca.linux.org.uk [IPv6:2607:5300:60:148a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0A085C061575 for ; Sat, 21 Aug 2021 14:51:41 -0700 (PDT) Received: from viro by zeniv-ca.linux.org.uk with local (Exim 4.94.2 #2 (Red Hat Linux)) id 1mHYtT-00EmKv-4C; Sat, 21 Aug 2021 21:51:11 +0000 Date: Sat, 21 Aug 2021 21:51:11 +0000 From: Al Viro To: Tony Luck Cc: Borislav Petkov , Jue Wang , Ding Hui , HORIGUCHI =?utf-8?B?TkFPWUEo5aCA5Y+jIOebtOS5nyk=?= , Oscar Salvador , Youquan Song , huangcun@sangfor.com.cn, X86-ML , Linux Edac Mailing List , Linux-MM , Linux Kernel Mailing List Subject: Re: [PATCH v2 1/3] x86/mce: Avoid infinite loop for copy from user recovery Message-ID: References: <20210706190620.1290391-1-tony.luck@intel.com> <20210818002942.1607544-1-tony.luck@intel.com> <20210818002942.1607544-2-tony.luck@intel.com> <20210820185945.GA1623421@agluck-desk2.amr.corp.intel.com> <20210820202346.GA1623796@agluck-desk2.amr.corp.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: Al Viro Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Aug 20, 2021 at 09:51:41PM -0700, Tony Luck wrote: > On Fri, Aug 20, 2021 at 1:25 PM Luck, Tony wrote: > > Probably the same for the two different addresses case ... though I'm > > not 100% confident about that. There could be some ioctl() that peeks > > at two parts of a passed in structure, and the user might pass in a > > structure that spans across a page boundary with both pages poisoned. > > But that would only hit if the driver code ignored the failure of the > > first get_user() and blindly tried the second. So I'd count that as a > > critically bad driver bug. > > Or maybe driver writers are just evil :-( > > for (i = 0; i < len; i++) { > tx_wait(10); > get_user(dsp56k_host_interface.data.b[1], bin++); > get_user(dsp56k_host_interface.data.b[2], bin++); > get_user(dsp56k_host_interface.data.b[3], bin++); > } Almost any unchecked get_user()/put_user() is a bug. Fortunately, there's not a lot of them 93 for put_user() and 73 for get_user(). _Some_ of the former variety might be legitimate, but most should be taken out and shot. And dsp56k should be taken out and shot, period ;-/ This is far from the worst in there...