Message-ID: <1fec6a8b-7083-4b08-858a-0793f996ed52@I-love.SAKURA.ne.jp>
Date: Tue, 5 Mar 2024 19:17:35 +0900
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [syzbot] [hardening?] [mm?] BUG: bad usercopy in fpa_set
To: syzbot, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
References: <0000000000004cf5c205faf1c7f3@google.com>
From: Tetsuo Handa
In-Reply-To: <0000000000004cf5c205faf1c7f3@google.com>

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index c421a899fc84..29b28961637c 100644 --- a/arch/arm/kernel/ptrace.c +++ b/arch/arm/kernel/ptrace.c @@ -573,8 +573,10 @@ static int fpa_get(struct task_struct *target, const struct user_regset *regset, struct membuf to) { - return membuf_write(&to, &task_thread_info(target)->fpstate, - sizeof(struct user_fp)); + struct thread_info *thread = task_thread_info(target); + + return membuf_write(&to, &thread->fpstate, + sizeof(thread->fpstate)); } static int fpa_set(struct task_struct *target, @@ -586,7 +588,7 @@ static int fpa_set(struct task_struct *target, return user_regset_copyin(&pos, &count, &kbuf, &ubuf, &thread->fpstate, - 0, sizeof(struct user_fp)); + 0, sizeof(thread->fpstate)); } #ifdef CONFIG_VFP
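Review bot: In the fpa_get hunk (@@ -573,8 +573,10 @@), the length passed to membuf_write() changes from sizeof(struct user_fp) to sizeof(thread->fpstate), and nothing in the mail shows that the two sizes are equal. If fpstate is larger than struct user_fp, the ptrace caller now receives kernel bytes beyond the user-visible FPA layout. I would keep the ABI size as the copy length and add a compile-time check that it fits inside thread->fpstate, or state in the changelog why the sizes match.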
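Review bot: In the fpa_set hunk (@@ -586,7 +588,7 @@), raising the end bound of user_regset_copyin() from sizeof(struct user_fp) to sizeof(thread->fpstate) lets a ptrace writer overwrite the whole fpstate object, not only the part described by struct user_fp, whenever the two sizes differ. The mail also has no changelog tying this bound to the "bad usercopy in fpa_set" report. Please explain which size the usercopy check rejected and why widening the writable range is the right fix, and confirm that any bytes past struct user_fp are safe for userspace to set.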