Bug 453053

Summary: RHSA-2008:0508 linux-2.6.9-x86_64-copy_user-zero-tail.patch broken
Product: Red Hat Enterprise Linux 4
Reporter: John Hawkes <jhawkes>
Component: kernel
Assignee: Larry Woodman <lwoodman>
Status: CLOSED ERRATA
QA Contact: Martin Jenner <mjenner>
Severity: high
Priority: urgent
Version: 4.6
CC: dmair, eteo, fluo, jburke, khorenko, lwang, meissner, mstanichenko, qcai, rlerch, vgoyal, vmayatsk
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2009-05-18 19:08:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 458752, 461297, 471015
Attachments:
  Test program (flags: none)
  fix calculation of return value in case of fault in the byte copy loop (flags: none)

Description John Hawkes 2008-06-26 22:49:52 UTC
The latest kernel update, RHSA-2008:0508, contains a patch,
    linux-2.6.9-x86_64-copy_user-zero-tail.patch
for x86_64 processors which is broken.  The attached program demonstrates the
failure.  The test is derived from the LTP read02 test.

In brief:
  * create a file that contains one byte.
  * mmap a 1-byte buffer with PROT_NONE protections.
  * attempt to read that one byte into the mmap'd buffer.

With a kernel prior to 2.6.9-67.0.20, or with 2.6.9-67.0.20 and a non-x86_64
processor, this read() returns -1 and EFAULT.

With 2.6.9-67.0.20 and x86_64, the read() returns garbage and errno==0.
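The three steps in the description, written out as a stand-alone regression check. This is an added example, not the attached test program or the LTP read02 case: it creates a one-byte temporary file (the `/tmp/read02_XXXXXX` template, the struct and the function names are this example's own), maps one page with PROT_NONE as the destination, and checks that read() into it fails with -1/EFAULT instead of reporting a successful copy into memory the process cannot write.

```c
/*
 * Added regression check for the read02 scenario described in the bug.
 * Not part of the report or its attachments; names and the temp-file
 * template are this example's own choices.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* What one run observed: read()'s return value and the errno it left. */
struct read02_result {
    ssize_t nread;
    int err;
    int setup_failed;   /* non-zero if the fixture could not be built */
};

/* Fixture: an anonymous temporary file holding exactly one byte. */
static int make_one_byte_file(void)
{
    char path[] = "/tmp/read02_XXXXXX";   /* constructed template */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                         /* keep the fd, drop the name */
    if (write(fd, "A", 1) != 1 || lseek(fd, 0, SEEK_SET) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Run the scenario: read one byte into a page the process may not touch. */
struct read02_result run_read02(void)
{
    struct read02_result r = { 0, 0, 0 };
    long page = sysconf(_SC_PAGESIZE);
    int fd = make_one_byte_file();
    if (fd < 0) {
        r.setup_failed = 1;
        return r;
    }
    /* PROT_NONE: the kernel's copy to user space must fault on this page. */
    void *buf = mmap(NULL, (size_t)page, PROT_NONE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) {              /* MAP_FAILED, not NULL */
        close(fd);
        r.setup_failed = 1;
        return r;
    }
    errno = 0;
    r.nread = read(fd, buf, 1);
    r.err = errno;
    munmap(buf, (size_t)page);
    close(fd);
    return r;
}

/* 1 if the kernel answers -1/EFAULT as expected, 0 if it claims a
 * successful copy into unwritable memory (the reported bug), -1 if the
 * fixture could not be set up. */
int read02_passes(void)
{
    struct read02_result r = run_read02();
    if (r.setup_failed)
        return -1;
    return (r.nread == -1 && r.err == EFAULT) ? 1 : 0;
}

int main(void)
{
    int rc = read02_passes();
    if (rc < 0)
        perror("read02 setup");
    else
        printf("read() into PROT_NONE buffer: %s\n",
               rc ? "EFAULT as expected" : "BUG: reported success");
    return rc == 1 ? 0 : 1;
}
```

The check keys on both halves of the contract: the return value must be -1 and errno must be EFAULT. A kernel with the broken patch would pass a test that only looked at errno after a non-negative return, which is why the description quotes both values.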

Comment 1 John Hawkes 2008-06-26 22:49:52 UTC
Created attachment 310399 [details]
Test program

Comment 2 Vitaly Mayatskikh 2008-07-01 11:32:50 UTC
Created attachment 310653 [details]
fix calculation of return value in case of fault in the byte copy loop

Comment 3 Vitaly Mayatskikh 2008-07-01 11:33:24 UTC
Thanks for the report, John. The bug was identified and fixed.

By the way, mmap() returns MAP_FAILED in case of error, not NULL.

Comment 4 John Hawkes 2008-07-01 14:58:36 UTC
(In reply to comment #3)
> Thanks for report, John. Bug was identified and fixed.
> 
> By the way, mmap() returns MAP_FAILED in case of error, not NULL.

True.  The original LTP read02 test uses MAP_FAILED correctly.  My small test
program was a quick hack - at least it showed the problem.

Comment 5 John Hawkes 2008-07-01 17:25:21 UTC
FYI: with this patch-to-the-patch in place, a dozen other LTP tests now fail: 
pwrite03 recvmsg01 semctl03 sendmsg01 setdomainname02 setgroups04 sockioctl101
write03 write05 writev01 writev02 writev05

I haven't examined these failures yet.  I just wanted to give you a heads-up.


Comment 6 RHEL Program Management 2008-09-03 13:02:11 UTC
Updating PM score.

Comment 7 Larry Woodman 2008-09-17 18:57:41 UTC
*** Bug 454865 has been marked as a duplicate of this bug. ***

Comment 8 Marat 2008-10-07 08:10:02 UTC
(In reply to comment #2)
From my point of view this patch is not correct because it zeroises the %rsi value, but this is not the expected behavior in all cases.
The %rsi value in this context should contain the number of uncopied 8-byte blocks, and the command below saves this value in the %rsi register:
".Lc1e:  movq %rcx,%rsi".
So we should zeroise the %rsi value only if something happened in the ".Lc2" piece of code; otherwise we should preserve the %rsi content.
The patch from #454865 seems to avoid this.

Comment 11 Larry Woodman 2008-11-07 14:11:24 UTC
Patch was applied, tested and posted to rhkernel-list

------------------------------------------------------------------------------
--- linux-2.6.9/arch/x86_64/lib/copy_user.S.orig        2008-07-31 11:52:34.000000000 -0400
+++ linux-2.6.9/arch/x86_64/lib/copy_user.S     2008-07-31 11:53:37.000000000 -0400
@@ -315,11 +315,14 @@ copy_user_generic_c:
 .Lc1e: movq %rcx,%rsi
 .Lc3:  rep
        stosq
-.Lc2e: movl %edx,%ecx
+.Lc2ec:        movl %edx,%ecx
 .Lc4:  rep
        stosb
 .Lc3e: leaq (%rdx,%rsi,8),%rax
        ret
+       /* %rsi contains source address - clear it */
+.Lc2e: xorq %rsi,%rsi
+       jmp .Lc2ec

        .section __ex_table,"a"
        .align 8
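Review bot: the correctness of this hunk depends on which fault sites the `__ex_table` entries (the section begins at the end of the hunk; the entries themselves are not shown) resolve to `.Lc2e` versus `.Lc1e`. Only a fault in the byte copy loop may land on the new `.Lc2e`, where `%rsi` still holds the source pointer and clearing it is right because the quadword copy already completed; a fault in the quadword copy must keep resolving to `.Lc1e`, whose `movq %rcx,%rsi` supplies the remaining-quadword count that `leaq (%rdx,%rsi,8),%rax` turns into the uncopied-byte total. Please confirm no quadword-loop fixup entry was redirected to `.Lc2e`, since that would zero the count and under-report uncopied bytes, the same class of wrong return value this bug is about. Minor: the added comment would be clearer as "%rsi still holds the source pointer on the byte-loop fault path - clear it", making explicit why the clear is safe only here.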
-------------------------------------------------------------------------------


Larry Woodman

Comment 13 Vivek Goyal 2008-11-18 14:31:27 UTC
Committed in 78.18.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/

Comment 17 Luo Fei 2009-04-29 03:16:46 UTC
I'm not set up to test RHEL4.8. But this test case (read02) is included in the syscalls test of the LTP test (job 54944) with kernel 2.6.9-88.EL on machine gs-dl585g2-01.rhts.bos.redhat.com (x86_64), and the fix (linux-2.6.9-kernel-fix-copy_user-on-x86_64-for-read-of-8-byte.patch) was present in the source RPM.

Comment 19 errata-xmlrpc 2009-05-18 19:08:58 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1024.html

Comment 20 Red Hat Bugzilla 2023-09-14 01:13:06 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days