The latest kernel update, RHSA-2008:0508, contains a patch, linux-2.6.9-x86_64-copy_user-zero-tail.patch, which is broken for x86_64 processors. The attached program demonstrates the failure. The test is derived from the LTP read02 test. In brief:

* create a file that contains one byte.
* mmap a 1-byte buffer with PROT_NONE protections.
* attempt to read that one byte into the mmap'd buffer.

With a kernel prior to 2.6.9-67.0.20, or with 2.6.9-67.0.20 and a non-x86_64 processor, this read() returns -1 and EFAULT. With 2.6.9-67.0.20 and x86_64, the read() returns garbage and errno == 0.
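The three steps above as a runnable C program. This is an added example, not the attachment from the report (attachment 310399 is not reproduced on this page) and not the LTP read02 source. It checks mmap() against MAP_FAILED rather than NULL, returns outcome codes so the result can be asserted on, and adds one probe that goes beyond the original one-byte test: a two-page buffer whose second page is PROT_NONE, for which a correct kernel must return a short count rather than -1 or the full length. The /tmp template path and the 'A' fill byte are assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Result codes for the one-byte probe. */
enum outcome {
    OUTCOME_EFAULT = 0,   /* read() returned -1 with errno == EFAULT: expected */
    OUTCOME_BAD_RETURN,   /* read() returned anything else: the reported bug */
    OUTCOME_SETUP_FAILED  /* could not create the file or the mapping */
};

/* Create an unlinked temporary file holding `len` bytes of 'A', rewound to
 * offset 0.  Returns the descriptor, or -1 on failure.  The template path is
 * an assumption of this example. */
static int make_file(size_t len)
{
    char path[] = "/tmp/read02-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                        /* only the descriptor keeps it alive */

    char *data = malloc(len);
    if (!data) { close(fd); return -1; }
    memset(data, 'A', len);
    ssize_t w = write(fd, data, len);
    free(data);
    if (w != (ssize_t)len || lseek(fd, 0, SEEK_SET) != 0) { close(fd); return -1; }
    return fd;
}

/* The report's test: read `len` bytes of a file into a PROT_NONE mapping.
 * Optionally hands back read()'s raw return value and errno. */
int read_into_protected_buffer(size_t len, ssize_t *ret_out, int *errno_out)
{
    int fd = make_file(len);
    if (fd < 0)
        return OUTCOME_SETUP_FAILED;

    /* mmap() reports failure with MAP_FAILED, never NULL (comment #3). */
    void *buf = mmap(NULL, len, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) { close(fd); return OUTCOME_SETUP_FAILED; }

    errno = 0;
    ssize_t n = read(fd, buf, len);
    int saved = errno;

    munmap(buf, len);
    close(fd);
    if (ret_out)   *ret_out = n;
    if (errno_out) *errno_out = saved;
    return (n == -1 && saved == EFAULT) ? OUTCOME_EFAULT : OUTCOME_BAD_RETURN;
}

/* Generalisation beyond the report: first page writable, second page
 * PROT_NONE.  The copy to user space faults partway through, so read() must
 * return a short count in (0, pagesize], never -1 and never the full length.
 * Returns 1 if the kernel behaves that way, 0 if not, -1 if setup failed. */
int short_read_on_partial_fault(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;
    size_t len = 2 * (size_t)page;

    int fd = make_file(len);
    if (fd < 0)
        return -1;
    void *buf = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) { close(fd); return -1; }
    /* Revoke access to the second page only. */
    if (mprotect((char *)buf + page, (size_t)page, PROT_NONE) != 0) {
        munmap(buf, len); close(fd); return -1;
    }

    ssize_t n = read(fd, buf, len);
    munmap(buf, len);
    close(fd);
    return (n > 0 && n <= page) ? 1 : 0;
}

int main(void)
{
    ssize_t n = 0;
    int e = 0;
    int r = read_into_protected_buffer(1, &n, &e);
    printf("read(1 byte -> PROT_NONE): ret=%zd errno=%d (%s) -> %s\n",
           n, e, strerror(e), r == OUTCOME_EFAULT ? "OK" : "BUG");
    printf("read across a PROT_NONE page gives a short count: %d\n",
           short_read_on_partial_fault());
    return r == OUTCOME_EFAULT ? 0 : 1;
}
```

On an affected 2.6.9-67.0.20 x86_64 kernel the first line reports a positive or nonsensical return with errno 0; on a correct kernel it reports ret=-1 errno=14 (EFAULT). The second probe exercises the same fixup path from the other side: the count of bytes not copied decides how short the read is, so it must come out between 1 and one page.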
Created attachment 310399 [details] Test program
Created attachment 310653 [details] fix calculation of return value in case of fault in the byte copy loop
Thanks for the report, John. The bug was identified and fixed. By the way, mmap() returns MAP_FAILED in case of error, not NULL.
(In reply to comment #3)
> Thanks for report, John. Bug was identified and fixed.
>
> By the way, mmap() returns MAP_FAILED in case of error, not NULL.

True. The original LTP read02 test uses MAP_FAILED correctly. My small test program was a quick hack - at least it showed the problem.
FYI: with this patch-to-the-patch in place, a dozen other LTP tests now fail: pwrite03 recvmsg01 semctl03 sendmsg01 setdomainname02 setgroups04 sockioctl101 write03 write05 writev01 writev02 writev05 I haven't examined these failures yet. I just wanted to give you a heads-up.
Updating PM score.
*** Bug 454865 has been marked as a duplicate of this bug. ***
(In reply to comment #2) From my point of view this patch is not correct, because it zeroises the %rsi value, but this is not the expected behavior in all cases. In this context the %rsi value should contain the number of uncopied 8-byte blocks, and the instruction below saves this value in the %rsi register: ".Lc1e: movq %rcx,%rsi". So we should zeroise the %rsi value only if something happened in the ".Lc2" piece of code; otherwise we should preserve the %rsi content. The patch from #454865 seems to avoid this.
Patch was applied, tested and posted to rhkernel-list ------------------------------------------------------------------------------ --- linux-2.6.9/arch/x86_64/lib/copy_user.S.orig 2008-07-31 11:52:34.000000000 -0400 +++ linux-2.6.9/arch/x86_64/lib/copy_user.S 2008-07-31 11:53:37.000000000 -0400 @@ -315,11 +315,14 @@ copy_user_generic_c: .Lc1e: movq %rcx,%rsi .Lc3: rep stosq -.Lc2e: movl %edx,%ecx +.Lc2ec: movl %edx,%ecx .Lc4: rep stosb .Lc3e: leaq (%rdx,%rsi,8),%rax ret + /* %rsi contains source address - clear it */ +.Lc2e: xorq %rsi,%rsi + jmp .Lc2ec .section __ex_table,"a" .align 8 ------------------------------------------------------------------------------- Larry Woodman
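Review bot: the comment on the new .Lc2e should say why %rsi has to be cleared, not just that it holds the source address: the fixup falls through to .Lc3e, which computes the return value as leaq (%rdx,%rsi,8),%rax, so arriving there from the byte-copy loop with %rsi still pointing at the source yields an "uncopied bytes" count of %rdx plus eight times a pointer, which is the nonsensical read() result in the report. Suggest `/* fault in the byte loop: %rsi still holds the source pointer; clear it so .Lc3e returns %rdx */`. Two more points worth a line in the commit text: (1) the fault only reaches the new xorq because the __ex_table entry for .Lc2 (below the shown context) presumably keeps naming .Lc2e while the old fall-through target is renamed .Lc2ec, so the two labels are now coupled and .Lc2ec deserves a comment saying it is the fall-through from the rep stosq at .Lc3; (2) with %rsi zeroed the returned count is exactly %rdx, the same value reloaded into %ecx for rep stosb, so the whole byte tail is reported as uncopied even when rep movsb had already moved part of it (the exact remainder would be in %rcx, which rep movsb decrements). That is conservative rather than wrong, but it differs in precision from the quadword path at .Lc1e, which does save %rcx, and should be stated explicitly.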
Committed in 78.18.EL. RPMs are available at http://people.redhat.com/vgoyal/rhel4/
I'm not set up to test RHEL 4.8. But this test case (read02) is included in the syscalls tests of the LTP run (job 54944) with kernel 2.6.9-88.EL on machine gs-dl585g2-01.rhts.bos.redhat.com (x86_64), and the fix (linux-2.6.9-kernel-fix-copy_user-on-x86_64-for-read-of-8-byte.patch) was present in the source RPM.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2009-1024.html
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days