Skip to content
  • Linus Torvalds's avatar
    x86-64: Fix "bytes left to copy" return value for copy_from_user() · 42a886af
    Linus Torvalds authored
    Most users by far do not care about the exact return value (they only
    really care about whether the copy succeeded in its entirety or not),
    but a few special core routines actually care deeply about exactly how
    many bytes were copied from user space.
    
    And the unrolled versions of the x86-64 user copy routines would
    sometimes report that it had copied more bytes than it actually had.
    
    Very few uses actually have partial copies to begin with, but to make
    this bug even harder to trigger, most x86 CPU's use the "rep string"
    instructions for normal user copies, and that version didn't have this
    issue.
    
    To make it even harder to hit, the one user of this that really cared
    about the return value (and used the uncached version of the copy that
    doesn't use the "rep string" instructions) was the generic write
    routine, which pre-populated its source, once more hiding the problem by
    avoiding the exception case that triggers the bug.
    
    In other words, very special thanks to Bron Gondwana who not only
    triggered this, but created a test-program to show it, and bisected the
    behavior down to commit 08291429
    
     ("mm:
    fix pagecache write deadlocks") which changed the access pattern just
    enough that you can now trigger it with 'writev()' with multiple
    iovec's.
    
    That commit itself was not the cause of the bug, it just allowed all the
    stars to align just right that you could trigger the problem.
    
    [ Side note: this is just the minimal fix to make the copy routines
      (with __copy_from_user_inatomic_nocache as the particular version that
      was involved in showing this) have the right return values.
    
      We really should improve on the exceptional case further - to make the
      copy do a byte-accurate copy up to the exact page limit that causes it
      to fail.  As it is, the callers have to do extra work to handle the
      limit case gracefully. ]
    
    Reported-by: default avatarBron Gondwana <brong@fastmail.fm>
    Cc: Nick Piggin <npiggin@suse.de>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Andi Kleen <andi@firstfloor.org>
    Cc: Al Viro <viro@ZenIV.linux.org.uk>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    
     (which didn't have this problem), and since
    most users that do the carethis was very hard to trigger, but
    42a886af