From: yalin wang
Subject: [x86] copy_from{to}_user question
Date: Wed, 12 Aug 2015 17:01:14 +0800
To: Thomas Gleixner, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, bp@suse.de, open list, Will Deacon
Message-Id: <7FD389F5-C677-4439-8082-EB0CAE2814F6@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

hi x86 maintainers,

I have a question about the copy_from{to}_user() functions. I find that on other platforms like arm/arm64/hexagon, all copy_from{to}_user functions only check the source address for copy_from_user and only the destination address for copy_to_user; they never check both source and destination together. But on the x86 platform, I see copy_from{to}_user use a generic function named copy_user_generic_unrolled() in arch/x86/lib/copy_user_64.S, and it checks the source and destination addresses no matter whether it is copy_from_user or copy_to_user. Is it correct? For copy_from_user I think checking only the source address is enough; if both addresses are checked it may hide some kernel BUG when the kernel address is not valid, because the fixup code will fix it up and the kernel will not panic in this situation.

Another problem is in ./fs/proc/kcore.c, in the read_kcore() function:

	if (kern_addr_valid(start)) {
		unsigned long n;

		n = copy_to_user(buffer, (char *)start, tsz);
		/*
		 * We cannot distinguish between fault on source
		 * and fault on destination. When this happens
		 * we clear too and hope it will trigger the
		 * EFAULT again.
		 */
		if (n) {
			if (clear_user(buffer + tsz - n, n))
				return -EFAULT;
		}
	} else {
		if (clear_user(buffer, tsz))
			return -EFAULT;
	}

It relies on copy_to_user() being able to fault on both user and kernel addresses, which is not true on the arm/arm64/hexagon platforms, and maybe some other platforms; I didn't check all the platform code. This code may result in a kernel panic on these platforms.

I think x86's copy_from{to}_user code needs to change to be like the other platforms. Or am I missing something?

Thanks
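Added example, not part of the mail above or of the kernel sources: a small user-space C model of the read_kcore() fallback quoted in the mail. It replaces copy_to_user(), clear_user() and kern_addr_valid() with model_* functions over a constructed page map (the function names, the page model, the scenario and the -1 "oops" marker are all assumptions of this example, not kernel behaviour) and runs the same read under the two behaviours the mail contrasts: fixups for a fault on either address, as described for x86, versus fixups on the user-space side only, as described for arm/arm64/hexagon. With both-side fixups the partial copy is reported and the tail of the user buffer is zeroed, as the comment in read_kcore() expects; with user-side-only fixups the source fault has no fixup and the model reports where the kernel would have oopsed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory model (example only, not kernel code): NPAGES pages of
 * PAGE_SZ bytes, each mapped or not; offsets play the role of addresses. */
#define PAGE_SZ 16
#define NPAGES  4

struct mem {
    unsigned char bytes[NPAGES * PAGE_SZ];
    bool mapped[NPAGES];
};

/* x86's copy_user_generic_unrolled has fixups for a fault on either address;
 * the arm/arm64/hexagon routines only fix up faults on the user-space side. */
enum arch_semantics { FAULT_SRC_AND_DST, FAULT_DST_ONLY };

/* Model of copy_to_user(): returns the number of bytes NOT copied, as the real
 * API does. A destination fault is always recovered; a source fault is
 * recovered only under FAULT_SRC_AND_DST, otherwise it is an oops (*oops). */
static size_t model_copy_to_user(struct mem *user, size_t to,
                                 const struct mem *kern, size_t from,
                                 size_t n, enum arch_semantics sem, bool *oops)
{
    for (size_t i = 0; i < n; i++) {
        if (!user->mapped[(to + i) / PAGE_SZ])
            return n - i;
        if (!kern->mapped[(from + i) / PAGE_SZ]) {
            if (sem == FAULT_DST_ONLY)
                *oops = true;
            return n - i;
        }
        user->bytes[to + i] = kern->bytes[from + i];
    }
    return 0;
}

/* Model of clear_user(): zero n user bytes, return the number not cleared. */
static size_t model_clear_user(struct mem *user, size_t to, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!user->mapped[(to + i) / PAGE_SZ])
            return n - i;
        user->bytes[to + i] = 0;
    }
    return 0;
}

/* The read_kcore() fragment from the mail, over the model. kern_addr_valid()
 * is modelled as a check of the start page only, as the real call is made.
 * Returns -1 (a marker chosen for this example) where the kernel would oops. */
static int model_read_kcore(struct mem *user, size_t buffer,
                            const struct mem *kern, size_t start,
                            size_t tsz, enum arch_semantics sem, bool *oops)
{
    *oops = false;
    if (kern->mapped[start / PAGE_SZ]) {
        size_t n = model_copy_to_user(user, buffer, kern, start, tsz, sem, oops);
        if (*oops)
            return -1;
        if (n && model_clear_user(user, buffer + tsz - n, n))
            return -EFAULT;
    } else if (model_clear_user(user, buffer, tsz)) {
        return -EFAULT;
    }
    return 0;
}

/* Constructed scenario: a 2-page read that starts in a mapped kernel page and
 * runs into an unmapped one, so kern_addr_valid(start) passes but the copy
 * faults on the source half-way. The user buffer is fully mapped. */
static int run_scenario(enum arch_semantics sem, struct mem *user, bool *oops)
{
    struct mem kern;
    memset(&kern, 0, sizeof kern);
    for (int p = 0; p < NPAGES; p++) {
        kern.mapped[p] = (p != 1);                  /* kernel page 1 is the hole */
        user->mapped[p] = true;
    }
    memset(kern.bytes, 0x5A, PAGE_SZ);              /* recognisable data in page 0 */
    memset(user->bytes, 0xAA, sizeof user->bytes);  /* stale user contents */
    return model_read_kcore(user, 0, &kern, 0, 2 * PAGE_SZ, sem, oops);
}

/* Scenario results as plain values: the return code and one user byte. */
static int scenario_ret(enum arch_semantics sem)
{ struct mem u; bool o; return run_scenario(sem, &u, &o); }
static unsigned scenario_byte(enum arch_semantics sem, size_t i)
{ struct mem u; bool o; run_scenario(sem, &u, &o); return u.bytes[i]; }

int main(void)
{
    printf("src+dst fixups: ret=%d byte[0]=0x%02x byte[%d]=0x%02x\n",
           scenario_ret(FAULT_SRC_AND_DST), scenario_byte(FAULT_SRC_AND_DST, 0),
           PAGE_SZ, scenario_byte(FAULT_SRC_AND_DST, PAGE_SZ));
    printf("dst-only fixups: ret=%d\n", scenario_ret(FAULT_DST_ONLY));
    return 0;
}
```

Build with `cc -Wall model.c -o model` and run it: the first line shows a return of 0 with page 0 copied (0x5a) and page 1 zeroed, the second shows the -1 marker where, on a platform whose copy_to_user() has no source-side fixup, the fault would have been an oops rather than a partial-copy return.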