Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S965308AbbHLJB0 (ORCPT <rfc822;w@1wt.eu>);
	Wed, 12 Aug 2015 05:01:26 -0400
Received: from mail-pa0-f53.google.com ([209.85.220.53]:36737 "EHLO
	mail-pa0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S965284AbbHLJBV convert rfc822-to-8bit (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 12 Aug 2015 05:01:21 -0400
From: yalin wang <yalin.wang2010@gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8BIT
Subject: [x86] copy_from{to}_user question
Message-Id: <7FD389F5-C677-4439-8082-EB0CAE2814F6@gmail.com>
Date: Wed, 12 Aug 2015 17:01:14 +0800
To: Thomas Gleixner <tglx@linutronix.de>, mingo@redhat.com, hpa@zytor.com,
        x86@kernel.org, bp@suse.de, open list <linux-kernel@vger.kernel.org>,
        Will Deacon <will.deacon@arm.com>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
X-Mailer: Apple Mail (2.2098)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2256
Lines: 65

hi x86 maintainers,

i have a question about copy_from{to}_user() function,
i find on other platforms like arm/ arm64 /hexagon,
all copy_from{to}_user function only check source address for
copy_from and only check to address for copy_to user function,
never check both source and dest together,

but on x86 platform, i see copy_from{to}_user use a generic function
named copy_user_generic_unrolled() in arch/x86/lib/copy_user_64.S,

it check source and dest address no matter it is copy_from user or
copy_to_user ,  is it correct? 
for copy_from_user i think only need check source address is enough,
if check both address, may hide some kernel BUG, if the kernel address
is not valid, because the fix up code will fix it and kernel will
not panic in this situation.

another problems is that in ./fs/proc/kcore.c ,
read_kcore() function:


if (kern_addr_valid(start)) {
          unsigned long n;
  
          n = copy_to_user(buffer, (char *)start, tsz);
          /*                                                                                                                                                                                               
          ¦* We cannot distinguish between fault on source
          ¦* and fault on destination. When this happens
          ¦* we clear too and hope it will trigger the
          ¦* EFAULT again.
          ¦*/ 
          if (n) { 
                  if (clear_user(buffer + tsz - n,
                                          n)) 
                          return -EFAULT;
          }   
  } else {
          if (clear_user(buffer, tsz))
                  return -EFAULT;
  }

it relies on copy_to_user() can fault on both user and kernel address,
it is not true on arm / arm64 /hexgon platforms, maybe some other platforms,
i don’t check all platform code.
and this code may result in kernel panic on these platforms.

i think x86’s copy_from{to}_user code need to change like other platforms.
or am i missing something ?

Thanks









--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/