On Tue, Sep 19, 2017 at 11:11:11PM -0400, Meng Xu wrote: > Since right after the user copy, we are going to > memset(&karg, 0, sizeof(karg)), I guess an access_ok check is enough?
access_ok() is *NOT* "will copy_from_user() succeed?" Not even close. On a bunch of architectures (sparc64, for one) access_ok() is always true. All it does is checking that address is not a kernel one - e.g. on i386 anything in range 0..3Gb qualifies. Whether anything's mapped at that address or not. Why bother with that copy_from_user() at all? The same ioctl() proceeds to copy_to_user() on exact same range; all you get from it is "if the area passed by caller is writable, but not readable, fail with -EFAULT". Who cares? Just drop that copy_from_user() completely. Anything access_ok() might've caught will be caught by copy_to_user() anyway.
