From: Michael S. Tsirkin > Sent: 02 June 2020 21:33 > On Tue, Jun 02, 2020 at 10:18:09AM -0700, Linus Torvalds wrote: > > On Tue, Jun 2, 2020 at 9:33 AM Al Viro <v...@zeniv.linux.org.uk> wrote: > > > > > > > > > > > It's not clear whether we need a new API, I think __uaccess_being() has > > > > the > > > > assumption that the address has been validated by access_ok(). > > > > > > __uaccess_begin() is a stopgap, not a public API. > > > > Correct. It's just an x86 implementation detail. > > > > > The problem is real, but "let's add a public API that would do > > > user_access_begin() > > > with access_ok() already done" is no-go. > > > > Yeah, it's completely pointless. > > > > The solution to this is easy: remove the incorrect and useless early > > "access_ok()". Boom, done. > > Hmm are you sure we can drop it? access_ok is done in the context > of the process. Access itself in the context of a kernel thread > that borrows the same mm. IIUC if the process can be 32 bit > while the kernel is 64 bit, access_ok in the context of the > kernel thread will not DTRT.
In which case you need a 'user_access_begin' that takes the mm as an additional parameter. I found an 'interesting' acccess_ok() call in the code that copies iov[] into kernel (eg for readv()). a) It is a long way from any copies. b) It can be conditionally ignored - and is so for one call. The oddball is code that reads from a different process. I didn't spot an equivalent check, but it all worked by mapping in the required page - so I'm not sure what happens. Are there really just 2 limits for access_ok(). One for 64bit programs and one for 32bit? With the limit being just below the 'dso' page?? So checking the current processes limit is never going to restrict access. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)