Re: [PATCH] fix fault_in_multipages_...() on architectures with no-op access_ok()

From: Al Viro
Date: Tue Sep 20 2016 - 16:38:34 EST


On Tue, Sep 20, 2016 at 01:24:25PM -0700, Linus Torvalds wrote:

> Quite frankly, I think it is access_ok() that should be fixed for s390.
>
> A wrapping user access is *not* ok, not even if kernel and user memory
> are separate.
>
> It is insane to make fault_in_multipages..() return EFAULT if a normal
> wrapping user access wouldn't. So the fix is not to change
> fault_in_multipage_xyz, but to make sure any op that tries to wrap
> will properly return EFAULT.

Not the point. Of course it *would* fail; the problem is that the loop
that would ping each page is never executed. What happens is
while (uaddr <= end)
touch uaddr
uaddr += PAGE_SIZE
if uaddr and end point to different pages
ping end

What happens if uaddr is greater than end, thanks to wraparound? Right,
we skip the loop entirely and all we do is one ping of the end. Which
might very well succeed, leaving us with false positive.