Re: [PATCH 1/6] syscalls: use uaccess_kernel in addr_limit_user_check

[Christoph Hellwig]

On Mon, Jul 20, 2020 at 03:10:46PM -0700, Guenter Roeck wrote:
> I had another look into the code. Right after this patch, I see
> 
> #define uaccess_kernel() segment_eq(get_fs(), KERNEL_DS)
> 
> Yet, this patch is:
> 
> -       if (CHECK_DATA_CORRUPTION(!segment_eq(get_fs(), USER_DS),
> +       if (CHECK_DATA_CORRUPTION(uaccess_kernel(),
> 
> So there is a negation in the condition. Indeed, the following change
> on top of next-20200720 fixes the problem for mps2-an385.
> 
> -       if (CHECK_DATA_CORRUPTION(uaccess_kernel(),
> +       if (CHECK_DATA_CORRUPTION(!uaccess_kernel(),
> 
> How does this work anywhere ?

No, that is the wrong check - we want to make sure the address
space override doesn't leak to userspace.  The problem is that
armnommu (and m68knommu, but that doesn't call the offending
function) pretends to not have a kernel address space, which doesn't
really work.  Here is the fix I sent out yesterday, which I should
have Cc'ed you on, sorry:

---