From: "H. Peter Anvin" <hpa@zytor.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Ingo Molnar <mingo@kernel.org>, Al Viro <viro@ZenIV.linux.org.uk>,
Thomas Gleixner <tglx@linutronix.de>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Vitaly Mayatskikh <v.mayatskih@gmail.com>,
"Murty, Ravi" <ravi.murty@intel.com>,
neilb@suse.de
Subject: Re: copy_from_user_*() and buffer zeroing
Date: Tue, 26 Nov 2013 14:28:59 -0800 [thread overview]
Message-ID: <529520AB.2020407@zytor.com> (raw)
In-Reply-To: <20131126135454.b5e9597a998509f1ab43cee4@linux-foundation.org>
On 11/26/2013 01:54 PM, Andrew Morton wrote:
>
> Nine years ago:
>
> commit 7079f897164cb14f616c785d3d01629fd6a97719
> Author: mingo <mingo>
> Date: Fri Aug 27 17:33:18 2004 +0000
>
> [PATCH] Add a few might_sleep() checks
>
> Add a whole bunch more might_sleep() checks. We also enable might_sleep()
> checking in copy_*_user(). This was non-trivial because of the "copy_*_user()
> in atomic regions" trick would generate false positives. Fix that up by
> adding a new __copy_*_user_inatomic(), which avoids the might_sleep() check.
>
> Only i386 is supported in this patch.
>
>
> I can't think of any reason why __copy_from_user_inatomic() should be
> non-zeroing. But maybe I'm missing something - this would pretty
> easily permit uninitialised data to appear in pagecache and someone
> surely would have noticed..
>
Yes, and the might_sleep() check is indeed bypassed.
However, the non-zeroing bit is currently motivated by the following
comment:
/**
* __copy_from_user: - Copy a block of data from user space, with less
checking.
* @to: Destination address, in kernel space.
* @from: Source address, in user space.
* @n: Number of bytes to copy.
*
* Context: User context only. This function may sleep.
*
* Copy data from user space to kernel space. Caller must check
* the specified block with access_ok() before calling this function.
*
* Returns number of bytes that could not be copied.
* On success, this will be zero.
*
* If some data could not be copied, this function will pad the copied
* data to the requested size using zero bytes.
*
* An alternate version - __copy_from_user_inatomic() - may be called from
* atomic context and will fail rather than sleep. In this case the
* uncopied bytes will *NOT* be padded with zeros. See fs/filemap.h
* for explanation of why this is needed.
*/
This comment is only present in the 32-bit code. fs/filemap.h of course
no longer exists, however, the original commit seems to be
01408c4939479ec46c15aa7ef6e2406be50eeeca which puts a comment in the
(now defunct mm/filemap.h).
I have to say I don't follow the explanation in that patch. It seems
like if you're concurrently reading a buffer being written you should
expect to get any kind of mismash...
Neil, is this still an issue?
-hpa
next prev parent reply other threads:[~2013-11-26 22:29 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-26 21:07 copy_from_user_*() and buffer zeroing H. Peter Anvin
2013-11-26 21:54 ` Andrew Morton
2013-11-26 22:28 ` H. Peter Anvin [this message]
2013-11-26 23:04 ` NeilBrown
2013-11-26 23:08 ` H. Peter Anvin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=529520AB.2020407@zytor.com \
--to=hpa@zytor.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=neilb@suse.de \
--cc=ravi.murty@intel.com \
--cc=tglx@linutronix.de \
--cc=v.mayatskih@gmail.com \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.