Re: [PATCH] drivers/tty: Use get_user instead of dereferencing user pointer

[Alan Cox <alan@lxorguk.ukuu.org.uk>]

On Fri, 20 Apr 2012 17:52:34 +0200
Emil Goode <emilgoode@gmail.com> wrote:

> We should use the get_user macro instead of dereferencing user
> pointers directly.
> 
> This patch fixes the following sparse warning:
> drivers/tty/n_tty.c:1648:51: warning:
> 	dereference of noderef expression
> 
> Signed-off-by: Emil Goode <emilgoode@gmail.com>

So I gave it a five second glance and thought "must be a crazy newbie",
then I looked harder 8)

> I'm a newbie so please review carefully.
> Not sure if I should add error handling for the get_user call here.

You are correct, and it's been wrong for ages. You are also the first
person to my knowledge to actually dig into that sparse warning and fix
it!

>  		/* Turn single EOF into zero-length read */
>  		if (L_EXTPROC(tty) && tty->icanon && n == 1) {
> -			if (!tty->read_cnt && (*b)[n-1] == EOF_CHAR(tty))
> +			get_user(ch, b[n-1]);
> +			if (!tty->read_cnt && ch == EOF_CHAR(tty))
>  				n--;
>  		}

The real question is what this code should be doing. The only case it can
be triggered as far as I can see is:

User provides buffer one byte shorter than the size passed to the syscall
Data is copied and copy_to_user returns 1 byte uncopied
n ends up as one

At this point we can take this path. What I don't understand at this
point is what this code path is actually *supposed* to do.

I think it should be testing against the value of n before the n -=
retval, and also checking the data it copied *from* in kernel space, not
the user size. The user data might be changed by another thread.

First problem therefore is to figure out what this code is supposed to be
doing. However you are right that the code is incorrect, and if it was a
simple bug your fix would also be correct.

It's not simple however, so can anyone work out or remember wtf the code
should be doing ???

Alan