From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753992AbcITUic (ORCPT ); Tue, 20 Sep 2016 16:38:32 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:60180 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751783AbcITUib (ORCPT ); Tue, 20 Sep 2016 16:38:31 -0400 Date: Tue, 20 Sep 2016 21:38:21 +0100 From: Al Viro To: Linus Torvalds Cc: Heiko Carstens , Martin Schwidefsky , Jan Stancek , Arnd Bergmann , Greg Ungerer , Linux Kernel Mailing List Subject: Re: [PATCH] fix fault_in_multipages_...() on architectures with no-op access_ok() Message-ID: <20160920203821.GQ2356@ZenIV.linux.org.uk> References: <57E131E6.1090507@redhat.com> <20160920150657.GN2356@ZenIV.linux.org.uk> <570490469.234828.1474391501934.JavaMail.zimbra@redhat.com> <20160920190742.GP2356@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.6.1 (2016-04-27) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Sep 20, 2016 at 01:24:25PM -0700, Linus Torvalds wrote: > Quite frankly, I think it is access_ok() that should be fixed for s390. > > A wrapping user access is *not* ok, not even if kernel and user memory > are separate. > > It is insane to make fault_in_multipages..() return EFAULT if a normal > wrapping user access wouldn't. So the fix is not to change > fault_in_multipage_xyz, but to make sure any op that tries to wrap > will properly return EFAULT. Not the point. Of course it *would* fail; the problem is that the loop that would ping each page is never executed. What happens is while (uaddr <= end) touch uaddr uaddr += PAGE_SIZE if uaddr and end point to different pages ping end What happens if uaddr is greater than end, thanks to wraparound? Right, we skip the loop entirely and all we do is one ping of the end. Which might very well succeed, leaving us with false positive.