From: Heiko Carstens <heiko.carstens@de.ibm.com>
To: Andreas Schwab <schwab@linux-m68k.org>,
	Geert Uytterhoeven <geert@linux-m68k.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Tuxist <tuxist@tuxist.de>,
	Patrick McCarthy <patrickjmc@gmail.com>,
	Finn Thain <fthain@telegraphics.com.au>,
	Rusty Russell <rusty@rustcorp.com.au>,
	Thomas Gleixner <tglx@linutronix.de>,
	Darren Hart <dvhart@linux.intel.com>,
	Martin Schwidefsky <schwidefsky@de.ibm.com>,
	Linux-Next <linux-next@vger.kernel.org>
Subject: Re: [BUG -next] "futex: switch to USER_DS for futex test" breaks s390
Date: Tue, 7 Jan 2014 09:47:25 +0100
Message-ID: <20140107084725.GA4576@osiris>
In-Reply-To: <20140103160924.GC4219@osiris>

On Fri, Jan 03, 2014 at 05:09:24PM +0100, Heiko Carstens wrote:
> On Fri, Jan 03, 2014 at 04:41:10PM +0100, Andreas Schwab wrote:
> > Heiko Carstens <heiko.carstens@de.ibm.com> writes:
> > 
> > > There is also other code that relies on this: e.g. copy_mount_options() may be
> > > called with KERNEL_DS.
> > 
> > With KERNEL_DS you can *only* access kernel memory, which is unpagable.
> > If you want to access user memory, you _must_ use USER_DS.
> 
> I didn't say anything else. copy_mount_options() will be called with KERNEL_DS
> from e.g. do_mount_root().

Just to be more precise: when sys_mount() gets called from kernel space (with
KERNEL_DS) it will call copy_mount_options() which in turn will call
exact_copy_from_user() which will usually copy a whole page, unless a fault
happens.
E.g. devtmpfsd() (drivers/base/devtmpfs.c) calls sys_mount() with mount options
being on the kernel stack. Now if these mount options are at the beginning of
the kernel stack, copy_mount_options() _will_ cross page boundaries and leave
the kernel stack. In case of DEBUG_PAGEALLOC it's not very unlikely that the
next page has an invalid mapping and a fault happens.

I'm not saying that the devtmpfsd() code is correct, however this code would
crash on m68k as well if it doesn't fix up its instruction pointer for
exceptions in kernel space.
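As an added illustration of the page-crossing copy described in this message (constructed for this page, not code from the thread or from the kernel), the following userspace model uses one mapped 4 KiB page standing in for the kernel stack that holds the mount options, leaves the next page unmapped as DEBUG_PAGEALLOC might, copies byte-wise until the first "fault" in the spirit of exact_copy_from_user()'s fixup path, and contrasts the whole-page copy with a bounded variant that clamps the length at the page boundary. The names SIM_PAGE_SIZE, sim_mem, last_fault, faulting_copy, copy_whole_page and copy_bounded are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model: 4 KiB pages (as on s390), one mapped page standing in
 * for the kernel stack that holds the mount options, and the page after it
 * unmapped, as DEBUG_PAGEALLOC may leave it. Aligned so page arithmetic on
 * addresses inside sim_mem behaves like real page arithmetic. */
#define SIM_PAGE_SIZE 4096UL
static unsigned char sim_mem[2 * SIM_PAGE_SIZE] __attribute__((aligned(4096)));
static unsigned char dst[SIM_PAGE_SIZE];
int last_fault; /* set to 1 when a copy touched the unmapped page */

static int is_mapped(const unsigned char *p)
{
    return p >= sim_mem && p < sim_mem + SIM_PAGE_SIZE;
}

/* Byte-wise copy that stops at the first "fault" (an unmapped byte), modelling
 * the fixup path of exact_copy_from_user(): returns the bytes actually copied. */
static size_t faulting_copy(const unsigned char *from, size_t n)
{
    size_t i;
    last_fault = 0;
    for (i = 0; i < n; i++) {
        if (!is_mapped(from + i)) { last_fault = 1; break; }
        dst[i] = from[i];
    }
    return i;
}

/* Bytes from p to the end of its page: the most one read can take without
 * crossing into the next page. */
static size_t bytes_to_page_end(const unsigned char *p)
{
    return SIM_PAGE_SIZE - ((uintptr_t)p & (SIM_PAGE_SIZE - 1));
}

/* Whole-page copy, as the mail describes copy_mount_options() doing: reads
 * SIM_PAGE_SIZE bytes starting at the options at offset 'off' in the mapped
 * page, so options near the end of the page make the read leave the page. */
size_t copy_whole_page(size_t off)
{
    return faulting_copy(sim_mem + off, SIM_PAGE_SIZE);
}

/* Bounded copy: clamps the length so the read never leaves the source page. */
size_t copy_bounded(size_t off)
{
    return faulting_copy(sim_mem + off, bytes_to_page_end(sim_mem + off));
}
```

With the options placed 16 bytes before the end of the mapped page, copy_whole_page() copies 16 bytes and reports a fault, while copy_bounded() copies the same 16 bytes without ever touching the unmapped page.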

