On Mon, May 08, 2017 at 04:06:35PM +0200, Jann Horn wrote: > I think Kees might be talking about > https://bugs.chromium.org/p/project-zero/issues/detail?id=822, fixed in > commit e6978e4bf181fb3b5f8cb6f71b4fe30fbf1b655c. The issue was that > perf code that can run in pretty much any context called access_ok(). And that commit has *NOT* solved the problem. perf_callchain_user() can be called synchronously, without passing through that code. Tracepoint shite... That set_fs() should be done in get_perf_callchain(), just around the call of perf_callchain_user(). Along with pagefault_disable(), actually. BTW, that's a nice example demonstrating why doing that on the kernel boundary is wrong. Wider (in theory) area being "protected" => easier to miss the ways not crossing its border. -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
