On Sun, 9 Feb 2025 at 13:18, David Laight <david.laight.linux@xxxxxxxxx> wrote:
>
> Except for the ppc? case which needs the size to open a bounded window.

It passes the size down, but I didn't actually see it *use* the size
anywhere outside of the actual range check.

So it has code like

    static __always_inline void allow_user_access(void __user *to, const void __user *from,
                                                  u32 size, unsigned long dir)
    {
        BUILD_BUG_ON(!__builtin_constant_p(dir));

        if (!(dir & KUAP_WRITE))
            return;

        current->thread.kuap = (__force u32)to;
        uaccess_begin_32s((__force u32)to);
    }

but notice how the size is basically not an issue.

Same for the 8xx case:

    static __always_inline void allow_user_access(void __user *to, const void __user *from,
                                                  unsigned long size, unsigned long dir)
    {
        uaccess_begin_8xx(MD_APG_INIT);
    }

or the booke case:

    static __always_inline void allow_user_access(void __user *to, const void __user *from,
                                                  unsigned long size, unsigned long dir)
    {
        uaccess_begin_booke(current->thread.pid);
    }

but admittedly this is all a maze of small helper functions calling
each other, so I might have missed some path.

              Linus