On Fri, Jan 03, 2014 at 05:09:24PM +0100, Heiko Carstens wrote: > On Fri, Jan 03, 2014 at 04:41:10PM +0100, Andreas Schwab wrote: > > Heiko Carstens <heiko.carstens@xxxxxxxxxx> writes: > > > > > There is also other code that relies on this: e.g. copy_mount_options() my be > > > called with KERNEL_DS. > > > > With KERNEL_DS you can *only* access kernel memory, which is unpagable. > > If you want to access user memory, you _must_ use USER_DS. > > I didn't say anything else. copy_mount_options() will be called with KERNEL_DS > from e.g. do_mount_root(). Just to be more precise: when sys_mount() gets called from kernel space (with KERNEL_DS) it will call copy_mount_options() which in turn will call exact_copy_from_user() which will usually copy a whole page, unless a fault happens. E.g. devtmpfsd() (drivers/base/devtmpfs.c) calls sys_mount() with mount options being on the kernel stack. Now if these mount options are at the beginning of the kernel stack, copy_mount_options() _will_ cross page boundaries and leave the kernel stack. In case of DEBUG_PAGEALLOC it's not very unlikely that the next page has an invalid mapping and a fault happens. I'm not saying that the devtmpfsd() code is correct, however this code would crash on m68k as well if it doesn't fixup it's instructions pointer for exceptions in kernel space. -- To unsubscribe from this list: send the line "unsubscribe linux-next" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
