On Mon, Feb 13, 2017 at 1:56 AM, Steve Capper <steve.capper@xxxxxxxxxx> wrote: > > Okay so looking at what we have for access_ok(.) on arm64, my > understanding is that we perform a 65-bit add/compare (in assembler) to > see whether or not the range is below the current_thread_info->addr_limit. > So I think this is a roundabout way of checking for no-wrap around and <= TASK_SIZE. No, that's the problem. It's *not* testing against TASK_SIZE. Because add_limit is not always TASK_SIZE. When you do set_fs(KERNEL_DS), you set addr_limit to infinity. And yes, the kernel does read and write calls too. Seldom, but it happens. And walking the page tables with kernel addresses is not supposed to work (sometimes it happens to work by mistake). So if somebody finds a path that gets from that kind of situation into the get_user_pages() interface, bad things happen. Linus -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html