The patch titled Subject: lib: reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user() has been added to the -mm tree. Its filename is lib-reduce-user_access_begin-boundaries-in-strncpy_from_user-and-strnlen_user.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/lib-reduce-user_access_begin-boundaries-in-strncpy_from_user-and-strnlen_user.patch and later at http://ozlabs.org/~akpm/mmotm/broken-out/lib-reduce-user_access_begin-boundaries-in-strncpy_from_user-and-strnlen_user.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Christophe Leroy <christophe.leroy@xxxxxx> Subject: lib: reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user() The range passed to user_access_begin() by strncpy_from_user() and strnlen_user() starts at 'src' and goes up to the limit of userspace allthough reads will be limited by the 'count' param. On 32 bits powerpc (book3s/32) access has to be granted for each 256Mbytes segment and the cost increases with the number of segments to unlock. Limit the range with 'count' param. Link: http://lkml.kernel.org/r/70f99f7474826883877e84f93224e937d9c974de.1579767339.git.christophe.leroy@xxxxxx Fixes: 594cc251fdd0 ("make 'user_access_begin()' do 'access_ok()'") Signed-off-by: Christophe Leroy <christophe.leroy@xxxxxx> Acked-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- lib/strncpy_from_user.c | 14 +++++++------- lib/strnlen_user.c | 14 +++++++------- 2 files changed, 14 insertions(+), 14 deletions(-) --- a/lib/strncpy_from_user.c~lib-reduce-user_access_begin-boundaries-in-strncpy_from_user-and-strnlen_user +++ a/lib/strncpy_from_user.c @@ -30,13 +30,6 @@ static inline long do_strncpy_from_user( const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS; unsigned long res = 0; - /* - * Truncate 'max' to the user-specified limit, so that - * we only have one limit we need to check in the loop - */ - if (max > count) - max = count; - if (IS_UNALIGNED(src, dst)) goto byte_at_a_time; @@ -114,6 +107,13 @@ long strncpy_from_user(char *dst, const unsigned long max = max_addr - src_addr; long retval; + /* + * Truncate 'max' to the user-specified limit, so that + * we only have one limit we need to check in the loop + */ + if (max > count) + max = count; + kasan_check_write(dst, count); check_object_size(dst, count, false); if (user_access_begin(src, max)) { --- a/lib/strnlen_user.c~lib-reduce-user_access_begin-boundaries-in-strncpy_from_user-and-strnlen_user +++ a/lib/strnlen_user.c @@ -27,13 +27,6 @@ static inline long do_strnlen_user(const unsigned long c; /* - * Truncate 'max' to the user-specified limit, so that - * we only have one limit we need to check in the loop - */ - if (max > count) - max = count; - - /* * Do everything aligned. But that means that we * need to also expand the maximum.. */ @@ -109,6 +102,13 @@ long strnlen_user(const char __user *str unsigned long max = max_addr - src_addr; long retval; + /* + * Truncate 'max' to the user-specified limit, so that + * we only have one limit we need to check in the loop + */ + if (max > count) + max = count; + if (user_access_begin(str, max)) { retval = do_strnlen_user(str, count, max); user_access_end(); _ Patches currently in -mm which might be from christophe.leroy@xxxxxx are lib-reduce-user_access_begin-boundaries-in-strncpy_from_user-and-strnlen_user.patch init-fix-misleading-this-architecture-does-not-have-kernel-memory-protection-message.patch