Re: page fault from kernel code

Hello,

Mandeep Sandhu wrote:

if i dereference a user-space pointer from inside my driver (kernel code) without the customary checks of copy_[to/from]_user,
then if the page i'm accessing is not available, it would cause a
page fault. the kernel then "oops". why is this so? can't we
gracefully recover from here ....we still have the user process's
context with us. The page fault handler would get the page in...and
I can go about doing my business. my code would sleep, but then that's
OK with me.

(References below apply to kernel 2.4)

In fact, copy_[to/from]_user lets the page fault handler handle the potential page fault generated when accessing the user space memory. Simply, before accessing this memory, copy_[to/from]_user «informs» the page fault handler that a page fault generated at a specific address on the user space memory should not be considered as invalid (so no «Oops» is generated).

The mechanism used to do this is a bit tricky. Have a look at the __copy_user() macro in include/asm-i386/uaccess.h. It adds information in the «__ex_table» ELF section and some code in the «.fixup» section. The __ex_table section.

Then, you can see that the do_page_fault() function (in arch/i386/mm/fault.c), called when a page fault occurs, calls the search_exception_table() with the EIP that generated the page fault. The search_exception_table() function is implemented in the arch/i386/mm/extable.c file. Basically, its job is to travel through the table stored in the «__ex_table» ELF section of the kernel to see if the given EIP is authorized to access user space.

For clearer explanations, I recommend that you read Chapter 5.7 of the Linux 2.4 VM documentation written by Mel Gorman, available at http://www.skynet.ie/~mel/projects/vm/guide/understand_html.tar.gz.

Thomas
--
Thomas Petazzoni
thomas.petazzoni@xxxxxxxx
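
The lookup described in the message above, as an added user-space model that is not part of the original post and not kernel source: a table of (faulting instruction, fixup) pairs sorted by instruction address is searched for the faulting EIP, and a miss is the case that ends in an oops. The names ex_entry, sample_table and sim_search_exception_table are hypothetical, and all addresses are constructed sample values.

```c
#include <stddef.h>
#include <stdio.h>

/* Model of one __ex_table entry: the address of an instruction that is
 * allowed to fault on user memory, and the .fixup code to resume at. */
struct ex_entry {
    unsigned long insn;
    unsigned long fixup;
};

/* Constructed sample table, sorted by insn (addresses are made up). */
static const struct ex_entry sample_table[] = {
    { 0xc0101000UL, 0xc02f0000UL },
    { 0xc0101040UL, 0xc02f0010UL },
    { 0xc0105a20UL, 0xc02f0020UL },
};
#define SAMPLE_LEN (sizeof(sample_table) / sizeof(sample_table[0]))

/* Binary search for the faulting EIP. Returns the fixup address to
 * resume at, or 0 when the instruction has no entry (the oops case). */
static unsigned long sim_search_exception_table(const struct ex_entry *t,
                                                size_t n, unsigned long eip)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (t[mid].insn == eip)
            return t[mid].fixup;
        if (t[mid].insn < eip)
            lo = mid + 1;
        else
            hi = mid;
    }
    return 0;
}

int main(void)
{
    /* One EIP registered by a copy routine, one from a raw dereference. */
    unsigned long eips[] = { 0xc0101040UL, 0xc0101044UL };
    for (size_t i = 0; i < 2; i++) {
        unsigned long fix =
            sim_search_exception_table(sample_table, SAMPLE_LEN, eips[i]);
        if (fix) printf("eip %#lx: resume at fixup %#lx\n", eips[i], fix);
        else     printf("eip %#lx: no entry, oops\n", eips[i]);
    }
    return 0;
}
```

The match is on the exact instruction address, which is why a plain pointer dereference in a driver gets no fixup: nothing registered that instruction in the table.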

--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
FAQ:           http://kernelnewbies.org/faq/