Re: bugfix in copy_mount_options()?

From: kernel@kvack.org
Date: Thu May 04 2000 - 16:28:37 EST


On Thu, 4 May 2000, Tigran Aivazian wrote:

> Hi,
>
> It would seem that the callers of find_vma() are supposed to
> down(&mm->mmap_sem) but copy_mount_options() does not do so and the
> obvious attempt to make it do so results in a deadlock. Any ideas on how
> copy_mount_options() can safely call find_vma() without being protected by
> the mmap_sem semaphore?

I presume you did an up on mmap_sem before the copy_from_user. In any
event, it looks like copy_mount_options is suffering from a case of bitrot
-- copy_from_user provides us with exactly the data we need (the length
of valid data at the address) as its return code -- how does the following
patch look? (warning: it's untested)

                -ben

--- super.c.orig Wed May 3 21:10:34 2000
+++ super.c Thu May 4 16:51:51 2000
@@ -1097,21 +1097,20 @@
         if (!data)
                 return 0;
 
- vma = find_vma(current->mm, (unsigned long) data);
- if (!vma || (unsigned long) data < vma->vm_start)
- return -EFAULT;
- if (!(vma->vm_flags & VM_READ))
- return -EFAULT;
- i = vma->vm_end - (unsigned long) data;
- if (PAGE_SIZE <= (unsigned long) i)
- i = PAGE_SIZE-1;
- if (!(page = __get_free_page(GFP_KERNEL))) {
+ if (!(page = __get_free_page(GFP_KERNEL)))
                 return -ENOMEM;
- }
- if (copy_from_user((void *) page,data,i)) {
+
+ /* We only care that *some* data at the address the user
+ * gave us is valid. Just in case, we'll zero
+ * the remainder of the page.
+ */
+ i = copy_from_user((void *) page,data,PAGE_SIZE);
+ if (i == PAGE_SIZE) {
                 free_page(page);
                 return -EFAULT;
         }
+ if (i)
+ memset((char *)page + PAGE_SIZE - i, 0, i);
         *where = page;
         return 0;
 }
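Review bot: the rewritten copy loses the NUL terminator the old code guaranteed. The removed `if (PAGE_SIZE <= (unsigned long) i) i = PAGE_SIZE-1;` meant at most PAGE_SIZE-1 bytes were ever copied, so the last byte of the page stayed free as a terminator for the option string; the new `copy_from_user((void *) page,data,PAGE_SIZE)` can fill the whole page with user data, and since `__get_free_page` does not zero the page, a filesystem that parses `*where` as a C string can then run off the end of the page. Copying `PAGE_SIZE - 1` bytes (with the `-EFAULT` check adjusted to `i == PAGE_SIZE - 1`) and explicitly zeroing the final byte would keep the old guarantee while still relying on `copy_from_user` for the access check in place of the dropped `find_vma` lookup.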
