• Linus Torvalds's avatar
    make 'user_access_begin()' do 'access_ok()' · 594cc251
    Linus Torvalds authored
    Originally, the rule used to be that you'd have to do access_ok()
    separately, and then user_access_begin() before actually doing the
    direct (optimized) user access.
    
    But experience has shown that people then decide not to do access_ok()
    at all, and instead rely on it being implied by other operations or
    similar.  Which makes it very hard to verify that the access has
    actually been range-checked.
    
    If you use the unsafe direct user accesses, hardware features (either
    SMAP - Supervisor Mode Access Protection - on x86, or PAN - Privileged
    Access Never - on ARM) do force you to use user_access_begin().  But
    nothing really forces the range check.
    
    By putting the range check into user_access_begin(), we actually force
    people to do the right thing (tm), and the range check vill be visible
    near the actual accesses.  We have way too long a history of people
    trying to avoid them.
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    594cc251