Excerpt from the report:
The exact same fixup code is being used for copy_to_user and
copy_from_user.
For the copy_from_user case we want to zero the rest of the kernel
destination buffer when we hit a pagefault reading from user space.
However, for the copy_to_user case we most definitely don't want to
write zeros in the destination buffer when we hit a pagefault writing
to user space! I get unhandled pagefaults here, when copy_to_user is
called:
    0xffffffc00073c638 <+8920>: strb wzr, [x6],#1
    0xffffffc00073c63c <+8924>: subs x2, x2, #0x1
    0xffffffc00073c640 <+8928>: b.ne 0xffffffc00073c638 <__hyp_text_end+8920>
    0xffffffc00073c644 <+8932>: ret
I would suggest re-working the fixup path and testing both fixup paths
thoroughly by placing the system under memory pressure and confirming
that they are both "hit".
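The two fixup behaviours the report contrasts, as an added illustration that is not part of the report or of the kernel source: a constructed model of a partly mapped user buffer (`struct ubuf`, the `sim_*` functions and the sample data are all assumptions made for this example) showing that zeroing the tail is correct for copy_from_user's kernel destination but re-faults when the same fixup is reused for copy_to_user's user destination.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a user buffer: any byte at index >= mapped faults. */
struct ubuf { unsigned char *mem; size_t mapped; };

/* Constructed sample data: only the first 4 of 8 user bytes are mapped. */
unsigned char umem[8] = {0xaa, 0xbb, 0xcc, 0xdd, 0, 0, 0, 0};
struct ubuf user = { umem, 4 };
unsigned char kbuf[8] = {1, 2, 3, 4, 5, 6, 7, 8};
unsigned char ksrc[8] = {9, 9, 9, 9, 9, 9, 9, 9};

/* Read-side fixup: zero the unfilled tail of the KERNEL destination so the
 * caller never consumes stale kernel memory (the strb wzr, [x6],#1 loop). */
static size_t fixup_zero_tail(unsigned char *kdst, size_t done, size_t n)
{
    memset(kdst + done, 0, n - done);
    return n - done;                    /* bytes not copied, as the API reports */
}

size_t sim_copy_from_user(unsigned char *dst, const struct ubuf *src, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (i >= src->mapped)           /* page fault reading user memory */
            return fixup_zero_tail(dst, i, n);
        dst[i] = src->mem[i];
    }
    return 0;
}

/* Correct write side: the faulting USER page cannot be written, so the fixup
 * only reports the shortfall and stores nothing. */
size_t sim_copy_to_user(struct ubuf *dst, const unsigned char *src, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (i >= dst->mapped)
            return n - i;
        dst->mem[i] = src[i];
    }
    return 0;
}

/* The shared fixup from the report: the zeroing loop starts at the user
 * address that just faulted, so the fixup's own first store faults again. */
long sim_copy_to_user_shared_fixup(struct ubuf *dst, const unsigned char *src, size_t n)
{
    size_t left = sim_copy_to_user(dst, src, n);
    return left ? -1 : 0;               /* -1: nested fault inside the fixup, unhandled */
}
```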