From patchwork Sun Dec 5 10:06:03 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ohad Ben Cohen X-Patchwork-Id: 380781 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by demeter1.kernel.org (8.14.4/8.14.3) with ESMTP id oB5A4JFp022383 for ; Sun, 5 Dec 2010 10:04:19 GMT Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753982Ab0LEKDo (ORCPT ); Sun, 5 Dec 2010 05:03:44 -0500 Received: from mail-ww0-f44.google.com ([74.125.82.44]:52465 "EHLO mail-ww0-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753882Ab0LEKDm (ORCPT ); Sun, 5 Dec 2010 05:03:42 -0500 Received: by wwa36 with SMTP id 36so11735783wwa.1 for ; Sun, 05 Dec 2010 02:03:41 -0800 (PST) Received: by 10.227.144.12 with SMTP id x12mr4116336wbu.218.1291543420741; Sun, 05 Dec 2010 02:03:40 -0800 (PST) Received: from localhost.localdomain (89-139-39-216.bb.netvision.net.il [89.139.39.216]) by mx.google.com with ESMTPS id 11sm2602381wbj.19.2010.12.05.02.03.38 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sun, 05 Dec 2010 02:03:39 -0800 (PST) From: Ohad Ben-Cohen To: , , Cc: , Greg KH , Russell King , Ohad Ben-Cohen Subject: [RFC] add BUG_ON_MAPPABLE_NULL macro Date: Sun, 5 Dec 2010 12:06:03 +0200 Message-Id: <1291543563-5655-1-git-send-email-ohad@wizery.com> X-Mailer: git-send-email 1.7.0.4 Sender: linux-omap-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-omap@vger.kernel.org X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.3 (demeter1.kernel.org [140.211.167.41]); Sun, 05 Dec 2010 10:04:20 +0000 (UTC) diff --git a/arch/arm/include/asm/mman.h b/arch/arm/include/asm/mman.h index 41f99c5..f0c5d58 100644 --- a/arch/arm/include/asm/mman.h +++ b/arch/arm/include/asm/mman.h 
@@ -1,4 +1,6 @@ #include +#include +#include #define arch_mmap_check(addr, len, flags) \ (((flags) & MAP_FIXED && (addr) < FIRST_USER_ADDRESS) ? -EINVAL : 0) diff --git a/include/asm-generic/bug.h b/include/asm-generic/bug.h index c2c9ba0..0171a30 100644 --- a/include/asm-generic/bug.h +++ b/include/asm-generic/bug.h @@ -2,6 +2,11 @@ #define _ASM_GENERIC_BUG_H #include +#include + +#ifndef arch_mmap_check +#define arch_mmap_check(addr, len, flags) (0) +#endif #ifdef CONFIG_BUG 
@@ -53,6 +58,47 @@ struct bug_entry { #define BUG_ON(condition) do { if (unlikely(condition)) BUG(); } while(0) #endif +/** + * BUG_ON_MAPPABLE_NULL() - BUG_ON(condition) only if address 0 is mappable + * @condition: condition to check, should contain a NULL check + * + * In general, NULL dereference Oopses are not desirable, since they take down + * the system with them and make the user extremely unhappy. So as a general + * rule drivers should avoid dereferencing NULL pointers by doing a simple + * check (when appropriate), and just return an error rather than crash. + * This way the system, despite having reduced functionality, will just keep + * running rather than immediately reboot. + * + * _Critical_ kernel code, OTOH, that should not (/cannot) keep running when + * given an unexpected NULL pointer, should just crash. On some architectures, + * a NULL dereference will always reliably produce an Oops. On others, where + * the zero address can be mmapped, an Oops is not guaranteed. Relying on + * NULL dereference Oopses to happen on these architectures might lead to + * data corruptions (system will keep running despite a critical bug and + * the results will be horribly undefined). In addition, these situations + * can also have security implications - we have seen several privilege + * escalation exploits with which an attacker gained full control over the + * system due to NULL dereference bugs. + * + * This macro will BUG_ON if @condition is true on architectures where the zero + * address can be mapped. On other architectures, where the zero address + * can never be mapped, this macro is compiled out. It only makes sense to + * use this macro if @condition contains a NULL check, in order to optimize that + * check out on architectures where the zero address can never be mapped. + * On such architectures, those checks are not necessary, since the code + * itself will reliably reproduce an Oops as soon as the NULL address will + * be dereferenced. 
+ * + * As with BUG_ON, use this macro only if @condition cannot be tolerated. + * If proceeding with degraded functionality is an option, it's much + * better to just simply check for @condition and return some error code rather + * than crash the system. + */ +#define BUG_ON_MAPPABLE_NULL(cond) do { \ + if (arch_mmap_check(0, 1, MAP_FIXED) == 0) \ + BUG_ON(cond); \ +} while (0) + /* * WARN(), WARN_ON(), WARN_ON_ONCE, and so on can be used to report * significant issues that need prompt attention if they should ever
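Review bot: the two headers added to arch/arm/include/asm/mman.h exist only because arch_mmap_check() is now expanded from asm-generic/bug.h, where EINVAL and FIRST_USER_ADDRESS are not otherwise in scope; that dependency deserves a sentence in the changelog, and it needs a check that neither header (directly or through linux/kernel.h) pulls in asm/bug.h again, because bug.h is included by nearly every translation unit in the tree and a cycle between it and the arch mman.h header would break the ARM build.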
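Review bot: the fallback `#ifndef arch_mmap_check / #define arch_mmap_check(addr, len, flags) (0)` in asm-generic/bug.h is include-order sensitive: if bug.h is reached before the architecture's own definition, the stub is defined first and the later arch definition triggers a macro redefinition warning (an error with -Werror); if the arch definition comes first, the stub is skipped, so the result depends on which header a given .c file happens to include first. mm/mmap.c already carries the same `#ifndef` fallback, so there should be exactly one such definition in a header that both mm/ and bug.h can include, with the copy in mm/mmap.c removed. It is also worth spelling out in the comment that with the stub in place the compile-time test `arch_mmap_check(0, 1, MAP_FIXED) == 0` is true on every architecture that does not define arch_mmap_check, so BUG_ON_MAPPABLE_NULL() is a plain BUG_ON() everywhere except on architectures that reject a MAP_FIXED mapping at address 0.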
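Review bot: `BUG_ON_MAPPABLE_NULL(cond)` never evaluates `cond` when `arch_mmap_check(0, 1, MAP_FIXED)` is non-zero, which differs from BUG_ON(), whose condition is evaluated even when CONFIG_BUG is off; any side effect inside `cond`, and any variable referenced only there, disappears on the compiled-out architectures but stays on the ones using the fallback, giving per-architecture behaviour differences and unused-variable warnings that only show up on some builds. Either evaluate the condition in both branches, for example `if (arch_mmap_check(0, 1, MAP_FIXED) == 0) BUG_ON(cond); else (void)(cond);`, or state in the kerneldoc that the argument must be side-effect free. Two smaller points in the same hunk: the kerneldoc documents `@condition` while the macro parameter is named `cond`, and "reliably reproduce an Oops" should read "reliably produce an Oops".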