Why do you have to use copy_to_user()/copy_from_user() to access user space from the kernel?

Question

I'm curious, because I got a kernel panic after trying to access memory directly (then I found these functions).

Answer 1

These functions do a few things:

• They check if the supplied userspace block is entirely within the user portion of the address space (access_ok()) - this prevents userspace applications from asking the kernel to read/write kernel addresses;
• They return an error if any of the addresses are inaccessible, allowing the error to be returned to userspace (EFAULT) instead of crashing the kernel (this is implemented by special co-operation with the page fault handler, which specifically can detect when a fault occurs in one of the user memory access functions);
• They allow architecture-specific magic, for example to ensure consistency on architectures with virtually-tagged caches, to disable protections like SMAP or to switch address spaces on architectures with separate user/kernel address spaces like S/390.

Answer 2

Those functions check whether the memory is accessible. If the kernel attempts to directly access a non-accessible address, it will panic. But in addition, the kernel and user address spaces may be different ... a valid address in the user address space may not be accessible in the kernel, and if it is it may point to kernel stuff rather than user stuff.

For more details, see https://developer.ibm.com/articles/l-kernel-memory-access

On a historical note: once upon a time there were operating systems in which the kernel was designed to be part of the user address space, and in those systems the kernel could always access user space directly. There may still be such systems, but modern linux isn't one. The user process's memory being part of the kernel address space is always an option for the implementation, of course, and that can make copy_to_user and copy_from_user a lot faster.