    [PATCH] /proc/kcore: handle unmapped areas · d717623a
    Andrew Morton authored
    From: Andi Kleen <ak@suse.de>
    
    On i386 and most other ports kern_addr_valid is hardcoded to 1.
    
    This works fine as long as only mapped areas are accessed.  When you have
    something partially mapped in the kclist it is possible that start points to
    an unmapped address.  The correct behaviour in this case is to zero the user
    space.  We shouldn't return -EFAULT because the fault is against the mmapped
    range, not against the user's address.
    
    copy_to_user usually even checks for exceptions on both source and
    destination, but it does not zero the destination in this case and worse
    results in EFAULT, which is user visible.
    
    This patch just tries to clear_user in this case again to actually zero the
    user data and catch real user side EFAULTs.
    
    Another way to fix this is to have kern_addr_valid do a real page table
    lookup (I did that on AMD64), but having this fallback is a bit more
    reliable in case there is a race somewhere.
    
    On i386 it could happen for example if the direct space to max_low_pfn
    contains something unmapped.  This normally isn't the case, but e.g. the
    slab debugging patches in -mm* do this so it's better to handle it.
    
    Drawback is that it relies on a somewhat undocumented copy_to_user behaviour
    (fault on both source and destination).  It is true for i386 and amd64, but I
    don't know if it is for other ports.  In the worst case they just don't have
    the race protection and may see bogus EFAULTs.
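The fallback described in the commit message, as an added user-space simulation (not the kernel's read_kcore() code and not part of the patch): mocked copy_to_user()/clear_user() that fault when the source or destination is unmapped, with the "before" read path that turns every copy failure into -EFAULT and the "after" path that retries with clear_user() so an unmapped kcore range is returned as zeros while a genuinely bad user buffer still gets -EFAULT. The mapping tables, buffer sizes and scenario values are constructed for illustration.

```c
/*
 * Added example, not from the kernel or the patch: a user-space simulation of
 * the read_kcore() fallback described in the commit message. The mapping
 * tables, the copy_to_user()/clear_user() mocks and the before/after read
 * functions are all constructed for illustration.
 */
#include <stddef.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

#define KSIZE 64u   /* size of the simulated kernel window exposed via kcore */
#define USIZE 64u   /* size of the simulated user buffer */

/* Simulated kernel memory plus a per-byte "is this mapped" table. */
static unsigned char kmem[KSIZE];
static int kmapped[KSIZE];

/* Simulated user destination plus its per-byte mapping table. */
static unsigned char umem[USIZE];
static int umapped[USIZE];

static void map_range(int *map, size_t start, size_t len, int mapped)
{
    for (size_t i = start; i < start + len; i++)
        map[i] = mapped;
}

/* True if [start, start+len) lies inside the space and is fully mapped. */
static int range_ok(const int *map, size_t start, size_t len, size_t limit)
{
    if (start + len > limit)
        return 0;
    for (size_t i = start; i < start + len; i++)
        if (!map[i])
            return 0;
    return 1;
}

/*
 * Mock of copy_to_user() with the i386/amd64 behaviour the commit relies on:
 * it faults if either the source or the destination is unmapped, does not
 * report which side faulted, and does not zero the destination.
 */
static unsigned long mock_copy_to_user(size_t udst, size_t ksrc, size_t n)
{
    if (!range_ok(kmapped, ksrc, n, KSIZE) || !range_ok(umapped, udst, n, USIZE))
        return n;                         /* bytes not copied */
    memcpy(&umem[udst], &kmem[ksrc], n);
    return 0;
}

/* Mock of clear_user(): faults only if the destination is unmapped. */
static unsigned long mock_clear_user(size_t udst, size_t n)
{
    if (!range_ok(umapped, udst, n, USIZE))
        return n;
    memset(&umem[udst], 0, n);
    return 0;
}

/* Before the patch: any copy failure becomes a user-visible -EFAULT. */
static long kcore_read_before(size_t udst, size_t ksrc, size_t n)
{
    if (mock_copy_to_user(udst, ksrc, n))
        return -EFAULT;
    return (long)n;
}

/*
 * After the patch: on failure, retry with clear_user(). Success means the
 * fault was on the kernel side (unmapped kcore range) and the caller gets
 * zeros; a second failure means the user's own buffer is bad, so -EFAULT.
 */
static long kcore_read_after(size_t udst, size_t ksrc, size_t n)
{
    if (mock_copy_to_user(udst, ksrc, n) && mock_clear_user(udst, n))
        return -EFAULT;
    return (long)n;
}

/*
 * Constructed scenario: kernel bytes 0..31 mapped and filled with 0xAB,
 * bytes 32..63 unmapped (a partially mapped kclist entry). The user buffer
 * is prefilled with 0xFF and is either fully mapped or fully unmapped.
 */
static void setup_scenario(int user_mapped)
{
    memset(kmem, 0xAB, KSIZE);
    map_range(kmapped, 0, 32, 1);
    map_range(kmapped, 32, 32, 0);
    memset(umem, 0xFF, USIZE);
    map_range(umapped, 0, USIZE, user_mapped);
}

static int user_byte(size_t i) { return umem[i]; }

int main(void)
{
    setup_scenario(1);
    printf("before, unmapped kernel range: %ld\n", kcore_read_before(0, 40, 16));
    setup_scenario(1);
    printf("after,  unmapped kernel range: %ld (umem[0]=%d)\n",
           kcore_read_after(0, 40, 16), user_byte(0));
    return 0;
}
```

With the 16-byte read at kernel offset 40, the "before" path returns -EFAULT even though the user buffer is valid (the bogus EFAULT the commit describes), while the "after" path returns 16 and leaves zeros in the first 16 user bytes; with the user buffer unmapped, both paths return -EFAULT regardless of the kernel side.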
kcore.c 11.6 KB