mirror of
https://github.com/torvalds/linux.git
synced 2024-11-18 18:11:56 +00:00
96d4f267e4
Nobody has actually used the type (VERIFY_READ vs VERIFY_WRITE) argument
of the user address range verification function since we got rid of the
old racy i386-only code to walk page tables by hand.
It existed because the original 80386 would not honor the write protect
bit when in kernel mode, so you had to do COW by hand before doing any
user access. But we haven't supported that in a long time, and these
days the 'type' argument is a purely historical artifact.
A discussion about extending 'user_access_begin()' to do the range
checking resulted this patch, because there is no way we're going to
move the old VERIFY_xyz interface to that model. And it's best done at
the end of the merge window when I've done most of my merges, so let's
just get this done once and for all.
This patch was mostly done with a sed-script, with manual fix-ups for
the cases that weren't of the trivial 'access_ok(VERIFY_xyz' form.
There were a couple of notable cases:
- csky still had the old "verify_area()" name as an alias.
- the iter_iov code had magical hardcoded knowledge of the actual
values of VERIFY_{READ,WRITE} (not that they mattered, since nothing
really used it)
- microblaze used the type argument for a debug printout
but other than those oddities this should be a total no-op patch.
I tried to fix up all architectures, did fairly extensive grepping for
access_ok() uses, and the changes are trivial, but I may have missed
something. Any missed conversion should be trivially fixable, though.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
229 lines
5.1 KiB
C
229 lines
5.1 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef __ASM_GENERIC_UACCESS_H
|
|
#define __ASM_GENERIC_UACCESS_H
|
|
|
|
/*
|
|
* User space memory access functions, these should work
|
|
* on any machine that has kernel and user data in the same
|
|
* address space, e.g. all NOMMU machines.
|
|
*/
|
|
#include <linux/string.h>
|
|
|
|
#include <asm/segment.h>
|
|
|
|
#define MAKE_MM_SEG(s) ((mm_segment_t) { (s) })
|
|
|
|
#ifndef KERNEL_DS
|
|
#define KERNEL_DS MAKE_MM_SEG(~0UL)
|
|
#endif
|
|
|
|
#ifndef USER_DS
|
|
#define USER_DS MAKE_MM_SEG(TASK_SIZE - 1)
|
|
#endif
|
|
|
|
#ifndef get_fs
|
|
#define get_ds() (KERNEL_DS)
|
|
#define get_fs() (current_thread_info()->addr_limit)
|
|
|
|
static inline void set_fs(mm_segment_t fs)
|
|
{
|
|
current_thread_info()->addr_limit = fs;
|
|
}
|
|
#endif
|
|
|
|
#ifndef segment_eq
|
|
#define segment_eq(a, b) ((a).seg == (b).seg)
|
|
#endif
|
|
|
|
#define access_ok(addr, size) __access_ok((unsigned long)(addr),(size))
|
|
|
|
/*
|
|
* The architecture should really override this if possible, at least
|
|
* doing a check on the get_fs()
|
|
*/
|
|
#ifndef __access_ok
|
|
static inline int __access_ok(unsigned long addr, unsigned long size)
|
|
{
|
|
return 1;
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* These are the main single-value transfer routines. They automatically
|
|
* use the right size if we just have the right pointer type.
|
|
* This version just falls back to copy_{from,to}_user, which should
|
|
* provide a fast-path for small values.
|
|
*/
|
|
#define __put_user(x, ptr) \
|
|
({ \
|
|
__typeof__(*(ptr)) __x = (x); \
|
|
int __pu_err = -EFAULT; \
|
|
__chk_user_ptr(ptr); \
|
|
switch (sizeof (*(ptr))) { \
|
|
case 1: \
|
|
case 2: \
|
|
case 4: \
|
|
case 8: \
|
|
__pu_err = __put_user_fn(sizeof (*(ptr)), \
|
|
ptr, &__x); \
|
|
break; \
|
|
default: \
|
|
__put_user_bad(); \
|
|
break; \
|
|
} \
|
|
__pu_err; \
|
|
})
|
|
|
|
#define put_user(x, ptr) \
|
|
({ \
|
|
void __user *__p = (ptr); \
|
|
might_fault(); \
|
|
access_ok(__p, sizeof(*ptr)) ? \
|
|
__put_user((x), ((__typeof__(*(ptr)) __user *)__p)) : \
|
|
-EFAULT; \
|
|
})
|
|
|
|
#ifndef __put_user_fn
|
|
|
|
static inline int __put_user_fn(size_t size, void __user *ptr, void *x)
|
|
{
|
|
return unlikely(raw_copy_to_user(ptr, x, size)) ? -EFAULT : 0;
|
|
}
|
|
|
|
#define __put_user_fn(sz, u, k) __put_user_fn(sz, u, k)
|
|
|
|
#endif
|
|
|
|
extern int __put_user_bad(void) __attribute__((noreturn));
|
|
|
|
#define __get_user(x, ptr) \
|
|
({ \
|
|
int __gu_err = -EFAULT; \
|
|
__chk_user_ptr(ptr); \
|
|
switch (sizeof(*(ptr))) { \
|
|
case 1: { \
|
|
unsigned char __x = 0; \
|
|
__gu_err = __get_user_fn(sizeof (*(ptr)), \
|
|
ptr, &__x); \
|
|
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
|
|
break; \
|
|
}; \
|
|
case 2: { \
|
|
unsigned short __x = 0; \
|
|
__gu_err = __get_user_fn(sizeof (*(ptr)), \
|
|
ptr, &__x); \
|
|
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
|
|
break; \
|
|
}; \
|
|
case 4: { \
|
|
unsigned int __x = 0; \
|
|
__gu_err = __get_user_fn(sizeof (*(ptr)), \
|
|
ptr, &__x); \
|
|
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
|
|
break; \
|
|
}; \
|
|
case 8: { \
|
|
unsigned long long __x = 0; \
|
|
__gu_err = __get_user_fn(sizeof (*(ptr)), \
|
|
ptr, &__x); \
|
|
(x) = *(__force __typeof__(*(ptr)) *) &__x; \
|
|
break; \
|
|
}; \
|
|
default: \
|
|
__get_user_bad(); \
|
|
break; \
|
|
} \
|
|
__gu_err; \
|
|
})
|
|
|
|
#define get_user(x, ptr) \
|
|
({ \
|
|
const void __user *__p = (ptr); \
|
|
might_fault(); \
|
|
access_ok(__p, sizeof(*ptr)) ? \
|
|
__get_user((x), (__typeof__(*(ptr)) __user *)__p) :\
|
|
((x) = (__typeof__(*(ptr)))0,-EFAULT); \
|
|
})
|
|
|
|
#ifndef __get_user_fn
|
|
static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
|
|
{
|
|
return unlikely(raw_copy_from_user(x, ptr, size)) ? -EFAULT : 0;
|
|
}
|
|
|
|
#define __get_user_fn(sz, u, k) __get_user_fn(sz, u, k)
|
|
|
|
#endif
|
|
|
|
extern int __get_user_bad(void) __attribute__((noreturn));
|
|
|
|
/*
|
|
* Copy a null terminated string from userspace.
|
|
*/
|
|
#ifndef __strncpy_from_user
|
|
static inline long
|
|
__strncpy_from_user(char *dst, const char __user *src, long count)
|
|
{
|
|
char *tmp;
|
|
strncpy(dst, (const char __force *)src, count);
|
|
for (tmp = dst; *tmp && count > 0; tmp++, count--)
|
|
;
|
|
return (tmp - dst);
|
|
}
|
|
#endif
|
|
|
|
static inline long
|
|
strncpy_from_user(char *dst, const char __user *src, long count)
|
|
{
|
|
if (!access_ok(src, 1))
|
|
return -EFAULT;
|
|
return __strncpy_from_user(dst, src, count);
|
|
}
|
|
|
|
/*
|
|
* Return the size of a string (including the ending 0)
|
|
*
|
|
* Return 0 on exception, a value greater than N if too long
|
|
*/
|
|
#ifndef __strnlen_user
|
|
#define __strnlen_user(s, n) (strnlen((s), (n)) + 1)
|
|
#endif
|
|
|
|
/*
|
|
* Unlike strnlen, strnlen_user includes the nul terminator in
|
|
* its returned count. Callers should check for a returned value
|
|
* greater than N as an indication the string is too long.
|
|
*/
|
|
static inline long strnlen_user(const char __user *src, long n)
|
|
{
|
|
if (!access_ok(src, 1))
|
|
return 0;
|
|
return __strnlen_user(src, n);
|
|
}
|
|
|
|
/*
|
|
* Zero Userspace
|
|
*/
|
|
#ifndef __clear_user
|
|
static inline __must_check unsigned long
|
|
__clear_user(void __user *to, unsigned long n)
|
|
{
|
|
memset((void __force *)to, 0, n);
|
|
return 0;
|
|
}
|
|
#endif
|
|
|
|
static inline __must_check unsigned long
|
|
clear_user(void __user *to, unsigned long n)
|
|
{
|
|
might_fault();
|
|
if (!access_ok(to, n))
|
|
return n;
|
|
|
|
return __clear_user(to, n);
|
|
}
|
|
|
|
#include <asm/extable.h>
|
|
|
|
#endif /* __ASM_GENERIC_UACCESS_H */
|