/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
 * OpenRISC Linux
 *
 * Linux architectural port borrowing liberally from similar works of
 * others. All original copyrights apply as per the original source
 * declaration.
 *
 * OpenRISC implementation:
 * Copyright (C) 2003 Matjaz Breskvar <phoenix@bsemi.com>
 * Copyright (C) 2010-2011 Jonas Bonn <jonas@southpole.se>
 * et al.
 */
#ifndef __ASM_OPENRISC_UACCESS_H
#define __ASM_OPENRISC_UACCESS_H
/*
 * User space memory access functions
 */
#include <linux/prefetch.h>
#include <linux/string.h>
#include <asm/page.h>
#include <asm/extable.h>
/*
 * The fs value determines whether argument validity checking should be
 * performed or not. If get_fs() == USER_DS, checking is performed, with
 * get_fs() == KERNEL_DS, checking is bypassed.
 *
 * For historical reasons, these macros are grossly misnamed.
 */

/*
 * addr_limit is the maximum accessible address for the task. We misuse
 * the KERNEL_DS and USER_DS values to both assign and compare the
 * addr_limit values through the equally misnamed get/set_fs macros
 * (see above).
 *
 * Security note: __range_ok() compares against get_fs(), so while the
 * limit is KERNEL_DS (~0UL) every range that does not wrap past the top
 * of the address space passes, including ranges in kernel memory. A
 * pointer supplied by user space must therefore never be handed to the
 * accessors in this header while the limit is KERNEL_DS, and code that
 * raises the limit with set_fs() has to put the previous value back on
 * every exit path.
 */

/* All-ones limit: the range check then only rejects wrap-around. */
#define KERNEL_DS (~0UL)

/* Limit for ordinary user tasks. */
#define USER_DS (TASK_SIZE)
/* Read and write the addr_limit field of the current thread_info. */
#define get_fs() (current_thread_info()->addr_limit)
#define set_fs(x) (current_thread_info()->addr_limit = (x))

/* Compare two address-limit values for equality. */
#define segment_eq(a, b) ((a) == (b))
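/*
 * Ensure that the range from addr to addr+size is all within the process'
 * address space.
 *
 * The test is written as "size <= limit && addr <= limit - size" so that
 * addr + size is never computed; that sum could wrap around for a hostile
 * size and make an out-of-range request look valid.
 *
 * Both arguments are parenthesised so that an expression argument (for
 * example "len | flag") is compared as a whole instead of being split by
 * operator precedence. Each argument, and get_fs(), is still evaluated
 * twice: pass side-effect-free unsigned long values, as access_ok() does.
 */
#define __range_ok(addr, size) \
	((size) <= get_fs() && (addr) <= (get_fs() - (size)))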
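/*
 * Ensure that addr is below task's addr_limit.
 *
 * The argument is parenthesised before the cast. A cast binds tighter
 * than "+", so without the parentheses an argument such as "p + 1" would
 * be converted to an integer first and then advanced by one byte rather
 * than by one element, and the wrong address would be tested.
 */
#define __addr_ok(addr) ((unsigned long)(addr) < get_fs())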
/*
 * access_ok - check that the range starting at addr, size bytes long,
 * lies within the current address limit.
 *
 * Both arguments are converted to unsigned long and stored in locals
 * first, so each is evaluated exactly once and __range_ok() receives
 * plain values. The macro evaluates to the result of __range_ok():
 * non-zero when the range is acceptable.
 *
 * This is only a comparison against get_fs(). It does not show that the
 * memory is mapped; the accessors below report a faulting access by
 * returning -EFAULT.
 */
#define access_ok(addr, size) \
({ \
	unsigned long __ao_addr = (unsigned long)(addr); \
	unsigned long __ao_size = (unsigned long)(size); \
	__range_ok(__ao_addr, __ao_size); \
})
/*
 * These are the main single-value transfer routines. They automatically
 * use the right size if we just have the right pointer type.
 *
 * This gets kind of ugly. We want to return _two_ values in "get_user()"
 * and yet we don't want to do any pointers, because that is too much
 * of a performance impact. Thus we have a few rather ugly macros here,
 * and hide all the ugliness from the user.
 *
 * The "__xxx" versions of the user access functions are versions that
 * do not verify the address space, that must have been done previously
 * with a separate "access_ok()" call (this is used when we do multiple
 * accesses to the same area of user memory).
 *
 * As we use the same address space for kernel and user data on the
 * PowerPC, we can just do these as direct assignments. (Of course, the
 * exception handling means that it's no longer "just"...)
 *
 * NOTE(review): the PowerPC wording above looks inherited from the port
 * this header was derived from -- confirm it also describes OpenRISC.
 *
 * Security note: __get_user() and __put_user() dereference ptr with no
 * range check at all. A pointer that has not passed access_ok() must go
 * through get_user() / put_user() instead.
 */

/* Checked accessors: the range is validated with access_ok() first. */
#define get_user(x, ptr) \
	__get_user_check((x), (ptr), sizeof(*(ptr)))
#define put_user(x, ptr) \
	__put_user_check((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))

/* Unchecked accessors: the caller has already called access_ok(). */
#define __get_user(x, ptr) \
	__get_user_nocheck((x), (ptr), sizeof(*(ptr)))
#define __put_user(x, ptr) \
	__put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
/*
 * Called from the default case of __put_user_size() for an unsupported
 * access width. No definition is visible in this header; presumably it
 * is left undefined so that such a use fails at link time -- confirm.
 */
extern long __put_user_bad(void);

/*
 * Store x through the user pointer ptr without calling access_ok().
 * Evaluates to 0 on success, or to -EFAULT when the store faults.
 * The caller must already have validated the range with access_ok().
 */
#define __put_user_nocheck(x, ptr, size) \
({ \
	long __pu_err; \
	__put_user_size((x), (ptr), (size), __pu_err); \
	__pu_err; \
})
/*
 * Store x through the user pointer ptr after checking the range.
 *
 * __pu_err starts out as -EFAULT and is only overwritten when
 * access_ok() accepts the range, so a rejected pointer is never
 * dereferenced and the macro evaluates to -EFAULT for it.
 * ptr is copied into __pu_addr so that it is evaluated once for both
 * the check and the store.
 */
#define __put_user_check(x, ptr, size) \
({ \
	long __pu_err = -EFAULT; \
	__typeof__(*(ptr)) *__pu_addr = (ptr); \
	if (access_ok(__pu_addr, size)) \
		__put_user_size((x), __pu_addr, (size), __pu_err); \
	__pu_err; \
})
/*
 * Dispatch a store of x to ptr on the access width.
 *
 * retval is cleared first; the asm helpers replace it with -EFAULT when
 * the store faults. Widths 1, 2 and 4 use a single l.sb / l.sh / l.sw,
 * width 8 uses the two-word helper, and any other width ends up in
 * __put_user_bad(). No range check is made here.
 */
#define __put_user_size(x, ptr, size, retval) \
do { \
	retval = 0; \
	switch (size) { \
	case 1: __put_user_asm(x, ptr, retval, "l.sb"); break; \
	case 2: __put_user_asm(x, ptr, retval, "l.sh"); break; \
	case 4: __put_user_asm(x, ptr, retval, "l.sw"); break; \
	case 8: __put_user_asm2(x, ptr, retval); break; \
	default: __put_user_bad(); \
	} \
} while (0)
/*
 * Oversized dummy type used only by the __m() cast below.
 * NOTE(review): none of the accessors visible in this header use __m();
 * it looks like a leftover from the "m"-constraint idiom of other
 * ports -- confirm before relying on it.
 */
struct __large_struct {
	unsigned long buf[100];
};
/* Reinterpret the address x as an lvalue of the dummy type above. */
#define __m(x) (*(struct __large_struct *)(x))
/*
 * We don't tell gcc that we are accessing memory, but this is OK
 * because we do not write to any memory gcc knows about, so there
 * are no aliasing issues.
 *
 * Single store of x (%1) to 0(addr) (%2) using the instruction op.
 * Label 1 is the store and label 2 the point after it. The __ex_table
 * entry pairs 1b with the fixup at 3b, which loads -EFAULT (%3) into
 * err (%0) and jumps back to 2b; the l.nop after the jump presumably
 * fills its delay slot. err is tied to operand 0 as an input as well,
 * so it keeps its incoming value when the store does not fault.
 */
#define __put_user_asm(x, addr, err, op) \
	__asm__ __volatile__( \
		"1: "op" 0(%2),%1\n" \
		"2:\n" \
		".section .fixup,\"ax\"\n" \
		"3: l.addi %0,r0,%3\n" \
		" l.j 2b\n" \
		" l.nop\n" \
		".previous\n" \
		".section __ex_table,\"a\"\n" \
		" .align 2\n" \
		" .long 1b,3b\n" \
		".previous" \
		: "=r"(err) \
		: "r"(x), "r"(addr), "i"(-EFAULT), "0"(err))
/*
 * Two-word store used for 8-byte values: %1 goes to 0(addr) at label 1
 * and %H1 to 4(addr) at label 2. Both stores have an __ex_table entry
 * pointing at the shared fixup (label 4), which sets err to -EFAULT and
 * resumes at label 3.
 *
 * Because the two words are stored separately, a fault on the second
 * store leaves the first word already written: -EFAULT here can mean a
 * partial update of the destination.
 */
#define __put_user_asm2(x, addr, err) \
	__asm__ __volatile__( \
		"1: l.sw 0(%2),%1\n" \
		"2: l.sw 4(%2),%H1\n" \
		"3:\n" \
		".section .fixup,\"ax\"\n" \
		"4: l.addi %0,r0,%3\n" \
		" l.j 3b\n" \
		" l.nop\n" \
		".previous\n" \
		".section __ex_table,\"a\"\n" \
		" .align 2\n" \
		" .long 1b,4b\n" \
		" .long 2b,4b\n" \
		".previous" \
		: "=r"(err) \
		: "r"(x), "r"(addr), "i"(-EFAULT), "0"(err))
/*
 * Load a value through the user pointer ptr into x without calling
 * access_ok(). Evaluates to 0 on success, or to -EFAULT when the load
 * faults. The caller must already have validated the range.
 *
 * __gu_val is not initialised here. On a fault the fixup code in the
 * asm helpers clears the value register, so x then receives 0 rather
 * than whatever the register held before.
 *
 * NOTE(review): __gu_val is a long, while the size-8 path loads two
 * words through %1 / %H1 -- confirm that 8-byte reads are handled
 * correctly with a temporary of this type.
 */
#define __get_user_nocheck(x, ptr, size) \
({ \
	long __gu_err, __gu_val; \
	__get_user_size(__gu_val, (ptr), (size), __gu_err); \
	(x) = (__force __typeof__(*(ptr)))__gu_val; \
	__gu_err; \
})
/*
 * Load a value through the user pointer ptr into x after checking the
 * range.
 *
 * __gu_err starts as -EFAULT and __gu_val as 0. When access_ok() rejects
 * the range nothing is dereferenced, the macro evaluates to -EFAULT and
 * x is still assigned 0, so the caller's variable never keeps stale
 * contents after a failed read.
 * ptr is copied into __gu_addr so that it is evaluated once for both
 * the check and the load.
 *
 * NOTE(review): __gu_val is a long, while the size-8 path loads two
 * words through %1 / %H1 -- confirm that 8-byte reads are handled
 * correctly with a temporary of this type.
 */
#define __get_user_check(x, ptr, size) \
({ \
	long __gu_err = -EFAULT, __gu_val = 0; \
	const __typeof__(*(ptr)) * __gu_addr = (ptr); \
	if (access_ok(__gu_addr, size)) \
		__get_user_size(__gu_val, __gu_addr, (size), __gu_err); \
	(x) = (__force __typeof__(*(ptr)))__gu_val; \
	__gu_err; \
})
/*
 * Called from the default case of __get_user_size() for an unsupported
 * access width. No definition is visible in this header; presumably it
 * is left undefined so that such a use fails at link time -- confirm.
 */
extern long __get_user_bad(void);

/*
 * Dispatch a load from ptr into x on the access width.
 *
 * retval is cleared first; the asm helpers replace it with -EFAULT when
 * the load faults. Widths 1, 2 and 4 use a single l.lbz / l.lhz / l.lwz,
 * width 8 uses the two-word helper, and any other width assigns the
 * result of __get_user_bad() to x. No range check is made here.
 */
#define __get_user_size(x, ptr, size, retval) \
do { \
	retval = 0; \
	switch (size) { \
	case 1: __get_user_asm(x, ptr, retval, "l.lbz"); break; \
	case 2: __get_user_asm(x, ptr, retval, "l.lhz"); break; \
	case 4: __get_user_asm(x, ptr, retval, "l.lwz"); break; \
	case 8: __get_user_asm2(x, ptr, retval); break; \
	default: (x) = __get_user_bad(); \
	} \
} while (0)
/*
 * Single load from 0(addr) (%2) into x (%1) using the instruction op.
 * Label 1 is the load and label 2 the point after it. The __ex_table
 * entry pairs 1b with the fixup at 3b, which loads -EFAULT (%3) into
 * err (%0), clears x (%1) and jumps back to 2b.
 *
 * Clearing x in the fixup means a faulting read hands the caller 0
 * instead of the previous contents of the register.
 */
#define __get_user_asm(x, addr, err, op) \
	__asm__ __volatile__( \
		"1: "op" %1,0(%2)\n" \
		"2:\n" \
		".section .fixup,\"ax\"\n" \
		"3: l.addi %0,r0,%3\n" \
		" l.addi %1,r0,0\n" \
		" l.j 2b\n" \
		" l.nop\n" \
		".previous\n" \
		".section __ex_table,\"a\"\n" \
		" .align 2\n" \
		" .long 1b,3b\n" \
		".previous" \
		: "=r"(err), "=r"(x) \
		: "r"(addr), "i"(-EFAULT), "0"(err))
/*
 * Two-word load used for 8-byte values: %1 is loaded from 0(addr) at
 * label 1 and %H1 from 4(addr) at label 2. Both loads have an
 * __ex_table entry pointing at the shared fixup (label 4), which sets
 * err to -EFAULT, clears both halves of x and resumes at label 3, so a
 * fault on either word yields 0 for the whole value.
 *
 * x uses the early-clobber constraint "=&r": the first load writes %1
 * while addr (%2) is still needed for the second load, so the two must
 * not share a register.
 */
#define __get_user_asm2(x, addr, err) \
	__asm__ __volatile__( \
		"1: l.lwz %1,0(%2)\n" \
		"2: l.lwz %H1,4(%2)\n" \
		"3:\n" \
		".section .fixup,\"ax\"\n" \
		"4: l.addi %0,r0,%3\n" \
		" l.addi %1,r0,0\n" \
		" l.addi %H1,r0,0\n" \
		" l.j 3b\n" \
		" l.nop\n" \
		".previous\n" \
		".section __ex_table,\"a\"\n" \
		" .align 2\n" \
		" .long 1b,4b\n" \
		" .long 2b,4b\n" \
		".previous" \
		: "=r"(err), "=&r"(x) \
		: "r"(addr), "i"(-EFAULT), "0"(err))
/* more complex routines */

/*
 * Bulk copy primitive behind raw_copy_from_user() and raw_copy_to_user();
 * it is defined outside this header and takes plain pointers for both
 * directions. The result is marked __must_check.
 * NOTE(review): the return value is presumably the number of bytes that
 * could not be copied -- confirm against the implementation.
 */
extern unsigned long __must_check
__copy_tofrom_user(void *to, const void *from, unsigned long size);
/*
 * Copy size bytes from the user buffer 'from' into the kernel buffer
 * 'to'.
 *
 * No access_ok() check is made here; the range must have been validated
 * by the caller. The __user qualifier is dropped with __force because
 * __copy_tofrom_user() takes plain pointers for both directions.
 * Returns whatever __copy_tofrom_user() returns.
 */
static inline unsigned long
raw_copy_from_user(void *to, const void __user *from, unsigned long size)
{
	const void *src = (__force const void *)from;

	return __copy_tofrom_user(to, src, size);
}
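/*
 * Copy size bytes from the kernel buffer 'from' into the user buffer
 * 'to'.
 *
 * The destination is the user-space pointer, so it is the parameter that
 * carries __user; the source is an ordinary kernel pointer. With the
 * annotation on the correct parameter, static checking can flag a caller
 * that passes an unchecked kernel pointer as the destination or a user
 * pointer as the source. The generated code is unchanged.
 *
 * No access_ok() check is made here; the range must have been validated
 * by the caller. Returns whatever __copy_tofrom_user() returns.
 */
static inline unsigned long
raw_copy_to_user(void __user *to, const void *from, unsigned long size)
{
	/* __copy_tofrom_user() takes plain pointers, hence the __force cast. */
	return __copy_tofrom_user((__force void *)to, from, size);
}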
/*
 * NOTE(review): presumably these select the inlined generic
 * copy_from_user() / copy_to_user() wrappers around the raw_copy_*()
 * helpers above -- confirm against the generic uaccess header.
 */
#define INLINE_COPY_FROM_USER
#define INLINE_COPY_TO_USER

/*
 * Zeroing primitive called by clear_user(); defined outside this header.
 * It performs no access_ok() check in anything visible here.
 */
extern unsigned long __clear_user(void *addr, unsigned long size);
/*
 * Zero size bytes of user memory starting at addr.
 *
 * The range is validated with access_ok() first. When the check fails
 * nothing is written and size is returned unchanged; otherwise the
 * result of __clear_user() is returned.
 *
 * NOTE(review): addr is checked as a user address but is not annotated
 * __user -- confirm whether the annotation is missing here.
 */
static inline __must_check unsigned long
clear_user(void *addr, unsigned long size)
{
	if (likely(access_ok(addr, size)))
		return __clear_user(addr, size);

	return size;
}
/*
 * Upper bound for user addresses in the current context: ~0UL when
 * uaccess_kernel() is true, TASK_SIZE otherwise. uaccess_kernel() is
 * defined outside this header.
 */
#define user_addr_max() \
	(uaccess_kernel() ? ~0UL : TASK_SIZE)

/* String helpers taking a user pointer; defined outside this header. */
extern long strncpy_from_user(char *dest, const char __user *src, long count);

extern __must_check long strnlen_user(const char __user *str, long n);
#endif /* __ASM_OPENRISC_UACCESS_H */