xref: /openbmc/linux/mm/maccess.c (revision f8e17c17)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Access kernel memory without faulting.
4  */
5 #include <linux/export.h>
6 #include <linux/mm.h>
7 #include <linux/uaccess.h>
8 
9 static __always_inline long
10 probe_read_common(void *dst, const void __user *src, size_t size)
11 {
12 	long ret;
13 
14 	pagefault_disable();
15 	ret = __copy_from_user_inatomic(dst, src, size);
16 	pagefault_enable();
17 
18 	return ret ? -EFAULT : 0;
19 }
20 
21 static __always_inline long
22 probe_write_common(void __user *dst, const void *src, size_t size)
23 {
24 	long ret;
25 
26 	pagefault_disable();
27 	ret = __copy_to_user_inatomic(dst, src, size);
28 	pagefault_enable();
29 
30 	return ret ? -EFAULT : 0;
31 }
32 
33 /**
34  * probe_kernel_read(): safely attempt to read from a kernel-space location
35  * @dst: pointer to the buffer that shall take the data
36  * @src: address to read from
37  * @size: size of the data chunk
38  *
39  * Safely read from address @src to the buffer at @dst.  If a kernel fault
40  * happens, handle that and return -EFAULT.
41  *
42  * We ensure that the copy_from_user is executed in atomic context so that
43  * do_page_fault() doesn't attempt to take mmap_sem.  This makes
44  * probe_kernel_read() suitable for use within regions where the caller
45  * already holds mmap_sem, or other locks which nest inside mmap_sem.
46  *
47  * probe_kernel_read_strict() is the same as probe_kernel_read() except for
48  * the case where architectures have non-overlapping user and kernel address
49  * ranges: probe_kernel_read_strict() will additionally return -EFAULT for
50  * probing memory on a user address range where probe_user_read() is supposed
51  * to be used instead.
52  */
53 
54 long __weak probe_kernel_read(void *dst, const void *src, size_t size)
55     __attribute__((alias("__probe_kernel_read")));
56 
57 long __weak probe_kernel_read_strict(void *dst, const void *src, size_t size)
58     __attribute__((alias("__probe_kernel_read")));
59 
60 long __probe_kernel_read(void *dst, const void *src, size_t size)
61 {
62 	long ret;
63 	mm_segment_t old_fs = get_fs();
64 
65 	set_fs(KERNEL_DS);
66 	ret = probe_read_common(dst, (__force const void __user *)src, size);
67 	set_fs(old_fs);
68 
69 	return ret;
70 }
71 EXPORT_SYMBOL_GPL(probe_kernel_read);
72 
73 /**
74  * probe_user_read(): safely attempt to read from a user-space location
75  * @dst: pointer to the buffer that shall take the data
76  * @src: address to read from. This must be a user address.
77  * @size: size of the data chunk
78  *
79  * Safely read from user address @src to the buffer at @dst. If a kernel fault
80  * happens, handle that and return -EFAULT.
81  */
82 
83 long __weak probe_user_read(void *dst, const void __user *src, size_t size)
84     __attribute__((alias("__probe_user_read")));
85 
86 long __probe_user_read(void *dst, const void __user *src, size_t size)
87 {
88 	long ret = -EFAULT;
89 	mm_segment_t old_fs = get_fs();
90 
91 	set_fs(USER_DS);
92 	if (access_ok(src, size))
93 		ret = probe_read_common(dst, src, size);
94 	set_fs(old_fs);
95 
96 	return ret;
97 }
98 EXPORT_SYMBOL_GPL(probe_user_read);
99 
100 /**
101  * probe_kernel_write(): safely attempt to write to a location
102  * @dst: address to write to
103  * @src: pointer to the data that shall be written
104  * @size: size of the data chunk
105  *
106  * Safely write to address @dst from the buffer at @src.  If a kernel fault
107  * happens, handle that and return -EFAULT.
108  */
109 
110 long __weak probe_kernel_write(void *dst, const void *src, size_t size)
111     __attribute__((alias("__probe_kernel_write")));
112 
113 long __probe_kernel_write(void *dst, const void *src, size_t size)
114 {
115 	long ret;
116 	mm_segment_t old_fs = get_fs();
117 
118 	set_fs(KERNEL_DS);
119 	ret = probe_write_common((__force void __user *)dst, src, size);
120 	set_fs(old_fs);
121 
122 	return ret;
123 }
124 EXPORT_SYMBOL_GPL(probe_kernel_write);
125 
126 /**
127  * probe_user_write(): safely attempt to write to a user-space location
128  * @dst: address to write to
129  * @src: pointer to the data that shall be written
130  * @size: size of the data chunk
131  *
132  * Safely write to address @dst from the buffer at @src.  If a kernel fault
133  * happens, handle that and return -EFAULT.
134  */
135 
136 long __weak probe_user_write(void __user *dst, const void *src, size_t size)
137     __attribute__((alias("__probe_user_write")));
138 
139 long __probe_user_write(void __user *dst, const void *src, size_t size)
140 {
141 	long ret = -EFAULT;
142 	mm_segment_t old_fs = get_fs();
143 
144 	set_fs(USER_DS);
145 	if (access_ok(dst, size))
146 		ret = probe_write_common(dst, src, size);
147 	set_fs(old_fs);
148 
149 	return ret;
150 }
151 EXPORT_SYMBOL_GPL(probe_user_write);
152 
153 /**
154  * strncpy_from_unsafe: - Copy a NUL terminated string from unsafe address.
155  * @dst:   Destination address, in kernel space.  This buffer must be at
156  *         least @count bytes long.
157  * @unsafe_addr: Unsafe address.
158  * @count: Maximum number of bytes to copy, including the trailing NUL.
159  *
160  * Copies a NUL-terminated string from unsafe address to kernel buffer.
161  *
162  * On success, returns the length of the string INCLUDING the trailing NUL.
163  *
164  * If access fails, returns -EFAULT (some data may have been copied
165  * and the trailing NUL added).
166  *
167  * If @count is smaller than the length of the string, copies @count-1 bytes,
168  * sets the last byte of @dst buffer to NUL and returns @count.
169  *
170  * strncpy_from_unsafe_strict() is the same as strncpy_from_unsafe() except
171  * for the case where architectures have non-overlapping user and kernel address
172  * ranges: strncpy_from_unsafe_strict() will additionally return -EFAULT for
173  * probing memory on a user address range where strncpy_from_unsafe_user() is
174  * supposed to be used instead.
175  */
176 
177 long __weak strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count)
178     __attribute__((alias("__strncpy_from_unsafe")));
179 
180 long __weak strncpy_from_unsafe_strict(char *dst, const void *unsafe_addr,
181 				       long count)
182     __attribute__((alias("__strncpy_from_unsafe")));
183 
184 long __strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count)
185 {
186 	mm_segment_t old_fs = get_fs();
187 	const void *src = unsafe_addr;
188 	long ret;
189 
190 	if (unlikely(count <= 0))
191 		return 0;
192 
193 	set_fs(KERNEL_DS);
194 	pagefault_disable();
195 
196 	do {
197 		ret = __get_user(*dst++, (const char __user __force *)src++);
198 	} while (dst[-1] && ret == 0 && src - unsafe_addr < count);
199 
200 	dst[-1] = '\0';
201 	pagefault_enable();
202 	set_fs(old_fs);
203 
204 	return ret ? -EFAULT : src - unsafe_addr;
205 }
206 
207 /**
208  * strncpy_from_unsafe_user: - Copy a NUL terminated string from unsafe user
209  *				address.
210  * @dst:   Destination address, in kernel space.  This buffer must be at
211  *         least @count bytes long.
212  * @unsafe_addr: Unsafe user address.
213  * @count: Maximum number of bytes to copy, including the trailing NUL.
214  *
215  * Copies a NUL-terminated string from unsafe user address to kernel buffer.
216  *
217  * On success, returns the length of the string INCLUDING the trailing NUL.
218  *
219  * If access fails, returns -EFAULT (some data may have been copied
220  * and the trailing NUL added).
221  *
222  * If @count is smaller than the length of the string, copies @count-1 bytes,
223  * sets the last byte of @dst buffer to NUL and returns @count.
224  */
225 long strncpy_from_unsafe_user(char *dst, const void __user *unsafe_addr,
226 			      long count)
227 {
228 	mm_segment_t old_fs = get_fs();
229 	long ret;
230 
231 	if (unlikely(count <= 0))
232 		return 0;
233 
234 	set_fs(USER_DS);
235 	pagefault_disable();
236 	ret = strncpy_from_user(dst, unsafe_addr, count);
237 	pagefault_enable();
238 	set_fs(old_fs);
239 
240 	if (ret >= count) {
241 		ret = count;
242 		dst[ret - 1] = '\0';
243 	} else if (ret > 0) {
244 		ret++;
245 	}
246 
247 	return ret;
248 }
249 
250 /**
251  * strnlen_unsafe_user: - Get the size of a user string INCLUDING final NUL.
252  * @unsafe_addr: The string to measure.
253  * @count: Maximum count (including NUL)
254  *
255  * Get the size of a NUL-terminated string in user space without pagefault.
256  *
257  * Returns the size of the string INCLUDING the terminating NUL.
258  *
259  * If the string is too long, returns a number larger than @count. User
260  * has to check the return value against "> count".
261  * On exception (or invalid count), returns 0.
262  *
263  * Unlike strnlen_user, this can be used from IRQ handler etc. because
264  * it disables pagefaults.
265  */
266 long strnlen_unsafe_user(const void __user *unsafe_addr, long count)
267 {
268 	mm_segment_t old_fs = get_fs();
269 	int ret;
270 
271 	set_fs(USER_DS);
272 	pagefault_disable();
273 	ret = strnlen_user(unsafe_addr, count);
274 	pagefault_enable();
275 	set_fs(old_fs);
276 
277 	return ret;
278 }
279