[linux-2.6-block.git] / mm / maccess.c

// SPDX-License-Identifier: GPL-2.0-only
/*
 * Access kernel or user memory without faulting.
 */
#include <linux/export.h>
#include <linux/mm.h>
#include <linux/uaccess.h>

static __always_inline long
probe_read_common(void *dst, const void __user *src, size_t size)
{
	long ret;

	pagefault_disable();
	ret = __copy_from_user_inatomic(dst, src, size);
	pagefault_enable();

	return ret ? -EFAULT : 0;
}

static __always_inline long
probe_write_common(void __user *dst, const void *src, size_t size)
{
	long ret;

	pagefault_disable();
	ret = __copy_to_user_inatomic(dst, src, size);
	pagefault_enable();

	return ret ? -EFAULT : 0;
}

/**
 * probe_kernel_read(): safely attempt to read from any location
 * @dst: pointer to the buffer that shall take the data
 * @src: address to read from
 * @size: size of the data chunk
 *
 * Same as probe_kernel_read_strict() except that for architectures with
 * not fully separated user and kernel address spaces this function also works
 * for user address tanges.
 *
 * DO NOT USE THIS FUNCTION - it is broken on architectures with entirely
 * separate kernel and user address spaces, and also a bad idea otherwise.
 */
long __weak probe_kernel_read(void *dst, const void *src, size_t size)
    __attribute__((alias("__probe_kernel_read")));

/**
 * probe_kernel_read_strict(): safely attempt to read from kernel-space
 * @dst: pointer to the buffer that shall take the data
 * @src: address to read from
 * @size: size of the data chunk
 *
 * Safely read from kernel address @src to the buffer at @dst.  If a kernel
 * fault happens, handle that and return -EFAULT.
 *
 * We ensure that the copy_from_user is executed in atomic context so that
 * do_page_fault() doesn't attempt to take mmap_lock.  This makes
 * probe_kernel_read() suitable for use within regions where the caller
 * already holds mmap_lock, or other locks which nest inside mmap_lock.
 */

long __weak probe_kernel_read_strict(void *dst, const void *src, size_t size)
    __attribute__((alias("__probe_kernel_read")));

long __probe_kernel_read(void *dst, const void *src, size_t size)
{
	long ret;
	mm_segment_t old_fs = get_fs();

	set_fs(KERNEL_DS);
	ret = probe_read_common(dst, (__force const void __user *)src, size);
	set_fs(old_fs);

	return ret;
}
EXPORT_SYMBOL_GPL(probe_kernel_read);

/**
 * probe_user_read(): safely attempt to read from a user-space location
 * @dst: pointer to the buffer that shall take the data
 * @src: address to read from. This must be a user address.
 * @size: size of the data chunk
 *
 * Safely read from user address @src to the buffer at @dst. If a kernel fault
 * happens, handle that and return -EFAULT.
 */
long probe_user_read(void *dst, const void __user *src, size_t size)
{
	long ret = -EFAULT;
	mm_segment_t old_fs = get_fs();

	set_fs(USER_DS);
	if (access_ok(src, size))
		ret = probe_read_common(dst, src, size);
	set_fs(old_fs);

	return ret;
}
EXPORT_SYMBOL_GPL(probe_user_read);

/**
 * probe_kernel_write(): safely attempt to write to a location
 * @dst: address to write to
 * @src: pointer to the data that shall be written
 * @size: size of the data chunk
 *
 * Safely write to address @dst from the buffer at @src.  If a kernel fault
 * happens, handle that and return -EFAULT.
 */
long probe_kernel_write(void *dst, const void *src, size_t size)
{
	long ret;
	mm_segment_t old_fs = get_fs();

	set_fs(KERNEL_DS);
	ret = probe_write_common((__force void __user *)dst, src, size);
	set_fs(old_fs);

	return ret;
}

/**
 * probe_user_write(): safely attempt to write to a user-space location
 * @dst: address to write to
 * @src: pointer to the data that shall be written
 * @size: size of the data chunk
 *
 * Safely write to address @dst from the buffer at @src.  If a kernel fault
 * happens, handle that and return -EFAULT.
 */
long probe_user_write(void __user *dst, const void *src, size_t size)
{
	long ret = -EFAULT;
	mm_segment_t old_fs = get_fs();

	set_fs(USER_DS);
	if (access_ok(dst, size))
		ret = probe_write_common(dst, src, size);
	set_fs(old_fs);

	return ret;
}
EXPORT_SYMBOL_GPL(probe_user_write);

/**
 * strncpy_from_unsafe: - Copy a NUL terminated string from unsafe address.
 * @dst:   Destination address, in kernel space.  This buffer must be at
 *         least @count bytes long.
 * @unsafe_addr: Unsafe address.
 * @count: Maximum number of bytes to copy, including the trailing NUL.
 *
 * Copies a NUL-terminated string from unsafe address to kernel buffer.
 *
 * On success, returns the length of the string INCLUDING the trailing NUL.
 *
 * If access fails, returns -EFAULT (some data may have been copied
 * and the trailing NUL added).
 *
 * If @count is smaller than the length of the string, copies @count-1 bytes,
 * sets the last byte of @dst buffer to NUL and returns @count.
 *
 * Same as strncpy_from_kernel_nofault() except that for architectures with
 * not fully separated user and kernel address spaces this function also works
 * for user address tanges.
 *
 * DO NOT USE THIS FUNCTION - it is broken on architectures with entirely
 * separate kernel and user address spaces, and also a bad idea otherwise.
 */
long __weak strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count)
    __attribute__((alias("__strncpy_from_unsafe")));

/**
 * strncpy_from_kernel_nofault: - Copy a NUL terminated string from unsafe
 *				 address.
 * @dst:   Destination address, in kernel space.  This buffer must be at
 *         least @count bytes long.
 * @unsafe_addr: Unsafe address.
 * @count: Maximum number of bytes to copy, including the trailing NUL.
 *
 * Copies a NUL-terminated string from unsafe address to kernel buffer.
 *
 * On success, returns the length of the string INCLUDING the trailing NUL.
 *
 * If access fails, returns -EFAULT (some data may have been copied
 * and the trailing NUL added).
 *
 * If @count is smaller than the length of the string, copies @count-1 bytes,
 * sets the last byte of @dst buffer to NUL and returns @count.
 */
long __weak strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr,
				       long count)
    __attribute__((alias("__strncpy_from_unsafe")));

long __strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count)
{
	mm_segment_t old_fs = get_fs();
	const void *src = unsafe_addr;
	long ret;

	if (unlikely(count <= 0))
		return 0;

	set_fs(KERNEL_DS);
	pagefault_disable();

	do {
		ret = __get_user(*dst++, (const char __user __force *)src++);
	} while (dst[-1] && ret == 0 && src - unsafe_addr < count);

	dst[-1] = '\0';
	pagefault_enable();
	set_fs(old_fs);

	return ret ? -EFAULT : src - unsafe_addr;
}

/**
 * strncpy_from_user_nofault: - Copy a NUL terminated string from unsafe user
 *				address.
 * @dst:   Destination address, in kernel space.  This buffer must be at
 *         least @count bytes long.
 * @unsafe_addr: Unsafe user address.
 * @count: Maximum number of bytes to copy, including the trailing NUL.
 *
 * Copies a NUL-terminated string from unsafe user address to kernel buffer.
 *
 * On success, returns the length of the string INCLUDING the trailing NUL.
 *
 * If access fails, returns -EFAULT (some data may have been copied
 * and the trailing NUL added).
 *
 * If @count is smaller than the length of the string, copies @count-1 bytes,
 * sets the last byte of @dst buffer to NUL and returns @count.
 */
long strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
			      long count)
{
	mm_segment_t old_fs = get_fs();
	long ret;

	if (unlikely(count <= 0))
		return 0;

	set_fs(USER_DS);
	pagefault_disable();
	ret = strncpy_from_user(dst, unsafe_addr, count);
	pagefault_enable();
	set_fs(old_fs);

	if (ret >= count) {
		ret = count;
		dst[ret - 1] = '\0';
	} else if (ret > 0) {
		ret++;
	}

	return ret;
}

/**
 * strnlen_user_nofault: - Get the size of a user string INCLUDING final NUL.
 * @unsafe_addr: The string to measure.
 * @count: Maximum count (including NUL)
 *
 * Get the size of a NUL-terminated string in user space without pagefault.
 *
 * Returns the size of the string INCLUDING the terminating NUL.
 *
 * If the string is too long, returns a number larger than @count. User
 * has to check the return value against "> count".
 * On exception (or invalid count), returns 0.
 *
 * Unlike strnlen_user, this can be used from IRQ handler etc. because
 * it disables pagefaults.
 */
long strnlen_user_nofault(const void __user *unsafe_addr, long count)
{
	mm_segment_t old_fs = get_fs();
	int ret;

	set_fs(USER_DS);
	pagefault_disable();
	ret = strnlen_user(unsafe_addr, count);
	pagefault_enable();
	set_fs(old_fs);

	return ret;
}
Commit	Line	Data
457c8996	1	// SPDX-License-Identifier: GPL-2.0-only
c33fa9f5	2	/*
3f0acb1e	3	* Access kernel or user memory without faulting.
c33fa9f5	4	*/
b95f1b31	5	#include <linux/export.h>
c33fa9f5	6	#include <linux/mm.h>
7c7fcf76	7	#include <linux/uaccess.h>
c33fa9f5	8
3d708182 MH	9	static __always_inline long
	10	probe_read_common(void dst, const void __user src, size_t size)
	11	{
	12	long ret;
	13
	14	pagefault_disable();
	15	ret = __copy_from_user_inatomic(dst, src, size);
	16	pagefault_enable();
	17
	18	return ret ? -EFAULT : 0;
	19	}
	20
1d1585ca DB	21	static __always_inline long
	22	probe_write_common(void __user dst, const void src, size_t size)
	23	{
	24	long ret;
	25
	26	pagefault_disable();
	27	ret = __copy_to_user_inatomic(dst, src, size);
	28	pagefault_enable();
	29
	30	return ret ? -EFAULT : 0;
	31	}
	32
c33fa9f5	33	/**
4f6de12b	34	* probe_kernel_read(): safely attempt to read from any location
c33fa9f5 IM	35	* @dst: pointer to the buffer that shall take the data
	36	* @src: address to read from
	37	* @size: size of the data chunk
	38	*
4f6de12b CH	39	* Same as probe_kernel_read_strict() except that for architectures with
	40	* not fully separated user and kernel address spaces this function also works
	41	* for user address tanges.
	42	*
	43	* DO NOT USE THIS FUNCTION - it is broken on architectures with entirely
	44	* separate kernel and user address spaces, and also a bad idea otherwise.
	45	*/
	46	long __weak probe_kernel_read(void dst, const void src, size_t size)
	47	__attribute__((alias("__probe_kernel_read")));
	48
	49	/**
	50	* probe_kernel_read_strict(): safely attempt to read from kernel-space
	51	* @dst: pointer to the buffer that shall take the data
	52	* @src: address to read from
	53	* @size: size of the data chunk
	54	*
	55	* Safely read from kernel address @src to the buffer at @dst. If a kernel
	56	* fault happens, handle that and return -EFAULT.
0ab32b6f AM	57	*
0ab32b6f AM	58	* We ensure that the copy_from_user is executed in atomic context so that
c1e8d7c6	59	* do_page_fault() doesn't attempt to take mmap_lock. This makes
0ab32b6f	60	* probe_kernel_read() suitable for use within regions where the caller
c1e8d7c6	61	* already holds mmap_lock, or other locks which nest inside mmap_lock.
c33fa9f5	62	*/
6144a85a	63
75a1a607 DB	64	long __weak probe_kernel_read_strict(void dst, const void src, size_t size)
	65	__attribute__((alias("__probe_kernel_read")));
	66
f29c5041	67	long __probe_kernel_read(void dst, const void src, size_t size)
c33fa9f5 IM	68	{
c33fa9f5 IM	69	long ret;
b4b8ac52	70	mm_segment_t old_fs = get_fs();
c33fa9f5	71
b4b8ac52	72	set_fs(KERNEL_DS);
3d708182	73	ret = probe_read_common(dst, (__force const void __user *)src, size);
b4b8ac52	74	set_fs(old_fs);
c33fa9f5	75
3d708182	76	return ret;
c33fa9f5 IM	77	}
	78	EXPORT_SYMBOL_GPL(probe_kernel_read);
	79
3d708182 MH	80	/**
	81	* probe_user_read(): safely attempt to read from a user-space location
	82	* @dst: pointer to the buffer that shall take the data
	83	* @src: address to read from. This must be a user address.
	84	* @size: size of the data chunk
	85	*
	86	* Safely read from user address @src to the buffer at @dst. If a kernel fault
	87	* happens, handle that and return -EFAULT.
	88	*/
48c49c0e	89	long probe_user_read(void dst, const void __user src, size_t size)
3d708182 MH	90	{
	91	long ret = -EFAULT;
	92	mm_segment_t old_fs = get_fs();
	93
	94	set_fs(USER_DS);
	95	if (access_ok(src, size))
	96	ret = probe_read_common(dst, src, size);
	97	set_fs(old_fs);
	98
	99	return ret;
	100	}
	101	EXPORT_SYMBOL_GPL(probe_user_read);
	102
c33fa9f5 IM	103	/**
	104	* probe_kernel_write(): safely attempt to write to a location
	105	* @dst: address to write to
	106	* @src: pointer to the data that shall be written
	107	* @size: size of the data chunk
	108	*
	109	* Safely write to address @dst from the buffer at @src. If a kernel fault
	110	* happens, handle that and return -EFAULT.
	111	*/
48c49c0e	112	long probe_kernel_write(void dst, const void src, size_t size)
c33fa9f5 IM	113	{
c33fa9f5 IM	114	long ret;
b4b8ac52	115	mm_segment_t old_fs = get_fs();
c33fa9f5	116
b4b8ac52	117	set_fs(KERNEL_DS);
1d1585ca	118	ret = probe_write_common((__force void __user *)dst, src, size);
b4b8ac52	119	set_fs(old_fs);
c33fa9f5	120
1d1585ca	121	return ret;
c33fa9f5	122	}
dbb7ee0e	123
1d1585ca DB	124	/**
	125	* probe_user_write(): safely attempt to write to a user-space location
	126	* @dst: address to write to
	127	* @src: pointer to the data that shall be written
	128	* @size: size of the data chunk
	129	*
	130	* Safely write to address @dst from the buffer at @src. If a kernel fault
	131	* happens, handle that and return -EFAULT.
	132	*/
48c49c0e	133	long probe_user_write(void __user dst, const void src, size_t size)
1d1585ca DB	134	{
	135	long ret = -EFAULT;
	136	mm_segment_t old_fs = get_fs();
	137
	138	set_fs(USER_DS);
	139	if (access_ok(dst, size))
	140	ret = probe_write_common(dst, src, size);
	141	set_fs(old_fs);
	142
	143	return ret;
	144	}
	145	EXPORT_SYMBOL_GPL(probe_user_write);
3d708182	146
dbb7ee0e AS	147	/**
	148	* strncpy_from_unsafe: - Copy a NUL terminated string from unsafe address.
	149	* @dst: Destination address, in kernel space. This buffer must be at
	150	* least @count bytes long.
f144c390	151	* @unsafe_addr: Unsafe address.
dbb7ee0e AS	152	* @count: Maximum number of bytes to copy, including the trailing NUL.
	153	*
	154	* Copies a NUL-terminated string from unsafe address to kernel buffer.
	155	*
	156	* On success, returns the length of the string INCLUDING the trailing NUL.
	157	*
	158	* If access fails, returns -EFAULT (some data may have been copied
	159	* and the trailing NUL added).
	160	*
	161	* If @count is smaller than the length of the string, copies @count-1 bytes,
	162	* sets the last byte of @dst buffer to NUL and returns @count.
75a1a607	163	*
c4cb1644	164	* Same as strncpy_from_kernel_nofault() except that for architectures with
4f6de12b CH	165	* not fully separated user and kernel address spaces this function also works
	166	* for user address tanges.
	167	*
	168	* DO NOT USE THIS FUNCTION - it is broken on architectures with entirely
	169	* separate kernel and user address spaces, and also a bad idea otherwise.
dbb7ee0e	170	*/
75a1a607 DB	171	long __weak strncpy_from_unsafe(char dst, const void unsafe_addr, long count)
	172	__attribute__((alias("__strncpy_from_unsafe")));
	173
4f6de12b	174	/**
c4cb1644	175	* strncpy_from_kernel_nofault: - Copy a NUL terminated string from unsafe
4f6de12b CH	176	* address.
	177	* @dst: Destination address, in kernel space. This buffer must be at
	178	* least @count bytes long.
	179	* @unsafe_addr: Unsafe address.
	180	* @count: Maximum number of bytes to copy, including the trailing NUL.
	181	*
	182	* Copies a NUL-terminated string from unsafe address to kernel buffer.
	183	*
	184	* On success, returns the length of the string INCLUDING the trailing NUL.
	185	*
	186	* If access fails, returns -EFAULT (some data may have been copied
	187	* and the trailing NUL added).
	188	*
	189	* If @count is smaller than the length of the string, copies @count-1 bytes,
	190	* sets the last byte of @dst buffer to NUL and returns @count.
	191	*/
c4cb1644	192	long __weak strncpy_from_kernel_nofault(char dst, const void unsafe_addr,
75a1a607 DB	193	long count)
	194	__attribute__((alias("__strncpy_from_unsafe")));
	195
	196	long __strncpy_from_unsafe(char dst, const void unsafe_addr, long count)
dbb7ee0e AS	197	{
	198	mm_segment_t old_fs = get_fs();
	199	const void *src = unsafe_addr;
	200	long ret;
	201
	202	if (unlikely(count <= 0))
	203	return 0;
	204
	205	set_fs(KERNEL_DS);
	206	pagefault_disable();
	207
	208	do {
bd28b145	209	ret = __get_user(dst++, (const char __user __force )src++);
dbb7ee0e AS	210	} while (dst[-1] && ret == 0 && src - unsafe_addr < count);
	211
	212	dst[-1] = '\0';
	213	pagefault_enable();
	214	set_fs(old_fs);
	215
9dd861d5	216	return ret ? -EFAULT : src - unsafe_addr;
dbb7ee0e	217	}
3d708182 MH	218
3d708182 MH	219	/**
bd88bb5d	220	* strncpy_from_user_nofault: - Copy a NUL terminated string from unsafe user
3d708182 MH	221	* address.
	222	* @dst: Destination address, in kernel space. This buffer must be at
	223	* least @count bytes long.
	224	* @unsafe_addr: Unsafe user address.
	225	* @count: Maximum number of bytes to copy, including the trailing NUL.
	226	*
	227	* Copies a NUL-terminated string from unsafe user address to kernel buffer.
	228	*
	229	* On success, returns the length of the string INCLUDING the trailing NUL.
	230	*
	231	* If access fails, returns -EFAULT (some data may have been copied
	232	* and the trailing NUL added).
	233	*
	234	* If @count is smaller than the length of the string, copies @count-1 bytes,
	235	* sets the last byte of @dst buffer to NUL and returns @count.
	236	*/
bd88bb5d	237	long strncpy_from_user_nofault(char dst, const void __user unsafe_addr,
3d708182 MH	238	long count)
	239	{
	240	mm_segment_t old_fs = get_fs();
	241	long ret;
	242
	243	if (unlikely(count <= 0))
	244	return 0;
	245
	246	set_fs(USER_DS);
	247	pagefault_disable();
	248	ret = strncpy_from_user(dst, unsafe_addr, count);
	249	pagefault_enable();
	250	set_fs(old_fs);
	251
	252	if (ret >= count) {
	253	ret = count;
	254	dst[ret - 1] = '\0';
	255	} else if (ret > 0) {
	256	ret++;
	257	}
	258
	259	return ret;
	260	}
	261
	262	/**
02dddb16	263	* strnlen_user_nofault: - Get the size of a user string INCLUDING final NUL.
3d708182 MH	264	* @unsafe_addr: The string to measure.
	265	* @count: Maximum count (including NUL)
	266	*
	267	* Get the size of a NUL-terminated string in user space without pagefault.
	268	*
	269	* Returns the size of the string INCLUDING the terminating NUL.
	270	*
	271	* If the string is too long, returns a number larger than @count. User
	272	* has to check the return value against "> count".
	273	* On exception (or invalid count), returns 0.
	274	*
	275	* Unlike strnlen_user, this can be used from IRQ handler etc. because
	276	* it disables pagefaults.
	277	*/
02dddb16	278	long strnlen_user_nofault(const void __user *unsafe_addr, long count)
3d708182 MH	279	{
	280	mm_segment_t old_fs = get_fs();
	281	int ret;
	282
	283	set_fs(USER_DS);
	284	pagefault_disable();
	285	ret = strnlen_user(unsafe_addr, count);
	286	pagefault_enable();
	287	set_fs(old_fs);
	288
	289	return ret;
	290	}