2008-10-23 12:26:29 +07:00
|
|
|
#ifndef _ASM_X86_UACCESS_H
|
|
|
|
#define _ASM_X86_UACCESS_H
|
2008-06-14 00:39:25 +07:00
|
|
|
/*
|
|
|
|
* User space memory access functions
|
|
|
|
*/
|
|
|
|
#include <linux/errno.h>
|
|
|
|
#include <linux/compiler.h>
|
2016-05-21 06:59:31 +07:00
|
|
|
#include <linux/kasan-checks.h>
|
2008-06-14 00:39:25 +07:00
|
|
|
#include <linux/thread_info.h>
|
|
|
|
#include <linux/string.h>
|
|
|
|
#include <asm/asm.h>
|
|
|
|
#include <asm/page.h>
|
2012-09-22 02:43:12 +07:00
|
|
|
#include <asm/smap.h>
|
2008-06-14 00:39:25 +07:00
|
|
|
|
|
|
|
#define VERIFY_READ 0
|
|
|
|
#define VERIFY_WRITE 1
|
|
|
|
|
|
|
|
/*
|
|
|
|
* The fs value determines whether argument validity checking should be
|
|
|
|
* performed or not. If get_fs() == USER_DS, checking is performed, with
|
|
|
|
* get_fs() == KERNEL_DS, checking is bypassed.
|
|
|
|
*
|
|
|
|
* For historical reasons, these macros are grossly misnamed.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#define MAKE_MM_SEG(s) ((mm_segment_t) { (s) })
|
|
|
|
|
|
|
|
#define KERNEL_DS MAKE_MM_SEG(-1UL)
|
x86, 64-bit: Clean up user address masking
The discussion about using "access_ok()" in get_user_pages_fast() (see
commit 7f8189068726492950bf1a2dcfd9b51314560abf: "x86: don't use
'access_ok()' as a range check in get_user_pages_fast()" for details and
end result), made us notice that x86-64 was really being very sloppy
about virtual address checking.
So be way more careful and straightforward about masking x86-64 virtual
addresses:
- All the VIRTUAL_MASK* variants now cover half of the address
space, it's not like we can use the full mask on a signed
integer, and the larger mask just invites mistakes when
applying it to either half of the 48-bit address space.
- /proc/kcore's kc_offset_to_vaddr() becomes a lot more
obvious when it transforms a file offset into a
(kernel-half) virtual address.
- Unify/simplify the 32-bit and 64-bit USER_DS definition to
be based on TASK_SIZE_MAX.
This cleanup and more careful/obvious user virtual address checking also
uncovered a buglet in the x86-64 implementation of strnlen_user(): it
would do an "access_ok()" check on the whole potential area, even if the
string itself was much shorter, and thus return an error even for valid
strings. Our sloppy checking had hidden this.
So this fixes 'strnlen_user()' to do this properly, the same way we
already handled user strings in 'strncpy_from_user()'. Namely by just
checking the first byte, and then relying on fault handling for the
rest. That always works, since we impose a guard page that cannot be
mapped at the end of the user space address space (and even if we
didn't, we'd have the address space hole).
Acked-by: Ingo Molnar <mingo@elte.hu>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Nick Piggin <npiggin@suse.de>
Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-06-21 05:40:00 +07:00
|
|
|
#define USER_DS MAKE_MM_SEG(TASK_SIZE_MAX)
|
2008-06-14 00:39:25 +07:00
|
|
|
|
|
|
|
#define get_ds() (KERNEL_DS)
|
2016-07-15 03:22:57 +07:00
|
|
|
#define get_fs() (current->thread.addr_limit)
|
|
|
|
#define set_fs(x) (current->thread.addr_limit = (x))
|
2008-06-14 00:39:25 +07:00
|
|
|
|
|
|
|
#define segment_eq(a, b) ((a).seg == (b).seg)
|
|
|
|
|
2016-07-15 03:22:57 +07:00
|
|
|
#define user_addr_max() (current->thread.addr_limit.seg)
|
2012-04-21 05:41:35 +07:00
|
|
|
#define __addr_ok(addr) \
|
|
|
|
((unsigned long __force)(addr) < user_addr_max())
|
2008-06-25 21:08:51 +07:00
|
|
|
|
2008-06-14 00:39:25 +07:00
|
|
|
/*
|
|
|
|
* Test whether a block of memory is a valid user space address.
|
|
|
|
* Returns 0 if the range is valid, nonzero otherwise.
|
|
|
|
*/
|
2013-12-28 07:52:47 +07:00
|
|
|
static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, unsigned long limit)
|
2013-12-28 06:30:58 +07:00
|
|
|
{
|
|
|
|
/*
|
|
|
|
* If we have used "sizeof()" for the size,
|
|
|
|
* we know it won't overflow the limit (but
|
|
|
|
* it might overflow the 'addr', so it's
|
|
|
|
* important to subtract the size from the
|
|
|
|
* limit, not add it to the address).
|
|
|
|
*/
|
|
|
|
if (__builtin_constant_p(size))
|
2015-10-06 07:47:50 +07:00
|
|
|
return unlikely(addr > limit - size);
|
2013-12-28 06:30:58 +07:00
|
|
|
|
|
|
|
/* Arbitrary sizes? Be careful about overflow */
|
|
|
|
addr += size;
|
2015-10-06 07:47:50 +07:00
|
|
|
if (unlikely(addr < size))
|
2013-12-28 07:52:47 +07:00
|
|
|
return true;
|
2015-10-06 07:47:50 +07:00
|
|
|
return unlikely(addr > limit);
|
2013-12-28 06:30:58 +07:00
|
|
|
}
|
2008-06-14 00:39:25 +07:00
|
|
|
|
2012-04-21 05:41:35 +07:00
|
|
|
#define __range_not_ok(addr, size, limit) \
|
2008-06-14 00:39:25 +07:00
|
|
|
({ \
|
|
|
|
__chk_user_ptr(addr); \
|
2013-12-28 06:30:58 +07:00
|
|
|
__chk_range_not_ok((unsigned long __force)(addr), size, limit); \
|
2008-06-14 00:39:25 +07:00
|
|
|
})
|
|
|
|
|
|
|
|
/**
|
|
|
|
* access_ok: - Checks if a user space pointer is valid
|
|
|
|
* @type: Type of access: %VERIFY_READ or %VERIFY_WRITE. Note that
|
|
|
|
* %VERIFY_WRITE is a superset of %VERIFY_READ - if it is safe
|
|
|
|
* to write to a block, it is always safe to read from it.
|
|
|
|
* @addr: User space pointer to start of block to check
|
|
|
|
* @size: Size of block to check
|
|
|
|
*
|
2015-05-11 22:52:08 +07:00
|
|
|
* Context: User context only. This function may sleep if pagefaults are
|
|
|
|
* enabled.
|
2008-06-14 00:39:25 +07:00
|
|
|
*
|
|
|
|
* Checks if a pointer to a block of memory in user space is valid.
|
|
|
|
*
|
|
|
|
* Returns true (nonzero) if the memory block may be valid, false (zero)
|
|
|
|
* if it is definitely invalid.
|
|
|
|
*
|
|
|
|
* Note that, depending on architecture, this function probably just
|
|
|
|
* checks that the pointer is in the user space range - after calling
|
|
|
|
* this function, memory access functions may still return -EFAULT.
|
|
|
|
*/
|
2012-04-21 05:41:35 +07:00
|
|
|
#define access_ok(type, addr, size) \
|
2013-12-28 07:52:47 +07:00
|
|
|
likely(!__range_not_ok(addr, size, user_addr_max()))
|
2008-06-14 00:39:25 +07:00
|
|
|
|
|
|
|
/*
|
2016-02-18 01:20:12 +07:00
|
|
|
* The exception table consists of triples of addresses relative to the
|
|
|
|
* exception table entry itself. The first address is of an instruction
|
|
|
|
* that is allowed to fault, the second is the target at which the program
|
|
|
|
* should continue. The third is a handler function to deal with the fault
|
|
|
|
* caused by the instruction in the first field.
|
2008-06-14 00:39:25 +07:00
|
|
|
*
|
|
|
|
* All the routines below use bits of fixup code that are out of line
|
|
|
|
* with the main instruction path. This means when everything is well,
|
|
|
|
* we don't even have to jump over them. Further, they do not intrude
|
|
|
|
* on our cache or tlb entries.
|
|
|
|
*/
|
|
|
|
|
|
|
|
struct exception_table_entry {
|
2016-02-18 01:20:12 +07:00
|
|
|
int insn, fixup, handler;
|
2008-06-14 00:39:25 +07:00
|
|
|
};
|
2016-03-23 04:28:17 +07:00
|
|
|
|
|
|
|
#define ARCH_HAS_RELATIVE_EXTABLE
|
2008-06-14 00:39:25 +07:00
|
|
|
|
2016-05-11 04:07:02 +07:00
|
|
|
#define swap_ex_entry_fixup(a, b, tmp, delta) \
|
|
|
|
do { \
|
|
|
|
(a)->fixup = (b)->fixup + (delta); \
|
|
|
|
(b)->fixup = (tmp).fixup - (delta); \
|
|
|
|
(a)->handler = (b)->handler + (delta); \
|
|
|
|
(b)->handler = (tmp).handler - (delta); \
|
|
|
|
} while (0)
|
|
|
|
|
2016-02-18 01:20:12 +07:00
|
|
|
extern int fixup_exception(struct pt_regs *regs, int trapnr);
|
|
|
|
extern bool ex_has_fault_handler(unsigned long ip);
|
2016-04-02 21:01:34 +07:00
|
|
|
extern void early_fixup_exception(struct pt_regs *regs, int trapnr);
|
2008-06-14 00:39:25 +07:00
|
|
|
|
|
|
|
/*
|
|
|
|
* These are the main single-value transfer routines. They automatically
|
|
|
|
* use the right size if we just have the right pointer type.
|
|
|
|
*
|
|
|
|
* This gets kind of ugly. We want to return _two_ values in "get_user()"
|
|
|
|
* and yet we don't want to do any pointers, because that is too much
|
|
|
|
* of a performance impact. Thus we have a few rather ugly macros here,
|
|
|
|
* and hide all the ugliness from the user.
|
|
|
|
*
|
|
|
|
* The "__xxx" versions of the user access functions are versions that
|
|
|
|
* do not verify the address space, that must have been done previously
|
|
|
|
* with a separate "access_ok()" call (this is used when we do multiple
|
|
|
|
* accesses to the same area of user memory).
|
|
|
|
*/
|
|
|
|
|
|
|
|
extern int __get_user_1(void);
|
|
|
|
extern int __get_user_2(void);
|
|
|
|
extern int __get_user_4(void);
|
|
|
|
extern int __get_user_8(void);
|
|
|
|
extern int __get_user_bad(void);
|
|
|
|
|
2015-12-18 00:45:09 +07:00
|
|
|
#define __uaccess_begin() stac()
|
|
|
|
#define __uaccess_end() clac()
|
|
|
|
|
2013-02-13 02:47:31 +07:00
|
|
|
/*
|
|
|
|
* This is a type: either unsigned long, if the argument fits into
|
|
|
|
* that type, or otherwise unsigned long long.
|
|
|
|
*/
|
|
|
|
#define __inttype(x) \
|
|
|
|
__typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
|
2008-06-25 21:05:11 +07:00
|
|
|
|
|
|
|
/**
|
|
|
|
* get_user: - Get a simple variable from user space.
|
|
|
|
* @x: Variable to store result.
|
|
|
|
* @ptr: Source address, in user space.
|
|
|
|
*
|
2015-05-11 22:52:08 +07:00
|
|
|
* Context: User context only. This function may sleep if pagefaults are
|
|
|
|
* enabled.
|
2008-06-25 21:05:11 +07:00
|
|
|
*
|
|
|
|
* This macro copies a single simple variable from user space to kernel
|
|
|
|
* space. It supports simple types like char and int, but not larger
|
|
|
|
* data types like structures or arrays.
|
|
|
|
*
|
|
|
|
* @ptr must have pointer-to-simple-variable type, and the result of
|
|
|
|
* dereferencing @ptr must be assignable to @x without a cast.
|
|
|
|
*
|
|
|
|
* Returns zero on success, or -EFAULT on error.
|
|
|
|
* On error, the variable @x is set to zero.
|
2013-02-13 06:37:02 +07:00
|
|
|
*/
|
|
|
|
/*
|
2013-02-13 02:47:31 +07:00
|
|
|
* Careful: we have to cast the result to the type of the pointer
|
|
|
|
* for sign reasons.
|
2013-02-13 06:37:02 +07:00
|
|
|
*
|
2013-08-30 03:34:50 +07:00
|
|
|
* The use of _ASM_DX as the register specifier is a bit of a
|
2013-02-13 06:37:02 +07:00
|
|
|
* simplification, as gcc only cares about it as the starting point
|
|
|
|
* and not size: for a 64-bit value it will use %ecx:%edx on 32 bits
|
|
|
|
* (%ecx being the next register in gcc's x86 register sequence), and
|
|
|
|
* %rdx on 64 bits.
|
2013-08-30 03:34:50 +07:00
|
|
|
*
|
|
|
|
* Clang/LLVM cares about the size of the register, but still wants
|
|
|
|
* the base register for something that ends up being a pair.
|
2008-06-25 21:05:11 +07:00
|
|
|
*/
|
|
|
|
#define get_user(x, ptr) \
|
|
|
|
({ \
|
|
|
|
int __ret_gu; \
|
2013-08-30 02:13:05 +07:00
|
|
|
register __inttype(*(ptr)) __val_gu asm("%"_ASM_DX); \
|
2016-01-22 05:49:25 +07:00
|
|
|
register void *__sp asm(_ASM_SP); \
|
2008-06-25 21:05:11 +07:00
|
|
|
__chk_user_ptr(ptr); \
|
2008-09-10 18:37:17 +07:00
|
|
|
might_fault(); \
|
2016-01-22 05:49:25 +07:00
|
|
|
asm volatile("call __get_user_%P4" \
|
|
|
|
: "=a" (__ret_gu), "=r" (__val_gu), "+r" (__sp) \
|
2013-02-13 02:47:31 +07:00
|
|
|
: "0" (ptr), "i" (sizeof(*(ptr)))); \
|
2014-12-12 06:56:04 +07:00
|
|
|
(x) = (__force __typeof__(*(ptr))) __val_gu; \
|
2015-10-06 07:47:49 +07:00
|
|
|
__builtin_expect(__ret_gu, 0); \
|
2008-06-25 21:05:11 +07:00
|
|
|
})
|
|
|
|
|
2008-06-25 23:17:43 +07:00
|
|
|
#define __put_user_x(size, x, ptr, __ret_pu) \
|
|
|
|
asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
|
2009-01-20 07:34:26 +07:00
|
|
|
: "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
|
2008-06-25 23:17:43 +07:00
|
|
|
|
|
|
|
|
|
|
|
|
2008-06-25 21:48:29 +07:00
|
|
|
#ifdef CONFIG_X86_32
|
2009-01-31 09:16:46 +07:00
|
|
|
#define __put_user_asm_u64(x, addr, err, errret) \
|
2015-12-18 00:45:09 +07:00
|
|
|
asm volatile("\n" \
|
2012-09-22 02:43:12 +07:00
|
|
|
"1: movl %%eax,0(%2)\n" \
|
2008-06-25 21:48:29 +07:00
|
|
|
"2: movl %%edx,4(%2)\n" \
|
2015-12-18 00:45:09 +07:00
|
|
|
"3:" \
|
2008-06-25 21:48:29 +07:00
|
|
|
".section .fixup,\"ax\"\n" \
|
|
|
|
"4: movl %3,%0\n" \
|
|
|
|
" jmp 3b\n" \
|
|
|
|
".previous\n" \
|
|
|
|
_ASM_EXTABLE(1b, 4b) \
|
|
|
|
_ASM_EXTABLE(2b, 4b) \
|
|
|
|
: "=r" (err) \
|
2009-01-31 09:16:46 +07:00
|
|
|
: "A" (x), "r" (addr), "i" (errret), "0" (err))
|
2008-06-25 23:17:43 +07:00
|
|
|
|
2009-01-24 06:49:41 +07:00
|
|
|
#define __put_user_asm_ex_u64(x, addr) \
|
2015-12-18 00:45:09 +07:00
|
|
|
asm volatile("\n" \
|
2012-09-22 02:43:12 +07:00
|
|
|
"1: movl %%eax,0(%1)\n" \
|
2009-01-24 06:49:41 +07:00
|
|
|
"2: movl %%edx,4(%1)\n" \
|
2015-12-18 00:45:09 +07:00
|
|
|
"3:" \
|
2012-04-21 06:57:35 +07:00
|
|
|
_ASM_EXTABLE_EX(1b, 2b) \
|
|
|
|
_ASM_EXTABLE_EX(2b, 3b) \
|
2009-01-24 06:49:41 +07:00
|
|
|
: : "A" (x), "r" (addr))
|
|
|
|
|
2008-06-25 23:17:43 +07:00
|
|
|
#define __put_user_x8(x, ptr, __ret_pu) \
|
|
|
|
asm volatile("call __put_user_8" : "=a" (__ret_pu) \
|
|
|
|
: "A" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
|
2008-06-25 21:48:29 +07:00
|
|
|
#else
|
2009-01-31 09:16:46 +07:00
|
|
|
#define __put_user_asm_u64(x, ptr, retval, errret) \
|
2009-07-21 13:27:39 +07:00
|
|
|
__put_user_asm(x, ptr, retval, "q", "", "er", errret)
|
2009-01-24 06:49:41 +07:00
|
|
|
#define __put_user_asm_ex_u64(x, addr) \
|
2009-07-21 13:27:39 +07:00
|
|
|
__put_user_asm_ex(x, addr, "q", "", "er")
|
2008-06-25 23:17:43 +07:00
|
|
|
#define __put_user_x8(x, ptr, __ret_pu) __put_user_x(8, x, ptr, __ret_pu)
|
2008-06-25 21:48:29 +07:00
|
|
|
#endif
|
|
|
|
|
2008-06-25 23:17:43 +07:00
|
|
|
extern void __put_user_bad(void);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Strange magic calling convention: pointer in %ecx,
|
|
|
|
* value in %eax(:%edx), return value in %eax. clobbers %rbx
|
|
|
|
*/
|
|
|
|
extern void __put_user_1(void);
|
|
|
|
extern void __put_user_2(void);
|
|
|
|
extern void __put_user_4(void);
|
|
|
|
extern void __put_user_8(void);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* put_user: - Write a simple value into user space.
|
|
|
|
* @x: Value to copy to user space.
|
|
|
|
* @ptr: Destination address, in user space.
|
|
|
|
*
|
2015-05-11 22:52:08 +07:00
|
|
|
* Context: User context only. This function may sleep if pagefaults are
|
|
|
|
* enabled.
|
2008-06-25 23:17:43 +07:00
|
|
|
*
|
|
|
|
* This macro copies a single simple value from kernel space to user
|
|
|
|
* space. It supports simple types like char and int, but not larger
|
|
|
|
* data types like structures or arrays.
|
|
|
|
*
|
|
|
|
* @ptr must have pointer-to-simple-variable type, and @x must be assignable
|
|
|
|
* to the result of dereferencing @ptr.
|
|
|
|
*
|
|
|
|
* Returns zero on success, or -EFAULT on error.
|
|
|
|
*/
|
|
|
|
#define put_user(x, ptr) \
|
|
|
|
({ \
|
|
|
|
int __ret_pu; \
|
|
|
|
__typeof__(*(ptr)) __pu_val; \
|
|
|
|
__chk_user_ptr(ptr); \
|
2008-09-10 18:37:17 +07:00
|
|
|
might_fault(); \
|
2008-06-25 23:17:43 +07:00
|
|
|
__pu_val = x; \
|
|
|
|
switch (sizeof(*(ptr))) { \
|
|
|
|
case 1: \
|
|
|
|
__put_user_x(1, __pu_val, ptr, __ret_pu); \
|
|
|
|
break; \
|
|
|
|
case 2: \
|
|
|
|
__put_user_x(2, __pu_val, ptr, __ret_pu); \
|
|
|
|
break; \
|
|
|
|
case 4: \
|
|
|
|
__put_user_x(4, __pu_val, ptr, __ret_pu); \
|
|
|
|
break; \
|
|
|
|
case 8: \
|
|
|
|
__put_user_x8(__pu_val, ptr, __ret_pu); \
|
|
|
|
break; \
|
|
|
|
default: \
|
|
|
|
__put_user_x(X, __pu_val, ptr, __ret_pu); \
|
|
|
|
break; \
|
|
|
|
} \
|
2015-10-06 07:47:49 +07:00
|
|
|
__builtin_expect(__ret_pu, 0); \
|
2008-06-25 23:17:43 +07:00
|
|
|
})
|
|
|
|
|
2008-06-25 21:48:29 +07:00
|
|
|
#define __put_user_size(x, ptr, size, retval, errret) \
|
|
|
|
do { \
|
|
|
|
retval = 0; \
|
|
|
|
__chk_user_ptr(ptr); \
|
|
|
|
switch (size) { \
|
|
|
|
case 1: \
|
|
|
|
__put_user_asm(x, ptr, retval, "b", "b", "iq", errret); \
|
|
|
|
break; \
|
|
|
|
case 2: \
|
|
|
|
__put_user_asm(x, ptr, retval, "w", "w", "ir", errret); \
|
|
|
|
break; \
|
|
|
|
case 4: \
|
2009-01-20 07:34:26 +07:00
|
|
|
__put_user_asm(x, ptr, retval, "l", "k", "ir", errret); \
|
2008-06-25 21:48:29 +07:00
|
|
|
break; \
|
|
|
|
case 8: \
|
2009-01-31 09:16:46 +07:00
|
|
|
__put_user_asm_u64((__typeof__(*ptr))(x), ptr, retval, \
|
|
|
|
errret); \
|
2008-06-25 21:48:29 +07:00
|
|
|
break; \
|
|
|
|
default: \
|
|
|
|
__put_user_bad(); \
|
|
|
|
} \
|
|
|
|
} while (0)
|
|
|
|
|
2015-12-18 00:45:09 +07:00
|
|
|
/*
|
|
|
|
* This doesn't do __uaccess_begin/end - the exception handling
|
|
|
|
* around it must do that.
|
|
|
|
*/
|
2009-01-24 06:49:41 +07:00
|
|
|
#define __put_user_size_ex(x, ptr, size) \
|
|
|
|
do { \
|
|
|
|
__chk_user_ptr(ptr); \
|
|
|
|
switch (size) { \
|
|
|
|
case 1: \
|
|
|
|
__put_user_asm_ex(x, ptr, "b", "b", "iq"); \
|
|
|
|
break; \
|
|
|
|
case 2: \
|
|
|
|
__put_user_asm_ex(x, ptr, "w", "w", "ir"); \
|
|
|
|
break; \
|
|
|
|
case 4: \
|
|
|
|
__put_user_asm_ex(x, ptr, "l", "k", "ir"); \
|
|
|
|
break; \
|
|
|
|
case 8: \
|
|
|
|
__put_user_asm_ex_u64((__typeof__(*ptr))(x), ptr); \
|
|
|
|
break; \
|
|
|
|
default: \
|
|
|
|
__put_user_bad(); \
|
|
|
|
} \
|
|
|
|
} while (0)
|
|
|
|
|
2008-06-25 22:48:47 +07:00
|
|
|
#ifdef CONFIG_X86_32
|
2016-03-10 03:05:56 +07:00
|
|
|
#define __get_user_asm_u64(x, ptr, retval, errret) \
|
|
|
|
({ \
|
|
|
|
__typeof__(ptr) __ptr = (ptr); \
|
|
|
|
asm volatile(ASM_STAC "\n" \
|
|
|
|
"1: movl %2,%%eax\n" \
|
|
|
|
"2: movl %3,%%edx\n" \
|
|
|
|
"3: " ASM_CLAC "\n" \
|
|
|
|
".section .fixup,\"ax\"\n" \
|
|
|
|
"4: mov %4,%0\n" \
|
|
|
|
" xorl %%eax,%%eax\n" \
|
|
|
|
" xorl %%edx,%%edx\n" \
|
|
|
|
" jmp 3b\n" \
|
|
|
|
".previous\n" \
|
|
|
|
_ASM_EXTABLE(1b, 4b) \
|
|
|
|
_ASM_EXTABLE(2b, 4b) \
|
|
|
|
: "=r" (retval), "=A"(x) \
|
|
|
|
: "m" (__m(__ptr)), "m" __m(((u32 *)(__ptr)) + 1), \
|
|
|
|
"i" (errret), "0" (retval)); \
|
|
|
|
})
|
|
|
|
|
2009-01-24 06:49:41 +07:00
|
|
|
#define __get_user_asm_ex_u64(x, ptr) (x) = __get_user_bad()
|
2008-06-25 22:48:47 +07:00
|
|
|
#else
|
|
|
|
#define __get_user_asm_u64(x, ptr, retval, errret) \
|
|
|
|
__get_user_asm(x, ptr, retval, "q", "", "=r", errret)
|
2009-01-24 06:49:41 +07:00
|
|
|
#define __get_user_asm_ex_u64(x, ptr) \
|
|
|
|
__get_user_asm_ex(x, ptr, "q", "", "=r")
|
2008-06-25 22:48:47 +07:00
|
|
|
#endif
|
|
|
|
|
|
|
|
#define __get_user_size(x, ptr, size, retval, errret) \
|
|
|
|
do { \
|
|
|
|
retval = 0; \
|
|
|
|
__chk_user_ptr(ptr); \
|
|
|
|
switch (size) { \
|
|
|
|
case 1: \
|
|
|
|
__get_user_asm(x, ptr, retval, "b", "b", "=q", errret); \
|
|
|
|
break; \
|
|
|
|
case 2: \
|
|
|
|
__get_user_asm(x, ptr, retval, "w", "w", "=r", errret); \
|
|
|
|
break; \
|
|
|
|
case 4: \
|
|
|
|
__get_user_asm(x, ptr, retval, "l", "k", "=r", errret); \
|
|
|
|
break; \
|
|
|
|
case 8: \
|
|
|
|
__get_user_asm_u64(x, ptr, retval, errret); \
|
|
|
|
break; \
|
|
|
|
default: \
|
|
|
|
(x) = __get_user_bad(); \
|
|
|
|
} \
|
|
|
|
} while (0)
|
|
|
|
|
|
|
|
#define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
|
2015-12-18 00:45:09 +07:00
|
|
|
asm volatile("\n" \
|
2012-09-22 02:43:12 +07:00
|
|
|
"1: mov"itype" %2,%"rtype"1\n" \
|
2015-12-18 00:45:09 +07:00
|
|
|
"2:\n" \
|
2008-06-25 22:48:47 +07:00
|
|
|
".section .fixup,\"ax\"\n" \
|
|
|
|
"3: mov %3,%0\n" \
|
|
|
|
" xor"itype" %"rtype"1,%"rtype"1\n" \
|
|
|
|
" jmp 2b\n" \
|
|
|
|
".previous\n" \
|
|
|
|
_ASM_EXTABLE(1b, 3b) \
|
|
|
|
: "=r" (err), ltype(x) \
|
|
|
|
: "m" (__m(addr)), "i" (errret), "0" (err))
|
|
|
|
|
2015-12-18 00:45:09 +07:00
|
|
|
/*
|
|
|
|
* This doesn't do __uaccess_begin/end - the exception handling
|
|
|
|
* around it must do that.
|
|
|
|
*/
|
2009-01-24 06:49:41 +07:00
|
|
|
#define __get_user_size_ex(x, ptr, size) \
|
|
|
|
do { \
|
|
|
|
__chk_user_ptr(ptr); \
|
|
|
|
switch (size) { \
|
|
|
|
case 1: \
|
|
|
|
__get_user_asm_ex(x, ptr, "b", "b", "=q"); \
|
|
|
|
break; \
|
|
|
|
case 2: \
|
|
|
|
__get_user_asm_ex(x, ptr, "w", "w", "=r"); \
|
|
|
|
break; \
|
|
|
|
case 4: \
|
|
|
|
__get_user_asm_ex(x, ptr, "l", "k", "=r"); \
|
|
|
|
break; \
|
|
|
|
case 8: \
|
|
|
|
__get_user_asm_ex_u64(x, ptr); \
|
|
|
|
break; \
|
|
|
|
default: \
|
|
|
|
(x) = __get_user_bad(); \
|
|
|
|
} \
|
|
|
|
} while (0)
|
|
|
|
|
|
|
|
#define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
|
2012-09-22 02:43:15 +07:00
|
|
|
asm volatile("1: mov"itype" %1,%"rtype"0\n" \
|
|
|
|
"2:\n" \
|
2016-09-15 08:35:29 +07:00
|
|
|
".section .fixup,\"ax\"\n" \
|
|
|
|
"3:xor"itype" %"rtype"0,%"rtype"0\n" \
|
|
|
|
" jmp 2b\n" \
|
|
|
|
".previous\n" \
|
|
|
|
_ASM_EXTABLE_EX(1b, 3b) \
|
2009-01-24 06:49:41 +07:00
|
|
|
: ltype(x) : "m" (__m(addr)))
|
|
|
|
|
2008-06-25 21:48:29 +07:00
|
|
|
#define __put_user_nocheck(x, ptr, size) \
|
|
|
|
({ \
|
2008-12-09 10:18:38 +07:00
|
|
|
int __pu_err; \
|
2015-12-18 00:45:09 +07:00
|
|
|
__uaccess_begin(); \
|
2008-06-25 21:48:29 +07:00
|
|
|
__put_user_size((x), (ptr), (size), __pu_err, -EFAULT); \
|
2015-12-18 00:45:09 +07:00
|
|
|
__uaccess_end(); \
|
2015-10-06 07:47:49 +07:00
|
|
|
__builtin_expect(__pu_err, 0); \
|
2008-06-25 21:48:29 +07:00
|
|
|
})
|
|
|
|
|
2008-06-25 22:48:47 +07:00
|
|
|
#define __get_user_nocheck(x, ptr, size) \
|
|
|
|
({ \
|
2008-12-09 10:18:38 +07:00
|
|
|
int __gu_err; \
|
2016-03-10 03:05:56 +07:00
|
|
|
__inttype(*(ptr)) __gu_val; \
|
2015-12-18 00:45:09 +07:00
|
|
|
__uaccess_begin(); \
|
2008-06-25 22:48:47 +07:00
|
|
|
__get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
|
2015-12-18 00:45:09 +07:00
|
|
|
__uaccess_end(); \
|
2008-06-25 22:48:47 +07:00
|
|
|
(x) = (__force __typeof__(*(ptr)))__gu_val; \
|
2015-10-06 07:47:49 +07:00
|
|
|
__builtin_expect(__gu_err, 0); \
|
2008-06-25 22:48:47 +07:00
|
|
|
})
|
2008-06-25 21:48:29 +07:00
|
|
|
|
|
|
|
/* FIXME: this hack is definitely wrong -AK */
|
|
|
|
struct __large_struct { unsigned long buf[100]; };
|
|
|
|
#define __m(x) (*(struct __large_struct __user *)(x))
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Tell gcc we read from memory instead of writing: this is because
|
|
|
|
* we do not write to any memory gcc knows about, so there are no
|
|
|
|
* aliasing issues.
|
|
|
|
*/
|
|
|
|
#define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
|
2015-12-18 00:45:09 +07:00
|
|
|
asm volatile("\n" \
|
2012-09-22 02:43:12 +07:00
|
|
|
"1: mov"itype" %"rtype"1,%2\n" \
|
2015-12-18 00:45:09 +07:00
|
|
|
"2:\n" \
|
2008-06-25 21:48:29 +07:00
|
|
|
".section .fixup,\"ax\"\n" \
|
|
|
|
"3: mov %3,%0\n" \
|
|
|
|
" jmp 2b\n" \
|
|
|
|
".previous\n" \
|
|
|
|
_ASM_EXTABLE(1b, 3b) \
|
|
|
|
: "=r"(err) \
|
|
|
|
: ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
|
2009-01-24 06:49:41 +07:00
|
|
|
|
|
|
|
#define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
|
2012-09-22 02:43:15 +07:00
|
|
|
asm volatile("1: mov"itype" %"rtype"0,%1\n" \
|
|
|
|
"2:\n" \
|
2012-04-21 06:57:35 +07:00
|
|
|
_ASM_EXTABLE_EX(1b, 2b) \
|
2009-01-24 06:49:41 +07:00
|
|
|
: : ltype(x), "m" (__m(addr)))
|
|
|
|
|
|
|
|
/*
|
|
|
|
* uaccess_try and catch
|
|
|
|
*/
|
|
|
|
#define uaccess_try do { \
|
2016-07-15 03:22:56 +07:00
|
|
|
current->thread.uaccess_err = 0; \
|
2015-12-18 00:45:09 +07:00
|
|
|
__uaccess_begin(); \
|
2009-01-24 06:49:41 +07:00
|
|
|
barrier();
|
|
|
|
|
|
|
|
#define uaccess_catch(err) \
|
2015-12-18 00:45:09 +07:00
|
|
|
__uaccess_end(); \
|
2016-07-15 03:22:56 +07:00
|
|
|
(err) |= (current->thread.uaccess_err ? -EFAULT : 0); \
|
2009-01-24 06:49:41 +07:00
|
|
|
} while (0)
|
|
|
|
|
2008-06-26 00:43:30 +07:00
|
|
|
/**
|
|
|
|
* __get_user: - Get a simple variable from user space, with less checking.
|
|
|
|
* @x: Variable to store result.
|
|
|
|
* @ptr: Source address, in user space.
|
|
|
|
*
|
2015-05-11 22:52:08 +07:00
|
|
|
* Context: User context only. This function may sleep if pagefaults are
|
|
|
|
* enabled.
|
2008-06-26 00:43:30 +07:00
|
|
|
*
|
|
|
|
* This macro copies a single simple variable from user space to kernel
|
|
|
|
* space. It supports simple types like char and int, but not larger
|
|
|
|
* data types like structures or arrays.
|
|
|
|
*
|
|
|
|
* @ptr must have pointer-to-simple-variable type, and the result of
|
|
|
|
* dereferencing @ptr must be assignable to @x without a cast.
|
|
|
|
*
|
|
|
|
* Caller must check the pointer with access_ok() before calling this
|
|
|
|
* function.
|
|
|
|
*
|
|
|
|
* Returns zero on success, or -EFAULT on error.
|
|
|
|
* On error, the variable @x is set to zero.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#define __get_user(x, ptr) \
|
|
|
|
__get_user_nocheck((x), (ptr), sizeof(*(ptr)))
|
2009-01-24 06:49:41 +07:00
|
|
|
|
2008-06-26 00:43:30 +07:00
|
|
|
/**
|
|
|
|
* __put_user: - Write a simple value into user space, with less checking.
|
|
|
|
* @x: Value to copy to user space.
|
|
|
|
* @ptr: Destination address, in user space.
|
|
|
|
*
|
2015-05-11 22:52:08 +07:00
|
|
|
* Context: User context only. This function may sleep if pagefaults are
|
|
|
|
* enabled.
|
2008-06-26 00:43:30 +07:00
|
|
|
*
|
|
|
|
* This macro copies a single simple value from kernel space to user
|
|
|
|
* space. It supports simple types like char and int, but not larger
|
|
|
|
* data types like structures or arrays.
|
|
|
|
*
|
|
|
|
* @ptr must have pointer-to-simple-variable type, and @x must be assignable
|
|
|
|
* to the result of dereferencing @ptr.
|
|
|
|
*
|
|
|
|
* Caller must check the pointer with access_ok() before calling this
|
|
|
|
* function.
|
|
|
|
*
|
|
|
|
* Returns zero on success, or -EFAULT on error.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#define __put_user(x, ptr) \
|
|
|
|
__put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
|
2008-06-25 21:48:29 +07:00
|
|
|
|
2008-06-26 00:43:30 +07:00
|
|
|
#define __get_user_unaligned __get_user
|
|
|
|
#define __put_user_unaligned __put_user
|
2008-06-25 21:05:11 +07:00
|
|
|
|
2009-01-24 06:49:41 +07:00
|
|
|
/*
|
|
|
|
* {get|put}_user_try and catch
|
|
|
|
*
|
|
|
|
* get_user_try {
|
|
|
|
* get_user_ex(...);
|
|
|
|
* } get_user_catch(err)
|
|
|
|
*/
|
|
|
|
#define get_user_try uaccess_try
|
|
|
|
#define get_user_catch(err) uaccess_catch(err)
|
|
|
|
|
|
|
|
#define get_user_ex(x, ptr) do { \
|
|
|
|
unsigned long __gue_val; \
|
|
|
|
__get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
|
|
|
|
(x) = (__force __typeof__(*(ptr)))__gue_val; \
|
|
|
|
} while (0)
|
|
|
|
|
2009-01-30 02:49:18 +07:00
|
|
|
#define put_user_try uaccess_try
|
|
|
|
#define put_user_catch(err) uaccess_catch(err)
|
|
|
|
|
2009-01-24 06:49:41 +07:00
|
|
|
#define put_user_ex(x, ptr) \
|
|
|
|
__put_user_size_ex((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
|
|
|
|
|
2011-06-07 16:49:55 +07:00
|
|
|
extern unsigned long
|
|
|
|
copy_from_user_nmi(void *to, const void __user *from, unsigned long n);
|
2012-04-07 04:32:32 +07:00
|
|
|
extern __must_check long
|
|
|
|
strncpy_from_user(char *dst, const char __user *src, long count);
|
2011-06-07 16:49:55 +07:00
|
|
|
|
2012-05-27 01:09:53 +07:00
|
|
|
extern __must_check long strlen_user(const char __user *str);
|
|
|
|
extern __must_check long strnlen_user(const char __user *str, long n);
|
|
|
|
|
2012-09-22 02:43:11 +07:00
|
|
|
unsigned long __must_check clear_user(void __user *mem, unsigned long len);
|
|
|
|
unsigned long __must_check __clear_user(void __user *mem, unsigned long len);
|
|
|
|
|
2013-12-14 13:25:02 +07:00
|
|
|
extern void __cmpxchg_wrong_size(void)
|
|
|
|
__compiletime_error("Bad argument size for cmpxchg");
|
|
|
|
|
|
|
|
#define __user_atomic_cmpxchg_inatomic(uval, ptr, old, new, size) \
|
|
|
|
({ \
|
|
|
|
int __ret = 0; \
|
|
|
|
__typeof__(ptr) __uval = (uval); \
|
|
|
|
__typeof__(*(ptr)) __old = (old); \
|
|
|
|
__typeof__(*(ptr)) __new = (new); \
|
2015-12-18 00:45:09 +07:00
|
|
|
__uaccess_begin(); \
|
2013-12-14 13:25:02 +07:00
|
|
|
switch (size) { \
|
|
|
|
case 1: \
|
|
|
|
{ \
|
2015-12-18 00:45:09 +07:00
|
|
|
asm volatile("\n" \
|
2013-12-14 13:25:02 +07:00
|
|
|
"1:\t" LOCK_PREFIX "cmpxchgb %4, %2\n" \
|
2015-12-18 00:45:09 +07:00
|
|
|
"2:\n" \
|
2013-12-14 13:25:02 +07:00
|
|
|
"\t.section .fixup, \"ax\"\n" \
|
|
|
|
"3:\tmov %3, %0\n" \
|
|
|
|
"\tjmp 2b\n" \
|
|
|
|
"\t.previous\n" \
|
|
|
|
_ASM_EXTABLE(1b, 3b) \
|
|
|
|
: "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \
|
|
|
|
: "i" (-EFAULT), "q" (__new), "1" (__old) \
|
|
|
|
: "memory" \
|
|
|
|
); \
|
|
|
|
break; \
|
|
|
|
} \
|
|
|
|
case 2: \
|
|
|
|
{ \
|
2015-12-18 00:45:09 +07:00
|
|
|
asm volatile("\n" \
|
2013-12-14 13:25:02 +07:00
|
|
|
"1:\t" LOCK_PREFIX "cmpxchgw %4, %2\n" \
|
2015-12-18 00:45:09 +07:00
|
|
|
"2:\n" \
|
2013-12-14 13:25:02 +07:00
|
|
|
"\t.section .fixup, \"ax\"\n" \
|
|
|
|
"3:\tmov %3, %0\n" \
|
|
|
|
"\tjmp 2b\n" \
|
|
|
|
"\t.previous\n" \
|
|
|
|
_ASM_EXTABLE(1b, 3b) \
|
|
|
|
: "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \
|
|
|
|
: "i" (-EFAULT), "r" (__new), "1" (__old) \
|
|
|
|
: "memory" \
|
|
|
|
); \
|
|
|
|
break; \
|
|
|
|
} \
|
|
|
|
case 4: \
|
|
|
|
{ \
|
2015-12-18 00:45:09 +07:00
|
|
|
asm volatile("\n" \
|
2013-12-14 13:25:02 +07:00
|
|
|
"1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n" \
|
2015-12-18 00:45:09 +07:00
|
|
|
"2:\n" \
|
2013-12-14 13:25:02 +07:00
|
|
|
"\t.section .fixup, \"ax\"\n" \
|
|
|
|
"3:\tmov %3, %0\n" \
|
|
|
|
"\tjmp 2b\n" \
|
|
|
|
"\t.previous\n" \
|
|
|
|
_ASM_EXTABLE(1b, 3b) \
|
|
|
|
: "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \
|
|
|
|
: "i" (-EFAULT), "r" (__new), "1" (__old) \
|
|
|
|
: "memory" \
|
|
|
|
); \
|
|
|
|
break; \
|
|
|
|
} \
|
|
|
|
case 8: \
|
|
|
|
{ \
|
|
|
|
if (!IS_ENABLED(CONFIG_X86_64)) \
|
|
|
|
__cmpxchg_wrong_size(); \
|
|
|
|
\
|
2015-12-18 00:45:09 +07:00
|
|
|
asm volatile("\n" \
|
2013-12-14 13:25:02 +07:00
|
|
|
"1:\t" LOCK_PREFIX "cmpxchgq %4, %2\n" \
|
2015-12-18 00:45:09 +07:00
|
|
|
"2:\n" \
|
2013-12-14 13:25:02 +07:00
|
|
|
"\t.section .fixup, \"ax\"\n" \
|
|
|
|
"3:\tmov %3, %0\n" \
|
|
|
|
"\tjmp 2b\n" \
|
|
|
|
"\t.previous\n" \
|
|
|
|
_ASM_EXTABLE(1b, 3b) \
|
|
|
|
: "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \
|
|
|
|
: "i" (-EFAULT), "r" (__new), "1" (__old) \
|
|
|
|
: "memory" \
|
|
|
|
); \
|
|
|
|
break; \
|
|
|
|
} \
|
|
|
|
default: \
|
|
|
|
__cmpxchg_wrong_size(); \
|
|
|
|
} \
|
2015-12-18 00:45:09 +07:00
|
|
|
__uaccess_end(); \
|
2013-12-14 13:25:02 +07:00
|
|
|
*__uval = __old; \
|
|
|
|
__ret; \
|
|
|
|
})
|
|
|
|
|
|
|
|
#define user_atomic_cmpxchg_inatomic(uval, ptr, old, new) \
|
|
|
|
({ \
|
|
|
|
access_ok(VERIFY_WRITE, (ptr), sizeof(*(ptr))) ? \
|
|
|
|
__user_atomic_cmpxchg_inatomic((uval), (ptr), \
|
|
|
|
(old), (new), sizeof(*(ptr))) : \
|
|
|
|
-EFAULT; \
|
|
|
|
})
|
|
|
|
|
2008-06-26 00:53:41 +07:00
|
|
|
/*
|
|
|
|
* movsl can be slow when source and dest are not both 8-byte aligned
|
|
|
|
*/
|
|
|
|
#ifdef CONFIG_X86_INTEL_USERCOPY
|
|
|
|
extern struct movsl_mask {
|
|
|
|
int mask;
|
|
|
|
} ____cacheline_aligned_in_smp movsl_mask;
|
|
|
|
#endif
|
|
|
|
|
2008-06-26 00:56:53 +07:00
|
|
|
#define ARCH_HAS_NOCACHE_UACCESS 1
|
|
|
|
|
2007-10-11 16:20:03 +07:00
|
|
|
#ifdef CONFIG_X86_32
|
2012-10-03 00:01:25 +07:00
|
|
|
# include <asm/uaccess_32.h>
|
2007-10-11 16:20:03 +07:00
|
|
|
#else
|
2012-10-03 00:01:25 +07:00
|
|
|
# include <asm/uaccess_64.h>
|
2007-10-11 16:20:03 +07:00
|
|
|
#endif
|
2008-06-14 00:39:25 +07:00
|
|
|
|
2013-10-21 15:43:57 +07:00
|
|
|
unsigned long __must_check _copy_from_user(void *to, const void __user *from,
|
|
|
|
unsigned n);
|
2013-10-21 15:44:37 +07:00
|
|
|
unsigned long __must_check _copy_to_user(void __user *to, const void *from,
|
|
|
|
unsigned n);
|
2013-10-21 15:43:57 +07:00
|
|
|
|
mm/usercopy: get rid of CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
There are three usercopy warnings which are currently being silenced for
gcc 4.6 and newer:
1) "copy_from_user() buffer size is too small" compile warning/error
This is a static warning which happens when object size and copy size
are both const, and copy size > object size. I didn't see any false
positives for this one. So the function warning attribute seems to
be working fine here.
Note this scenario is always a bug and so I think it should be
changed to *always* be an error, regardless of
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS.
2) "copy_from_user() buffer size is not provably correct" compile warning
This is another static warning which happens when I enable
__compiletime_object_size() for new compilers (and
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS). It happens when object size
is const, but copy size is *not*. In this case there's no way to
compare the two at build time, so it gives the warning. (Note the
warning is a byproduct of the fact that gcc has no way of knowing
whether the overflow function will be called, so the call isn't dead
code and the warning attribute is activated.)
So this warning seems to only indicate "this is an unusual pattern,
maybe you should check it out" rather than "this is a bug".
I get 102(!) of these warnings with allyesconfig and the
__compiletime_object_size() gcc check removed. I don't know if there
are any real bugs hiding in there, but from looking at a small
sample, I didn't see any. According to Kees, it does sometimes find
real bugs. But the false positive rate seems high.
3) "Buffer overflow detected" runtime warning
This is a runtime warning where object size is const, and copy size >
object size.
All three warnings (both static and runtime) were completely disabled
for gcc 4.6 with the following commit:
2fb0815c9ee6 ("gcc4: disable __compiletime_object_size for GCC 4.6+")
That commit mistakenly assumed that the false positives were caused by a
gcc bug in __compiletime_object_size(). But in fact,
__compiletime_object_size() seems to be working fine. The false
positives were instead triggered by #2 above. (Though I don't have an
explanation for why the warnings supposedly only started showing up in
gcc 4.6.)
So remove warning #2 to get rid of all the false positives, and re-enable
warnings #1 and #3 by reverting the above commit.
Furthermore, since #1 is a real bug which is detected at compile time,
upgrade it to always be an error.
Having done all that, CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is no longer
needed.
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Byungchul Park <byungchul.park@lge.com>
Cc: Nilay Vaish <nilayvaish@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-08-30 20:04:16 +07:00
|
|
|
extern void __compiletime_error("usercopy buffer size is too small")
|
|
|
|
__bad_copy_user(void);
|
2013-10-21 15:43:57 +07:00
|
|
|
|
mm/usercopy: get rid of CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
There are three usercopy warnings which are currently being silenced for
gcc 4.6 and newer:
1) "copy_from_user() buffer size is too small" compile warning/error
This is a static warning which happens when object size and copy size
are both const, and copy size > object size. I didn't see any false
positives for this one. So the function warning attribute seems to
be working fine here.
Note this scenario is always a bug and so I think it should be
changed to *always* be an error, regardless of
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS.
2) "copy_from_user() buffer size is not provably correct" compile warning
This is another static warning which happens when I enable
__compiletime_object_size() for new compilers (and
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS). It happens when object size
is const, but copy size is *not*. In this case there's no way to
compare the two at build time, so it gives the warning. (Note the
warning is a byproduct of the fact that gcc has no way of knowing
whether the overflow function will be called, so the call isn't dead
code and the warning attribute is activated.)
So this warning seems to only indicate "this is an unusual pattern,
maybe you should check it out" rather than "this is a bug".
I get 102(!) of these warnings with allyesconfig and the
__compiletime_object_size() gcc check removed. I don't know if there
are any real bugs hiding in there, but from looking at a small
sample, I didn't see any. According to Kees, it does sometimes find
real bugs. But the false positive rate seems high.
3) "Buffer overflow detected" runtime warning
This is a runtime warning where object size is const, and copy size >
object size.
All three warnings (both static and runtime) were completely disabled
for gcc 4.6 with the following commit:
2fb0815c9ee6 ("gcc4: disable __compiletime_object_size for GCC 4.6+")
That commit mistakenly assumed that the false positives were caused by a
gcc bug in __compiletime_object_size(). But in fact,
__compiletime_object_size() seems to be working fine. The false
positives were instead triggered by #2 above. (Though I don't have an
explanation for why the warnings supposedly only started showing up in
gcc 4.6.)
So remove warning #2 to get rid of all the false positives, and re-enable
warnings #1 and #3 by reverting the above commit.
Furthermore, since #1 is a real bug which is detected at compile time,
upgrade it to always be an error.
Having done all that, CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is no longer
needed.
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Byungchul Park <byungchul.park@lge.com>
Cc: Nilay Vaish <nilayvaish@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-08-30 20:04:16 +07:00
|
|
|
static inline void copy_user_overflow(int size, unsigned long count)
|
2013-10-21 15:43:57 +07:00
|
|
|
{
|
|
|
|
WARN(1, "Buffer overflow detected (%d < %lu)!\n", size, count);
|
|
|
|
}
|
|
|
|
|
2016-09-07 01:56:01 +07:00
|
|
|
static __always_inline unsigned long __must_check
|
2013-10-21 15:43:57 +07:00
|
|
|
copy_from_user(void *to, const void __user *from, unsigned long n)
|
|
|
|
{
|
|
|
|
int sz = __compiletime_object_size(to);
|
|
|
|
|
|
|
|
might_fault();
|
|
|
|
|
2016-05-21 06:59:31 +07:00
|
|
|
kasan_check_write(to, n);
|
|
|
|
|
2016-06-24 05:04:01 +07:00
|
|
|
if (likely(sz < 0 || sz >= n)) {
|
|
|
|
check_object_size(to, n, false);
|
2013-10-21 15:43:57 +07:00
|
|
|
n = _copy_from_user(to, from, n);
|
mm/usercopy: get rid of CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
There are three usercopy warnings which are currently being silenced for
gcc 4.6 and newer:
1) "copy_from_user() buffer size is too small" compile warning/error
This is a static warning which happens when object size and copy size
are both const, and copy size > object size. I didn't see any false
positives for this one. So the function warning attribute seems to
be working fine here.
Note this scenario is always a bug and so I think it should be
changed to *always* be an error, regardless of
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS.
2) "copy_from_user() buffer size is not provably correct" compile warning
This is another static warning which happens when I enable
__compiletime_object_size() for new compilers (and
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS). It happens when object size
is const, but copy size is *not*. In this case there's no way to
compare the two at build time, so it gives the warning. (Note the
warning is a byproduct of the fact that gcc has no way of knowing
whether the overflow function will be called, so the call isn't dead
code and the warning attribute is activated.)
So this warning seems to only indicate "this is an unusual pattern,
maybe you should check it out" rather than "this is a bug".
I get 102(!) of these warnings with allyesconfig and the
__compiletime_object_size() gcc check removed. I don't know if there
are any real bugs hiding in there, but from looking at a small
sample, I didn't see any. According to Kees, it does sometimes find
real bugs. But the false positive rate seems high.
3) "Buffer overflow detected" runtime warning
This is a runtime warning where object size is const, and copy size >
object size.
All three warnings (both static and runtime) were completely disabled
for gcc 4.6 with the following commit:
2fb0815c9ee6 ("gcc4: disable __compiletime_object_size for GCC 4.6+")
That commit mistakenly assumed that the false positives were caused by a
gcc bug in __compiletime_object_size(). But in fact,
__compiletime_object_size() seems to be working fine. The false
positives were instead triggered by #2 above. (Though I don't have an
explanation for why the warnings supposedly only started showing up in
gcc 4.6.)
So remove warning #2 to get rid of all the false positives, and re-enable
warnings #1 and #3 by reverting the above commit.
Furthermore, since #1 is a real bug which is detected at compile time,
upgrade it to always be an error.
Having done all that, CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is no longer
needed.
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Byungchul Park <byungchul.park@lge.com>
Cc: Nilay Vaish <nilayvaish@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-08-30 20:04:16 +07:00
|
|
|
} else if (!__builtin_constant_p(n))
|
|
|
|
copy_user_overflow(sz, n);
|
2013-10-21 15:43:57 +07:00
|
|
|
else
|
mm/usercopy: get rid of CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
There are three usercopy warnings which are currently being silenced for
gcc 4.6 and newer:
1) "copy_from_user() buffer size is too small" compile warning/error
This is a static warning which happens when object size and copy size
are both const, and copy size > object size. I didn't see any false
positives for this one. So the function warning attribute seems to
be working fine here.
Note this scenario is always a bug and so I think it should be
changed to *always* be an error, regardless of
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS.
2) "copy_from_user() buffer size is not provably correct" compile warning
This is another static warning which happens when I enable
__compiletime_object_size() for new compilers (and
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS). It happens when object size
is const, but copy size is *not*. In this case there's no way to
compare the two at build time, so it gives the warning. (Note the
warning is a byproduct of the fact that gcc has no way of knowing
whether the overflow function will be called, so the call isn't dead
code and the warning attribute is activated.)
So this warning seems to only indicate "this is an unusual pattern,
maybe you should check it out" rather than "this is a bug".
I get 102(!) of these warnings with allyesconfig and the
__compiletime_object_size() gcc check removed. I don't know if there
are any real bugs hiding in there, but from looking at a small
sample, I didn't see any. According to Kees, it does sometimes find
real bugs. But the false positive rate seems high.
3) "Buffer overflow detected" runtime warning
This is a runtime warning where object size is const, and copy size >
object size.
All three warnings (both static and runtime) were completely disabled
for gcc 4.6 with the following commit:
2fb0815c9ee6 ("gcc4: disable __compiletime_object_size for GCC 4.6+")
That commit mistakenly assumed that the false positives were caused by a
gcc bug in __compiletime_object_size(). But in fact,
__compiletime_object_size() seems to be working fine. The false
positives were instead triggered by #2 above. (Though I don't have an
explanation for why the warnings supposedly only started showing up in
gcc 4.6.)
So remove warning #2 to get rid of all the false positives, and re-enable
warnings #1 and #3 by reverting the above commit.
Furthermore, since #1 is a real bug which is detected at compile time,
upgrade it to always be an error.
Having done all that, CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is no longer
needed.
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Byungchul Park <byungchul.park@lge.com>
Cc: Nilay Vaish <nilayvaish@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-08-30 20:04:16 +07:00
|
|
|
__bad_copy_user();
|
2013-10-21 15:43:57 +07:00
|
|
|
|
|
|
|
return n;
|
|
|
|
}
|
|
|
|
|
2016-09-07 01:56:01 +07:00
|
|
|
static __always_inline unsigned long __must_check
|
2013-10-21 15:44:37 +07:00
|
|
|
copy_to_user(void __user *to, const void *from, unsigned long n)
|
|
|
|
{
|
|
|
|
int sz = __compiletime_object_size(from);
|
|
|
|
|
2016-05-21 06:59:31 +07:00
|
|
|
kasan_check_read(from, n);
|
|
|
|
|
2013-10-21 15:44:37 +07:00
|
|
|
might_fault();
|
|
|
|
|
2016-06-24 05:04:01 +07:00
|
|
|
if (likely(sz < 0 || sz >= n)) {
|
|
|
|
check_object_size(from, n, true);
|
2013-10-21 15:44:37 +07:00
|
|
|
n = _copy_to_user(to, from, n);
|
mm/usercopy: get rid of CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
There are three usercopy warnings which are currently being silenced for
gcc 4.6 and newer:
1) "copy_from_user() buffer size is too small" compile warning/error
This is a static warning which happens when object size and copy size
are both const, and copy size > object size. I didn't see any false
positives for this one. So the function warning attribute seems to
be working fine here.
Note this scenario is always a bug and so I think it should be
changed to *always* be an error, regardless of
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS.
2) "copy_from_user() buffer size is not provably correct" compile warning
This is another static warning which happens when I enable
__compiletime_object_size() for new compilers (and
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS). It happens when object size
is const, but copy size is *not*. In this case there's no way to
compare the two at build time, so it gives the warning. (Note the
warning is a byproduct of the fact that gcc has no way of knowing
whether the overflow function will be called, so the call isn't dead
code and the warning attribute is activated.)
So this warning seems to only indicate "this is an unusual pattern,
maybe you should check it out" rather than "this is a bug".
I get 102(!) of these warnings with allyesconfig and the
__compiletime_object_size() gcc check removed. I don't know if there
are any real bugs hiding in there, but from looking at a small
sample, I didn't see any. According to Kees, it does sometimes find
real bugs. But the false positive rate seems high.
3) "Buffer overflow detected" runtime warning
This is a runtime warning where object size is const, and copy size >
object size.
All three warnings (both static and runtime) were completely disabled
for gcc 4.6 with the following commit:
2fb0815c9ee6 ("gcc4: disable __compiletime_object_size for GCC 4.6+")
That commit mistakenly assumed that the false positives were caused by a
gcc bug in __compiletime_object_size(). But in fact,
__compiletime_object_size() seems to be working fine. The false
positives were instead triggered by #2 above. (Though I don't have an
explanation for why the warnings supposedly only started showing up in
gcc 4.6.)
So remove warning #2 to get rid of all the false positives, and re-enable
warnings #1 and #3 by reverting the above commit.
Furthermore, since #1 is a real bug which is detected at compile time,
upgrade it to always be an error.
Having done all that, CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is no longer
needed.
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Byungchul Park <byungchul.park@lge.com>
Cc: Nilay Vaish <nilayvaish@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-08-30 20:04:16 +07:00
|
|
|
} else if (!__builtin_constant_p(n))
|
|
|
|
copy_user_overflow(sz, n);
|
2013-10-21 15:44:37 +07:00
|
|
|
else
|
mm/usercopy: get rid of CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
There are three usercopy warnings which are currently being silenced for
gcc 4.6 and newer:
1) "copy_from_user() buffer size is too small" compile warning/error
This is a static warning which happens when object size and copy size
are both const, and copy size > object size. I didn't see any false
positives for this one. So the function warning attribute seems to
be working fine here.
Note this scenario is always a bug and so I think it should be
changed to *always* be an error, regardless of
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS.
2) "copy_from_user() buffer size is not provably correct" compile warning
This is another static warning which happens when I enable
__compiletime_object_size() for new compilers (and
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS). It happens when object size
is const, but copy size is *not*. In this case there's no way to
compare the two at build time, so it gives the warning. (Note the
warning is a byproduct of the fact that gcc has no way of knowing
whether the overflow function will be called, so the call isn't dead
code and the warning attribute is activated.)
So this warning seems to only indicate "this is an unusual pattern,
maybe you should check it out" rather than "this is a bug".
I get 102(!) of these warnings with allyesconfig and the
__compiletime_object_size() gcc check removed. I don't know if there
are any real bugs hiding in there, but from looking at a small
sample, I didn't see any. According to Kees, it does sometimes find
real bugs. But the false positive rate seems high.
3) "Buffer overflow detected" runtime warning
This is a runtime warning where object size is const, and copy size >
object size.
All three warnings (both static and runtime) were completely disabled
for gcc 4.6 with the following commit:
2fb0815c9ee6 ("gcc4: disable __compiletime_object_size for GCC 4.6+")
That commit mistakenly assumed that the false positives were caused by a
gcc bug in __compiletime_object_size(). But in fact,
__compiletime_object_size() seems to be working fine. The false
positives were instead triggered by #2 above. (Though I don't have an
explanation for why the warnings supposedly only started showing up in
gcc 4.6.)
So remove warning #2 to get rid of all the false positives, and re-enable
warnings #1 and #3 by reverting the above commit.
Furthermore, since #1 is a real bug which is detected at compile time,
upgrade it to always be an error.
Having done all that, CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is no longer
needed.
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Byungchul Park <byungchul.park@lge.com>
Cc: Nilay Vaish <nilayvaish@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-08-30 20:04:16 +07:00
|
|
|
__bad_copy_user();
|
2013-10-21 15:44:37 +07:00
|
|
|
|
|
|
|
return n;
|
|
|
|
}
|
|
|
|
|
2015-10-23 05:07:20 +07:00
|
|
|
/*
|
|
|
|
* We rely on the nested NMI work to allow atomic faults from the NMI path; the
|
|
|
|
* nested NMI paths are careful to preserve CR2.
|
|
|
|
*
|
|
|
|
* Caller must use pagefault_enable/disable, or run in interrupt context,
|
|
|
|
* and also do a uaccess_ok() check
|
|
|
|
*/
|
|
|
|
#define __copy_from_user_nmi __copy_from_user_inatomic
|
|
|
|
|
2015-12-18 00:57:27 +07:00
|
|
|
/*
|
|
|
|
* The "unsafe" user accesses aren't really "unsafe", but the naming
|
|
|
|
* is a big fat warning: you have to not only do the access_ok()
|
|
|
|
* checking before using them, but you have to surround them with the
|
|
|
|
* user_access_begin/end() pair.
|
|
|
|
*/
|
|
|
|
#define user_access_begin() __uaccess_begin()
|
|
|
|
#define user_access_end() __uaccess_end()
|
|
|
|
|
unsafe_[get|put]_user: change interface to use a error target label
When I initially added the unsafe_[get|put]_user() helpers in commit
5b24a7a2aa20 ("Add 'unsafe' user access functions for batched
accesses"), I made the mistake of modeling the interface on our
traditional __[get|put]_user() functions, which return zero on success,
or -EFAULT on failure.
That interface is fairly easy to use, but it's actually fairly nasty for
good code generation, since it essentially forces the caller to check
the error value for each access.
In particular, since the error handling is already internally
implemented with an exception handler, and we already use "asm goto" for
various other things, we could fairly easily make the error cases just
jump directly to an error label instead, and avoid the need for explicit
checking after each operation.
So switch the interface to pass in an error label, rather than checking
the error value in the caller. Best do it now before we start growing
more users (the signal handling code in particular would be a good place
to use the new interface).
So rather than
if (unsafe_get_user(x, ptr))
... handle error ..
the interface is now
unsafe_get_user(x, ptr, label);
where an error during the user mode fetch will now just cause a jump to
'label' in the caller.
Right now the actual _implementation_ of this all still ends up being a
"if (err) goto label", and does not take advantage of any exception
label tricks, but for "unsafe_put_user()" in particular it should be
fairly straightforward to convert to using the exception table model.
Note that "unsafe_get_user()" is much harder to convert to a clever
exception table model, because current versions of gcc do not allow the
use of "asm goto" (for the exception) with output values (for the actual
value to be fetched). But that is hopefully not a limitation in the
long term.
[ Also note that it might be a good idea to switch unsafe_get_user() to
actually _return_ the value it fetches from user space, but this
commit only changes the error handling semantics ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-08-09 03:02:01 +07:00
|
|
|
#define unsafe_put_user(x, ptr, err_label) \
|
|
|
|
do { \
|
2015-12-18 00:57:27 +07:00
|
|
|
int __pu_err; \
|
|
|
|
__put_user_size((x), (ptr), sizeof(*(ptr)), __pu_err, -EFAULT); \
|
unsafe_[get|put]_user: change interface to use a error target label
When I initially added the unsafe_[get|put]_user() helpers in commit
5b24a7a2aa20 ("Add 'unsafe' user access functions for batched
accesses"), I made the mistake of modeling the interface on our
traditional __[get|put]_user() functions, which return zero on success,
or -EFAULT on failure.
That interface is fairly easy to use, but it's actually fairly nasty for
good code generation, since it essentially forces the caller to check
the error value for each access.
In particular, since the error handling is already internally
implemented with an exception handler, and we already use "asm goto" for
various other things, we could fairly easily make the error cases just
jump directly to an error label instead, and avoid the need for explicit
checking after each operation.
So switch the interface to pass in an error label, rather than checking
the error value in the caller. Best do it now before we start growing
more users (the signal handling code in particular would be a good place
to use the new interface).
So rather than
if (unsafe_get_user(x, ptr))
... handle error ..
the interface is now
unsafe_get_user(x, ptr, label);
where an error during the user mode fetch will now just cause a jump to
'label' in the caller.
Right now the actual _implementation_ of this all still ends up being a
"if (err) goto label", and does not take advantage of any exception
label tricks, but for "unsafe_put_user()" in particular it should be
fairly straightforward to convert to using the exception table model.
Note that "unsafe_get_user()" is much harder to convert to a clever
exception table model, because current versions of gcc do not allow the
use of "asm goto" (for the exception) with output values (for the actual
value to be fetched). But that is hopefully not a limitation in the
long term.
[ Also note that it might be a good idea to switch unsafe_get_user() to
actually _return_ the value it fetches from user space, but this
commit only changes the error handling semantics ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-08-09 03:02:01 +07:00
|
|
|
if (unlikely(__pu_err)) goto err_label; \
|
|
|
|
} while (0)
|
2015-12-18 00:57:27 +07:00
|
|
|
|
unsafe_[get|put]_user: change interface to use a error target label
When I initially added the unsafe_[get|put]_user() helpers in commit
5b24a7a2aa20 ("Add 'unsafe' user access functions for batched
accesses"), I made the mistake of modeling the interface on our
traditional __[get|put]_user() functions, which return zero on success,
or -EFAULT on failure.
That interface is fairly easy to use, but it's actually fairly nasty for
good code generation, since it essentially forces the caller to check
the error value for each access.
In particular, since the error handling is already internally
implemented with an exception handler, and we already use "asm goto" for
various other things, we could fairly easily make the error cases just
jump directly to an error label instead, and avoid the need for explicit
checking after each operation.
So switch the interface to pass in an error label, rather than checking
the error value in the caller. Best do it now before we start growing
more users (the signal handling code in particular would be a good place
to use the new interface).
So rather than
if (unsafe_get_user(x, ptr))
... handle error ..
the interface is now
unsafe_get_user(x, ptr, label);
where an error during the user mode fetch will now just cause a jump to
'label' in the caller.
Right now the actual _implementation_ of this all still ends up being a
"if (err) goto label", and does not take advantage of any exception
label tricks, but for "unsafe_put_user()" in particular it should be
fairly straightforward to convert to using the exception table model.
Note that "unsafe_get_user()" is much harder to convert to a clever
exception table model, because current versions of gcc do not allow the
use of "asm goto" (for the exception) with output values (for the actual
value to be fetched). But that is hopefully not a limitation in the
long term.
[ Also note that it might be a good idea to switch unsafe_get_user() to
actually _return_ the value it fetches from user space, but this
commit only changes the error handling semantics ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-08-09 03:02:01 +07:00
|
|
|
#define unsafe_get_user(x, ptr, err_label) \
|
|
|
|
do { \
|
2015-12-18 00:57:27 +07:00
|
|
|
int __gu_err; \
|
|
|
|
unsigned long __gu_val; \
|
|
|
|
__get_user_size(__gu_val, (ptr), sizeof(*(ptr)), __gu_err, -EFAULT); \
|
|
|
|
(x) = (__force __typeof__(*(ptr)))__gu_val; \
|
unsafe_[get|put]_user: change interface to use a error target label
When I initially added the unsafe_[get|put]_user() helpers in commit
5b24a7a2aa20 ("Add 'unsafe' user access functions for batched
accesses"), I made the mistake of modeling the interface on our
traditional __[get|put]_user() functions, which return zero on success,
or -EFAULT on failure.
That interface is fairly easy to use, but it's actually fairly nasty for
good code generation, since it essentially forces the caller to check
the error value for each access.
In particular, since the error handling is already internally
implemented with an exception handler, and we already use "asm goto" for
various other things, we could fairly easily make the error cases just
jump directly to an error label instead, and avoid the need for explicit
checking after each operation.
So switch the interface to pass in an error label, rather than checking
the error value in the caller. Best do it now before we start growing
more users (the signal handling code in particular would be a good place
to use the new interface).
So rather than
if (unsafe_get_user(x, ptr))
... handle error ..
the interface is now
unsafe_get_user(x, ptr, label);
where an error during the user mode fetch will now just cause a jump to
'label' in the caller.
Right now the actual _implementation_ of this all still ends up being a
"if (err) goto label", and does not take advantage of any exception
label tricks, but for "unsafe_put_user()" in particular it should be
fairly straightforward to convert to using the exception table model.
Note that "unsafe_get_user()" is much harder to convert to a clever
exception table model, because current versions of gcc do not allow the
use of "asm goto" (for the exception) with output values (for the actual
value to be fetched). But that is hopefully not a limitation in the
long term.
[ Also note that it might be a good idea to switch unsafe_get_user() to
actually _return_ the value it fetches from user space, but this
commit only changes the error handling semantics ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-08-09 03:02:01 +07:00
|
|
|
if (unlikely(__gu_err)) goto err_label; \
|
|
|
|
} while (0)
|
2015-12-18 00:57:27 +07:00
|
|
|
|
2008-10-23 12:26:29 +07:00
|
|
|
#endif /* _ASM_X86_UACCESS_H */
|
x86: lockless get_user_pages_fast()
Implement get_user_pages_fast without locking in the fastpath on x86.
Do an optimistic lockless pagetable walk, without taking mmap_sem or any
page table locks or even mmap_sem. Page table existence is guaranteed by
turning interrupts off (combined with the fact that we're always looking
up the current mm, means we can do the lockless page table walk within the
constraints of the TLB shootdown design). Basically we can do this
lockless pagetable walk in a similar manner to the way the CPU's pagetable
walker does not have to take any locks to find present ptes.
This patch (combined with the subsequent ones to convert direct IO to use
it) was found to give about 10% performance improvement on a 2 socket 8
core Intel Xeon system running an OLTP workload on DB2 v9.5
"To test the effects of the patch, an OLTP workload was run on an IBM
x3850 M2 server with 2 processors (quad-core Intel Xeon processors at
2.93 GHz) using IBM DB2 v9.5 running Linux 2.6.24rc7 kernel. Comparing
runs with and without the patch resulted in an overall performance
benefit of ~9.8%. Correspondingly, oprofiles showed that samples from
__up_read and __down_read routines that is seen during thread contention
for system resources was reduced from 2.8% down to .05%. Monitoring the
/proc/vmstat output from the patched run showed that the counter for
fast_gup contained a very high number while the fast_gup_slow value was
zero."
(fast_gup is the old name for get_user_pages_fast, fast_gup_slow is a
counter we had for the number of times the slowpath was invoked).
The main reason for the improvement is that DB2 has multiple threads each
issuing direct-IO. Direct-IO uses get_user_pages, and thus the threads
contend the mmap_sem cacheline, and can also contend on page table locks.
I would anticipate larger performance gains on larger systems, however I
think DB2 uses an adaptive mix of threads and processes, so it could be
that thread contention remains pretty constant as machine size increases.
In which case, we stuck with "only" a 10% gain.
The downside of using get_user_pages_fast is that if there is not a pte
with the correct permissions for the access, we end up falling back to
get_user_pages and so the get_user_pages_fast is a bit of extra work.
However this should not be the common case in most performance critical
code.
[akpm@linux-foundation.org: coding-style fixes]
[akpm@linux-foundation.org: build fix]
[akpm@linux-foundation.org: Kconfig fix]
[akpm@linux-foundation.org: Makefile fix/cleanup]
[akpm@linux-foundation.org: warning fix]
Signed-off-by: Nick Piggin <npiggin@suse.de>
Cc: Dave Kleikamp <shaggy@austin.ibm.com>
Cc: Andy Whitcroft <apw@shadowen.org>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Dave Kleikamp <shaggy@austin.ibm.com>
Cc: Badari Pulavarty <pbadari@us.ibm.com>
Cc: Zach Brown <zach.brown@oracle.com>
Cc: Jens Axboe <jens.axboe@oracle.com>
Reviewed-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-07-26 09:45:24 +07:00
|
|
|
|