[mirror_ubuntu-jammy-kernel.git] / mm / maccess.c

// SPDX-License-Identifier: GPL-2.0-only
/*
 * Access kernel memory without faulting.
 */
#include <linux/export.h>
#include <linux/mm.h>
#include <linux/uaccess.h>

static __always_inline long
probe_read_common(void *dst, const void __user *src, size_t size)
{
	long ret;

	pagefault_disable();
	ret = __copy_from_user_inatomic(dst, src, size);
	pagefault_enable();

	return ret ? -EFAULT : 0;
}

static __always_inline long
probe_write_common(void __user *dst, const void *src, size_t size)
{
	long ret;

	pagefault_disable();
	ret = __copy_to_user_inatomic(dst, src, size);
	pagefault_enable();

	return ret ? -EFAULT : 0;
}

/**
 * probe_kernel_read(): safely attempt to read from a kernel-space location
 * @dst: pointer to the buffer that shall take the data
 * @src: address to read from
 * @size: size of the data chunk
 *
 * Safely read from address @src to the buffer at @dst.  If a kernel fault
 * happens, handle that and return -EFAULT.
 *
 * We ensure that the copy_from_user is executed in atomic context so that
 * do_page_fault() doesn't attempt to take mmap_sem.  This makes
 * probe_kernel_read() suitable for use within regions where the caller
 * already holds mmap_sem, or other locks which nest inside mmap_sem.
 *
 * probe_kernel_read_strict() is the same as probe_kernel_read() except for
 * the case where architectures have non-overlapping user and kernel address
 * ranges: probe_kernel_read_strict() will additionally return -EFAULT for
 * probing memory on a user address range where probe_user_read() is supposed
 * to be used instead.
 */

long __weak probe_kernel_read(void *dst, const void *src, size_t size)
    __attribute__((alias("__probe_kernel_read")));

long __weak probe_kernel_read_strict(void *dst, const void *src, size_t size)
    __attribute__((alias("__probe_kernel_read")));

long __probe_kernel_read(void *dst, const void *src, size_t size)
{
	long ret;
	mm_segment_t old_fs = get_fs();

	set_fs(KERNEL_DS);
	ret = probe_read_common(dst, (__force const void __user *)src, size);
	set_fs(old_fs);

	return ret;
}
EXPORT_SYMBOL_GPL(probe_kernel_read);

/**
 * probe_user_read(): safely attempt to read from a user-space location
 * @dst: pointer to the buffer that shall take the data
 * @src: address to read from. This must be a user address.
 * @size: size of the data chunk
 *
 * Safely read from user address @src to the buffer at @dst. If a kernel fault
 * happens, handle that and return -EFAULT.
 */

long __weak probe_user_read(void *dst, const void __user *src, size_t size)
    __attribute__((alias("__probe_user_read")));

long __probe_user_read(void *dst, const void __user *src, size_t size)
{
	long ret = -EFAULT;
	mm_segment_t old_fs = get_fs();

	set_fs(USER_DS);
	if (access_ok(src, size))
		ret = probe_read_common(dst, src, size);
	set_fs(old_fs);

	return ret;
}
EXPORT_SYMBOL_GPL(probe_user_read);

/**
 * probe_kernel_write(): safely attempt to write to a location
 * @dst: address to write to
 * @src: pointer to the data that shall be written
 * @size: size of the data chunk
 *
 * Safely write to address @dst from the buffer at @src.  If a kernel fault
 * happens, handle that and return -EFAULT.
 */

long __weak probe_kernel_write(void *dst, const void *src, size_t size)
    __attribute__((alias("__probe_kernel_write")));

long __probe_kernel_write(void *dst, const void *src, size_t size)
{
	long ret;
	mm_segment_t old_fs = get_fs();

	set_fs(KERNEL_DS);
	ret = probe_write_common((__force void __user *)dst, src, size);
	set_fs(old_fs);

	return ret;
}
EXPORT_SYMBOL_GPL(probe_kernel_write);

/**
 * probe_user_write(): safely attempt to write to a user-space location
 * @dst: address to write to
 * @src: pointer to the data that shall be written
 * @size: size of the data chunk
 *
 * Safely write to address @dst from the buffer at @src.  If a kernel fault
 * happens, handle that and return -EFAULT.
 */

long __weak probe_user_write(void __user *dst, const void *src, size_t size)
    __attribute__((alias("__probe_user_write")));

long __probe_user_write(void __user *dst, const void *src, size_t size)
{
	long ret = -EFAULT;
	mm_segment_t old_fs = get_fs();

	set_fs(USER_DS);
	if (access_ok(dst, size))
		ret = probe_write_common(dst, src, size);
	set_fs(old_fs);

	return ret;
}
EXPORT_SYMBOL_GPL(probe_user_write);

/**
 * strncpy_from_unsafe: - Copy a NUL terminated string from unsafe address.
 * @dst:   Destination address, in kernel space.  This buffer must be at
 *         least @count bytes long.
 * @unsafe_addr: Unsafe address.
 * @count: Maximum number of bytes to copy, including the trailing NUL.
 *
 * Copies a NUL-terminated string from unsafe address to kernel buffer.
 *
 * On success, returns the length of the string INCLUDING the trailing NUL.
 *
 * If access fails, returns -EFAULT (some data may have been copied
 * and the trailing NUL added).
 *
 * If @count is smaller than the length of the string, copies @count-1 bytes,
 * sets the last byte of @dst buffer to NUL and returns @count.
 *
 * strncpy_from_unsafe_strict() is the same as strncpy_from_unsafe() except
 * for the case where architectures have non-overlapping user and kernel address
 * ranges: strncpy_from_unsafe_strict() will additionally return -EFAULT for
 * probing memory on a user address range where strncpy_from_unsafe_user() is
 * supposed to be used instead.
 */

long __weak strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count)
    __attribute__((alias("__strncpy_from_unsafe")));

long __weak strncpy_from_unsafe_strict(char *dst, const void *unsafe_addr,
				       long count)
    __attribute__((alias("__strncpy_from_unsafe")));

long __strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count)
{
	mm_segment_t old_fs = get_fs();
	const void *src = unsafe_addr;
	long ret;

	if (unlikely(count <= 0))
		return 0;

	set_fs(KERNEL_DS);
	pagefault_disable();

	do {
		ret = __get_user(*dst++, (const char __user __force *)src++);
	} while (dst[-1] && ret == 0 && src - unsafe_addr < count);

	dst[-1] = '\0';
	pagefault_enable();
	set_fs(old_fs);

	return ret ? -EFAULT : src - unsafe_addr;
}

/**
 * strncpy_from_unsafe_user: - Copy a NUL terminated string from unsafe user
 *				address.
 * @dst:   Destination address, in kernel space.  This buffer must be at
 *         least @count bytes long.
 * @unsafe_addr: Unsafe user address.
 * @count: Maximum number of bytes to copy, including the trailing NUL.
 *
 * Copies a NUL-terminated string from unsafe user address to kernel buffer.
 *
 * On success, returns the length of the string INCLUDING the trailing NUL.
 *
 * If access fails, returns -EFAULT (some data may have been copied
 * and the trailing NUL added).
 *
 * If @count is smaller than the length of the string, copies @count-1 bytes,
 * sets the last byte of @dst buffer to NUL and returns @count.
 */
long strncpy_from_unsafe_user(char *dst, const void __user *unsafe_addr,
			      long count)
{
	mm_segment_t old_fs = get_fs();
	long ret;

	if (unlikely(count <= 0))
		return 0;

	set_fs(USER_DS);
	pagefault_disable();
	ret = strncpy_from_user(dst, unsafe_addr, count);
	pagefault_enable();
	set_fs(old_fs);

	if (ret >= count) {
		ret = count;
		dst[ret - 1] = '\0';
	} else if (ret > 0) {
		ret++;
	}

	return ret;
}

/**
 * strnlen_unsafe_user: - Get the size of a user string INCLUDING final NUL.
 * @unsafe_addr: The string to measure.
 * @count: Maximum count (including NUL)
 *
 * Get the size of a NUL-terminated string in user space without pagefault.
 *
 * Returns the size of the string INCLUDING the terminating NUL.
 *
 * If the string is too long, returns a number larger than @count. User
 * has to check the return value against "> count".
 * On exception (or invalid count), returns 0.
 *
 * Unlike strnlen_user, this can be used from IRQ handler etc. because
 * it disables pagefaults.
 */
long strnlen_unsafe_user(const void __user *unsafe_addr, long count)
{
	mm_segment_t old_fs = get_fs();
	int ret;

	set_fs(USER_DS);
	pagefault_disable();
	ret = strnlen_user(unsafe_addr, count);
	pagefault_enable();
	set_fs(old_fs);

	return ret;
}
Commit	Line	Data
457c8996	1	// SPDX-License-Identifier: GPL-2.0-only
c33fa9f5 IM	2	/*
	3	* Access kernel memory without faulting.
	4	*/
b95f1b31	5	#include <linux/export.h>
c33fa9f5	6	#include <linux/mm.h>
7c7fcf76	7	#include <linux/uaccess.h>
c33fa9f5	8
3d708182 MH	9	static __always_inline long
	10	probe_read_common(void dst, const void __user src, size_t size)
	11	{
	12	long ret;
	13
	14	pagefault_disable();
	15	ret = __copy_from_user_inatomic(dst, src, size);
	16	pagefault_enable();
	17
	18	return ret ? -EFAULT : 0;
	19	}
	20
1d1585ca DB	21	static __always_inline long
	22	probe_write_common(void __user dst, const void src, size_t size)
	23	{
	24	long ret;
	25
	26	pagefault_disable();
	27	ret = __copy_to_user_inatomic(dst, src, size);
	28	pagefault_enable();
	29
	30	return ret ? -EFAULT : 0;
	31	}
	32
c33fa9f5	33	/**
3d708182	34	* probe_kernel_read(): safely attempt to read from a kernel-space location
c33fa9f5 IM	35	* @dst: pointer to the buffer that shall take the data
	36	* @src: address to read from
	37	* @size: size of the data chunk
	38	*
	39	* Safely read from address @src to the buffer at @dst. If a kernel fault
	40	* happens, handle that and return -EFAULT.
0ab32b6f AM	41	*
	42	* We ensure that the copy_from_user is executed in atomic context so that
	43	* do_page_fault() doesn't attempt to take mmap_sem. This makes
	44	* probe_kernel_read() suitable for use within regions where the caller
	45	* already holds mmap_sem, or other locks which nest inside mmap_sem.
75a1a607 DB	46	*
	47	* probe_kernel_read_strict() is the same as probe_kernel_read() except for
	48	* the case where architectures have non-overlapping user and kernel address
	49	* ranges: probe_kernel_read_strict() will additionally return -EFAULT for
	50	* probing memory on a user address range where probe_user_read() is supposed
	51	* to be used instead.
c33fa9f5	52	*/
6144a85a	53
f29c5041	54	long __weak probe_kernel_read(void dst, const void src, size_t size)
6144a85a JW	55	__attribute__((alias("__probe_kernel_read")));
6144a85a JW	56
75a1a607 DB	57	long __weak probe_kernel_read_strict(void dst, const void src, size_t size)
	58	__attribute__((alias("__probe_kernel_read")));
	59
f29c5041	60	long __probe_kernel_read(void dst, const void src, size_t size)
c33fa9f5 IM	61	{
c33fa9f5 IM	62	long ret;
b4b8ac52	63	mm_segment_t old_fs = get_fs();
c33fa9f5	64
b4b8ac52	65	set_fs(KERNEL_DS);
3d708182	66	ret = probe_read_common(dst, (__force const void __user *)src, size);
b4b8ac52	67	set_fs(old_fs);
c33fa9f5	68
3d708182	69	return ret;
c33fa9f5 IM	70	}
	71	EXPORT_SYMBOL_GPL(probe_kernel_read);
	72
3d708182 MH	73	/**
	74	* probe_user_read(): safely attempt to read from a user-space location
	75	* @dst: pointer to the buffer that shall take the data
	76	* @src: address to read from. This must be a user address.
	77	* @size: size of the data chunk
	78	*
	79	* Safely read from user address @src to the buffer at @dst. If a kernel fault
	80	* happens, handle that and return -EFAULT.
	81	*/
	82
	83	long __weak probe_user_read(void dst, const void __user src, size_t size)
	84	__attribute__((alias("__probe_user_read")));
	85
	86	long __probe_user_read(void dst, const void __user src, size_t size)
	87	{
	88	long ret = -EFAULT;
	89	mm_segment_t old_fs = get_fs();
	90
	91	set_fs(USER_DS);
	92	if (access_ok(src, size))
	93	ret = probe_read_common(dst, src, size);
	94	set_fs(old_fs);
	95
	96	return ret;
	97	}
	98	EXPORT_SYMBOL_GPL(probe_user_read);
	99
c33fa9f5 IM	100	/**
	101	* probe_kernel_write(): safely attempt to write to a location
	102	* @dst: address to write to
	103	* @src: pointer to the data that shall be written
	104	* @size: size of the data chunk
	105	*
	106	* Safely write to address @dst from the buffer at @src. If a kernel fault
	107	* happens, handle that and return -EFAULT.
	108	*/
1d1585ca	109
f29c5041	110	long __weak probe_kernel_write(void dst, const void src, size_t size)
6144a85a JW	111	__attribute__((alias("__probe_kernel_write")));
6144a85a JW	112
f29c5041	113	long __probe_kernel_write(void dst, const void src, size_t size)
c33fa9f5 IM	114	{
c33fa9f5 IM	115	long ret;
b4b8ac52	116	mm_segment_t old_fs = get_fs();
c33fa9f5	117
b4b8ac52	118	set_fs(KERNEL_DS);
1d1585ca	119	ret = probe_write_common((__force void __user *)dst, src, size);
b4b8ac52	120	set_fs(old_fs);
c33fa9f5	121
1d1585ca	122	return ret;
c33fa9f5 IM	123	}
c33fa9f5 IM	124	EXPORT_SYMBOL_GPL(probe_kernel_write);
dbb7ee0e	125
1d1585ca DB	126	/**
	127	* probe_user_write(): safely attempt to write to a user-space location
	128	* @dst: address to write to
	129	* @src: pointer to the data that shall be written
	130	* @size: size of the data chunk
	131	*
	132	* Safely write to address @dst from the buffer at @src. If a kernel fault
	133	* happens, handle that and return -EFAULT.
	134	*/
	135
	136	long __weak probe_user_write(void __user dst, const void src, size_t size)
	137	__attribute__((alias("__probe_user_write")));
	138
	139	long __probe_user_write(void __user dst, const void src, size_t size)
	140	{
	141	long ret = -EFAULT;
	142	mm_segment_t old_fs = get_fs();
	143
	144	set_fs(USER_DS);
	145	if (access_ok(dst, size))
	146	ret = probe_write_common(dst, src, size);
	147	set_fs(old_fs);
	148
	149	return ret;
	150	}
	151	EXPORT_SYMBOL_GPL(probe_user_write);
3d708182	152
dbb7ee0e AS	153	/**
	154	* strncpy_from_unsafe: - Copy a NUL terminated string from unsafe address.
	155	* @dst: Destination address, in kernel space. This buffer must be at
	156	* least @count bytes long.
f144c390	157	* @unsafe_addr: Unsafe address.
dbb7ee0e AS	158	* @count: Maximum number of bytes to copy, including the trailing NUL.
	159	*
	160	* Copies a NUL-terminated string from unsafe address to kernel buffer.
	161	*
	162	* On success, returns the length of the string INCLUDING the trailing NUL.
	163	*
	164	* If access fails, returns -EFAULT (some data may have been copied
	165	* and the trailing NUL added).
	166	*
	167	* If @count is smaller than the length of the string, copies @count-1 bytes,
	168	* sets the last byte of @dst buffer to NUL and returns @count.
75a1a607 DB	169	*
	170	* strncpy_from_unsafe_strict() is the same as strncpy_from_unsafe() except
	171	* for the case where architectures have non-overlapping user and kernel address
	172	* ranges: strncpy_from_unsafe_strict() will additionally return -EFAULT for
	173	* probing memory on a user address range where strncpy_from_unsafe_user() is
	174	* supposed to be used instead.
dbb7ee0e	175	*/
75a1a607 DB	176
	177	long __weak strncpy_from_unsafe(char dst, const void unsafe_addr, long count)
	178	__attribute__((alias("__strncpy_from_unsafe")));
	179
	180	long __weak strncpy_from_unsafe_strict(char dst, const void unsafe_addr,
	181	long count)
	182	__attribute__((alias("__strncpy_from_unsafe")));
	183
	184	long __strncpy_from_unsafe(char dst, const void unsafe_addr, long count)
dbb7ee0e AS	185	{
	186	mm_segment_t old_fs = get_fs();
	187	const void *src = unsafe_addr;
	188	long ret;
	189
	190	if (unlikely(count <= 0))
	191	return 0;
	192
	193	set_fs(KERNEL_DS);
	194	pagefault_disable();
	195
	196	do {
bd28b145	197	ret = __get_user(dst++, (const char __user __force )src++);
dbb7ee0e AS	198	} while (dst[-1] && ret == 0 && src - unsafe_addr < count);
	199
	200	dst[-1] = '\0';
	201	pagefault_enable();
	202	set_fs(old_fs);
	203
9dd861d5	204	return ret ? -EFAULT : src - unsafe_addr;
dbb7ee0e	205	}
3d708182 MH	206
	207	/**
	208	* strncpy_from_unsafe_user: - Copy a NUL terminated string from unsafe user
	209	* address.
	210	* @dst: Destination address, in kernel space. This buffer must be at
	211	* least @count bytes long.
	212	* @unsafe_addr: Unsafe user address.
	213	* @count: Maximum number of bytes to copy, including the trailing NUL.
	214	*
	215	* Copies a NUL-terminated string from unsafe user address to kernel buffer.
	216	*
	217	* On success, returns the length of the string INCLUDING the trailing NUL.
	218	*
	219	* If access fails, returns -EFAULT (some data may have been copied
	220	* and the trailing NUL added).
	221	*
	222	* If @count is smaller than the length of the string, copies @count-1 bytes,
	223	* sets the last byte of @dst buffer to NUL and returns @count.
	224	*/
	225	long strncpy_from_unsafe_user(char dst, const void __user unsafe_addr,
	226	long count)
	227	{
	228	mm_segment_t old_fs = get_fs();
	229	long ret;
	230
	231	if (unlikely(count <= 0))
	232	return 0;
	233
	234	set_fs(USER_DS);
	235	pagefault_disable();
	236	ret = strncpy_from_user(dst, unsafe_addr, count);
	237	pagefault_enable();
	238	set_fs(old_fs);
	239
	240	if (ret >= count) {
	241	ret = count;
	242	dst[ret - 1] = '\0';
	243	} else if (ret > 0) {
	244	ret++;
	245	}
	246
	247	return ret;
	248	}
	249
	250	/**
	251	* strnlen_unsafe_user: - Get the size of a user string INCLUDING final NUL.
	252	* @unsafe_addr: The string to measure.
	253	* @count: Maximum count (including NUL)
	254	*
	255	* Get the size of a NUL-terminated string in user space without pagefault.
	256	*
	257	* Returns the size of the string INCLUDING the terminating NUL.
	258	*
	259	* If the string is too long, returns a number larger than @count. User
	260	* has to check the return value against "> count".
	261	* On exception (or invalid count), returns 0.
	262	*
	263	* Unlike strnlen_user, this can be used from IRQ handler etc. because
	264	* it disables pagefaults.
	265	*/
	266	long strnlen_unsafe_user(const void __user *unsafe_addr, long count)
	267	{
	268	mm_segment_t old_fs = get_fs();
	269	int ret;
270
271	set_fs(USER_DS);
272	pagefault_disable();
273	ret = strnlen_user(unsafe_addr, count);
274	pagefault_enable();
275	set_fs(old_fs);
276
277	return ret;
278	}