[mirror_ubuntu-hirsute-kernel.git] / mm / maccess.c

// SPDX-License-Identifier: GPL-2.0-only
/*
 * Access kernel memory without faulting.
 */
#include <linux/export.h>
#include <linux/mm.h>
#include <linux/uaccess.h>

static __always_inline long
probe_read_common(void *dst, const void __user *src, size_t size)
{
	long ret;

	pagefault_disable();
	ret = __copy_from_user_inatomic(dst, src, size);
	pagefault_enable();

	return ret ? -EFAULT : 0;
}

static __always_inline long
probe_write_common(void __user *dst, const void *src, size_t size)
{
	long ret;

	pagefault_disable();
	ret = __copy_to_user_inatomic(dst, src, size);
	pagefault_enable();

	return ret ? -EFAULT : 0;
}

/**
 * probe_kernel_read(): safely attempt to read from a kernel-space location
 * @dst: pointer to the buffer that shall take the data
 * @src: address to read from
 * @size: size of the data chunk
 *
 * Safely read from address @src to the buffer at @dst.  If a kernel fault
 * happens, handle that and return -EFAULT.
 *
 * We ensure that the copy_from_user is executed in atomic context so that
 * do_page_fault() doesn't attempt to take mmap_lock.  This makes
 * probe_kernel_read() suitable for use within regions where the caller
 * already holds mmap_lock, or other locks which nest inside mmap_lock.
 *
 * probe_kernel_read_strict() is the same as probe_kernel_read() except for
 * the case where architectures have non-overlapping user and kernel address
 * ranges: probe_kernel_read_strict() will additionally return -EFAULT for
 * probing memory on a user address range where probe_user_read() is supposed
 * to be used instead.
 */

long __weak probe_kernel_read(void *dst, const void *src, size_t size)
    __attribute__((alias("__probe_kernel_read")));

long __weak probe_kernel_read_strict(void *dst, const void *src, size_t size)
    __attribute__((alias("__probe_kernel_read")));

long __probe_kernel_read(void *dst, const void *src, size_t size)
{
	long ret;
	mm_segment_t old_fs = get_fs();

	set_fs(KERNEL_DS);
	ret = probe_read_common(dst, (__force const void __user *)src, size);
	set_fs(old_fs);

	return ret;
}
EXPORT_SYMBOL_GPL(probe_kernel_read);

/**
 * probe_user_read(): safely attempt to read from a user-space location
 * @dst: pointer to the buffer that shall take the data
 * @src: address to read from. This must be a user address.
 * @size: size of the data chunk
 *
 * Safely read from user address @src to the buffer at @dst. If a kernel fault
 * happens, handle that and return -EFAULT.
 */
long probe_user_read(void *dst, const void __user *src, size_t size)
{
	long ret = -EFAULT;
	mm_segment_t old_fs = get_fs();

	set_fs(USER_DS);
	if (access_ok(src, size))
		ret = probe_read_common(dst, src, size);
	set_fs(old_fs);

	return ret;
}
EXPORT_SYMBOL_GPL(probe_user_read);

/**
 * probe_kernel_write(): safely attempt to write to a location
 * @dst: address to write to
 * @src: pointer to the data that shall be written
 * @size: size of the data chunk
 *
 * Safely write to address @dst from the buffer at @src.  If a kernel fault
 * happens, handle that and return -EFAULT.
 */
long probe_kernel_write(void *dst, const void *src, size_t size)
{
	long ret;
	mm_segment_t old_fs = get_fs();

	set_fs(KERNEL_DS);
	ret = probe_write_common((__force void __user *)dst, src, size);
	set_fs(old_fs);

	return ret;
}

/**
 * probe_user_write(): safely attempt to write to a user-space location
 * @dst: address to write to
 * @src: pointer to the data that shall be written
 * @size: size of the data chunk
 *
 * Safely write to address @dst from the buffer at @src.  If a kernel fault
 * happens, handle that and return -EFAULT.
 */
long probe_user_write(void __user *dst, const void *src, size_t size)
{
	long ret = -EFAULT;
	mm_segment_t old_fs = get_fs();

	set_fs(USER_DS);
	if (access_ok(dst, size))
		ret = probe_write_common(dst, src, size);
	set_fs(old_fs);

	return ret;
}
EXPORT_SYMBOL_GPL(probe_user_write);

/**
 * strncpy_from_unsafe: - Copy a NUL terminated string from unsafe address.
 * @dst:   Destination address, in kernel space.  This buffer must be at
 *         least @count bytes long.
 * @unsafe_addr: Unsafe address.
 * @count: Maximum number of bytes to copy, including the trailing NUL.
 *
 * Copies a NUL-terminated string from unsafe address to kernel buffer.
 *
 * On success, returns the length of the string INCLUDING the trailing NUL.
 *
 * If access fails, returns -EFAULT (some data may have been copied
 * and the trailing NUL added).
 *
 * If @count is smaller than the length of the string, copies @count-1 bytes,
 * sets the last byte of @dst buffer to NUL and returns @count.
 *
 * strncpy_from_unsafe_strict() is the same as strncpy_from_unsafe() except
 * for the case where architectures have non-overlapping user and kernel address
 * ranges: strncpy_from_unsafe_strict() will additionally return -EFAULT for
 * probing memory on a user address range where strncpy_from_unsafe_user() is
 * supposed to be used instead.
 */
long __weak strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count)
    __attribute__((alias("__strncpy_from_unsafe")));

long __weak strncpy_from_unsafe_strict(char *dst, const void *unsafe_addr,
				       long count)
    __attribute__((alias("__strncpy_from_unsafe")));

long __strncpy_from_unsafe(char *dst, const void *unsafe_addr, long count)
{
	mm_segment_t old_fs = get_fs();
	const void *src = unsafe_addr;
	long ret;

	if (unlikely(count <= 0))
		return 0;

	set_fs(KERNEL_DS);
	pagefault_disable();

	do {
		ret = __get_user(*dst++, (const char __user __force *)src++);
	} while (dst[-1] && ret == 0 && src - unsafe_addr < count);

	dst[-1] = '\0';
	pagefault_enable();
	set_fs(old_fs);

	return ret ? -EFAULT : src - unsafe_addr;
}

/**
 * strncpy_from_unsafe_user: - Copy a NUL terminated string from unsafe user
 *				address.
 * @dst:   Destination address, in kernel space.  This buffer must be at
 *         least @count bytes long.
 * @unsafe_addr: Unsafe user address.
 * @count: Maximum number of bytes to copy, including the trailing NUL.
 *
 * Copies a NUL-terminated string from unsafe user address to kernel buffer.
 *
 * On success, returns the length of the string INCLUDING the trailing NUL.
 *
 * If access fails, returns -EFAULT (some data may have been copied
 * and the trailing NUL added).
 *
 * If @count is smaller than the length of the string, copies @count-1 bytes,
 * sets the last byte of @dst buffer to NUL and returns @count.
 */
long strncpy_from_unsafe_user(char *dst, const void __user *unsafe_addr,
			      long count)
{
	mm_segment_t old_fs = get_fs();
	long ret;

	if (unlikely(count <= 0))
		return 0;

	set_fs(USER_DS);
	pagefault_disable();
	ret = strncpy_from_user(dst, unsafe_addr, count);
	pagefault_enable();
	set_fs(old_fs);

	if (ret >= count) {
		ret = count;
		dst[ret - 1] = '\0';
	} else if (ret > 0) {
		ret++;
	}

	return ret;
}

/**
 * strnlen_unsafe_user: - Get the size of a user string INCLUDING final NUL.
 * @unsafe_addr: The string to measure.
 * @count: Maximum count (including NUL)
 *
 * Get the size of a NUL-terminated string in user space without pagefault.
 *
 * Returns the size of the string INCLUDING the terminating NUL.
 *
 * If the string is too long, returns a number larger than @count. User
 * has to check the return value against "> count".
 * On exception (or invalid count), returns 0.
 *
 * Unlike strnlen_user, this can be used from IRQ handler etc. because
 * it disables pagefaults.
 */
long strnlen_unsafe_user(const void __user *unsafe_addr, long count)
{
	mm_segment_t old_fs = get_fs();
	int ret;

	set_fs(USER_DS);
	pagefault_disable();
	ret = strnlen_user(unsafe_addr, count);
	pagefault_enable();
	set_fs(old_fs);

	return ret;
}
Commit	Line	Data
457c8996	1	// SPDX-License-Identifier: GPL-2.0-only
c33fa9f5 IM	2	/*
	3	* Access kernel memory without faulting.
	4	*/
b95f1b31	5	#include <linux/export.h>
c33fa9f5	6	#include <linux/mm.h>
7c7fcf76	7	#include <linux/uaccess.h>
c33fa9f5	8
3d708182 MH	9	static __always_inline long
	10	probe_read_common(void dst, const void __user src, size_t size)
	11	{
	12	long ret;
	13
	14	pagefault_disable();
	15	ret = __copy_from_user_inatomic(dst, src, size);
	16	pagefault_enable();
	17
	18	return ret ? -EFAULT : 0;
	19	}
	20
1d1585ca DB	21	static __always_inline long
	22	probe_write_common(void __user dst, const void src, size_t size)
	23	{
	24	long ret;
	25
	26	pagefault_disable();
	27	ret = __copy_to_user_inatomic(dst, src, size);
	28	pagefault_enable();
	29
	30	return ret ? -EFAULT : 0;
	31	}
	32
c33fa9f5	33	/**
3d708182	34	* probe_kernel_read(): safely attempt to read from a kernel-space location
c33fa9f5 IM	35	* @dst: pointer to the buffer that shall take the data
	36	* @src: address to read from
	37	* @size: size of the data chunk
	38	*
	39	* Safely read from address @src to the buffer at @dst. If a kernel fault
	40	* happens, handle that and return -EFAULT.
0ab32b6f AM	41	*
0ab32b6f AM	42	* We ensure that the copy_from_user is executed in atomic context so that
c1e8d7c6	43	* do_page_fault() doesn't attempt to take mmap_lock. This makes
0ab32b6f	44	* probe_kernel_read() suitable for use within regions where the caller
c1e8d7c6	45	* already holds mmap_lock, or other locks which nest inside mmap_lock.
75a1a607 DB	46	*
	47	* probe_kernel_read_strict() is the same as probe_kernel_read() except for
	48	* the case where architectures have non-overlapping user and kernel address
	49	* ranges: probe_kernel_read_strict() will additionally return -EFAULT for
	50	* probing memory on a user address range where probe_user_read() is supposed
	51	* to be used instead.
c33fa9f5	52	*/
6144a85a	53
f29c5041	54	long __weak probe_kernel_read(void dst, const void src, size_t size)
6144a85a JW	55	__attribute__((alias("__probe_kernel_read")));
6144a85a JW	56
75a1a607 DB	57	long __weak probe_kernel_read_strict(void dst, const void src, size_t size)
	58	__attribute__((alias("__probe_kernel_read")));
	59
f29c5041	60	long __probe_kernel_read(void dst, const void src, size_t size)
c33fa9f5 IM	61	{
c33fa9f5 IM	62	long ret;
b4b8ac52	63	mm_segment_t old_fs = get_fs();
c33fa9f5	64
b4b8ac52	65	set_fs(KERNEL_DS);
3d708182	66	ret = probe_read_common(dst, (__force const void __user *)src, size);
b4b8ac52	67	set_fs(old_fs);
c33fa9f5	68
3d708182	69	return ret;
c33fa9f5 IM	70	}
	71	EXPORT_SYMBOL_GPL(probe_kernel_read);
	72
3d708182 MH	73	/**
	74	* probe_user_read(): safely attempt to read from a user-space location
	75	* @dst: pointer to the buffer that shall take the data
	76	* @src: address to read from. This must be a user address.
	77	* @size: size of the data chunk
	78	*
	79	* Safely read from user address @src to the buffer at @dst. If a kernel fault
	80	* happens, handle that and return -EFAULT.
	81	*/
48c49c0e	82	long probe_user_read(void dst, const void __user src, size_t size)
3d708182 MH	83	{
	84	long ret = -EFAULT;
	85	mm_segment_t old_fs = get_fs();
	86
	87	set_fs(USER_DS);
	88	if (access_ok(src, size))
	89	ret = probe_read_common(dst, src, size);
	90	set_fs(old_fs);
	91
	92	return ret;
	93	}
	94	EXPORT_SYMBOL_GPL(probe_user_read);
	95
c33fa9f5 IM	96	/**
	97	* probe_kernel_write(): safely attempt to write to a location
	98	* @dst: address to write to
	99	* @src: pointer to the data that shall be written
	100	* @size: size of the data chunk
	101	*
	102	* Safely write to address @dst from the buffer at @src. If a kernel fault
	103	* happens, handle that and return -EFAULT.
	104	*/
48c49c0e	105	long probe_kernel_write(void dst, const void src, size_t size)
c33fa9f5 IM	106	{
c33fa9f5 IM	107	long ret;
b4b8ac52	108	mm_segment_t old_fs = get_fs();
c33fa9f5	109
b4b8ac52	110	set_fs(KERNEL_DS);
1d1585ca	111	ret = probe_write_common((__force void __user *)dst, src, size);
b4b8ac52	112	set_fs(old_fs);
c33fa9f5	113
1d1585ca	114	return ret;
c33fa9f5	115	}
dbb7ee0e	116
1d1585ca DB	117	/**
	118	* probe_user_write(): safely attempt to write to a user-space location
	119	* @dst: address to write to
	120	* @src: pointer to the data that shall be written
	121	* @size: size of the data chunk
	122	*
	123	* Safely write to address @dst from the buffer at @src. If a kernel fault
	124	* happens, handle that and return -EFAULT.
	125	*/
48c49c0e	126	long probe_user_write(void __user dst, const void src, size_t size)
1d1585ca DB	127	{
	128	long ret = -EFAULT;
	129	mm_segment_t old_fs = get_fs();
	130
	131	set_fs(USER_DS);
	132	if (access_ok(dst, size))
	133	ret = probe_write_common(dst, src, size);
	134	set_fs(old_fs);
	135
	136	return ret;
	137	}
	138	EXPORT_SYMBOL_GPL(probe_user_write);
3d708182	139
dbb7ee0e AS	140	/**
	141	* strncpy_from_unsafe: - Copy a NUL terminated string from unsafe address.
	142	* @dst: Destination address, in kernel space. This buffer must be at
	143	* least @count bytes long.
f144c390	144	* @unsafe_addr: Unsafe address.
dbb7ee0e AS	145	* @count: Maximum number of bytes to copy, including the trailing NUL.
	146	*
	147	* Copies a NUL-terminated string from unsafe address to kernel buffer.
	148	*
	149	* On success, returns the length of the string INCLUDING the trailing NUL.
	150	*
	151	* If access fails, returns -EFAULT (some data may have been copied
	152	* and the trailing NUL added).
	153	*
	154	* If @count is smaller than the length of the string, copies @count-1 bytes,
	155	* sets the last byte of @dst buffer to NUL and returns @count.
75a1a607 DB	156	*
	157	* strncpy_from_unsafe_strict() is the same as strncpy_from_unsafe() except
	158	* for the case where architectures have non-overlapping user and kernel address
	159	* ranges: strncpy_from_unsafe_strict() will additionally return -EFAULT for
	160	* probing memory on a user address range where strncpy_from_unsafe_user() is
	161	* supposed to be used instead.
dbb7ee0e	162	*/
75a1a607 DB	163	long __weak strncpy_from_unsafe(char dst, const void unsafe_addr, long count)
	164	__attribute__((alias("__strncpy_from_unsafe")));
	165
	166	long __weak strncpy_from_unsafe_strict(char dst, const void unsafe_addr,
	167	long count)
	168	__attribute__((alias("__strncpy_from_unsafe")));
	169
	170	long __strncpy_from_unsafe(char dst, const void unsafe_addr, long count)
dbb7ee0e AS	171	{
	172	mm_segment_t old_fs = get_fs();
	173	const void *src = unsafe_addr;
	174	long ret;
	175
	176	if (unlikely(count <= 0))
	177	return 0;
	178
	179	set_fs(KERNEL_DS);
	180	pagefault_disable();
	181
	182	do {
bd28b145	183	ret = __get_user(dst++, (const char __user __force )src++);
dbb7ee0e AS	184	} while (dst[-1] && ret == 0 && src - unsafe_addr < count);
	185
	186	dst[-1] = '\0';
	187	pagefault_enable();
	188	set_fs(old_fs);
	189
9dd861d5	190	return ret ? -EFAULT : src - unsafe_addr;
dbb7ee0e	191	}
3d708182 MH	192
	193	/**
	194	* strncpy_from_unsafe_user: - Copy a NUL terminated string from unsafe user
	195	* address.
	196	* @dst: Destination address, in kernel space. This buffer must be at
	197	* least @count bytes long.
	198	* @unsafe_addr: Unsafe user address.
	199	* @count: Maximum number of bytes to copy, including the trailing NUL.
	200	*
	201	* Copies a NUL-terminated string from unsafe user address to kernel buffer.
	202	*
	203	* On success, returns the length of the string INCLUDING the trailing NUL.
	204	*
	205	* If access fails, returns -EFAULT (some data may have been copied
	206	* and the trailing NUL added).
	207	*
	208	* If @count is smaller than the length of the string, copies @count-1 bytes,
	209	* sets the last byte of @dst buffer to NUL and returns @count.
	210	*/
	211	long strncpy_from_unsafe_user(char dst, const void __user unsafe_addr,
	212	long count)
	213	{
	214	mm_segment_t old_fs = get_fs();
	215	long ret;
	216
	217	if (unlikely(count <= 0))
	218	return 0;
	219
	220	set_fs(USER_DS);
	221	pagefault_disable();
	222	ret = strncpy_from_user(dst, unsafe_addr, count);
	223	pagefault_enable();
	224	set_fs(old_fs);
	225
	226	if (ret >= count) {
	227	ret = count;
	228	dst[ret - 1] = '\0';
	229	} else if (ret > 0) {
	230	ret++;
	231	}
	232
	233	return ret;
	234	}
	235
	236	/**
	237	* strnlen_unsafe_user: - Get the size of a user string INCLUDING final NUL.
	238	* @unsafe_addr: The string to measure.
	239	* @count: Maximum count (including NUL)
	240	*
	241	* Get the size of a NUL-terminated string in user space without pagefault.
	242	*
	243	* Returns the size of the string INCLUDING the terminating NUL.
	244	*
	245	* If the string is too long, returns a number larger than @count. User
	246	* has to check the return value against "> count".
	247	* On exception (or invalid count), returns 0.
	248	*
	249	* Unlike strnlen_user, this can be used from IRQ handler etc. because
	250	* it disables pagefaults.
	251	*/
	252	long strnlen_unsafe_user(const void __user *unsafe_addr, long count)
	253	{
	254	mm_segment_t old_fs = get_fs();
	255	int ret;
256
257	set_fs(USER_DS);
258	pagefault_disable();
259	ret = strnlen_user(unsafe_addr, count);
260	pagefault_enable();
261	set_fs(old_fs);
262
263	return ret;
264	}