2019-05-29 07:18:00 -07:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0-only */
|
2017-07-10 18:03:19 -07:00
|
|
|
/*
|
|
|
|
|
* Copyright (C) 2012 Regents of the University of California
|
|
|
|
|
*
|
|
|
|
|
* This file was copied from include/asm-generic/uaccess.h
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef _ASM_RISCV_UACCESS_H
|
|
|
|
|
#define _ASM_RISCV_UACCESS_H
|
|
|
|
|
|
2021-11-18 19:25:45 +08:00
|
|
|
#include <asm/asm-extable.h>
|
2024-10-16 13:27:46 -07:00
|
|
|
#include <asm/cpufeature.h>
|
2020-08-11 18:33:41 -07:00
|
|
|
#include <asm/pgtable.h> /* for TASK_SIZE */
|
|
|
|
|
|
2024-10-16 13:27:46 -07:00
|
|
|
#ifdef CONFIG_RISCV_ISA_SUPM
|
|
|
|
|
static inline unsigned long __untagged_addr_remote(struct mm_struct *mm, unsigned long addr)
|
|
|
|
|
{
|
|
|
|
|
if (riscv_has_extension_unlikely(RISCV_ISA_EXT_SUPM)) {
|
|
|
|
|
u8 pmlen = mm->context.pmlen;
|
|
|
|
|
|
|
|
|
|
/* Virtual addresses are sign-extended; physical addresses are zero-extended. */
|
|
|
|
|
if (IS_ENABLED(CONFIG_MMU))
|
|
|
|
|
return (long)(addr << pmlen) >> pmlen;
|
|
|
|
|
else
|
|
|
|
|
return (addr << pmlen) >> pmlen;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return addr;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#define untagged_addr(addr) ({ \
|
|
|
|
|
unsigned long __addr = (__force unsigned long)(addr); \
|
|
|
|
|
(__force __typeof__(addr))__untagged_addr_remote(current->mm, __addr); \
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
#define untagged_addr_remote(mm, addr) ({ \
|
|
|
|
|
unsigned long __addr = (__force unsigned long)(addr); \
|
|
|
|
|
mmap_assert_locked(mm); \
|
|
|
|
|
(__force __typeof__(addr))__untagged_addr_remote(mm, __addr); \
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
#define access_ok(addr, size) likely(__access_ok(untagged_addr(addr), size))
|
|
|
|
|
#else
|
|
|
|
|
#define untagged_addr(addr) (addr)
|
|
|
|
|
#endif
|
|
|
|
|
|
2017-07-10 18:03:19 -07:00
|
|
|
/*
|
|
|
|
|
* User space memory access functions
|
|
|
|
|
*/
|
2019-10-28 13:10:41 +01:00
|
|
|
#ifdef CONFIG_MMU
|
2017-07-10 18:03:19 -07:00
|
|
|
#include <linux/errno.h>
|
|
|
|
|
#include <linux/compiler.h>
|
|
|
|
|
#include <linux/thread_info.h>
|
|
|
|
|
#include <asm/byteorder.h>
|
2019-04-15 11:14:32 +02:00
|
|
|
#include <asm/extable.h>
|
2017-07-10 18:03:19 -07:00
|
|
|
#include <asm/asm.h>
|
uaccess: generalize access_ok()
There are many different ways that access_ok() is defined across
architectures, but in the end, they all just compare against the
user_addr_max() value or they accept anything.
Provide one definition that works for most architectures, checking
against TASK_SIZE_MAX for user processes or skipping the check inside
of uaccess_kernel() sections.
For architectures without CONFIG_SET_FS(), this should be the fastest
check, as it comes down to a single comparison of a pointer against a
compile-time constant, while the architecture specific versions tend to
do something more complex for historic reasons or get something wrong.
Type checking for __user annotations is handled inconsistently across
architectures, but this is easily simplified as well by using an inline
function that takes a 'const void __user *' argument. A handful of
callers need an extra __user annotation for this.
Some architectures had trick to use 33-bit or 65-bit arithmetic on the
addresses to calculate the overflow, however this simpler version uses
fewer registers, which means it can produce better object code in the
end despite needing a second (statically predicted) branch.
Reviewed-by: Christoph Hellwig <hch@lst.de>
Acked-by: Mark Rutland <mark.rutland@arm.com> [arm64, asm-generic]
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: Stafford Horne <shorne@gmail.com>
Acked-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2022-02-15 17:55:04 +01:00
|
|
|
#include <asm-generic/access_ok.h>
|
2017-07-10 18:03:19 -07:00
|
|
|
|
|
|
|
|
#define __enable_user_access() \
|
|
|
|
|
__asm__ __volatile__ ("csrs sstatus, %0" : : "r" (SR_SUM) : "memory")
|
|
|
|
|
#define __disable_user_access() \
|
|
|
|
|
__asm__ __volatile__ ("csrc sstatus, %0" : : "r" (SR_SUM) : "memory")
|
|
|
|
|
|
2025-04-10 07:05:23 +00:00
|
|
|
/*
|
|
|
|
|
* This is the smallest unsigned integer type that can fit a value
|
|
|
|
|
* (up to 'long long')
|
|
|
|
|
*/
|
|
|
|
|
#define __inttype(x) __typeof__( \
|
|
|
|
|
__typefits(x, char, \
|
|
|
|
|
__typefits(x, short, \
|
|
|
|
|
__typefits(x, int, \
|
|
|
|
|
__typefits(x, long, 0ULL)))))
|
|
|
|
|
|
|
|
|
|
#define __typefits(x, type, not) \
|
|
|
|
|
__builtin_choose_expr(sizeof(x) <= sizeof(type), (unsigned type)0, not)
|
|
|
|
|
|
2017-07-10 18:03:19 -07:00
|
|
|
/*
|
|
|
|
|
* The exception table consists of pairs of addresses: the first is the
|
|
|
|
|
* address of an instruction that is allowed to fault, and the second is
|
|
|
|
|
* the address at which the program should continue. No registers are
|
|
|
|
|
* modified, so it is entirely up to the continuation code to figure out
|
|
|
|
|
* what to do.
|
|
|
|
|
*
|
|
|
|
|
* All the routines below use bits of fixup code that are out of line
|
|
|
|
|
* with the main instruction path. This means when everything is well,
|
|
|
|
|
* we don't even have to jump over them. Further, they do not intrude
|
|
|
|
|
* on our cache or tlb entries.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#define __LSW 0
|
2019-04-15 11:14:34 +02:00
|
|
|
#define __MSW 1
|
2017-07-10 18:03:19 -07:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The "__xxx" versions of the user access functions do not verify the address
|
|
|
|
|
* space - it must have been done previously with a separate "access_ok()"
|
|
|
|
|
* call.
|
|
|
|
|
*/
|
|
|
|
|
|
2025-04-10 07:05:26 +00:00
|
|
|
#ifdef CONFIG_CC_HAS_ASM_GOTO_OUTPUT
|
|
|
|
|
#define __get_user_asm(insn, x, ptr, label) \
|
|
|
|
|
asm_goto_output( \
|
|
|
|
|
"1:\n" \
|
|
|
|
|
" " insn " %0, %1\n" \
|
|
|
|
|
_ASM_EXTABLE_UACCESS_ERR(1b, %l2, %0) \
|
|
|
|
|
: "=&r" (x) \
|
|
|
|
|
: "m" (*(ptr)) : : label)
|
|
|
|
|
#else /* !CONFIG_CC_HAS_ASM_GOTO_OUTPUT */
|
|
|
|
|
#define __get_user_asm(insn, x, ptr, label) \
|
2017-07-10 18:03:19 -07:00
|
|
|
do { \
|
2025-04-10 07:05:26 +00:00
|
|
|
long __gua_err = 0; \
|
2017-07-10 18:03:19 -07:00
|
|
|
__asm__ __volatile__ ( \
|
|
|
|
|
"1:\n" \
|
2021-11-18 19:26:51 +08:00
|
|
|
" " insn " %1, %2\n" \
|
2017-07-10 18:03:19 -07:00
|
|
|
"2:\n" \
|
2021-11-18 19:26:51 +08:00
|
|
|
_ASM_EXTABLE_UACCESS_ERR_ZERO(1b, 2b, %0, %1) \
|
2025-04-10 07:05:26 +00:00
|
|
|
: "+r" (__gua_err), "=&r" (x) \
|
2021-11-18 19:26:51 +08:00
|
|
|
: "m" (*(ptr))); \
|
2025-04-10 07:05:26 +00:00
|
|
|
if (__gua_err) \
|
|
|
|
|
goto label; \
|
2017-07-10 18:03:19 -07:00
|
|
|
} while (0)
|
2025-04-10 07:05:26 +00:00
|
|
|
#endif /* CONFIG_CC_HAS_ASM_GOTO_OUTPUT */
|
2017-07-10 18:03:19 -07:00
|
|
|
|
|
|
|
|
#ifdef CONFIG_64BIT
|
2025-04-10 07:05:26 +00:00
|
|
|
#define __get_user_8(x, ptr, label) \
|
|
|
|
|
__get_user_asm("ld", x, ptr, label)
|
2017-07-10 18:03:19 -07:00
|
|
|
#else /* !CONFIG_64BIT */
|
2025-04-10 07:05:26 +00:00
|
|
|
|
|
|
|
|
#ifdef CONFIG_CC_HAS_ASM_GOTO_OUTPUT
|
|
|
|
|
#define __get_user_8(x, ptr, label) \
|
2025-06-10 14:30:58 -07:00
|
|
|
do { \
|
2025-04-10 07:05:26 +00:00
|
|
|
u32 __user *__ptr = (u32 __user *)(ptr); \
|
|
|
|
|
u32 __lo, __hi; \
|
|
|
|
|
asm_goto_output( \
|
|
|
|
|
"1:\n" \
|
|
|
|
|
" lw %0, %2\n" \
|
|
|
|
|
"2:\n" \
|
|
|
|
|
" lw %1, %3\n" \
|
|
|
|
|
_ASM_EXTABLE_UACCESS_ERR(1b, %l4, %0) \
|
|
|
|
|
_ASM_EXTABLE_UACCESS_ERR(2b, %l4, %0) \
|
|
|
|
|
: "=&r" (__lo), "=r" (__hi) \
|
|
|
|
|
: "m" (__ptr[__LSW]), "m" (__ptr[__MSW]) \
|
|
|
|
|
: : label); \
|
|
|
|
|
(x) = (__typeof__(x))((__typeof__((x) - (x)))( \
|
|
|
|
|
(((u64)__hi << 32) | __lo))); \
|
2025-06-10 14:30:58 -07:00
|
|
|
} while (0)
|
2025-04-10 07:05:26 +00:00
|
|
|
#else /* !CONFIG_CC_HAS_ASM_GOTO_OUTPUT */
|
|
|
|
|
#define __get_user_8(x, ptr, label) \
|
2017-07-10 18:03:19 -07:00
|
|
|
do { \
|
|
|
|
|
u32 __user *__ptr = (u32 __user *)(ptr); \
|
|
|
|
|
u32 __lo, __hi; \
|
2025-04-10 07:05:26 +00:00
|
|
|
long __gu8_err = 0; \
|
2017-07-10 18:03:19 -07:00
|
|
|
__asm__ __volatile__ ( \
|
|
|
|
|
"1:\n" \
|
2021-11-18 19:26:51 +08:00
|
|
|
" lw %1, %3\n" \
|
2017-07-10 18:03:19 -07:00
|
|
|
"2:\n" \
|
2021-11-18 19:26:51 +08:00
|
|
|
" lw %2, %4\n" \
|
2017-07-10 18:03:19 -07:00
|
|
|
"3:\n" \
|
2021-11-18 19:26:51 +08:00
|
|
|
_ASM_EXTABLE_UACCESS_ERR_ZERO(1b, 3b, %0, %1) \
|
|
|
|
|
_ASM_EXTABLE_UACCESS_ERR_ZERO(2b, 3b, %0, %1) \
|
2025-04-10 07:05:26 +00:00
|
|
|
: "+r" (__gu8_err), "=&r" (__lo), "=r" (__hi) \
|
2021-11-18 19:26:51 +08:00
|
|
|
: "m" (__ptr[__LSW]), "m" (__ptr[__MSW])); \
|
2025-04-10 07:05:26 +00:00
|
|
|
if (__gu8_err) { \
|
2021-11-18 19:26:51 +08:00
|
|
|
__hi = 0; \
|
2025-04-10 07:05:26 +00:00
|
|
|
goto label; \
|
|
|
|
|
} \
|
|
|
|
|
(x) = (__typeof__(x))((__typeof__((x) - (x)))( \
|
2017-07-10 18:03:19 -07:00
|
|
|
(((u64)__hi << 32) | __lo))); \
|
|
|
|
|
} while (0)
|
2025-04-10 07:05:26 +00:00
|
|
|
#endif /* CONFIG_CC_HAS_ASM_GOTO_OUTPUT */
|
|
|
|
|
|
2017-07-10 18:03:19 -07:00
|
|
|
#endif /* CONFIG_64BIT */
|
|
|
|
|
|
2025-06-02 21:39:16 +02:00
|
|
|
unsigned long __must_check __asm_copy_to_user_sum_enabled(void __user *to,
|
|
|
|
|
const void *from, unsigned long n);
|
|
|
|
|
unsigned long __must_check __asm_copy_from_user_sum_enabled(void *to,
|
|
|
|
|
const void __user *from, unsigned long n);
|
|
|
|
|
|
2025-04-10 07:05:26 +00:00
|
|
|
#define __get_user_nocheck(x, __gu_ptr, label) \
|
2020-09-07 07:58:23 +02:00
|
|
|
do { \
|
2025-06-02 21:39:16 +02:00
|
|
|
if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && \
|
|
|
|
|
!IS_ALIGNED((uintptr_t)__gu_ptr, sizeof(*__gu_ptr))) { \
|
|
|
|
|
if (__asm_copy_from_user_sum_enabled(&(x), __gu_ptr, sizeof(*__gu_ptr))) \
|
|
|
|
|
goto label; \
|
|
|
|
|
break; \
|
|
|
|
|
} \
|
2020-09-07 07:58:23 +02:00
|
|
|
switch (sizeof(*__gu_ptr)) { \
|
|
|
|
|
case 1: \
|
2025-04-10 07:05:26 +00:00
|
|
|
__get_user_asm("lb", (x), __gu_ptr, label); \
|
2020-09-07 07:58:23 +02:00
|
|
|
break; \
|
|
|
|
|
case 2: \
|
2025-04-10 07:05:26 +00:00
|
|
|
__get_user_asm("lh", (x), __gu_ptr, label); \
|
2020-09-07 07:58:23 +02:00
|
|
|
break; \
|
|
|
|
|
case 4: \
|
2025-04-10 07:05:26 +00:00
|
|
|
__get_user_asm("lw", (x), __gu_ptr, label); \
|
2020-09-07 07:58:23 +02:00
|
|
|
break; \
|
|
|
|
|
case 8: \
|
2025-04-10 07:05:26 +00:00
|
|
|
__get_user_8((x), __gu_ptr, label); \
|
2020-09-07 07:58:23 +02:00
|
|
|
break; \
|
|
|
|
|
default: \
|
|
|
|
|
BUILD_BUG(); \
|
|
|
|
|
} \
|
|
|
|
|
} while (0)
|
2017-07-10 18:03:19 -07:00
|
|
|
|
2025-04-10 07:05:26 +00:00
|
|
|
#define __get_user_error(x, ptr, err) \
|
|
|
|
|
do { \
|
|
|
|
|
__label__ __gu_failed; \
|
|
|
|
|
\
|
|
|
|
|
__get_user_nocheck(x, ptr, __gu_failed); \
|
|
|
|
|
err = 0; \
|
|
|
|
|
break; \
|
|
|
|
|
__gu_failed: \
|
|
|
|
|
x = 0; \
|
|
|
|
|
err = -EFAULT; \
|
|
|
|
|
} while (0)
|
|
|
|
|
|
2017-07-10 18:03:19 -07:00
|
|
|
/**
|
|
|
|
|
* __get_user: - Get a simple variable from user space, with less checking.
|
|
|
|
|
* @x: Variable to store result.
|
|
|
|
|
* @ptr: Source address, in user space.
|
|
|
|
|
*
|
|
|
|
|
* Context: User context only. This function may sleep.
|
|
|
|
|
*
|
|
|
|
|
* This macro copies a single simple variable from user space to kernel
|
|
|
|
|
* space. It supports simple types like char and int, but not larger
|
|
|
|
|
* data types like structures or arrays.
|
|
|
|
|
*
|
|
|
|
|
* @ptr must have pointer-to-simple-variable type, and the result of
|
|
|
|
|
* dereferencing @ptr must be assignable to @x without a cast.
|
|
|
|
|
*
|
|
|
|
|
* Caller must check the pointer with access_ok() before calling this
|
|
|
|
|
* function.
|
|
|
|
|
*
|
|
|
|
|
* Returns zero on success, or -EFAULT on error.
|
|
|
|
|
* On error, the variable @x is set to zero.
|
|
|
|
|
*/
|
|
|
|
|
#define __get_user(x, ptr) \
|
|
|
|
|
({ \
|
2024-10-16 13:27:46 -07:00
|
|
|
const __typeof__(*(ptr)) __user *__gu_ptr = untagged_addr(ptr); \
|
2020-09-07 07:58:23 +02:00
|
|
|
long __gu_err = 0; \
|
2025-04-10 07:05:26 +00:00
|
|
|
__typeof__(x) __gu_val; \
|
2020-09-07 07:58:23 +02:00
|
|
|
\
|
2017-07-10 18:03:19 -07:00
|
|
|
__chk_user_ptr(__gu_ptr); \
|
2020-09-07 07:58:23 +02:00
|
|
|
\
|
|
|
|
|
__enable_user_access(); \
|
2025-04-10 07:05:26 +00:00
|
|
|
__get_user_error(__gu_val, __gu_ptr, __gu_err); \
|
2020-09-07 07:58:23 +02:00
|
|
|
__disable_user_access(); \
|
|
|
|
|
\
|
2025-04-10 07:05:26 +00:00
|
|
|
(x) = __gu_val; \
|
|
|
|
|
\
|
2017-07-10 18:03:19 -07:00
|
|
|
__gu_err; \
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* get_user: - Get a simple variable from user space.
|
|
|
|
|
* @x: Variable to store result.
|
|
|
|
|
* @ptr: Source address, in user space.
|
|
|
|
|
*
|
|
|
|
|
* Context: User context only. This function may sleep.
|
|
|
|
|
*
|
|
|
|
|
* This macro copies a single simple variable from user space to kernel
|
|
|
|
|
* space. It supports simple types like char and int, but not larger
|
|
|
|
|
* data types like structures or arrays.
|
|
|
|
|
*
|
|
|
|
|
* @ptr must have pointer-to-simple-variable type, and the result of
|
|
|
|
|
* dereferencing @ptr must be assignable to @x without a cast.
|
|
|
|
|
*
|
|
|
|
|
* Returns zero on success, or -EFAULT on error.
|
|
|
|
|
* On error, the variable @x is set to zero.
|
|
|
|
|
*/
|
|
|
|
|
#define get_user(x, ptr) \
|
|
|
|
|
({ \
|
|
|
|
|
const __typeof__(*(ptr)) __user *__p = (ptr); \
|
|
|
|
|
might_fault(); \
|
Remove 'type' argument from access_ok() function
Nobody has actually used the type (VERIFY_READ vs VERIFY_WRITE) argument
of the user address range verification function since we got rid of the
old racy i386-only code to walk page tables by hand.
It existed because the original 80386 would not honor the write protect
bit when in kernel mode, so you had to do COW by hand before doing any
user access. But we haven't supported that in a long time, and these
days the 'type' argument is a purely historical artifact.
A discussion about extending 'user_access_begin()' to do the range
checking resulted this patch, because there is no way we're going to
move the old VERIFY_xyz interface to that model. And it's best done at
the end of the merge window when I've done most of my merges, so let's
just get this done once and for all.
This patch was mostly done with a sed-script, with manual fix-ups for
the cases that weren't of the trivial 'access_ok(VERIFY_xyz' form.
There were a couple of notable cases:
- csky still had the old "verify_area()" name as an alias.
- the iter_iov code had magical hardcoded knowledge of the actual
values of VERIFY_{READ,WRITE} (not that they mattered, since nothing
really used it)
- microblaze used the type argument for a debug printout
but other than those oddities this should be a total no-op patch.
I tried to fix up all architectures, did fairly extensive grepping for
access_ok() uses, and the changes are trivial, but I may have missed
something. Any missed conversion should be trivially fixable, though.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-01-03 18:57:57 -08:00
|
|
|
access_ok(__p, sizeof(*__p)) ? \
|
2017-07-10 18:03:19 -07:00
|
|
|
__get_user((x), __p) : \
|
2022-12-29 17:05:45 +00:00
|
|
|
((x) = (__force __typeof__(x))0, -EFAULT); \
|
2017-07-10 18:03:19 -07:00
|
|
|
})
|
|
|
|
|
|
2025-04-10 07:05:25 +00:00
|
|
|
#define __put_user_asm(insn, x, ptr, label) \
|
2017-07-10 18:03:19 -07:00
|
|
|
do { \
|
|
|
|
|
__typeof__(*(ptr)) __x = x; \
|
2025-04-10 07:05:25 +00:00
|
|
|
asm goto( \
|
2017-07-10 18:03:19 -07:00
|
|
|
"1:\n" \
|
2025-04-10 07:05:25 +00:00
|
|
|
" " insn " %z0, %1\n" \
|
|
|
|
|
_ASM_EXTABLE(1b, %l2) \
|
|
|
|
|
: : "rJ" (__x), "m"(*(ptr)) : : label); \
|
2017-07-10 18:03:19 -07:00
|
|
|
} while (0)
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_64BIT
|
2025-04-10 07:05:25 +00:00
|
|
|
#define __put_user_8(x, ptr, label) \
|
|
|
|
|
__put_user_asm("sd", x, ptr, label)
|
2017-07-10 18:03:19 -07:00
|
|
|
#else /* !CONFIG_64BIT */
|
2025-04-10 07:05:25 +00:00
|
|
|
#define __put_user_8(x, ptr, label) \
|
2017-07-10 18:03:19 -07:00
|
|
|
do { \
|
|
|
|
|
u32 __user *__ptr = (u32 __user *)(ptr); \
|
|
|
|
|
u64 __x = (__typeof__((x)-(x)))(x); \
|
2025-04-10 07:05:25 +00:00
|
|
|
asm goto( \
|
2017-07-10 18:03:19 -07:00
|
|
|
"1:\n" \
|
2025-04-10 07:05:25 +00:00
|
|
|
" sw %z0, %2\n" \
|
2017-07-10 18:03:19 -07:00
|
|
|
"2:\n" \
|
2025-04-10 07:05:25 +00:00
|
|
|
" sw %z1, %3\n" \
|
|
|
|
|
_ASM_EXTABLE(1b, %l4) \
|
|
|
|
|
_ASM_EXTABLE(2b, %l4) \
|
|
|
|
|
: : "rJ" (__x), "rJ" (__x >> 32), \
|
2025-04-10 07:05:24 +00:00
|
|
|
"m" (__ptr[__LSW]), \
|
2025-04-10 07:05:25 +00:00
|
|
|
"m" (__ptr[__MSW]) : : label); \
|
2017-07-10 18:03:19 -07:00
|
|
|
} while (0)
|
|
|
|
|
#endif /* CONFIG_64BIT */
|
|
|
|
|
|
2025-04-10 07:05:25 +00:00
|
|
|
#define __put_user_nocheck(x, __gu_ptr, label) \
|
2020-09-07 07:58:23 +02:00
|
|
|
do { \
|
2025-06-02 21:39:16 +02:00
|
|
|
if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && \
|
|
|
|
|
!IS_ALIGNED((uintptr_t)__gu_ptr, sizeof(*__gu_ptr))) { \
|
riscv: uaccess: Fix -Wuninitialized and -Wshadow in __put_user_nocheck
After a recent change in clang to strengthen uninitialized warnings [1],
there is a warning from val being uninitialized in __put_user_nocheck
when called from futex_put_value():
kernel/futex/futex.h:326:18: warning: variable 'val' is uninitialized when used within its own initialization [-Wuninitialized]
326 | unsafe_put_user(val, to, Efault);
| ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~
arch/riscv/include/asm/uaccess.h:464:21: note: expanded from macro 'unsafe_put_user'
464 | __put_user_nocheck(x, (ptr), label)
| ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~
arch/riscv/include/asm/uaccess.h:314:36: note: expanded from macro '__put_user_nocheck'
314 | __inttype(x) val = (__inttype(x))x; \
| ~~~ ^
While not on by default, -Wshadow flags the same mistake:
kernel/futex/futex.h:326:2: warning: declaration shadows a local variable [-Wshadow]
326 | unsafe_put_user(val, to, Efault);
| ^
arch/riscv/include/asm/uaccess.h:464:2: note: expanded from macro 'unsafe_put_user'
464 | __put_user_nocheck(x, (ptr), label)
| ^
arch/riscv/include/asm/uaccess.h:314:16: note: expanded from macro '__put_user_nocheck'
314 | __inttype(x) val = (__inttype(x))x; \
| ^
kernel/futex/futex.h:320:48: note: previous declaration is here
320 | static __always_inline int futex_put_value(u32 val, u32 __user *to)
| ^
Use a three underscore prefix for the val variable in __put_user_nocheck
to avoid clashing with either val or __val, which are both used within
the put_user macros, clearing up all warnings.
Closes: https://github.com/ClangBuiltLinux/linux/issues/2109
Fixes: ca1a66cdd685 ("riscv: uaccess: do not do misaligned accesses in get/put_user()")
Link: https://github.com/llvm/llvm-project/commit/2464313eef01c5b1edf0eccf57a32cdee01472c7 [1]
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20250715-riscv-uaccess-fix-self-init-val-v1-1-82b8e911f120@kernel.org
Signed-off-by: Palmer Dabbelt <palmer@dabbelt.com>
2025-07-15 20:07:01 -07:00
|
|
|
__inttype(x) ___val = (__inttype(x))x; \
|
|
|
|
|
if (__asm_copy_to_user_sum_enabled(__gu_ptr, &(___val), sizeof(*__gu_ptr))) \
|
2025-06-02 21:39:16 +02:00
|
|
|
goto label; \
|
|
|
|
|
break; \
|
|
|
|
|
} \
|
2020-09-07 07:58:23 +02:00
|
|
|
switch (sizeof(*__gu_ptr)) { \
|
|
|
|
|
case 1: \
|
2025-04-10 07:05:25 +00:00
|
|
|
__put_user_asm("sb", (x), __gu_ptr, label); \
|
2020-09-07 07:58:23 +02:00
|
|
|
break; \
|
|
|
|
|
case 2: \
|
2025-04-10 07:05:25 +00:00
|
|
|
__put_user_asm("sh", (x), __gu_ptr, label); \
|
2020-09-07 07:58:23 +02:00
|
|
|
break; \
|
|
|
|
|
case 4: \
|
2025-04-10 07:05:25 +00:00
|
|
|
__put_user_asm("sw", (x), __gu_ptr, label); \
|
2020-09-07 07:58:23 +02:00
|
|
|
break; \
|
|
|
|
|
case 8: \
|
2025-04-10 07:05:25 +00:00
|
|
|
__put_user_8((x), __gu_ptr, label); \
|
2020-09-07 07:58:23 +02:00
|
|
|
break; \
|
|
|
|
|
default: \
|
|
|
|
|
BUILD_BUG(); \
|
|
|
|
|
} \
|
|
|
|
|
} while (0)
|
2017-07-10 18:03:19 -07:00
|
|
|
|
2025-04-10 07:05:25 +00:00
|
|
|
#define __put_user_error(x, ptr, err) \
|
|
|
|
|
do { \
|
|
|
|
|
__label__ err_label; \
|
|
|
|
|
__put_user_nocheck(x, ptr, err_label); \
|
|
|
|
|
break; \
|
|
|
|
|
err_label: \
|
|
|
|
|
(err) = -EFAULT; \
|
|
|
|
|
} while (0)
|
|
|
|
|
|
2017-07-10 18:03:19 -07:00
|
|
|
/**
|
|
|
|
|
* __put_user: - Write a simple value into user space, with less checking.
|
|
|
|
|
* @x: Value to copy to user space.
|
|
|
|
|
* @ptr: Destination address, in user space.
|
|
|
|
|
*
|
|
|
|
|
* Context: User context only. This function may sleep.
|
|
|
|
|
*
|
|
|
|
|
* This macro copies a single simple value from kernel space to user
|
|
|
|
|
* space. It supports simple types like char and int, but not larger
|
|
|
|
|
* data types like structures or arrays.
|
|
|
|
|
*
|
|
|
|
|
* @ptr must have pointer-to-simple-variable type, and @x must be assignable
|
2021-03-29 10:57:49 +01:00
|
|
|
* to the result of dereferencing @ptr. The value of @x is copied to avoid
|
|
|
|
|
* re-ordering where @x is evaluated inside the block that enables user-space
|
|
|
|
|
* access (thus bypassing user space protection if @x is a function).
|
2017-07-10 18:03:19 -07:00
|
|
|
*
|
|
|
|
|
* Caller must check the pointer with access_ok() before calling this
|
|
|
|
|
* function.
|
|
|
|
|
*
|
|
|
|
|
* Returns zero on success, or -EFAULT on error.
|
|
|
|
|
*/
|
|
|
|
|
#define __put_user(x, ptr) \
|
|
|
|
|
({ \
|
2024-10-16 13:27:46 -07:00
|
|
|
__typeof__(*(ptr)) __user *__gu_ptr = untagged_addr(ptr); \
|
2021-03-29 10:57:49 +01:00
|
|
|
__typeof__(*__gu_ptr) __val = (x); \
|
2020-09-07 07:58:23 +02:00
|
|
|
long __pu_err = 0; \
|
|
|
|
|
\
|
2017-07-10 18:03:19 -07:00
|
|
|
__chk_user_ptr(__gu_ptr); \
|
2020-09-07 07:58:23 +02:00
|
|
|
\
|
|
|
|
|
__enable_user_access(); \
|
2025-04-10 07:05:25 +00:00
|
|
|
__put_user_error(__val, __gu_ptr, __pu_err); \
|
2020-09-07 07:58:23 +02:00
|
|
|
__disable_user_access(); \
|
|
|
|
|
\
|
2017-07-10 18:03:19 -07:00
|
|
|
__pu_err; \
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* put_user: - Write a simple value into user space.
|
|
|
|
|
* @x: Value to copy to user space.
|
|
|
|
|
* @ptr: Destination address, in user space.
|
|
|
|
|
*
|
|
|
|
|
* Context: User context only. This function may sleep.
|
|
|
|
|
*
|
|
|
|
|
* This macro copies a single simple value from kernel space to user
|
|
|
|
|
* space. It supports simple types like char and int, but not larger
|
|
|
|
|
* data types like structures or arrays.
|
|
|
|
|
*
|
|
|
|
|
* @ptr must have pointer-to-simple-variable type, and @x must be assignable
|
|
|
|
|
* to the result of dereferencing @ptr.
|
|
|
|
|
*
|
|
|
|
|
* Returns zero on success, or -EFAULT on error.
|
|
|
|
|
*/
|
|
|
|
|
#define put_user(x, ptr) \
|
|
|
|
|
({ \
|
|
|
|
|
__typeof__(*(ptr)) __user *__p = (ptr); \
|
|
|
|
|
might_fault(); \
|
Remove 'type' argument from access_ok() function
Nobody has actually used the type (VERIFY_READ vs VERIFY_WRITE) argument
of the user address range verification function since we got rid of the
old racy i386-only code to walk page tables by hand.
It existed because the original 80386 would not honor the write protect
bit when in kernel mode, so you had to do COW by hand before doing any
user access. But we haven't supported that in a long time, and these
days the 'type' argument is a purely historical artifact.
A discussion about extending 'user_access_begin()' to do the range
checking resulted this patch, because there is no way we're going to
move the old VERIFY_xyz interface to that model. And it's best done at
the end of the merge window when I've done most of my merges, so let's
just get this done once and for all.
This patch was mostly done with a sed-script, with manual fix-ups for
the cases that weren't of the trivial 'access_ok(VERIFY_xyz' form.
There were a couple of notable cases:
- csky still had the old "verify_area()" name as an alias.
- the iter_iov code had magical hardcoded knowledge of the actual
values of VERIFY_{READ,WRITE} (not that they mattered, since nothing
really used it)
- microblaze used the type argument for a debug printout
but other than those oddities this should be a total no-op patch.
I tried to fix up all architectures, did fairly extensive grepping for
access_ok() uses, and the changes are trivial, but I may have missed
something. Any missed conversion should be trivially fixable, though.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-01-03 18:57:57 -08:00
|
|
|
access_ok(__p, sizeof(*__p)) ? \
|
2017-07-10 18:03:19 -07:00
|
|
|
__put_user((x), __p) : \
|
|
|
|
|
-EFAULT; \
|
|
|
|
|
})
|
|
|
|
|
|
2020-09-07 07:58:22 +02:00
|
|
|
|
|
|
|
|
unsigned long __must_check __asm_copy_to_user(void __user *to,
|
|
|
|
|
const void *from, unsigned long n);
|
|
|
|
|
unsigned long __must_check __asm_copy_from_user(void *to,
|
|
|
|
|
const void __user *from, unsigned long n);
|
|
|
|
|
|
|
|
|
|
static inline unsigned long
|
|
|
|
|
raw_copy_from_user(void *to, const void __user *from, unsigned long n)
|
|
|
|
|
{
|
2024-10-16 13:27:46 -07:00
|
|
|
return __asm_copy_from_user(to, untagged_addr(from), n);
|
2020-09-07 07:58:22 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline unsigned long
|
|
|
|
|
raw_copy_to_user(void __user *to, const void *from, unsigned long n)
|
|
|
|
|
{
|
2024-10-16 13:27:46 -07:00
|
|
|
return __asm_copy_to_user(untagged_addr(to), from, n);
|
2020-09-07 07:58:22 +02:00
|
|
|
}
|
|
|
|
|
|
2017-07-10 18:03:19 -07:00
|
|
|
extern long strncpy_from_user(char *dest, const char __user *src, long count);
|
|
|
|
|
|
|
|
|
|
extern long __must_check strnlen_user(const char __user *str, long n);
|
|
|
|
|
|
|
|
|
|
extern
|
|
|
|
|
unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
|
|
|
|
|
|
|
|
|
|
static inline
|
|
|
|
|
unsigned long __must_check clear_user(void __user *to, unsigned long n)
|
|
|
|
|
{
|
|
|
|
|
might_fault();
|
Remove 'type' argument from access_ok() function
Nobody has actually used the type (VERIFY_READ vs VERIFY_WRITE) argument
of the user address range verification function since we got rid of the
old racy i386-only code to walk page tables by hand.
It existed because the original 80386 would not honor the write protect
bit when in kernel mode, so you had to do COW by hand before doing any
user access. But we haven't supported that in a long time, and these
days the 'type' argument is a purely historical artifact.
A discussion about extending 'user_access_begin()' to do the range
checking resulted this patch, because there is no way we're going to
move the old VERIFY_xyz interface to that model. And it's best done at
the end of the merge window when I've done most of my merges, so let's
just get this done once and for all.
This patch was mostly done with a sed-script, with manual fix-ups for
the cases that weren't of the trivial 'access_ok(VERIFY_xyz' form.
There were a couple of notable cases:
- csky still had the old "verify_area()" name as an alias.
- the iter_iov code had magical hardcoded knowledge of the actual
values of VERIFY_{READ,WRITE} (not that they mattered, since nothing
really used it)
- microblaze used the type argument for a debug printout
but other than those oddities this should be a total no-op patch.
I tried to fix up all architectures, did fairly extensive grepping for
access_ok() uses, and the changes are trivial, but I may have missed
something. Any missed conversion should be trivially fixable, though.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-01-03 18:57:57 -08:00
|
|
|
return access_ok(to, n) ?
|
2024-10-16 13:27:46 -07:00
|
|
|
__clear_user(untagged_addr(to), n) : n;
|
2017-07-10 18:03:19 -07:00
|
|
|
}
|
|
|
|
|
|
2020-09-07 07:58:24 +02:00
|
|
|
#define __get_kernel_nofault(dst, src, type, err_label) \
|
2025-04-10 07:05:26 +00:00
|
|
|
__get_user_nocheck(*((type *)(dst)), (type *)(src), err_label)
|
2020-09-07 07:58:24 +02:00
|
|
|
|
|
|
|
|
#define __put_kernel_nofault(dst, src, type, err_label) \
|
2025-04-10 07:05:25 +00:00
|
|
|
__put_user_nocheck(*((type *)(src)), (type *)(dst), err_label)
|
2020-09-07 07:58:24 +02:00
|
|
|
|
2025-04-10 07:05:23 +00:00
|
|
|
static __must_check __always_inline bool user_access_begin(const void __user *ptr, size_t len)
|
|
|
|
|
{
|
|
|
|
|
if (unlikely(!access_ok(ptr, len)))
|
|
|
|
|
return 0;
|
|
|
|
|
__enable_user_access();
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
#define user_access_begin user_access_begin
|
|
|
|
|
#define user_access_end __disable_user_access
|
|
|
|
|
|
|
|
|
|
static inline unsigned long user_access_save(void) { return 0UL; }
|
|
|
|
|
static inline void user_access_restore(unsigned long enabled) { }
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We want the unsafe accessors to always be inlined and use
|
|
|
|
|
* the error labels - thus the macro games.
|
|
|
|
|
*/
|
2025-04-10 07:05:25 +00:00
|
|
|
#define unsafe_put_user(x, ptr, label) \
|
|
|
|
|
__put_user_nocheck(x, (ptr), label)
|
2025-04-10 07:05:23 +00:00
|
|
|
|
|
|
|
|
#define unsafe_get_user(x, ptr, label) do { \
|
|
|
|
|
__inttype(*(ptr)) __gu_val; \
|
2025-04-10 07:05:26 +00:00
|
|
|
__get_user_nocheck(__gu_val, (ptr), label); \
|
2025-04-10 07:05:23 +00:00
|
|
|
(x) = (__force __typeof__(*(ptr)))__gu_val; \
|
|
|
|
|
} while (0)
|
|
|
|
|
|
|
|
|
|
#define unsafe_copy_to_user(_dst, _src, _len, label) \
|
2025-06-02 21:39:14 +02:00
|
|
|
if (__asm_copy_to_user_sum_enabled(_dst, _src, _len)) \
|
|
|
|
|
goto label;
|
2025-04-10 07:05:23 +00:00
|
|
|
|
|
|
|
|
#define unsafe_copy_from_user(_dst, _src, _len, label) \
|
2025-06-02 21:39:14 +02:00
|
|
|
if (__asm_copy_from_user_sum_enabled(_dst, _src, _len)) \
|
|
|
|
|
goto label;
|
2025-04-10 07:05:23 +00:00
|
|
|
|
2019-10-28 13:10:41 +01:00
|
|
|
#else /* CONFIG_MMU */
|
|
|
|
|
#include <asm-generic/uaccess.h>
|
|
|
|
|
#endif /* CONFIG_MMU */
|
2017-07-10 18:03:19 -07:00
|
|
|
#endif /* _ASM_RISCV_UACCESS_H */
|