From: Arnd Bergmann <arnd@arndb.de>
To: monstr@monstr.eu
Cc: linux-kernel@vger.kernel.org, john.williams@petalogix.com
Subject: Re: [PATCH 20/30] microblaze_mmu_v1: uaccess MMU update
Date: Wed, 29 Apr 2009 13:26:23 +0200 [thread overview]
Message-ID: <200904291326.23511.arnd@arndb.de> (raw)
In-Reply-To: <1240821139-7247-21-git-send-email-monstr@monstr.eu>
Following up on my earlier comment:
On Monday 27 April 2009, monstr@monstr.eu wrote:
> +#define __get_user(var, ptr) \
> +({ \
> + int __gu_err = 0; \
> + switch (sizeof(*(ptr))) { \
> + case 1: \
> + case 2: \
> + case 4: \
> + (var) = *(ptr); \
> + break; \
> + case 8: \
> + memcpy((void *) &(var), (ptr), 8); \
> + break; \
> + default: \
> + (var) = 0; \
> + __gu_err = __get_user_bad(); \
> + break; \
> + } \
> + __gu_err; \
> +})
This needs more __force to dereference the user pointers.
> #define __get_user_bad() (bad_user_access_length(), (-EFAULT))
You have actually defined bad_user_access_length(), which is not
how it __get_user_bad() was meant as. The idea was to declare
an undefined function, which results in a link error in case
of funny length inputs to __get_user, a cheap way to do
BUILD_BUG_ON() in a switch() statement.
> +/* FIXME is not there defined __pu_val */
> +({ \
> + int __pu_err = 0; \
> + switch (sizeof(*(ptr))) { \
> + case 1: \
> + case 2: \
> + case 4: \
> + *(ptr) = (var); \
> + break; \
> + case 8: { \
> + typeof(*(ptr)) __pu_val = (var); \
> + memcpy(ptr, &__pu_val, sizeof(__pu_val)); \
> + } \
> + break; \
> + default: \
> + __pu_err = __put_user_bad(); \
> + break; \
> + } \
> + __pu_err; \
> +})
>
> #define __put_user_bad() (bad_user_access_length(), (-EFAULT))
Same comments apply here.
> -#define put_user(x, ptr) __put_user(x, ptr)
> -#define get_user(x, ptr) __get_user(x, ptr)
> -
> -#define copy_to_user(to, from, n) (memcpy(to, from, n), 0)
> -#define copy_from_user(to, from, n) (memcpy(to, from, n), 0)
> +#define put_user(x, ptr) __put_user((x), (ptr))
> +#define get_user(x, ptr) __get_user((x), (ptr))
put_user and get_user should call access_ok() for the !MMU version I guess,
if you can easily detect kernel pointers based on the address.
It's also a good idea to add might_sleep() in there if access_ok()
doesn't have it already.
> -#define __copy_to_user(to, from, n) (copy_to_user(to, from, n))
> -#define __copy_from_user(to, from, n) (copy_from_user(to, from, n))
> -#define __copy_to_user_inatomic(to, from, n) (__copy_to_user(to, from, n))
> -#define __copy_from_user_inatomic(to, from, n) (__copy_from_user(to, from, n))
> +#define copy_to_user(to, from, n) (memcpy((to), (from), (n)), 0)
> +#define copy_from_user(to, from, n) (memcpy((to), (from), (n)), 0)
Same here, plus they can be shared between MMU and NOMMU.
> +#else /* CONFIG_MMU */
> +
> +/*
> + * Address is valid if:
> + * - "addr", "addr + size" and "size" are all below the limit
> + */
> +#define access_ok(type, addr, size) \
> + (get_fs().seg > (((unsigned long)(addr)) | \
> + (size) | ((unsigned long)(addr) + (size))))
> +
> +/* || printk("access_ok failed for %s at 0x%08lx (size %d), seg 0x%08x\n",
> + type?"WRITE":"READ",addr,size,get_fs().seg)) */
> +
> +/*
> + * All the __XXX versions macros/functions below do not perform
> + * access checking. It is assumed that the necessary checks have been
> + * already performed before the finction (macro) is called.
> + */
> +
> +#define get_user(x, ptr) \
> +({ \
> + access_ok(VERIFY_READ, (ptr), sizeof(*(ptr))) \
> + ? __get_user((x), (ptr)) : -EFAULT; \
> +})
> +
> +#define put_user(x, ptr) \
> +({ \
> + access_ok(VERIFY_WRITE, (ptr), sizeof(*(ptr))) \
> + ? __put_user((x), (ptr)) : -EFAULT; \
> +})
Please add might_sleep() either here or in access_ok().
> +#define __get_user(x, ptr) \
> +({ \
> + unsigned long __gu_val; \
> + /*unsigned long __gu_ptr = (unsigned long)(ptr);*/ \
> + long __gu_err; \
> + switch (sizeof(*(ptr))) { \
> + case 1: \
> + __get_user_asm("lbu", (ptr), __gu_val, __gu_err); \
> + break; \
> + case 2: \
> + __get_user_asm("lhu", (ptr), __gu_val, __gu_err); \
> + break; \
> + case 4: \
> + __get_user_asm("lw", (ptr), __gu_val, __gu_err); \
> + break; \
> + default: \
> + __gu_val = 0; __gu_err = -EINVAL; \
> + } \
> + x = (__typeof__(*(ptr))) __gu_val; \
> + __gu_err; \
> +})
Again, the 'default:' case should give a link error, not a runtime
error.
It seems inconsistent to have a 'case 8:' in !MMU as well as both
__put_user variants but not in the MMU __get_user.
> +#define __put_user(x, ptr) \
> +({ \
> + __typeof__(*(ptr)) __gu_val = x; \
> + long __gu_err = 0; \
> + switch (sizeof(__gu_val)) { \
> + case 1: \
> + __put_user_asm("sb", (ptr), __gu_val, __gu_err); \
> + break; \
> + case 2: \
> + __put_user_asm("sh", (ptr), __gu_val, __gu_err); \
> + break; \
> + case 4: \
> + __put_user_asm("sw", (ptr), __gu_val, __gu_err); \
> + break; \
> + case 8: \
> + __put_user_asm_8((ptr), __gu_val, __gu_err); \
> + break; \
> + default: \
> + __gu_err = -EINVAL; \
> + } \
> + __gu_err; \
> +})
> +/*
> + * Return: number of not copied bytes, i.e. 0 if OK or non-zero if fail.
> + */
> +static inline int clear_user(char *to, int size)
> +{
> + if (size && access_ok(VERIFY_WRITE, to, size)) {
> + __asm__ __volatile__ (" \
> + 1: \
> + sb r0, %2, r0; \
> + addik %0, %0, -1; \
> + bneid %0, 1b; \
> + addik %2, %2, 1; \
> + 2: \
> + .section __ex_table,\"a\"; \
> + .word 1b,2b; \
> + .section .text;" \
> + : "=r"(size) \
> + : "0"(size), "r"(to)
> + );
> + }
> + return size;
> +}
Please use the prototype I mentioned in the other mail.
While I don't remember the exact story, I think the preferred
way to write multi-line inline assembly is
asm volatile("# clear_user \n"
"1: \n"
" sb r0, %2, r0 \n"
" addik %0, %0, -1 \n"
" bneid %0, 1b \n"
"2: \n"
".section __ex_table,\"a\" \n"
".word 1b,2b; \n"
".section .text; \n");
rather than a single multi-line string.
> +extern unsigned long __copy_tofrom_user(void __user *to,
> + const void __user *from, unsigned long size);
> +
> +#define copy_to_user(to, from, n) \
> + (access_ok(VERIFY_WRITE, (to), (n)) ? \
> + __copy_tofrom_user((void __user *)(to), \
> + (__force const void __user *)(from), (n)) \
> + : -EFAULT)
No, copy_to_user does *not* return an errno, but instead the number
of bytes not copied. Assuming your __copy_tofrom_user is correct,
this would be
static inline __must_check unsigned long
copy_to_user(void __user *to, void *from, size_t n)
{
might_sleep();
if (!access_ok(VERIFY_WRITE, to, n))
return n;
return __copy_tofrom_user(to, (const void __force __user *)from, n);
}
> +#define __copy_to_user(to, from, n) copy_to_user((to), (from), (n))
> +#define __copy_to_user_inatomic(to, from, n) copy_to_user((to), (from), (n))
> +
> +#define copy_from_user(to, from, n) \
> + (access_ok(VERIFY_READ, (from), (n)) ? \
> + __copy_tofrom_user((__force void __user *)(to), \
> + (void __user *)(from), (n)) \
> + : -EFAULT)
same here
> +#define __copy_from_user(to, from, n) copy_from_user((to), (from), (n))
> +#define __copy_from_user_inatomic(to, from, n) \
> + copy_from_user((to), (from), (n))
> +
> +extern int __strncpy_user(char *to, const char __user *from, int len);
> +extern int __strnlen_user(const char __user *sstr, int len);
> +
> +#define strncpy_from_user(to, from, len) \
> + (access_ok(VERIFY_READ, from, 1) ? \
> + __strncpy_user(to, from, len) : -EFAULT)
and here.
Arnd <><
next prev parent reply other threads:[~2009-04-29 11:27 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-04-27 8:31 Microblaze MMU patches monstr
2009-04-27 8:31 ` [PATCH 01/30] microblaze_mmu_v1: Makefiles monstr
2009-04-27 8:31 ` [PATCH 02/30] microblaze_mmu_v1: Kconfig update monstr
2009-04-27 8:31 ` [PATCH 03/30] microblaze_mmu_v1: Add mmu_defconfig monstr
2009-04-27 8:31 ` [PATCH 04/30] microblaze_mmu_v1: MMU update for startup code monstr
2009-04-27 8:31 ` [PATCH 05/30] microblaze_mmu_v1: Alocate TLB for early console monstr
2009-04-27 8:31 ` [PATCH 06/30] microblaze_mmu_v1: TLB low level code monstr
2009-04-27 8:31 ` [PATCH 07/30] microblaze_mmu_v1: MMU initialization monstr
2009-04-27 8:31 ` [PATCH 08/30] microblaze_mmu_v1: mmu.h update monstr
2009-04-27 8:31 ` [PATCH 09/30] microblaze_mmu_v1: Page fault handling high level - fault.c monstr
2009-04-27 8:31 ` [PATCH 10/30] microblaze_mmu_v1: Context handling - mmu_context.c/h monstr
2009-04-27 8:32 ` [PATCH 11/30] microblaze_mmu_v1: Page table - ioremap - pgtable.c/h, section update monstr
2009-04-27 8:32 ` [PATCH 12/30] microblaze_mmu_v1: io.h MMU update monstr
2009-04-27 8:32 ` [PATCH 13/30] microblaze_mmu_v1: pgalloc.h and page.h monstr
2009-04-27 8:32 ` [PATCH 14/30] microblaze_mmu_v1: Update process creation for MMU monstr
2009-04-27 8:32 ` [PATCH 15/30] microblaze_mmu_v1: Update tlb.h and tlbflush.h monstr
2009-04-27 8:32 ` [PATCH 16/30] microblaze_mmu_v1: MMU asm offset update monstr
2009-04-27 8:32 ` [PATCH 17/30] microblaze_mmu_v1: Add CURRENT_TASK for entry.S monstr
2009-04-27 8:32 ` [PATCH 18/30] microblaze_mmu_v1: entry.S, entry.h monstr
2009-04-27 8:32 ` [PATCH 19/30] microblaze_mmu_v1: Update exception handling - MMU exception monstr
2009-04-27 8:32 ` [PATCH 20/30] microblaze_mmu_v1: uaccess MMU update monstr
2009-04-27 8:32 ` [PATCH 21/30] microblaze_mmu_v1: Add MMU related exceptions handling monstr
2009-04-27 8:32 ` [PATCH 22/30] microblaze_mmu_v1: Update linker script for MMU monstr
2009-04-27 8:32 ` [PATCH 23/30] microblaze_mmu_v1: Enable fork syscall for MMU and add fork as vfork for noMMU monstr
2009-04-27 8:32 ` [PATCH 24/30] microblaze_mmu_v1: Traps MMU update monstr
2009-04-27 8:32 ` [PATCH 25/30] microblaze_mmu_v1: Update signal returning address monstr
2009-04-27 8:32 ` [PATCH 26/30] microblaze_mmu_v1: Update cacheflush.h monstr
2009-04-27 8:32 ` [PATCH 27/30] microblaze_mmu_v1: Update dma.h for MMU monstr
2009-04-27 8:32 ` [PATCH 28/30] microblaze_mmu_v1: Elf update monstr
2009-04-27 8:32 ` [PATCH 29/30] microblaze_mmu_v1: stat.h MMU update monstr
2009-04-27 8:32 ` [PATCH 30/30] microblaze_mmu_v1: fcntl.h " monstr
2009-04-27 9:59 ` Christoph Hellwig
2009-04-27 10:05 ` John Williams
2009-04-27 10:56 ` Michal Simek
2009-04-27 9:58 ` [PATCH 29/30] microblaze_mmu_v1: stat.h " Christoph Hellwig
2009-04-27 10:35 ` Michal Simek
2009-04-27 11:30 ` Christoph Hellwig
2009-04-27 11:43 ` Michal Simek
2009-04-27 11:57 ` Arnd Bergmann
2009-04-27 12:15 ` Sam Ravnborg
2009-04-27 12:37 ` Arnd Bergmann
2009-04-27 12:48 ` Sam Ravnborg
2009-04-27 12:55 ` Arnd Bergmann
2009-04-27 12:31 ` Michal Simek
2009-04-27 12:42 ` Arnd Bergmann
2009-04-27 12:44 ` Michal Simek
2009-04-27 12:47 ` Arnd Bergmann
2009-04-27 12:48 ` Michal Simek
2009-04-30 13:53 ` Arnd Bergmann
2009-04-30 14:10 ` Michal Simek
2009-04-30 14:40 ` Arnd Bergmann
2009-04-30 14:51 ` Michal Simek
2009-04-27 12:53 ` Arnd Bergmann
2009-04-27 13:03 ` Michal Simek
2009-04-27 13:13 ` Arnd Bergmann
2009-04-27 11:43 ` [PATCH 23/30] microblaze_mmu_v1: Enable fork syscall for MMU and add fork as vfork for noMMU John Williams
2009-04-29 10:16 ` Michal Simek
2009-04-29 11:31 ` Arnd Bergmann
2009-04-29 11:27 ` [PATCH 22/30] microblaze_mmu_v1: Update linker script for MMU Arnd Bergmann
2009-04-29 11:39 ` Michal Simek
2009-04-29 5:54 ` [PATCH 21/30] microblaze_mmu_v1: Add MMU related exceptions handling Andrew Morton
2009-04-29 9:36 ` Michal Simek
2009-04-29 5:53 ` [PATCH 20/30] microblaze_mmu_v1: uaccess MMU update Andrew Morton
2009-04-29 10:12 ` Michal Simek
2009-04-29 10:58 ` Arnd Bergmann
2009-04-29 15:19 ` Michal Simek
2009-04-29 15:35 ` Arnd Bergmann
2009-04-29 15:43 ` Michal Simek
2009-04-29 15:55 ` Arnd Bergmann
2009-04-29 11:26 ` Arnd Bergmann [this message]
2009-04-27 10:55 ` [PATCH 10/30] microblaze_mmu_v1: Context handling - mmu_context.c/h Arnd Bergmann
2009-04-27 11:18 ` Geert Uytterhoeven
2009-04-29 5:46 ` [PATCH 09/30] microblaze_mmu_v1: Page fault handling high level - fault.c Andrew Morton
2009-04-29 9:30 ` Michal Simek
2009-04-29 5:44 ` [PATCH 08/30] microblaze_mmu_v1: mmu.h update Andrew Morton
2009-04-29 9:28 ` Michal Simek
2009-04-29 5:42 ` [PATCH 07/30] microblaze_mmu_v1: MMU initialization Andrew Morton
2009-04-29 7:02 ` Michal Simek
2009-04-29 8:42 ` Michal Simek
2009-04-27 10:50 ` [PATCH 01/30] microblaze_mmu_v1: Makefiles Arnd Bergmann
2009-04-27 10:54 ` Michal Simek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200904291326.23511.arnd@arndb.de \
--to=arnd@arndb.de \
--cc=john.williams@petalogix.com \
--cc=linux-kernel@vger.kernel.org \
--cc=monstr@monstr.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox