linux/include/asm-generic/access_ok.h

/* SPDX-License-Identifier: GPL-2.0 */
#ifndef __ASM_GENERIC_ACCESS_OK_H__
#define __ASM_GENERIC_ACCESS_OK_H__

/*
 * Checking whether a pointer is valid for user space access.
 * These definitions work on most architectures, but overrides can
 * be used where necessary.
 */

/*
 * architectures with compat tasks have a variable TASK_SIZE and should
 * override this to a constant.
 */
#ifndef TASK_SIZE_MAX
#define TASK_SIZE_MAX			TASK_SIZE
#endif

#ifndef __access_ok
/*
 * 'size' is a compile-time constant for most callers, so optimize for
 * this case to turn the check into a single comparison against a constant
 * limit and catch all possible overflows.
 * On architectures with separate user address space (m68k, s390, parisc,
 * sparc64) or those without an MMU, this should always return true.
 *
 * This version was originally contributed by Jonas Bonn for the
 * OpenRISC architecture, and was found to be the most efficient
 * for constant 'size' and 'limit' values.
 */
static inline int __access_ok(const void __user *ptr, unsigned long size)
{
	unsigned long limit = TASK_SIZE_MAX;
	unsigned long addr = (unsigned long)ptr;

	if (IS_ENABLED(CONFIG_ALTERNATE_USER_ADDRESS_SPACE) ||
	    !IS_ENABLED(CONFIG_MMU))
		return true;

	return (size <= limit) && (addr <= (limit - size));
}
#endif

#ifndef access_ok
#define access_ok(addr, size) likely(__access_ok(addr, size))
#endif

#endif
uaccess: generalize access_ok() There are many different ways that access_ok() is defined across architectures, but in the end, they all just compare against the user_addr_max() value or they accept anything. Provide one definition that works for most architectures, checking against TASK_SIZE_MAX for user processes or skipping the check inside of uaccess_kernel() sections. For architectures without CONFIG_SET_FS(), this should be the fastest check, as it comes down to a single comparison of a pointer against a compile-time constant, while the architecture specific versions tend to do something more complex for historic reasons or get something wrong. Type checking for __user annotations is handled inconsistently across architectures, but this is easily simplified as well by using an inline function that takes a 'const void __user *' argument. A handful of callers need an extra __user annotation for this. Some architectures had trick to use 33-bit or 65-bit arithmetic on the addresses to calculate the overflow, however this simpler version uses fewer registers, which means it can produce better object code in the end despite needing a second (statically predicted) branch. Reviewed-by: Christoph Hellwig <hch@lst.de> Acked-by: Mark Rutland <mark.rutland@arm.com> [arm64, asm-generic] Acked-by: Geert Uytterhoeven <geert@linux-m68k.org> Acked-by: Stafford Horne <shorne@gmail.com> Acked-by: Dinh Nguyen <dinguyen@kernel.org> Signed-off-by: Arnd Bergmann <arnd@arndb.de> 2022-02-15 17:55:04 +01:00			`/* SPDX-License-Identifier: GPL-2.0 */`
			`#ifndef __ASM_GENERIC_ACCESS_OK_H__`
			`#define __ASM_GENERIC_ACCESS_OK_H__`

			`/*`
			`* Checking whether a pointer is valid for user space access.`
			`* These definitions work on most architectures, but overrides can`
			`* be used where necessary.`
			`*/`

			`/*`
			`* architectures with compat tasks have a variable TASK_SIZE and should`
			`* override this to a constant.`
			`*/`
			`#ifndef TASK_SIZE_MAX`
			`#define TASK_SIZE_MAX TASK_SIZE`
			`#endif`

			`#ifndef __access_ok`
			`/*`
			`* 'size' is a compile-time constant for most callers, so optimize for`
			`* this case to turn the check into a single comparison against a constant`
			`* limit and catch all possible overflows.`
			`* On architectures with separate user address space (m68k, s390, parisc,`
			`* sparc64) or those without an MMU, this should always return true.`
			`*`
			`* This version was originally contributed by Jonas Bonn for the`
			`* OpenRISC architecture, and was found to be the most efficient`
			`* for constant 'size' and 'limit' values.`
			`*/`
			`static inline int __access_ok(const void __user *ptr, unsigned long size)`
			`{`
uaccess: remove CONFIG_SET_FS There are no remaining callers of set_fs(), so CONFIG_SET_FS can be removed globally, along with the thread_info field and any references to it. This turns access_ok() into a cheaper check against TASK_SIZE_MAX. As CONFIG_SET_FS is now gone, drop all remaining references to set_fs()/get_fs(), mm_segment_t, user_addr_max() and uaccess_kernel(). Acked-by: Sam Ravnborg <sam@ravnborg.org> # for sparc32 changes Acked-by: "Eric W. Biederman" <ebiederm@xmission.com> Tested-by: Sergey Matyukevich <sergey.matyukevich@synopsys.com> # for arc changes Acked-by: Stafford Horne <shorne@gmail.com> # [openrisc, asm-generic] Acked-by: Dinh Nguyen <dinguyen@kernel.org> Signed-off-by: Arnd Bergmann <arnd@arndb.de> 2022-02-11 21:42:45 +01:00			`unsigned long limit = TASK_SIZE_MAX;`
uaccess: generalize access_ok() There are many different ways that access_ok() is defined across architectures, but in the end, they all just compare against the user_addr_max() value or they accept anything. Provide one definition that works for most architectures, checking against TASK_SIZE_MAX for user processes or skipping the check inside of uaccess_kernel() sections. For architectures without CONFIG_SET_FS(), this should be the fastest check, as it comes down to a single comparison of a pointer against a compile-time constant, while the architecture specific versions tend to do something more complex for historic reasons or get something wrong. Type checking for __user annotations is handled inconsistently across architectures, but this is easily simplified as well by using an inline function that takes a 'const void __user *' argument. A handful of callers need an extra __user annotation for this. Some architectures had trick to use 33-bit or 65-bit arithmetic on the addresses to calculate the overflow, however this simpler version uses fewer registers, which means it can produce better object code in the end despite needing a second (statically predicted) branch. Reviewed-by: Christoph Hellwig <hch@lst.de> Acked-by: Mark Rutland <mark.rutland@arm.com> [arm64, asm-generic] Acked-by: Geert Uytterhoeven <geert@linux-m68k.org> Acked-by: Stafford Horne <shorne@gmail.com> Acked-by: Dinh Nguyen <dinguyen@kernel.org> Signed-off-by: Arnd Bergmann <arnd@arndb.de> 2022-02-15 17:55:04 +01:00			`unsigned long addr = (unsigned long)ptr;`

			`if (IS_ENABLED(CONFIG_ALTERNATE_USER_ADDRESS_SPACE) \|\|`
			`!IS_ENABLED(CONFIG_MMU))`
			`return true;`

			`return (size <= limit) && (addr <= (limit - size));`
			`}`
			`#endif`

			`#ifndef access_ok`
			`#define access_ok(addr, size) likely(__access_ok(addr, size))`
			`#endif`

			`#endif`