linux/lib/strnlen_user.c

#include <linux/kernel.h>
#include <linux/export.h>
#include <linux/uaccess.h>

#include <asm/word-at-a-time.h>

/* Set bits in the first 'n' bytes when loaded from memory */
#ifdef __LITTLE_ENDIAN
#  define aligned_byte_mask(n) ((1ul << 8*(n))-1)
#else
#  define aligned_byte_mask(n) (~0xfful << (BITS_PER_LONG - 8 - 8*(n)))
#endif

/*
 * Do a strnlen, return length of string *with* final '\0'.
 * 'count' is the user-supplied count, while 'max' is the
 * address space maximum.
 *
 * Return 0 for exceptions (which includes hitting the address
 * space maximum), or 'count+1' if hitting the user-supplied
 * maximum count.
 *
 * NOTE! We can sometimes overshoot the user-supplied maximum
 * if it fits in a aligned 'long'. The caller needs to check
 * the return value against "> max".
 */
static inline long do_strnlen_user(const char __user *src, unsigned long count, unsigned long max)
{
	const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
	long align, res = 0;
	unsigned long c;

	/*
	 * Truncate 'max' to the user-specified limit, so that
	 * we only have one limit we need to check in the loop
	 */
	if (max > count)
		max = count;

	/*
	 * Do everything aligned. But that means that we
	 * need to also expand the maximum..
	 */
	align = (sizeof(long) - 1) & (unsigned long)src;
	src -= align;
	max += align;

	if (unlikely(unsafe_get_user(c,(unsigned long __user *)src)))
		return 0;
	c |= aligned_byte_mask(align);

	for (;;) {
		unsigned long data;
		if (has_zero(c, &data, &constants)) {
			data = prep_zero_mask(c, data, &constants);
			data = create_zero_mask(data);
			return res + find_zero(data) + 1 - align;
		}
		res += sizeof(unsigned long);
		/* We already handled 'unsigned long' bytes. Did we do it all ? */
		if (unlikely(max <= sizeof(unsigned long)))
			break;
		max -= sizeof(unsigned long);
		if (unlikely(unsafe_get_user(c,(unsigned long __user *)(src+res))))
			return 0;
	}
	res -= align;

	/*
	 * Uhhuh. We hit 'max'. But was that the user-specified maximum
	 * too? If so, return the marker for "too long".
	 */
	if (res >= count)
		return count+1;

	/*
	 * Nope: we hit the address space limit, and we still had more
	 * characters the caller would have wanted. That's 0.
	 */
	return 0;
}

/**
 * strnlen_user: - Get the size of a user string INCLUDING final NUL.
 * @str: The string to measure.
 * @count: Maximum count (including NUL character)
 *
 * Context: User context only. This function may sleep if pagefaults are
 *          enabled.
 *
 * Get the size of a NUL-terminated string in user space.
 *
 * Returns the size of the string INCLUDING the terminating NUL.
 * If the string is too long, returns a number larger than @count. User
 * has to check the return value against "> count".
 * On exception (or invalid count), returns 0.
 *
 * NOTE! You should basically never use this function. There is
 * almost never any valid case for using the length of a user space
 * string, since the string can be changed at any time by other
 * threads. Use "strncpy_from_user()" instead to get a stable copy
 * of the string.
 */
long strnlen_user(const char __user *str, long count)
{
	unsigned long max_addr, src_addr;

	if (unlikely(count <= 0))
		return 0;

	max_addr = user_addr_max();
	src_addr = (unsigned long)str;
	if (likely(src_addr < max_addr)) {
		unsigned long max = max_addr - src_addr;
		long retval;

		user_access_begin();
		retval = do_strnlen_user(str, count, max);
		user_access_end();
		return retval;
	}
	return 0;
}
EXPORT_SYMBOL(strnlen_user);

/**
 * strlen_user: - Get the size of a user string INCLUDING final NUL.
 * @str: The string to measure.
 *
 * Context: User context only. This function may sleep if pagefaults are
 *          enabled.
 *
 * Get the size of a NUL-terminated string in user space.
 *
 * Returns the size of the string INCLUDING the terminating NUL.
 * On exception, returns 0.
 *
 * If there is a limit on the length of a valid string, you may wish to
 * consider using strnlen_user() instead.
 */
long strlen_user(const char __user *str)
{
	unsigned long max_addr, src_addr;

	max_addr = user_addr_max();
	src_addr = (unsigned long)str;
	if (likely(src_addr < max_addr)) {
		unsigned long max = max_addr - src_addr;
		long retval;

		user_access_begin();
		retval = do_strnlen_user(str, ~0ul, max);
		user_access_end();
		return retval;
	}
	return 0;
}
EXPORT_SYMBOL(strlen_user);
lib: add generic strnlen_user() function This adds a new generic optimized strnlen_user() function that uses the <asm/word-at-a-time.h> infrastructure to portably do efficient string handling. In many ways, strnlen is much simpler than strncpy, and in particular we can always pre-align the words we load from memory. That means that all the worries about alignment etc are a non-issue, so this one can easily be used on any architecture. You obviously do have to do the appropriate word-at-a-time.h macros. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2012-05-26 22:06:38 +04:00			`#include <linux/kernel.h>`
			`#include <linux/export.h>`
			`#include <linux/uaccess.h>`

			`#include <asm/word-at-a-time.h>`

			`/* Set bits in the first 'n' bytes when loaded from memory */`
			`#ifdef __LITTLE_ENDIAN`
			`# define aligned_byte_mask(n) ((1ul << 8*(n))-1)`
			`#else`
lib: Fix generic strnlen_user for 32-bit big-endian machines The aligned_byte_mask() definition is wrong for 32-bit big-endian machines: the "7-(n)" part of the definition assumes a long is 8 bytes. This fixes it by using BITS_PER_LONG - 8 instead of 8*7. Tested on 32-bit and 64-bit PowerPC. Signed-off-by: Paul Mackerras <paulus@samba.org> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2012-05-28 06:59:56 +04:00			`# define aligned_byte_mask(n) (~0xfful << (BITS_PER_LONG - 8 - 8*(n)))`
lib: add generic strnlen_user() function This adds a new generic optimized strnlen_user() function that uses the <asm/word-at-a-time.h> infrastructure to portably do efficient string handling. In many ways, strnlen is much simpler than strncpy, and in particular we can always pre-align the words we load from memory. That means that all the worries about alignment etc are a non-issue, so this one can easily be used on any architecture. You obviously do have to do the appropriate word-at-a-time.h macros. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2012-05-26 22:06:38 +04:00			`#endif`

			`/*`
			`* Do a strnlen, return length of string with final '\0'.`
			`* 'count' is the user-supplied count, while 'max' is the`
			`* address space maximum.`
			`*`
			`* Return 0 for exceptions (which includes hitting the address`
			`* space maximum), or 'count+1' if hitting the user-supplied`
			`* maximum count.`
			`*`
			`* NOTE! We can sometimes overshoot the user-supplied maximum`
			`* if it fits in a aligned 'long'. The caller needs to check`
			`* the return value against "> max".`
			`*/`
			`static inline long do_strnlen_user(const char __user *src, unsigned long count, unsigned long max)`
			`{`
			`const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;`
			`long align, res = 0;`
			`unsigned long c;`

			`/*`
			`* Truncate 'max' to the user-specified limit, so that`
			`* we only have one limit we need to check in the loop`
			`*/`
			`if (max > count)`
			`max = count;`

			`/*`
			`* Do everything aligned. But that means that we`
			`* need to also expand the maximum..`
			`*/`
			`align = (sizeof(long) - 1) & (unsigned long)src;`
			`src -= align;`
			`max += align;`

Use the new batched user accesses in generic user string handling This converts the generic user string functions to use the batched user access functions. It makes a big difference on Skylake, which is the first x86 microarchitecture to implement SMAP. The STAC/CLAC instructions are not very fast, and doing them for each access inside the loop that copies strings from user space (which is what the pathname handling does for every pathname the kernel uses, for example) is very inefficient. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2015-12-17 21:05:19 +03:00			`if (unlikely(unsafe_get_user(c,(unsigned long __user *)src)))`
lib: add generic strnlen_user() function This adds a new generic optimized strnlen_user() function that uses the <asm/word-at-a-time.h> infrastructure to portably do efficient string handling. In many ways, strnlen is much simpler than strncpy, and in particular we can always pre-align the words we load from memory. That means that all the worries about alignment etc are a non-issue, so this one can easily be used on any architecture. You obviously do have to do the appropriate word-at-a-time.h macros. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2012-05-26 22:06:38 +04:00			`return 0;`
			`c \|= aligned_byte_mask(align);`

			`for (;;) {`
			`unsigned long data;`
			`if (has_zero(c, &data, &constants)) {`
			`data = prep_zero_mask(c, data, &constants);`
			`data = create_zero_mask(data);`
			`return res + find_zero(data) + 1 - align;`
			`}`
			`res += sizeof(unsigned long);`
lib: Fix strnlen_user() to not touch memory after specified maximum If the specified maximum length of the string is a multiple of unsigned long, we would load one long behind the specified maximum. If that happens to be in a next page, we can hit a page fault although we were not expected to. Fix the off-by-one bug in the test whether we are at the end of the specified range. Signed-off-by: Jan Kara <jack@suse.cz> Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2015-06-02 18:10:28 +03:00			`/* We already handled 'unsigned long' bytes. Did we do it all ? */`
			`if (unlikely(max <= sizeof(unsigned long)))`
lib: add generic strnlen_user() function This adds a new generic optimized strnlen_user() function that uses the <asm/word-at-a-time.h> infrastructure to portably do efficient string handling. In many ways, strnlen is much simpler than strncpy, and in particular we can always pre-align the words we load from memory. That means that all the worries about alignment etc are a non-issue, so this one can easily be used on any architecture. You obviously do have to do the appropriate word-at-a-time.h macros. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2012-05-26 22:06:38 +04:00			`break;`
			`max -= sizeof(unsigned long);`
Use the new batched user accesses in generic user string handling This converts the generic user string functions to use the batched user access functions. It makes a big difference on Skylake, which is the first x86 microarchitecture to implement SMAP. The STAC/CLAC instructions are not very fast, and doing them for each access inside the loop that copies strings from user space (which is what the pathname handling does for every pathname the kernel uses, for example) is very inefficient. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2015-12-17 21:05:19 +03:00			`if (unlikely(unsafe_get_user(c,(unsigned long __user *)(src+res))))`
lib: add generic strnlen_user() function This adds a new generic optimized strnlen_user() function that uses the <asm/word-at-a-time.h> infrastructure to portably do efficient string handling. In many ways, strnlen is much simpler than strncpy, and in particular we can always pre-align the words we load from memory. That means that all the worries about alignment etc are a non-issue, so this one can easily be used on any architecture. You obviously do have to do the appropriate word-at-a-time.h macros. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2012-05-26 22:06:38 +04:00			`return 0;`
			`}`
			`res -= align;`

			`/*`
			`* Uhhuh. We hit 'max'. But was that the user-specified maximum`
			`* too? If so, return the marker for "too long".`
			`*/`
			`if (res >= count)`
			`return count+1;`

			`/*`
			`* Nope: we hit the address space limit, and we still had more`
			`* characters the caller would have wanted. That's 0.`
			`*/`
			`return 0;`
			`}`

			`/**`
			`* strnlen_user: - Get the size of a user string INCLUDING final NUL.`
			`* @str: The string to measure.`
			`* @count: Maximum count (including NUL character)`
			`*`
mm/uaccess, mm/fault: Clarify that uaccess may only sleep if pagefaults are enabled In general, non-atomic variants of user access functions must not sleep if pagefaults are disabled. Let's update all relevant comments in uaccess code. This also reflects the might_sleep() checks in might_fault(). Reviewed-and-tested-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: David.Laight@ACULAB.COM Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: airlied@linux.ie Cc: akpm@linux-foundation.org Cc: benh@kernel.crashing.org Cc: bigeasy@linutronix.de Cc: borntraeger@de.ibm.com Cc: daniel.vetter@intel.com Cc: heiko.carstens@de.ibm.com Cc: herbert@gondor.apana.org.au Cc: hocko@suse.cz Cc: hughd@google.com Cc: mst@redhat.com Cc: paulus@samba.org Cc: ralf@linux-mips.org Cc: schwidefsky@de.ibm.com Cc: yang.shi@windriver.com Link: http://lkml.kernel.org/r/1431359540-32227-4-git-send-email-dahi@linux.vnet.ibm.com Signed-off-by: Ingo Molnar <mingo@kernel.org> 2015-05-11 18:52:08 +03:00			`* Context: User context only. This function may sleep if pagefaults are`
			`* enabled.`
lib: add generic strnlen_user() function This adds a new generic optimized strnlen_user() function that uses the <asm/word-at-a-time.h> infrastructure to portably do efficient string handling. In many ways, strnlen is much simpler than strncpy, and in particular we can always pre-align the words we load from memory. That means that all the worries about alignment etc are a non-issue, so this one can easily be used on any architecture. You obviously do have to do the appropriate word-at-a-time.h macros. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2012-05-26 22:06:38 +04:00			`*`
			`* Get the size of a NUL-terminated string in user space.`
			`*`
			`* Returns the size of the string INCLUDING the terminating NUL.`
lib: Clarify the return value of strnlen_user() strnlen_user() can return a number in a range 0 to count + sizeof(unsigned long) - 1. Clarify the comment at the top of the function so that users don't think the function returns at most count+1. Signed-off-by: Jan Kara <jack@suse.cz> [ Also added commentary about preferably not using this function ] Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2015-06-03 16:50:35 +03:00			`* If the string is too long, returns a number larger than @count. User`
			`* has to check the return value against "> count".`
lib: add generic strnlen_user() function This adds a new generic optimized strnlen_user() function that uses the <asm/word-at-a-time.h> infrastructure to portably do efficient string handling. In many ways, strnlen is much simpler than strncpy, and in particular we can always pre-align the words we load from memory. That means that all the worries about alignment etc are a non-issue, so this one can easily be used on any architecture. You obviously do have to do the appropriate word-at-a-time.h macros. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2012-05-26 22:06:38 +04:00			`* On exception (or invalid count), returns 0.`
lib: Clarify the return value of strnlen_user() strnlen_user() can return a number in a range 0 to count + sizeof(unsigned long) - 1. Clarify the comment at the top of the function so that users don't think the function returns at most count+1. Signed-off-by: Jan Kara <jack@suse.cz> [ Also added commentary about preferably not using this function ] Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2015-06-03 16:50:35 +03:00			`*`
			`* NOTE! You should basically never use this function. There is`
			`* almost never any valid case for using the length of a user space`
			`* string, since the string can be changed at any time by other`
			`* threads. Use "strncpy_from_user()" instead to get a stable copy`
			`* of the string.`
lib: add generic strnlen_user() function This adds a new generic optimized strnlen_user() function that uses the <asm/word-at-a-time.h> infrastructure to portably do efficient string handling. In many ways, strnlen is much simpler than strncpy, and in particular we can always pre-align the words we load from memory. That means that all the worries about alignment etc are a non-issue, so this one can easily be used on any architecture. You obviously do have to do the appropriate word-at-a-time.h macros. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2012-05-26 22:06:38 +04:00			`*/`
			`long strnlen_user(const char __user *str, long count)`
			`{`
			`unsigned long max_addr, src_addr;`

			`if (unlikely(count <= 0))`
			`return 0;`

			`max_addr = user_addr_max();`
			`src_addr = (unsigned long)str;`
			`if (likely(src_addr < max_addr)) {`
			`unsigned long max = max_addr - src_addr;`
Use the new batched user accesses in generic user string handling This converts the generic user string functions to use the batched user access functions. It makes a big difference on Skylake, which is the first x86 microarchitecture to implement SMAP. The STAC/CLAC instructions are not very fast, and doing them for each access inside the loop that copies strings from user space (which is what the pathname handling does for every pathname the kernel uses, for example) is very inefficient. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2015-12-17 21:05:19 +03:00			`long retval;`

			`user_access_begin();`
			`retval = do_strnlen_user(str, count, max);`
			`user_access_end();`
			`return retval;`
lib: add generic strnlen_user() function This adds a new generic optimized strnlen_user() function that uses the <asm/word-at-a-time.h> infrastructure to portably do efficient string handling. In many ways, strnlen is much simpler than strncpy, and in particular we can always pre-align the words we load from memory. That means that all the worries about alignment etc are a non-issue, so this one can easily be used on any architecture. You obviously do have to do the appropriate word-at-a-time.h macros. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2012-05-26 22:06:38 +04:00			`}`
			`return 0;`
			`}`
			`EXPORT_SYMBOL(strnlen_user);`

			`/**`
			`* strlen_user: - Get the size of a user string INCLUDING final NUL.`
			`* @str: The string to measure.`
			`*`
mm/uaccess, mm/fault: Clarify that uaccess may only sleep if pagefaults are enabled In general, non-atomic variants of user access functions must not sleep if pagefaults are disabled. Let's update all relevant comments in uaccess code. This also reflects the might_sleep() checks in might_fault(). Reviewed-and-tested-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: David.Laight@ACULAB.COM Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: airlied@linux.ie Cc: akpm@linux-foundation.org Cc: benh@kernel.crashing.org Cc: bigeasy@linutronix.de Cc: borntraeger@de.ibm.com Cc: daniel.vetter@intel.com Cc: heiko.carstens@de.ibm.com Cc: herbert@gondor.apana.org.au Cc: hocko@suse.cz Cc: hughd@google.com Cc: mst@redhat.com Cc: paulus@samba.org Cc: ralf@linux-mips.org Cc: schwidefsky@de.ibm.com Cc: yang.shi@windriver.com Link: http://lkml.kernel.org/r/1431359540-32227-4-git-send-email-dahi@linux.vnet.ibm.com Signed-off-by: Ingo Molnar <mingo@kernel.org> 2015-05-11 18:52:08 +03:00			`* Context: User context only. This function may sleep if pagefaults are`
			`* enabled.`
lib: add generic strnlen_user() function This adds a new generic optimized strnlen_user() function that uses the <asm/word-at-a-time.h> infrastructure to portably do efficient string handling. In many ways, strnlen is much simpler than strncpy, and in particular we can always pre-align the words we load from memory. That means that all the worries about alignment etc are a non-issue, so this one can easily be used on any architecture. You obviously do have to do the appropriate word-at-a-time.h macros. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2012-05-26 22:06:38 +04:00			`*`
			`* Get the size of a NUL-terminated string in user space.`
			`*`
			`* Returns the size of the string INCLUDING the terminating NUL.`
			`* On exception, returns 0.`
			`*`
			`* If there is a limit on the length of a valid string, you may wish to`
			`* consider using strnlen_user() instead.`
			`*/`
			`long strlen_user(const char __user *str)`
			`{`
			`unsigned long max_addr, src_addr;`

			`max_addr = user_addr_max();`
			`src_addr = (unsigned long)str;`
			`if (likely(src_addr < max_addr)) {`
			`unsigned long max = max_addr - src_addr;`
Use the new batched user accesses in generic user string handling This converts the generic user string functions to use the batched user access functions. It makes a big difference on Skylake, which is the first x86 microarchitecture to implement SMAP. The STAC/CLAC instructions are not very fast, and doing them for each access inside the loop that copies strings from user space (which is what the pathname handling does for every pathname the kernel uses, for example) is very inefficient. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2015-12-17 21:05:19 +03:00			`long retval;`

			`user_access_begin();`
			`retval = do_strnlen_user(str, ~0ul, max);`
			`user_access_end();`
			`return retval;`
lib: add generic strnlen_user() function This adds a new generic optimized strnlen_user() function that uses the <asm/word-at-a-time.h> infrastructure to portably do efficient string handling. In many ways, strnlen is much simpler than strncpy, and in particular we can always pre-align the words we load from memory. That means that all the worries about alignment etc are a non-issue, so this one can easily be used on any architecture. You obviously do have to do the appropriate word-at-a-time.h macros. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2012-05-26 22:06:38 +04:00			`}`
			`return 0;`
			`}`
			`EXPORT_SYMBOL(strlen_user);`