2017-08-22 22:15:23 +02:00
|
|
|
/*
|
|
|
|
|
* Copyright (c) 2017 Intel Corporation
|
|
|
|
|
*
|
|
|
|
|
* SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#include <kernel.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <misc/printk.h>
|
2017-11-09 01:38:03 +01:00
|
|
|
#include <misc/rb.h>
|
2017-08-22 22:15:23 +02:00
|
|
|
#include <kernel_structs.h>
|
|
|
|
|
#include <sys_io.h>
|
2017-08-30 23:17:44 +02:00
|
|
|
#include <ksched.h>
|
userspace: flesh out internal syscall interface
* Instead of a common system call entry function, we instead create a
table mapping system call ids to handler skeleton functions which are
invoked directly by the architecture code which receives the system
call.
* system call handler prototype specified. All but the most trivial
system calls will implement one of these. They validate all the
arguments, including verifying kernel/device object pointers, ensuring
that the calling thread has appropriate access to any memory buffers
passed in, and performing other parameter checks that the base system
call implementation does not check, or only checks with __ASSERT().
It's only possible to install a system call implementation directly
inside this table if the implementation has a return value and requires
no validation of any of its arguments.
A sample handler implementation for k_mutex_unlock() might look like:
u32_t _syscall_k_mutex_unlock(u32_t mutex_arg, u32_t arg2, u32_t arg3,
u32_t arg4, u32_t arg5, void *ssf)
{
struct k_mutex *mutex = (struct k_mutex *)mutex_arg;
_SYSCALL_ARG1;
_SYSCALL_IS_OBJ(mutex, K_OBJ_MUTEX, 0, ssf);
_SYSCALL_VERIFY(mutex->lock_count > 0, ssf);
_SYSCALL_VERIFY(mutex->owner == _current, ssf);
k_mutex_unlock(mutex);
return 0;
}
* the x86 port modified to work with the system call table instead of
calling a common handler function. fixed an issue where registers being
changed could confuse the compiler has been fixed; all registers, even
ones used for parameters, must be preserved across the system call.
* a new arch API for producing a kernel oops when validating system call
arguments added. The debug information reported will be from the system
call site and not inside the handler function.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2017-09-14 03:04:21 +02:00
|
|
|
#include <syscall.h>
|
2017-10-10 18:31:32 +02:00
|
|
|
#include <syscall_handler.h>
|
2017-11-09 01:38:03 +01:00
|
|
|
#include <device.h>
|
|
|
|
|
#include <init.h>
|
|
|
|
|
#include <logging/sys_log.h>
|
2017-08-22 22:15:23 +02:00
|
|
|
|
2017-10-17 00:29:30 +02:00
|
|
|
#define MAX_THREAD_BITS (CONFIG_MAX_THREAD_BYTES * 8)
|
|
|
|
|
|
2017-08-22 22:15:23 +02:00
|
|
|
const char *otype_to_str(enum k_objects otype)
|
|
|
|
|
{
|
|
|
|
|
/* -fdata-sections doesn't work right except in very very recent
|
|
|
|
|
* GCC and these literal strings would appear in the binary even if
|
|
|
|
|
* otype_to_str was omitted by the linker
|
|
|
|
|
*/
|
|
|
|
|
#ifdef CONFIG_PRINTK
|
|
|
|
|
switch (otype) {
|
2017-09-27 21:59:28 +02:00
|
|
|
/* Core kernel objects */
|
2017-08-22 22:15:23 +02:00
|
|
|
case K_OBJ_ALERT:
|
|
|
|
|
return "k_alert";
|
|
|
|
|
case K_OBJ_MSGQ:
|
|
|
|
|
return "k_msgq";
|
|
|
|
|
case K_OBJ_MUTEX:
|
|
|
|
|
return "k_mutex";
|
|
|
|
|
case K_OBJ_PIPE:
|
|
|
|
|
return "k_pipe";
|
|
|
|
|
case K_OBJ_SEM:
|
|
|
|
|
return "k_sem";
|
|
|
|
|
case K_OBJ_STACK:
|
|
|
|
|
return "k_stack";
|
|
|
|
|
case K_OBJ_THREAD:
|
|
|
|
|
return "k_thread";
|
|
|
|
|
case K_OBJ_TIMER:
|
|
|
|
|
return "k_timer";
|
2017-10-15 23:17:48 +02:00
|
|
|
case K_OBJ__THREAD_STACK_ELEMENT:
|
|
|
|
|
return "k_thread_stack_t";
|
2017-09-27 21:59:28 +02:00
|
|
|
|
|
|
|
|
/* Driver subsystems */
|
|
|
|
|
case K_OBJ_DRIVER_ADC:
|
|
|
|
|
return "adc driver";
|
|
|
|
|
case K_OBJ_DRIVER_AIO_CMP:
|
|
|
|
|
return "aio comparator driver";
|
|
|
|
|
case K_OBJ_DRIVER_COUNTER:
|
|
|
|
|
return "counter driver";
|
|
|
|
|
case K_OBJ_DRIVER_CRYPTO:
|
|
|
|
|
return "crypto driver";
|
2018-02-09 22:58:37 +01:00
|
|
|
case K_OBJ_DRIVER_DMA:
|
|
|
|
|
return "dma driver";
|
2017-09-27 21:59:28 +02:00
|
|
|
case K_OBJ_DRIVER_FLASH:
|
|
|
|
|
return "flash driver";
|
|
|
|
|
case K_OBJ_DRIVER_GPIO:
|
|
|
|
|
return "gpio driver";
|
|
|
|
|
case K_OBJ_DRIVER_I2C:
|
|
|
|
|
return "i2c driver";
|
|
|
|
|
case K_OBJ_DRIVER_I2S:
|
|
|
|
|
return "i2s driver";
|
|
|
|
|
case K_OBJ_DRIVER_IPM:
|
|
|
|
|
return "ipm driver";
|
|
|
|
|
case K_OBJ_DRIVER_PINMUX:
|
|
|
|
|
return "pinmux driver";
|
|
|
|
|
case K_OBJ_DRIVER_PWM:
|
|
|
|
|
return "pwm driver";
|
2017-10-14 01:30:55 +02:00
|
|
|
case K_OBJ_DRIVER_ENTROPY:
|
|
|
|
|
return "entropy driver";
|
2017-09-27 21:59:28 +02:00
|
|
|
case K_OBJ_DRIVER_RTC:
|
|
|
|
|
return "realtime clock driver";
|
|
|
|
|
case K_OBJ_DRIVER_SENSOR:
|
|
|
|
|
return "sensor driver";
|
|
|
|
|
case K_OBJ_DRIVER_SPI:
|
|
|
|
|
return "spi driver";
|
|
|
|
|
case K_OBJ_DRIVER_UART:
|
|
|
|
|
return "uart driver";
|
2017-08-22 22:15:23 +02:00
|
|
|
default:
|
|
|
|
|
return "?";
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
ARG_UNUSED(otype);
|
|
|
|
|
return NULL;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-05 20:11:02 +02:00
|
|
|
struct perm_ctx {
|
|
|
|
|
int parent_id;
|
|
|
|
|
int child_id;
|
|
|
|
|
struct k_thread *parent;
|
|
|
|
|
};
|
|
|
|
|
|
2017-11-09 01:38:03 +01:00
|
|
|
#ifdef CONFIG_DYNAMIC_OBJECTS
|
|
|
|
|
struct dyn_obj {
|
|
|
|
|
struct _k_object kobj;
|
|
|
|
|
struct rbnode node; /* must be immediately before data member */
|
|
|
|
|
u8_t data[]; /* The object itself */
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct visit_ctx {
|
|
|
|
|
_wordlist_cb_func_t func;
|
|
|
|
|
void *original_context;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
extern struct _k_object *_k_object_gperf_find(void *obj);
|
|
|
|
|
extern void _k_object_gperf_wordlist_foreach(_wordlist_cb_func_t func,
|
|
|
|
|
void *context);
|
|
|
|
|
|
|
|
|
|
static int node_lessthan(struct rbnode *a, struct rbnode *b);
|
|
|
|
|
|
|
|
|
|
static struct rbtree obj_rb_tree = {
|
|
|
|
|
.lessthan_fn = node_lessthan
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/* TODO: incorporate auto-gen with Leandro's patch */
|
|
|
|
|
static size_t obj_size_get(enum k_objects otype)
|
|
|
|
|
{
|
|
|
|
|
switch (otype) {
|
|
|
|
|
case K_OBJ_ALERT:
|
|
|
|
|
return sizeof(struct k_alert);
|
|
|
|
|
case K_OBJ_MSGQ:
|
|
|
|
|
return sizeof(struct k_msgq);
|
|
|
|
|
case K_OBJ_MUTEX:
|
|
|
|
|
return sizeof(struct k_mutex);
|
|
|
|
|
case K_OBJ_PIPE:
|
|
|
|
|
return sizeof(struct k_pipe);
|
|
|
|
|
case K_OBJ_SEM:
|
|
|
|
|
return sizeof(struct k_sem);
|
|
|
|
|
case K_OBJ_STACK:
|
|
|
|
|
return sizeof(struct k_stack);
|
|
|
|
|
case K_OBJ_THREAD:
|
|
|
|
|
return sizeof(struct k_thread);
|
|
|
|
|
case K_OBJ_TIMER:
|
|
|
|
|
return sizeof(struct k_timer);
|
|
|
|
|
default:
|
|
|
|
|
return sizeof(struct device);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int node_lessthan(struct rbnode *a, struct rbnode *b)
|
|
|
|
|
{
|
|
|
|
|
return a < b;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline struct dyn_obj *node_to_dyn_obj(struct rbnode *node)
|
|
|
|
|
{
|
|
|
|
|
return CONTAINER_OF(node, struct dyn_obj, node);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct dyn_obj *dyn_object_find(void *obj)
|
|
|
|
|
{
|
|
|
|
|
struct rbnode *node;
|
|
|
|
|
struct dyn_obj *ret;
|
|
|
|
|
int key;
|
|
|
|
|
|
|
|
|
|
/* For any dynamically allocated kernel object, the object
|
|
|
|
|
* pointer is just a member of the conatining struct dyn_obj,
|
|
|
|
|
* so just a little arithmetic is necessary to locate the
|
|
|
|
|
* corresponding struct rbnode
|
|
|
|
|
*/
|
|
|
|
|
node = (struct rbnode *)((char *)obj - sizeof(struct rbnode));
|
|
|
|
|
|
|
|
|
|
key = irq_lock();
|
|
|
|
|
if (rb_contains(&obj_rb_tree, node)) {
|
|
|
|
|
ret = node_to_dyn_obj(node);
|
|
|
|
|
} else {
|
|
|
|
|
ret = NULL;
|
|
|
|
|
}
|
|
|
|
|
irq_unlock(key);
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void *k_object_alloc(enum k_objects otype)
|
|
|
|
|
{
|
|
|
|
|
struct dyn_obj *dyn_obj;
|
|
|
|
|
int key;
|
|
|
|
|
|
|
|
|
|
/* Stacks are not supported, we don't yet have mem pool APIs
|
|
|
|
|
* to request memory that is aligned
|
|
|
|
|
*/
|
|
|
|
|
__ASSERT(otype > K_OBJ_ANY && otype < K_OBJ_LAST &&
|
|
|
|
|
otype != K_OBJ__THREAD_STACK_ELEMENT,
|
|
|
|
|
"bad object type requested");
|
|
|
|
|
|
|
|
|
|
dyn_obj = k_malloc(sizeof(*dyn_obj) + obj_size_get(otype));
|
|
|
|
|
if (!dyn_obj) {
|
|
|
|
|
SYS_LOG_WRN("could not allocate kernel object");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dyn_obj->kobj.name = (char *)&dyn_obj->data;
|
|
|
|
|
dyn_obj->kobj.type = otype;
|
|
|
|
|
dyn_obj->kobj.flags = 0;
|
|
|
|
|
memset(dyn_obj->kobj.perms, 0, CONFIG_MAX_THREAD_BYTES);
|
|
|
|
|
|
|
|
|
|
/* The allocating thread implicitly gets permission on kernel objects
|
|
|
|
|
* that it allocates
|
|
|
|
|
*/
|
|
|
|
|
_thread_perms_set(&dyn_obj->kobj, _current);
|
|
|
|
|
|
|
|
|
|
key = irq_lock();
|
|
|
|
|
rb_insert(&obj_rb_tree, &dyn_obj->node);
|
|
|
|
|
irq_unlock(key);
|
|
|
|
|
|
|
|
|
|
return dyn_obj->kobj.name;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void k_object_free(void *obj)
|
|
|
|
|
{
|
|
|
|
|
struct dyn_obj *dyn_obj;
|
|
|
|
|
int key;
|
|
|
|
|
|
|
|
|
|
/* This function is intentionally not exposed to user mode.
|
|
|
|
|
* There's currently no robust way to track that an object isn't
|
|
|
|
|
* being used by some other thread
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
key = irq_lock();
|
|
|
|
|
dyn_obj = dyn_object_find(obj);
|
|
|
|
|
if (dyn_obj) {
|
|
|
|
|
rb_remove(&obj_rb_tree, &dyn_obj->node);
|
|
|
|
|
}
|
|
|
|
|
irq_unlock(key);
|
|
|
|
|
|
|
|
|
|
if (dyn_obj) {
|
|
|
|
|
k_free(dyn_obj);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct _k_object *_k_object_find(void *obj)
|
|
|
|
|
{
|
|
|
|
|
struct _k_object *ret;
|
|
|
|
|
|
|
|
|
|
ret = _k_object_gperf_find(obj);
|
|
|
|
|
|
|
|
|
|
if (!ret) {
|
|
|
|
|
struct dyn_obj *dyn_obj;
|
|
|
|
|
|
|
|
|
|
dyn_obj = dyn_object_find(obj);
|
|
|
|
|
if (dyn_obj) {
|
|
|
|
|
ret = &dyn_obj->kobj;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void visit_fn(struct rbnode *node, void *context)
|
|
|
|
|
{
|
|
|
|
|
struct visit_ctx *vctx = context;
|
|
|
|
|
|
|
|
|
|
vctx->func(&node_to_dyn_obj(node)->kobj, vctx->original_context);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void _k_object_wordlist_foreach(_wordlist_cb_func_t func, void *context)
|
|
|
|
|
{
|
|
|
|
|
struct visit_ctx vctx;
|
|
|
|
|
int key;
|
|
|
|
|
|
|
|
|
|
_k_object_gperf_wordlist_foreach(func, context);
|
|
|
|
|
|
|
|
|
|
vctx.func = func;
|
|
|
|
|
vctx.original_context = context;
|
|
|
|
|
|
|
|
|
|
key = irq_lock();
|
|
|
|
|
rb_walk(&obj_rb_tree, visit_fn, &vctx);
|
|
|
|
|
irq_unlock(key);
|
|
|
|
|
}
|
|
|
|
|
#endif /* CONFIG_DYNAMIC_OBJECTS */
|
|
|
|
|
|
2017-11-03 17:00:35 +01:00
|
|
|
static int thread_index_get(struct k_thread *t)
|
|
|
|
|
{
|
|
|
|
|
struct _k_object *ko;
|
|
|
|
|
|
|
|
|
|
ko = _k_object_find(t);
|
|
|
|
|
|
|
|
|
|
if (!ko) {
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ko->data;
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-05 20:11:02 +02:00
|
|
|
static void wordlist_cb(struct _k_object *ko, void *ctx_ptr)
|
|
|
|
|
{
|
|
|
|
|
struct perm_ctx *ctx = (struct perm_ctx *)ctx_ptr;
|
|
|
|
|
|
|
|
|
|
if (sys_bitfield_test_bit((mem_addr_t)&ko->perms, ctx->parent_id) &&
|
|
|
|
|
(struct k_thread *)ko->name != ctx->parent) {
|
|
|
|
|
sys_bitfield_set_bit((mem_addr_t)&ko->perms, ctx->child_id);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void _thread_perms_inherit(struct k_thread *parent, struct k_thread *child)
|
|
|
|
|
{
|
|
|
|
|
struct perm_ctx ctx = {
|
2017-11-03 17:00:35 +01:00
|
|
|
thread_index_get(parent),
|
|
|
|
|
thread_index_get(child),
|
2017-10-05 20:11:02 +02:00
|
|
|
parent
|
|
|
|
|
};
|
|
|
|
|
|
2017-11-03 17:00:35 +01:00
|
|
|
if ((ctx.parent_id != -1) && (ctx.child_id != -1)) {
|
2017-10-05 20:11:02 +02:00
|
|
|
_k_object_wordlist_foreach(wordlist_cb, &ctx);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-10 18:31:32 +02:00
|
|
|
void _thread_perms_set(struct _k_object *ko, struct k_thread *thread)
|
2017-08-22 22:15:23 +02:00
|
|
|
{
|
2017-11-03 17:00:35 +01:00
|
|
|
int index = thread_index_get(thread);
|
|
|
|
|
|
|
|
|
|
if (index != -1) {
|
|
|
|
|
sys_bitfield_set_bit((mem_addr_t)&ko->perms, index);
|
2017-08-30 23:31:03 +02:00
|
|
|
}
|
2017-08-22 22:15:23 +02:00
|
|
|
}
|
|
|
|
|
|
2017-10-09 23:47:55 +02:00
|
|
|
void _thread_perms_clear(struct _k_object *ko, struct k_thread *thread)
|
|
|
|
|
{
|
2017-11-03 17:00:35 +01:00
|
|
|
int index = thread_index_get(thread);
|
|
|
|
|
|
|
|
|
|
if (index != -1) {
|
|
|
|
|
sys_bitfield_clear_bit((mem_addr_t)&ko->perms, index);
|
2017-10-09 23:47:55 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-13 22:57:07 +02:00
|
|
|
static void clear_perms_cb(struct _k_object *ko, void *ctx_ptr)
|
|
|
|
|
{
|
|
|
|
|
int id = (int)ctx_ptr;
|
|
|
|
|
|
|
|
|
|
sys_bitfield_clear_bit((mem_addr_t)&ko->perms, id);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void _thread_perms_all_clear(struct k_thread *thread)
|
|
|
|
|
{
|
2017-11-03 17:00:35 +01:00
|
|
|
int index = thread_index_get(thread);
|
|
|
|
|
|
|
|
|
|
if (index != -1) {
|
|
|
|
|
_k_object_wordlist_foreach(clear_perms_cb, (void *)index);
|
2017-10-13 22:57:07 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-10 18:31:32 +02:00
|
|
|
static int thread_perms_test(struct _k_object *ko)
|
2017-08-22 22:15:23 +02:00
|
|
|
{
|
2017-11-03 17:00:35 +01:00
|
|
|
int index;
|
|
|
|
|
|
2017-10-13 22:57:07 +02:00
|
|
|
if (ko->flags & K_OBJ_FLAG_PUBLIC) {
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-03 17:00:35 +01:00
|
|
|
index = thread_index_get(_current);
|
|
|
|
|
if (index != -1) {
|
|
|
|
|
return sys_bitfield_test_bit((mem_addr_t)&ko->perms, index);
|
2017-08-30 23:31:03 +02:00
|
|
|
}
|
|
|
|
|
return 0;
|
2017-08-22 22:15:23 +02:00
|
|
|
}
|
|
|
|
|
|
2017-10-10 18:31:32 +02:00
|
|
|
static void dump_permission_error(struct _k_object *ko)
|
|
|
|
|
{
|
2017-11-03 17:00:35 +01:00
|
|
|
int index = thread_index_get(_current);
|
2017-10-10 18:31:32 +02:00
|
|
|
printk("thread %p (%d) does not have permission on %s %p [",
|
2017-11-03 17:00:35 +01:00
|
|
|
_current, index,
|
2017-10-10 18:31:32 +02:00
|
|
|
otype_to_str(ko->type), ko->name);
|
|
|
|
|
for (int i = CONFIG_MAX_THREAD_BYTES - 1; i >= 0; i--) {
|
|
|
|
|
printk("%02x", ko->perms[i]);
|
2017-08-22 22:15:23 +02:00
|
|
|
}
|
2017-10-10 18:31:32 +02:00
|
|
|
printk("]\n");
|
|
|
|
|
}
|
2017-08-22 22:15:23 +02:00
|
|
|
|
2017-10-10 18:31:32 +02:00
|
|
|
void _dump_object_error(int retval, void *obj, struct _k_object *ko,
|
|
|
|
|
enum k_objects otype)
|
|
|
|
|
{
|
|
|
|
|
switch (retval) {
|
|
|
|
|
case -EBADF:
|
|
|
|
|
printk("%p is not a valid %s\n", obj, otype_to_str(otype));
|
|
|
|
|
break;
|
|
|
|
|
case -EPERM:
|
|
|
|
|
dump_permission_error(ko);
|
|
|
|
|
break;
|
|
|
|
|
case -EINVAL:
|
|
|
|
|
printk("%p used before initialization\n", obj);
|
|
|
|
|
break;
|
2017-10-15 23:22:08 +02:00
|
|
|
case -EADDRINUSE:
|
|
|
|
|
printk("%p %s in use\n", obj, otype_to_str(otype));
|
2017-08-22 22:15:23 +02:00
|
|
|
}
|
2017-10-04 21:10:32 +02:00
|
|
|
}
|
|
|
|
|
|
2017-10-04 21:25:50 +02:00
|
|
|
void _impl_k_object_access_grant(void *object, struct k_thread *thread)
|
2017-10-04 21:10:32 +02:00
|
|
|
{
|
2017-10-10 18:31:32 +02:00
|
|
|
struct _k_object *ko = _k_object_find(object);
|
2017-10-04 21:10:32 +02:00
|
|
|
|
|
|
|
|
if (ko) {
|
2017-10-10 18:31:32 +02:00
|
|
|
_thread_perms_set(ko, thread);
|
2017-10-04 21:10:32 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-09 23:47:55 +02:00
|
|
|
void _impl_k_object_access_revoke(void *object, struct k_thread *thread)
|
|
|
|
|
{
|
|
|
|
|
struct _k_object *ko = _k_object_find(object);
|
|
|
|
|
|
|
|
|
|
if (ko) {
|
|
|
|
|
_thread_perms_clear(ko, thread);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-14 23:42:23 +02:00
|
|
|
void k_object_access_all_grant(void *object)
|
2017-10-04 21:10:32 +02:00
|
|
|
{
|
2017-10-10 18:31:32 +02:00
|
|
|
struct _k_object *ko = _k_object_find(object);
|
2017-10-04 21:10:32 +02:00
|
|
|
|
|
|
|
|
if (ko) {
|
2017-10-13 22:57:07 +02:00
|
|
|
ko->flags |= K_OBJ_FLAG_PUBLIC;
|
2017-10-04 21:10:32 +02:00
|
|
|
}
|
2017-08-22 22:15:23 +02:00
|
|
|
}
|
|
|
|
|
|
2017-10-15 23:22:08 +02:00
|
|
|
int _k_object_validate(struct _k_object *ko, enum k_objects otype,
|
|
|
|
|
enum _obj_init_check init)
|
2017-08-22 22:15:23 +02:00
|
|
|
{
|
2017-10-15 23:22:08 +02:00
|
|
|
if (unlikely(!ko || (otype != K_OBJ_ANY && ko->type != otype))) {
|
2017-08-22 22:15:23 +02:00
|
|
|
return -EBADF;
|
|
|
|
|
}
|
|
|
|
|
|
kernel: policy change for uninitailized objects
The old policy was that objects that are not marked as initialized may
be claimed by any thread, user or kernel.
This has some undesirable implications:
- Kernel objects that were initailized at build time via some
_<object name>_INITIALIZER macro, not intended for userspace to ever
use, could be 'stolen' if their memory addresses were figured out and
_k_object_init() was never called on them.
- In general, a malicious thread could initialize all unclaimed objects
it could find, resulting in denial of service for the threads that
these objects were intended for.
Now, performing any operation in user mode on a kernel object,
initialized or not, required that the calling user thread have
permission on it. Such permission would have to be explicitly granted or
inherited from a supervisor thread, as with this change only supervisor
thread will be able to claim uninitialized objects in this way.
If an uninitialized kernel object has permissions granted to multiple
threads, whatever thread actually initializes the object will reset all
permission bits to zero and grant only the calling thread access to that
object.
In other words, granting access to an uninitialized object to several
threads means that "whichever of these threads (or any kernel thread)
who actually initializes this object will obtain exclusive access to
that object, which it then may grant to other threads as it sees fit."
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2017-10-09 21:46:25 +02:00
|
|
|
/* Manipulation of any kernel objects by a user thread requires that
|
|
|
|
|
* thread be granted access first, even for uninitialized objects
|
2017-08-22 22:15:23 +02:00
|
|
|
*/
|
2017-10-15 23:22:08 +02:00
|
|
|
if (unlikely(!thread_perms_test(ko))) {
|
2017-08-22 22:15:23 +02:00
|
|
|
return -EPERM;
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-15 23:22:08 +02:00
|
|
|
/* Initialization state checks. _OBJ_INIT_ANY, we don't care */
|
|
|
|
|
if (likely(init == _OBJ_INIT_TRUE)) {
|
|
|
|
|
/* Object MUST be intialized */
|
|
|
|
|
if (unlikely(!(ko->flags & K_OBJ_FLAG_INITIALIZED))) {
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
} else if (init < _OBJ_INIT_TRUE) { /* _OBJ_INIT_FALSE case */
|
|
|
|
|
/* Object MUST NOT be initialized */
|
|
|
|
|
if (unlikely(ko->flags & K_OBJ_FLAG_INITIALIZED)) {
|
|
|
|
|
return -EADDRINUSE;
|
|
|
|
|
}
|
2017-08-22 22:15:23 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void _k_object_init(void *object)
|
|
|
|
|
{
|
|
|
|
|
struct _k_object *ko;
|
|
|
|
|
|
|
|
|
|
/* By the time we get here, if the caller was from userspace, all the
|
|
|
|
|
* necessary checks have been done in _k_object_validate(), which takes
|
|
|
|
|
* place before the object is initialized.
|
|
|
|
|
*
|
|
|
|
|
* This function runs after the object has been initialized and
|
|
|
|
|
* finalizes it
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
ko = _k_object_find(object);
|
|
|
|
|
if (!ko) {
|
|
|
|
|
/* Supervisor threads can ignore rules about kernel objects
|
|
|
|
|
* and may declare them on stacks, etc. Such objects will never
|
|
|
|
|
* be usable from userspace, but we shouldn't explode.
|
|
|
|
|
*/
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-10 18:31:32 +02:00
|
|
|
/* Allows non-initialization system calls to be made on this object */
|
2017-08-22 22:15:23 +02:00
|
|
|
ko->flags |= K_OBJ_FLAG_INITIALIZED;
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-05 21:21:36 +02:00
|
|
|
void _k_object_uninit(void *object)
|
|
|
|
|
{
|
|
|
|
|
struct _k_object *ko;
|
|
|
|
|
|
|
|
|
|
/* See comments in _k_object_init() */
|
|
|
|
|
ko = _k_object_find(object);
|
|
|
|
|
if (!ko) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ko->flags &= ~K_OBJ_FLAG_INITIALIZED;
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-07 00:08:55 +01:00
|
|
|
static u32_t handler_bad_syscall(u32_t bad_id, u32_t arg2, u32_t arg3,
|
2017-09-19 18:59:42 +02:00
|
|
|
u32_t arg4, u32_t arg5, u32_t arg6, void *ssf)
|
2017-09-08 21:10:12 +02:00
|
|
|
{
|
userspace: flesh out internal syscall interface
* Instead of a common system call entry function, we instead create a
table mapping system call ids to handler skeleton functions which are
invoked directly by the architecture code which receives the system
call.
* system call handler prototype specified. All but the most trivial
system calls will implement one of these. They validate all the
arguments, including verifying kernel/device object pointers, ensuring
that the calling thread has appropriate access to any memory buffers
passed in, and performing other parameter checks that the base system
call implementation does not check, or only checks with __ASSERT().
It's only possible to install a system call implementation directly
inside this table if the implementation has a return value and requires
no validation of any of its arguments.
A sample handler implementation for k_mutex_unlock() might look like:
u32_t _syscall_k_mutex_unlock(u32_t mutex_arg, u32_t arg2, u32_t arg3,
u32_t arg4, u32_t arg5, void *ssf)
{
struct k_mutex *mutex = (struct k_mutex *)mutex_arg;
_SYSCALL_ARG1;
_SYSCALL_IS_OBJ(mutex, K_OBJ_MUTEX, 0, ssf);
_SYSCALL_VERIFY(mutex->lock_count > 0, ssf);
_SYSCALL_VERIFY(mutex->owner == _current, ssf);
k_mutex_unlock(mutex);
return 0;
}
* the x86 port modified to work with the system call table instead of
calling a common handler function. fixed an issue where registers being
changed could confuse the compiler has been fixed; all registers, even
ones used for parameters, must be preserved across the system call.
* a new arch API for producing a kernel oops when validating system call
arguments added. The debug information reported will be from the system
call site and not inside the handler function.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2017-09-14 03:04:21 +02:00
|
|
|
printk("Bad system call id %u invoked\n", bad_id);
|
|
|
|
|
_arch_syscall_oops(ssf);
|
|
|
|
|
CODE_UNREACHABLE;
|
2017-09-08 21:10:12 +02:00
|
|
|
}
|
|
|
|
|
|
2018-03-07 00:08:55 +01:00
|
|
|
static u32_t handler_no_syscall(u32_t arg1, u32_t arg2, u32_t arg3,
|
2017-09-29 01:54:35 +02:00
|
|
|
u32_t arg4, u32_t arg5, u32_t arg6, void *ssf)
|
|
|
|
|
{
|
|
|
|
|
printk("Unimplemented system call\n");
|
|
|
|
|
_arch_syscall_oops(ssf);
|
|
|
|
|
CODE_UNREACHABLE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#include <syscall_dispatch.c>
|
|
|
|
|
|