2017-08-22 22:15:23 +02:00
|
|
|
/*
|
|
|
|
|
* Copyright (c) 2017 Intel Corporation
|
|
|
|
|
*
|
|
|
|
|
* SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#include <kernel.h>
|
|
|
|
|
#include <string.h>
|
2019-06-26 16:33:45 +02:00
|
|
|
#include <sys/math_extras.h>
|
2019-06-26 16:33:50 +02:00
|
|
|
#include <sys/rb.h>
|
2017-08-22 22:15:23 +02:00
|
|
|
#include <kernel_structs.h>
|
2019-06-25 18:26:23 +02:00
|
|
|
#include <sys/sys_io.h>
|
2017-08-30 23:17:44 +02:00
|
|
|
#include <ksched.h>
|
userspace: flesh out internal syscall interface
* Instead of a common system call entry function, we instead create a
table mapping system call ids to handler skeleton functions which are
invoked directly by the architecture code which receives the system
call.
* system call handler prototype specified. All but the most trivial
system calls will implement one of these. They validate all the
arguments, including verifying kernel/device object pointers, ensuring
that the calling thread has appropriate access to any memory buffers
passed in, and performing other parameter checks that the base system
call implementation does not check, or only checks with __ASSERT().
It's only possible to install a system call implementation directly
inside this table if the implementation has a return value and requires
no validation of any of its arguments.
A sample handler implementation for k_mutex_unlock() might look like:
u32_t _syscall_k_mutex_unlock(u32_t mutex_arg, u32_t arg2, u32_t arg3,
u32_t arg4, u32_t arg5, void *ssf)
{
struct k_mutex *mutex = (struct k_mutex *)mutex_arg;
_SYSCALL_ARG1;
_SYSCALL_IS_OBJ(mutex, K_OBJ_MUTEX, 0, ssf);
_SYSCALL_VERIFY(mutex->lock_count > 0, ssf);
_SYSCALL_VERIFY(mutex->owner == _current, ssf);
k_mutex_unlock(mutex);
return 0;
}
* the x86 port modified to work with the system call table instead of
calling a common handler function. fixed an issue where registers being
changed could confuse the compiler has been fixed; all registers, even
ones used for parameters, must be preserved across the system call.
* a new arch API for producing a kernel oops when validating system call
arguments added. The debug information reported will be from the system
call site and not inside the handler function.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2017-09-14 03:04:21 +02:00
|
|
|
#include <syscall.h>
|
2017-10-10 18:31:32 +02:00
|
|
|
#include <syscall_handler.h>
|
2017-11-09 01:38:03 +01:00
|
|
|
#include <device.h>
|
|
|
|
|
#include <init.h>
|
2018-12-16 21:39:44 +01:00
|
|
|
#include <stdbool.h>
|
2019-02-21 22:44:54 +01:00
|
|
|
#include <app_memory/app_memdomain.h>
|
2019-06-26 16:33:44 +02:00
|
|
|
#include <sys/libc-hooks.h>
|
2019-06-26 16:33:48 +02:00
|
|
|
#include <sys/mutex.h>
|
2019-11-05 18:27:18 +01:00
|
|
|
#include <inttypes.h>
|
2019-02-21 22:44:54 +01:00
|
|
|
|
2019-02-28 05:12:40 +01:00
|
|
|
#ifdef Z_LIBC_PARTITION_EXISTS
|
2019-02-21 22:44:54 +01:00
|
|
|
K_APPMEM_PARTITION_DEFINE(z_libc_partition);
|
2019-02-28 05:12:40 +01:00
|
|
|
#endif
|
2018-09-17 13:58:09 +02:00
|
|
|
|
2019-02-27 23:41:45 +01:00
|
|
|
/* TODO: Find a better place to put this. Since we pull the entire
|
2019-05-09 14:43:30 +02:00
|
|
|
* lib..__modules__crypto__mbedtls.a globals into app shared memory
|
|
|
|
|
* section, we can't put this in zephyr_init.c of the mbedtls module.
|
2019-02-27 23:41:45 +01:00
|
|
|
*/
|
|
|
|
|
#ifdef CONFIG_MBEDTLS
|
|
|
|
|
K_APPMEM_PARTITION_DEFINE(k_mbedtls_partition);
|
|
|
|
|
#endif
|
|
|
|
|
|
2018-09-17 13:58:09 +02:00
|
|
|
#define LOG_LEVEL CONFIG_KERNEL_LOG_LEVEL
|
|
|
|
|
#include <logging/log.h>
|
2019-06-04 19:42:17 +02:00
|
|
|
LOG_MODULE_DECLARE(os);
|
2018-09-17 13:58:09 +02:00
|
|
|
|
2019-02-06 18:10:36 +01:00
|
|
|
/* The originally synchronization strategy made heavy use of recursive
|
|
|
|
|
* irq_locking, which ports poorly to spinlocks which are
|
|
|
|
|
* non-recursive. Rather than try to redesign as part of
|
|
|
|
|
* spinlockification, this uses multiple locks to preserve the
|
|
|
|
|
* original semantics exactly. The locks are named for the data they
|
|
|
|
|
* protect where possible, or just for the code that uses them where
|
|
|
|
|
* not.
|
|
|
|
|
*/
|
|
|
|
|
#ifdef CONFIG_DYNAMIC_OBJECTS
|
|
|
|
|
static struct k_spinlock lists_lock; /* kobj rbtree/dlist */
|
|
|
|
|
static struct k_spinlock objfree_lock; /* k_object_free */
|
|
|
|
|
#endif
|
|
|
|
|
static struct k_spinlock obj_lock; /* kobj struct data */
|
|
|
|
|
|
2017-10-17 00:29:30 +02:00
|
|
|
#define MAX_THREAD_BITS (CONFIG_MAX_THREAD_BYTES * 8)
|
|
|
|
|
|
2018-08-08 20:23:16 +02:00
|
|
|
#ifdef CONFIG_DYNAMIC_OBJECTS
|
|
|
|
|
extern u8_t _thread_idx_map[CONFIG_MAX_THREAD_BYTES];
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
static void clear_perms_cb(struct _k_object *ko, void *ctx_ptr);
|
|
|
|
|
|
2017-08-22 22:15:23 +02:00
|
|
|
const char *otype_to_str(enum k_objects otype)
|
|
|
|
|
{
|
2018-09-11 22:14:21 +02:00
|
|
|
const char *ret;
|
2017-08-22 22:15:23 +02:00
|
|
|
/* -fdata-sections doesn't work right except in very very recent
|
|
|
|
|
* GCC and these literal strings would appear in the binary even if
|
|
|
|
|
* otype_to_str was omitted by the linker
|
|
|
|
|
*/
|
2019-10-01 19:28:32 +02:00
|
|
|
#ifdef CONFIG_LOG
|
2017-08-22 22:15:23 +02:00
|
|
|
switch (otype) {
|
2018-04-05 22:59:33 +02:00
|
|
|
/* otype-to-str.h is generated automatically during build by
|
|
|
|
|
* gen_kobject_list.py
|
|
|
|
|
*/
|
|
|
|
|
#include <otype-to-str.h>
|
2017-08-22 22:15:23 +02:00
|
|
|
default:
|
2018-09-11 22:14:21 +02:00
|
|
|
ret = "?";
|
|
|
|
|
break;
|
2017-08-22 22:15:23 +02:00
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
ARG_UNUSED(otype);
|
|
|
|
|
return NULL;
|
|
|
|
|
#endif
|
2018-09-11 22:14:21 +02:00
|
|
|
return ret;
|
2017-08-22 22:15:23 +02:00
|
|
|
}
|
|
|
|
|
|
2017-10-05 20:11:02 +02:00
|
|
|
struct perm_ctx {
|
|
|
|
|
int parent_id;
|
|
|
|
|
int child_id;
|
|
|
|
|
struct k_thread *parent;
|
|
|
|
|
};
|
|
|
|
|
|
2017-11-09 01:38:03 +01:00
|
|
|
#ifdef CONFIG_DYNAMIC_OBJECTS
|
|
|
|
|
struct dyn_obj {
|
|
|
|
|
struct _k_object kobj;
|
2018-04-25 02:01:37 +02:00
|
|
|
sys_dnode_t obj_list;
|
2017-11-09 01:38:03 +01:00
|
|
|
struct rbnode node; /* must be immediately before data member */
|
|
|
|
|
u8_t data[]; /* The object itself */
|
|
|
|
|
};
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
extern struct _k_object *z_object_gperf_find(void *obj);
|
|
|
|
|
extern void z_object_gperf_wordlist_foreach(_wordlist_cb_func_t func,
|
2017-11-09 01:38:03 +01:00
|
|
|
void *context);
|
|
|
|
|
|
2018-09-21 00:43:57 +02:00
|
|
|
static bool node_lessthan(struct rbnode *a, struct rbnode *b);
|
2017-11-09 01:38:03 +01:00
|
|
|
|
2018-04-25 02:01:37 +02:00
|
|
|
/*
|
|
|
|
|
* Red/black tree of allocated kernel objects, for reasonably fast lookups
|
|
|
|
|
* based on object pointer values.
|
|
|
|
|
*/
|
2017-11-09 01:38:03 +01:00
|
|
|
static struct rbtree obj_rb_tree = {
|
|
|
|
|
.lessthan_fn = node_lessthan
|
|
|
|
|
};
|
|
|
|
|
|
2018-04-25 02:01:37 +02:00
|
|
|
/*
|
|
|
|
|
* Linked list of allocated kernel objects, for iteration over all allocated
|
|
|
|
|
* objects (and potentially deleting them during iteration).
|
|
|
|
|
*/
|
|
|
|
|
static sys_dlist_t obj_list = SYS_DLIST_STATIC_INIT(&obj_list);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* TODO: Write some hash table code that will replace both obj_rb_tree
|
|
|
|
|
* and obj_list.
|
|
|
|
|
*/
|
|
|
|
|
|
2017-11-09 01:38:03 +01:00
|
|
|
static size_t obj_size_get(enum k_objects otype)
|
|
|
|
|
{
|
2018-09-11 22:14:21 +02:00
|
|
|
size_t ret;
|
|
|
|
|
|
2017-11-09 01:38:03 +01:00
|
|
|
switch (otype) {
|
2018-05-16 19:11:17 +02:00
|
|
|
#include <otype-to-size.h>
|
2017-11-09 01:38:03 +01:00
|
|
|
default:
|
2018-09-11 22:14:21 +02:00
|
|
|
ret = sizeof(struct device);
|
|
|
|
|
break;
|
2017-11-09 01:38:03 +01:00
|
|
|
}
|
2018-09-11 22:14:21 +02:00
|
|
|
|
|
|
|
|
return ret;
|
2017-11-09 01:38:03 +01:00
|
|
|
}
|
|
|
|
|
|
2018-09-21 00:43:57 +02:00
|
|
|
static bool node_lessthan(struct rbnode *a, struct rbnode *b)
|
2017-11-09 01:38:03 +01:00
|
|
|
{
|
|
|
|
|
return a < b;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline struct dyn_obj *node_to_dyn_obj(struct rbnode *node)
|
|
|
|
|
{
|
|
|
|
|
return CONTAINER_OF(node, struct dyn_obj, node);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct dyn_obj *dyn_object_find(void *obj)
|
|
|
|
|
{
|
|
|
|
|
struct rbnode *node;
|
|
|
|
|
struct dyn_obj *ret;
|
|
|
|
|
|
|
|
|
|
/* For any dynamically allocated kernel object, the object
|
|
|
|
|
* pointer is just a member of the conatining struct dyn_obj,
|
|
|
|
|
* so just a little arithmetic is necessary to locate the
|
|
|
|
|
* corresponding struct rbnode
|
|
|
|
|
*/
|
|
|
|
|
node = (struct rbnode *)((char *)obj - sizeof(struct rbnode));
|
|
|
|
|
|
2019-02-06 18:10:36 +01:00
|
|
|
k_spinlock_key_t key = k_spin_lock(&lists_lock);
|
2017-11-09 01:38:03 +01:00
|
|
|
if (rb_contains(&obj_rb_tree, node)) {
|
|
|
|
|
ret = node_to_dyn_obj(node);
|
|
|
|
|
} else {
|
|
|
|
|
ret = NULL;
|
|
|
|
|
}
|
2019-02-06 18:10:36 +01:00
|
|
|
k_spin_unlock(&lists_lock, key);
|
2017-11-09 01:38:03 +01:00
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-08 20:23:16 +02:00
|
|
|
/**
|
|
|
|
|
* @internal
|
|
|
|
|
*
|
|
|
|
|
* @brief Allocate a new thread index for a new thread.
|
|
|
|
|
*
|
|
|
|
|
* This finds an unused thread index that can be assigned to a new
|
|
|
|
|
* thread. If too many threads have been allocated, the kernel will
|
|
|
|
|
* run out of indexes and this function will fail.
|
|
|
|
|
*
|
|
|
|
|
* Note that if an unused index is found, that index will be marked as
|
|
|
|
|
* used after return of this function.
|
|
|
|
|
*
|
|
|
|
|
* @param tidx The new thread index if successful
|
|
|
|
|
*
|
2018-12-16 21:39:44 +01:00
|
|
|
* @return true if successful, false if failed
|
2018-08-08 20:23:16 +02:00
|
|
|
**/
|
2019-11-18 19:20:16 +01:00
|
|
|
static bool thread_idx_alloc(uintptr_t *tidx)
|
2018-08-08 20:23:16 +02:00
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
int idx;
|
|
|
|
|
int base;
|
|
|
|
|
|
|
|
|
|
base = 0;
|
|
|
|
|
for (i = 0; i < CONFIG_MAX_THREAD_BYTES; i++) {
|
|
|
|
|
idx = find_lsb_set(_thread_idx_map[i]);
|
|
|
|
|
|
2018-12-16 21:48:29 +01:00
|
|
|
if (idx != 0) {
|
2018-08-08 20:23:16 +02:00
|
|
|
*tidx = base + (idx - 1);
|
|
|
|
|
|
|
|
|
|
sys_bitfield_clear_bit((mem_addr_t)_thread_idx_map,
|
|
|
|
|
*tidx);
|
|
|
|
|
|
|
|
|
|
/* Clear permission from all objects */
|
2019-03-08 22:19:05 +01:00
|
|
|
z_object_wordlist_foreach(clear_perms_cb,
|
2018-08-08 20:23:16 +02:00
|
|
|
(void *)*tidx);
|
|
|
|
|
|
2018-12-16 21:39:44 +01:00
|
|
|
return true;
|
2018-08-08 20:23:16 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
base += 8;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-16 21:39:44 +01:00
|
|
|
return false;
|
2018-08-08 20:23:16 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @internal
|
|
|
|
|
*
|
|
|
|
|
* @brief Free a thread index.
|
|
|
|
|
*
|
|
|
|
|
* This frees a thread index so it can be used by another
|
|
|
|
|
* thread.
|
|
|
|
|
*
|
|
|
|
|
* @param tidx The thread index to be freed
|
|
|
|
|
**/
|
2019-11-18 19:20:16 +01:00
|
|
|
static void thread_idx_free(uintptr_t tidx)
|
2018-08-08 20:23:16 +02:00
|
|
|
{
|
|
|
|
|
/* To prevent leaked permission when index is recycled */
|
2019-03-08 22:19:05 +01:00
|
|
|
z_object_wordlist_foreach(clear_perms_cb, (void *)tidx);
|
2018-08-08 20:23:16 +02:00
|
|
|
|
|
|
|
|
sys_bitfield_set_bit((mem_addr_t)_thread_idx_map, tidx);
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
void *z_impl_k_object_alloc(enum k_objects otype)
|
2017-11-09 01:38:03 +01:00
|
|
|
{
|
|
|
|
|
struct dyn_obj *dyn_obj;
|
2019-11-18 19:20:16 +01:00
|
|
|
uintptr_t tidx;
|
2017-11-09 01:38:03 +01:00
|
|
|
|
|
|
|
|
/* Stacks are not supported, we don't yet have mem pool APIs
|
|
|
|
|
* to request memory that is aligned
|
|
|
|
|
*/
|
|
|
|
|
__ASSERT(otype > K_OBJ_ANY && otype < K_OBJ_LAST &&
|
|
|
|
|
otype != K_OBJ__THREAD_STACK_ELEMENT,
|
|
|
|
|
"bad object type requested");
|
|
|
|
|
|
2018-04-25 02:01:37 +02:00
|
|
|
dyn_obj = z_thread_malloc(sizeof(*dyn_obj) + obj_size_get(otype));
|
2018-09-17 18:39:51 +02:00
|
|
|
if (dyn_obj == NULL) {
|
2018-09-17 13:58:09 +02:00
|
|
|
LOG_WRN("could not allocate kernel object");
|
2017-11-09 01:38:03 +01:00
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dyn_obj->kobj.name = (char *)&dyn_obj->data;
|
|
|
|
|
dyn_obj->kobj.type = otype;
|
2018-04-25 02:01:37 +02:00
|
|
|
dyn_obj->kobj.flags = K_OBJ_FLAG_ALLOC;
|
2018-09-12 04:09:03 +02:00
|
|
|
(void)memset(dyn_obj->kobj.perms, 0, CONFIG_MAX_THREAD_BYTES);
|
2017-11-09 01:38:03 +01:00
|
|
|
|
2018-08-08 20:23:16 +02:00
|
|
|
/* Need to grab a new thread index for k_thread */
|
|
|
|
|
if (otype == K_OBJ_THREAD) {
|
2019-03-08 22:19:05 +01:00
|
|
|
if (!thread_idx_alloc(&tidx)) {
|
2018-08-08 20:23:16 +02:00
|
|
|
k_free(dyn_obj);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dyn_obj->kobj.data = tidx;
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-09 01:38:03 +01:00
|
|
|
/* The allocating thread implicitly gets permission on kernel objects
|
|
|
|
|
* that it allocates
|
|
|
|
|
*/
|
2019-03-08 22:19:05 +01:00
|
|
|
z_thread_perms_set(&dyn_obj->kobj, _current);
|
2017-11-09 01:38:03 +01:00
|
|
|
|
2019-02-06 18:10:36 +01:00
|
|
|
k_spinlock_key_t key = k_spin_lock(&lists_lock);
|
|
|
|
|
|
2017-11-09 01:38:03 +01:00
|
|
|
rb_insert(&obj_rb_tree, &dyn_obj->node);
|
2018-04-25 02:01:37 +02:00
|
|
|
sys_dlist_append(&obj_list, &dyn_obj->obj_list);
|
2019-02-06 18:10:36 +01:00
|
|
|
k_spin_unlock(&lists_lock, key);
|
2017-11-09 01:38:03 +01:00
|
|
|
|
|
|
|
|
return dyn_obj->kobj.name;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void k_object_free(void *obj)
|
|
|
|
|
{
|
|
|
|
|
struct dyn_obj *dyn_obj;
|
|
|
|
|
|
|
|
|
|
/* This function is intentionally not exposed to user mode.
|
|
|
|
|
* There's currently no robust way to track that an object isn't
|
|
|
|
|
* being used by some other thread
|
|
|
|
|
*/
|
|
|
|
|
|
2019-02-06 18:10:36 +01:00
|
|
|
k_spinlock_key_t key = k_spin_lock(&objfree_lock);
|
|
|
|
|
|
2017-11-09 01:38:03 +01:00
|
|
|
dyn_obj = dyn_object_find(obj);
|
2018-09-17 18:39:51 +02:00
|
|
|
if (dyn_obj != NULL) {
|
2017-11-09 01:38:03 +01:00
|
|
|
rb_remove(&obj_rb_tree, &dyn_obj->node);
|
2018-04-25 02:01:37 +02:00
|
|
|
sys_dlist_remove(&dyn_obj->obj_list);
|
2018-08-08 20:23:16 +02:00
|
|
|
|
|
|
|
|
if (dyn_obj->kobj.type == K_OBJ_THREAD) {
|
2019-03-08 22:19:05 +01:00
|
|
|
thread_idx_free(dyn_obj->kobj.data);
|
2018-08-08 20:23:16 +02:00
|
|
|
}
|
2017-11-09 01:38:03 +01:00
|
|
|
}
|
2019-02-06 18:10:36 +01:00
|
|
|
k_spin_unlock(&objfree_lock, key);
|
2017-11-09 01:38:03 +01:00
|
|
|
|
2018-09-17 18:39:51 +02:00
|
|
|
if (dyn_obj != NULL) {
|
2017-11-09 01:38:03 +01:00
|
|
|
k_free(dyn_obj);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
struct _k_object *z_object_find(void *obj)
|
2017-11-09 01:38:03 +01:00
|
|
|
{
|
|
|
|
|
struct _k_object *ret;
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
ret = z_object_gperf_find(obj);
|
2017-11-09 01:38:03 +01:00
|
|
|
|
2018-09-17 18:39:51 +02:00
|
|
|
if (ret == NULL) {
|
2018-10-05 21:24:09 +02:00
|
|
|
struct dyn_obj *dynamic_obj;
|
2017-11-09 01:38:03 +01:00
|
|
|
|
2018-10-05 21:24:09 +02:00
|
|
|
dynamic_obj = dyn_object_find(obj);
|
|
|
|
|
if (dynamic_obj != NULL) {
|
|
|
|
|
ret = &dynamic_obj->kobj;
|
2017-11-09 01:38:03 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
void z_object_wordlist_foreach(_wordlist_cb_func_t func, void *context)
|
2017-11-09 01:38:03 +01:00
|
|
|
{
|
2018-04-25 02:01:37 +02:00
|
|
|
struct dyn_obj *obj, *next;
|
2017-11-09 01:38:03 +01:00
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
z_object_gperf_wordlist_foreach(func, context);
|
2017-11-09 01:38:03 +01:00
|
|
|
|
2019-02-06 18:10:36 +01:00
|
|
|
k_spinlock_key_t key = k_spin_lock(&lists_lock);
|
|
|
|
|
|
2018-04-25 02:01:37 +02:00
|
|
|
SYS_DLIST_FOR_EACH_CONTAINER_SAFE(&obj_list, obj, next, obj_list) {
|
|
|
|
|
func(&obj->kobj, context);
|
|
|
|
|
}
|
2019-02-06 18:10:36 +01:00
|
|
|
k_spin_unlock(&lists_lock, key);
|
2017-11-09 01:38:03 +01:00
|
|
|
}
|
|
|
|
|
#endif /* CONFIG_DYNAMIC_OBJECTS */
|
|
|
|
|
|
2017-11-03 17:00:35 +01:00
|
|
|
static int thread_index_get(struct k_thread *t)
|
|
|
|
|
{
|
|
|
|
|
struct _k_object *ko;
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
ko = z_object_find(t);
|
2017-11-03 17:00:35 +01:00
|
|
|
|
2018-09-17 18:39:51 +02:00
|
|
|
if (ko == NULL) {
|
2017-11-03 17:00:35 +01:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ko->data;
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-18 19:20:16 +01:00
|
|
|
static void unref_check(struct _k_object *ko, uintptr_t index)
|
2018-04-13 23:44:00 +02:00
|
|
|
{
|
2019-02-06 18:10:36 +01:00
|
|
|
k_spinlock_key_t key = k_spin_lock(&obj_lock);
|
2019-01-31 21:09:06 +01:00
|
|
|
|
|
|
|
|
sys_bitfield_clear_bit((mem_addr_t)&ko->perms, index);
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_DYNAMIC_OBJECTS
|
|
|
|
|
struct dyn_obj *dyn_obj =
|
|
|
|
|
CONTAINER_OF(ko, struct dyn_obj, kobj);
|
|
|
|
|
|
2019-03-27 02:57:45 +01:00
|
|
|
if ((ko->flags & K_OBJ_FLAG_ALLOC) == 0U) {
|
2019-01-31 21:09:06 +01:00
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-13 23:44:00 +02:00
|
|
|
for (int i = 0; i < CONFIG_MAX_THREAD_BYTES; i++) {
|
2019-03-27 02:57:45 +01:00
|
|
|
if (ko->perms[i] != 0U) {
|
2019-01-31 21:09:06 +01:00
|
|
|
goto out;
|
2018-04-13 23:44:00 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* This object has no more references. Some objects may have
|
|
|
|
|
* dynamically allocated resources, require cleanup, or need to be
|
|
|
|
|
* marked as uninitailized when all references are gone. What
|
|
|
|
|
* specifically needs to happen depends on the object type.
|
|
|
|
|
*/
|
|
|
|
|
switch (ko->type) {
|
2018-04-13 02:38:12 +02:00
|
|
|
case K_OBJ_PIPE:
|
|
|
|
|
k_pipe_cleanup((struct k_pipe *)ko->name);
|
|
|
|
|
break;
|
2018-04-13 03:35:56 +02:00
|
|
|
case K_OBJ_MSGQ:
|
|
|
|
|
k_msgq_cleanup((struct k_msgq *)ko->name);
|
|
|
|
|
break;
|
2018-05-03 02:44:39 +02:00
|
|
|
case K_OBJ_STACK:
|
|
|
|
|
k_stack_cleanup((struct k_stack *)ko->name);
|
|
|
|
|
break;
|
2018-04-13 23:44:00 +02:00
|
|
|
default:
|
2018-09-11 22:14:21 +02:00
|
|
|
/* Nothing to do */
|
2018-04-13 23:44:00 +02:00
|
|
|
break;
|
|
|
|
|
}
|
2018-04-25 02:01:37 +02:00
|
|
|
|
2019-01-31 21:09:06 +01:00
|
|
|
rb_remove(&obj_rb_tree, &dyn_obj->node);
|
|
|
|
|
sys_dlist_remove(&dyn_obj->obj_list);
|
|
|
|
|
k_free(dyn_obj);
|
|
|
|
|
out:
|
2018-04-25 02:01:37 +02:00
|
|
|
#endif
|
2019-02-06 18:10:36 +01:00
|
|
|
k_spin_unlock(&obj_lock, key);
|
2018-04-13 23:44:00 +02:00
|
|
|
}
|
|
|
|
|
|
2017-10-05 20:11:02 +02:00
|
|
|
static void wordlist_cb(struct _k_object *ko, void *ctx_ptr)
|
|
|
|
|
{
|
|
|
|
|
struct perm_ctx *ctx = (struct perm_ctx *)ctx_ptr;
|
|
|
|
|
|
|
|
|
|
if (sys_bitfield_test_bit((mem_addr_t)&ko->perms, ctx->parent_id) &&
|
|
|
|
|
(struct k_thread *)ko->name != ctx->parent) {
|
|
|
|
|
sys_bitfield_set_bit((mem_addr_t)&ko->perms, ctx->child_id);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
void z_thread_perms_inherit(struct k_thread *parent, struct k_thread *child)
|
2017-10-05 20:11:02 +02:00
|
|
|
{
|
|
|
|
|
struct perm_ctx ctx = {
|
2017-11-03 17:00:35 +01:00
|
|
|
thread_index_get(parent),
|
|
|
|
|
thread_index_get(child),
|
2017-10-05 20:11:02 +02:00
|
|
|
parent
|
|
|
|
|
};
|
|
|
|
|
|
2017-11-03 17:00:35 +01:00
|
|
|
if ((ctx.parent_id != -1) && (ctx.child_id != -1)) {
|
2019-03-08 22:19:05 +01:00
|
|
|
z_object_wordlist_foreach(wordlist_cb, &ctx);
|
2017-10-05 20:11:02 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
void z_thread_perms_set(struct _k_object *ko, struct k_thread *thread)
|
2017-08-22 22:15:23 +02:00
|
|
|
{
|
2017-11-03 17:00:35 +01:00
|
|
|
int index = thread_index_get(thread);
|
|
|
|
|
|
|
|
|
|
if (index != -1) {
|
|
|
|
|
sys_bitfield_set_bit((mem_addr_t)&ko->perms, index);
|
2017-08-30 23:31:03 +02:00
|
|
|
}
|
2017-08-22 22:15:23 +02:00
|
|
|
}
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
void z_thread_perms_clear(struct _k_object *ko, struct k_thread *thread)
|
2017-10-09 23:47:55 +02:00
|
|
|
{
|
2017-11-03 17:00:35 +01:00
|
|
|
int index = thread_index_get(thread);
|
|
|
|
|
|
|
|
|
|
if (index != -1) {
|
2019-02-06 18:10:36 +01:00
|
|
|
sys_bitfield_clear_bit((mem_addr_t)&ko->perms, index);
|
2019-01-31 21:09:06 +01:00
|
|
|
unref_check(ko, index);
|
2017-10-09 23:47:55 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-13 22:57:07 +02:00
|
|
|
static void clear_perms_cb(struct _k_object *ko, void *ctx_ptr)
|
|
|
|
|
{
|
2019-11-18 19:20:16 +01:00
|
|
|
uintptr_t id = (uintptr_t)ctx_ptr;
|
2017-10-13 22:57:07 +02:00
|
|
|
|
2019-01-31 21:09:06 +01:00
|
|
|
unref_check(ko, id);
|
2017-10-13 22:57:07 +02:00
|
|
|
}
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
void z_thread_perms_all_clear(struct k_thread *thread)
|
2017-10-13 22:57:07 +02:00
|
|
|
{
|
2019-11-18 19:20:16 +01:00
|
|
|
uintptr_t index = thread_index_get(thread);
|
2017-11-03 17:00:35 +01:00
|
|
|
|
|
|
|
|
if (index != -1) {
|
2019-03-08 22:19:05 +01:00
|
|
|
z_object_wordlist_foreach(clear_perms_cb, (void *)index);
|
2017-10-13 22:57:07 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-10 18:31:32 +02:00
|
|
|
static int thread_perms_test(struct _k_object *ko)
|
2017-08-22 22:15:23 +02:00
|
|
|
{
|
2017-11-03 17:00:35 +01:00
|
|
|
int index;
|
|
|
|
|
|
2019-03-27 02:57:45 +01:00
|
|
|
if ((ko->flags & K_OBJ_FLAG_PUBLIC) != 0U) {
|
2017-10-13 22:57:07 +02:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-03 17:00:35 +01:00
|
|
|
index = thread_index_get(_current);
|
|
|
|
|
if (index != -1) {
|
|
|
|
|
return sys_bitfield_test_bit((mem_addr_t)&ko->perms, index);
|
2017-08-30 23:31:03 +02:00
|
|
|
}
|
|
|
|
|
return 0;
|
2017-08-22 22:15:23 +02:00
|
|
|
}
|
|
|
|
|
|
2017-10-10 18:31:32 +02:00
|
|
|
static void dump_permission_error(struct _k_object *ko)
|
|
|
|
|
{
|
2017-11-03 17:00:35 +01:00
|
|
|
int index = thread_index_get(_current);
|
2019-09-30 23:25:23 +02:00
|
|
|
LOG_ERR("thread %p (%d) does not have permission on %s %p",
|
|
|
|
|
_current, index,
|
|
|
|
|
otype_to_str(ko->type), ko->name);
|
|
|
|
|
LOG_HEXDUMP_ERR(ko->perms, sizeof(ko->perms), "permission bitmap");
|
2017-10-10 18:31:32 +02:00
|
|
|
}
|
2017-08-22 22:15:23 +02:00
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
void z_dump_object_error(int retval, void *obj, struct _k_object *ko,
|
2017-10-10 18:31:32 +02:00
|
|
|
enum k_objects otype)
|
|
|
|
|
{
|
|
|
|
|
switch (retval) {
|
|
|
|
|
case -EBADF:
|
2019-09-30 23:25:23 +02:00
|
|
|
LOG_ERR("%p is not a valid %s", obj, otype_to_str(otype));
|
2017-10-10 18:31:32 +02:00
|
|
|
break;
|
|
|
|
|
case -EPERM:
|
|
|
|
|
dump_permission_error(ko);
|
|
|
|
|
break;
|
|
|
|
|
case -EINVAL:
|
2019-09-30 23:25:23 +02:00
|
|
|
LOG_ERR("%p used before initialization", obj);
|
2017-10-10 18:31:32 +02:00
|
|
|
break;
|
2017-10-15 23:22:08 +02:00
|
|
|
case -EADDRINUSE:
|
2019-09-30 23:25:23 +02:00
|
|
|
LOG_ERR("%p %s in use", obj, otype_to_str(otype));
|
2018-09-11 07:54:55 +02:00
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
/* Not handled error */
|
|
|
|
|
break;
|
2017-08-22 22:15:23 +02:00
|
|
|
}
|
2017-10-04 21:10:32 +02:00
|
|
|
}
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
void z_impl_k_object_access_grant(void *object, struct k_thread *thread)
|
2017-10-04 21:10:32 +02:00
|
|
|
{
|
2019-03-08 22:19:05 +01:00
|
|
|
struct _k_object *ko = z_object_find(object);
|
2017-10-04 21:10:32 +02:00
|
|
|
|
2018-09-17 18:39:51 +02:00
|
|
|
if (ko != NULL) {
|
2019-03-08 22:19:05 +01:00
|
|
|
z_thread_perms_set(ko, thread);
|
2017-10-04 21:10:32 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-13 22:15:28 +02:00
|
|
|
void k_object_access_revoke(void *object, struct k_thread *thread)
|
2017-10-09 23:47:55 +02:00
|
|
|
{
|
2019-03-08 22:19:05 +01:00
|
|
|
struct _k_object *ko = z_object_find(object);
|
2017-10-09 23:47:55 +02:00
|
|
|
|
2018-09-17 18:39:51 +02:00
|
|
|
if (ko != NULL) {
|
2019-03-08 22:19:05 +01:00
|
|
|
z_thread_perms_clear(ko, thread);
|
2017-10-09 23:47:55 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
void z_impl_k_object_release(void *object)
|
2018-04-13 22:15:28 +02:00
|
|
|
{
|
|
|
|
|
k_object_access_revoke(object, _current);
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-14 23:42:23 +02:00
|
|
|
void k_object_access_all_grant(void *object)
|
2017-10-04 21:10:32 +02:00
|
|
|
{
|
2019-03-08 22:19:05 +01:00
|
|
|
struct _k_object *ko = z_object_find(object);
|
2017-10-04 21:10:32 +02:00
|
|
|
|
2018-09-17 18:39:51 +02:00
|
|
|
if (ko != NULL) {
|
2017-10-13 22:57:07 +02:00
|
|
|
ko->flags |= K_OBJ_FLAG_PUBLIC;
|
2017-10-04 21:10:32 +02:00
|
|
|
}
|
2017-08-22 22:15:23 +02:00
|
|
|
}
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
int z_object_validate(struct _k_object *ko, enum k_objects otype,
|
2017-10-15 23:22:08 +02:00
|
|
|
enum _obj_init_check init)
|
2017-08-22 22:15:23 +02:00
|
|
|
{
|
2018-09-21 01:30:45 +02:00
|
|
|
if (unlikely((ko == NULL) ||
|
|
|
|
|
(otype != K_OBJ_ANY && ko->type != otype))) {
|
2017-08-22 22:15:23 +02:00
|
|
|
return -EBADF;
|
|
|
|
|
}
|
|
|
|
|
|
kernel: policy change for uninitailized objects
The old policy was that objects that are not marked as initialized may
be claimed by any thread, user or kernel.
This has some undesirable implications:
- Kernel objects that were initailized at build time via some
_<object name>_INITIALIZER macro, not intended for userspace to ever
use, could be 'stolen' if their memory addresses were figured out and
_k_object_init() was never called on them.
- In general, a malicious thread could initialize all unclaimed objects
it could find, resulting in denial of service for the threads that
these objects were intended for.
Now, performing any operation in user mode on a kernel object,
initialized or not, required that the calling user thread have
permission on it. Such permission would have to be explicitly granted or
inherited from a supervisor thread, as with this change only supervisor
thread will be able to claim uninitialized objects in this way.
If an uninitialized kernel object has permissions granted to multiple
threads, whatever thread actually initializes the object will reset all
permission bits to zero and grant only the calling thread access to that
object.
In other words, granting access to an uninitialized object to several
threads means that "whichever of these threads (or any kernel thread)
who actually initializes this object will obtain exclusive access to
that object, which it then may grant to other threads as it sees fit."
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2017-10-09 21:46:25 +02:00
|
|
|
/* Manipulation of any kernel objects by a user thread requires that
|
|
|
|
|
* thread be granted access first, even for uninitialized objects
|
2017-08-22 22:15:23 +02:00
|
|
|
*/
|
2019-03-14 22:32:45 +01:00
|
|
|
if (unlikely(thread_perms_test(ko) == 0)) {
|
2017-08-22 22:15:23 +02:00
|
|
|
return -EPERM;
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-15 23:22:08 +02:00
|
|
|
/* Initialization state checks. _OBJ_INIT_ANY, we don't care */
|
|
|
|
|
if (likely(init == _OBJ_INIT_TRUE)) {
|
|
|
|
|
/* Object MUST be intialized */
|
2019-03-28 21:57:54 +01:00
|
|
|
if (unlikely((ko->flags & K_OBJ_FLAG_INITIALIZED) == 0U)) {
|
2017-10-15 23:22:08 +02:00
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
} else if (init < _OBJ_INIT_TRUE) { /* _OBJ_INIT_FALSE case */
|
|
|
|
|
/* Object MUST NOT be initialized */
|
2019-03-28 21:57:54 +01:00
|
|
|
if (unlikely((ko->flags & K_OBJ_FLAG_INITIALIZED) != 0U)) {
|
2017-10-15 23:22:08 +02:00
|
|
|
return -EADDRINUSE;
|
|
|
|
|
}
|
2018-09-25 20:24:28 +02:00
|
|
|
} else {
|
|
|
|
|
/* _OBJ_INIT_ANY */
|
2017-08-22 22:15:23 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
void z_object_init(void *obj)
|
2017-08-22 22:15:23 +02:00
|
|
|
{
|
|
|
|
|
struct _k_object *ko;
|
|
|
|
|
|
|
|
|
|
/* By the time we get here, if the caller was from userspace, all the
|
2019-03-08 22:19:05 +01:00
|
|
|
* necessary checks have been done in z_object_validate(), which takes
|
2017-08-22 22:15:23 +02:00
|
|
|
* place before the object is initialized.
|
|
|
|
|
*
|
|
|
|
|
* This function runs after the object has been initialized and
|
|
|
|
|
* finalizes it
|
|
|
|
|
*/
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
ko = z_object_find(obj);
|
2018-09-17 18:39:51 +02:00
|
|
|
if (ko == NULL) {
|
2017-08-22 22:15:23 +02:00
|
|
|
/* Supervisor threads can ignore rules about kernel objects
|
|
|
|
|
* and may declare them on stacks, etc. Such objects will never
|
|
|
|
|
* be usable from userspace, but we shouldn't explode.
|
|
|
|
|
*/
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-10 18:31:32 +02:00
|
|
|
/* Allows non-initialization system calls to be made on this object */
|
2017-08-22 22:15:23 +02:00
|
|
|
ko->flags |= K_OBJ_FLAG_INITIALIZED;
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
void z_object_recycle(void *obj)
|
2018-07-31 23:39:11 +02:00
|
|
|
{
|
2019-03-08 22:19:05 +01:00
|
|
|
struct _k_object *ko = z_object_find(obj);
|
2018-07-31 23:39:11 +02:00
|
|
|
|
2018-09-17 18:39:51 +02:00
|
|
|
if (ko != NULL) {
|
2018-09-12 04:09:03 +02:00
|
|
|
(void)memset(ko->perms, 0, sizeof(ko->perms));
|
2019-03-08 22:19:05 +01:00
|
|
|
z_thread_perms_set(ko, k_current_get());
|
2018-07-31 23:39:11 +02:00
|
|
|
ko->flags |= K_OBJ_FLAG_INITIALIZED;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
void z_object_uninit(void *obj)
|
2017-10-05 21:21:36 +02:00
|
|
|
{
|
|
|
|
|
struct _k_object *ko;
|
|
|
|
|
|
2019-03-08 22:19:05 +01:00
|
|
|
/* See comments in z_object_init() */
|
|
|
|
|
ko = z_object_find(obj);
|
2018-09-17 18:39:51 +02:00
|
|
|
if (ko == NULL) {
|
2017-10-05 21:21:36 +02:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ko->flags &= ~K_OBJ_FLAG_INITIALIZED;
|
|
|
|
|
}
|
|
|
|
|
|
2018-06-22 23:31:51 +02:00
|
|
|
/*
|
|
|
|
|
* Copy to/from helper functions used in syscall handlers
|
|
|
|
|
*/
|
2019-03-28 23:17:31 +01:00
|
|
|
void *z_user_alloc_from_copy(const void *src, size_t size)
|
2018-06-22 23:31:51 +02:00
|
|
|
{
|
|
|
|
|
void *dst = NULL;
|
|
|
|
|
|
|
|
|
|
/* Does the caller in user mode have access to read this memory? */
|
|
|
|
|
if (Z_SYSCALL_MEMORY_READ(src, size)) {
|
|
|
|
|
goto out_err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dst = z_thread_malloc(size);
|
2018-09-17 18:39:51 +02:00
|
|
|
if (dst == NULL) {
|
2019-09-30 23:25:23 +02:00
|
|
|
LOG_ERR("out of thread resource pool memory (%zu)", size);
|
2018-06-22 23:31:51 +02:00
|
|
|
goto out_err;
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-14 00:17:04 +02:00
|
|
|
(void)memcpy(dst, src, size);
|
2018-06-22 23:31:51 +02:00
|
|
|
out_err:
|
|
|
|
|
return dst;
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-28 23:17:31 +01:00
|
|
|
static int user_copy(void *dst, const void *src, size_t size, bool to_user)
|
2018-06-22 23:31:51 +02:00
|
|
|
{
|
|
|
|
|
int ret = EFAULT;
|
|
|
|
|
|
|
|
|
|
/* Does the caller in user mode have access to this memory? */
|
|
|
|
|
if (to_user ? Z_SYSCALL_MEMORY_WRITE(dst, size) :
|
|
|
|
|
Z_SYSCALL_MEMORY_READ(src, size)) {
|
|
|
|
|
goto out_err;
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-14 00:17:04 +02:00
|
|
|
(void)memcpy(dst, src, size);
|
2018-06-22 23:31:51 +02:00
|
|
|
ret = 0;
|
|
|
|
|
out_err:
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-28 23:17:31 +01:00
|
|
|
int z_user_from_copy(void *dst, const void *src, size_t size)
|
2018-06-22 23:31:51 +02:00
|
|
|
{
|
|
|
|
|
return user_copy(dst, src, size, false);
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-28 23:17:31 +01:00
|
|
|
int z_user_to_copy(void *dst, const void *src, size_t size)
|
2018-06-22 23:31:51 +02:00
|
|
|
{
|
|
|
|
|
return user_copy(dst, src, size, true);
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-28 23:17:31 +01:00
|
|
|
char *z_user_string_alloc_copy(const char *src, size_t maxlen)
|
2018-06-22 23:31:51 +02:00
|
|
|
{
|
2019-05-07 19:17:35 +02:00
|
|
|
size_t actual_len;
|
2018-08-15 02:57:08 +02:00
|
|
|
int err;
|
2018-06-22 23:31:51 +02:00
|
|
|
char *ret = NULL;
|
|
|
|
|
|
|
|
|
|
actual_len = z_user_string_nlen(src, maxlen, &err);
|
2018-12-16 21:48:29 +01:00
|
|
|
if (err != 0) {
|
2018-06-22 23:31:51 +02:00
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
if (actual_len == maxlen) {
|
|
|
|
|
/* Not NULL terminated */
|
2019-09-30 23:25:23 +02:00
|
|
|
LOG_ERR("string too long %p (%zu)", src, actual_len);
|
2018-06-22 23:31:51 +02:00
|
|
|
goto out;
|
|
|
|
|
}
|
2019-05-07 19:17:35 +02:00
|
|
|
if (size_add_overflow(actual_len, 1, &actual_len)) {
|
2019-09-30 23:25:23 +02:00
|
|
|
LOG_ERR("overflow");
|
2018-06-22 23:31:51 +02:00
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = z_user_alloc_from_copy(src, actual_len);
|
userspace: fix copy from user locking
We don't actually need spinlocks here.
For user_copy(), we are checking that the pointer/size passed in
from user mode represents an area that the thread can read or
write to. Then we do a memcpy into the kernel-side buffer,
which is used from then on. It's OK if another thread scribbles
on the buffer contents during the copy, as we have not yet
begun any examination of its contents yet.
For the z_user_string*_copy() functions, it's also possible
that another thread could scribble on the string contents,
but we do no analysis of the string other than to establish
a length. We just need to ensure that when these functions
exit, the copied string is NULL terminated.
For SMP, the spinlocks are removed as they will not prevent a
thread running on another CPU from changing the buffer/string
contents, we just need to safely deal with that possibility.
For UP, the locks do prevent another thread from stepping
in, but it's better to just safely deal with it rather than
affect the interrupt latency of the system.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2019-04-12 21:32:34 +02:00
|
|
|
|
|
|
|
|
/* Someone may have modified the source string during the above
|
|
|
|
|
* checks. Ensure what we actually copied is still terminated
|
|
|
|
|
* properly.
|
|
|
|
|
*/
|
|
|
|
|
if (ret != NULL) {
|
|
|
|
|
ret[actual_len - 1] = '\0';
|
|
|
|
|
}
|
2018-06-22 23:31:51 +02:00
|
|
|
out:
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-28 23:17:31 +01:00
|
|
|
int z_user_string_copy(char *dst, const char *src, size_t maxlen)
|
2018-06-22 23:31:51 +02:00
|
|
|
{
|
2019-05-07 19:17:35 +02:00
|
|
|
size_t actual_len;
|
2018-08-15 02:57:08 +02:00
|
|
|
int ret, err;
|
2018-06-22 23:31:51 +02:00
|
|
|
|
|
|
|
|
actual_len = z_user_string_nlen(src, maxlen, &err);
|
2018-12-16 21:48:29 +01:00
|
|
|
if (err != 0) {
|
2018-06-22 23:31:51 +02:00
|
|
|
ret = EFAULT;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
if (actual_len == maxlen) {
|
|
|
|
|
/* Not NULL terminated */
|
2019-09-30 23:25:23 +02:00
|
|
|
LOG_ERR("string too long %p (%zu)", src, actual_len);
|
2018-06-22 23:31:51 +02:00
|
|
|
ret = EINVAL;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
2019-05-07 19:17:35 +02:00
|
|
|
if (size_add_overflow(actual_len, 1, &actual_len)) {
|
2019-09-30 23:25:23 +02:00
|
|
|
LOG_ERR("overflow");
|
2018-06-22 23:31:51 +02:00
|
|
|
ret = EINVAL;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = z_user_from_copy(dst, src, actual_len);
|
userspace: fix copy from user locking
We don't actually need spinlocks here.
For user_copy(), we are checking that the pointer/size passed in
from user mode represents an area that the thread can read or
write to. Then we do a memcpy into the kernel-side buffer,
which is used from then on. It's OK if another thread scribbles
on the buffer contents during the copy, as we have not yet
begun any examination of its contents yet.
For the z_user_string*_copy() functions, it's also possible
that another thread could scribble on the string contents,
but we do no analysis of the string other than to establish
a length. We just need to ensure that when these functions
exit, the copied string is NULL terminated.
For SMP, the spinlocks are removed as they will not prevent a
thread running on another CPU from changing the buffer/string
contents, we just need to safely deal with that possibility.
For UP, the locks do prevent another thread from stepping
in, but it's better to just safely deal with it rather than
affect the interrupt latency of the system.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2019-04-12 21:32:34 +02:00
|
|
|
|
|
|
|
|
/* See comment above in z_user_string_alloc_copy() */
|
|
|
|
|
dst[actual_len - 1] = '\0';
|
2018-06-22 23:31:51 +02:00
|
|
|
out:
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-23 01:08:44 +01:00
|
|
|
/*
|
|
|
|
|
* Application memory region initialization
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
extern char __app_shmem_regions_start[];
|
|
|
|
|
extern char __app_shmem_regions_end[];
|
|
|
|
|
|
2019-02-28 02:24:46 +01:00
|
|
|
void z_app_shmem_bss_zero(void)
|
2019-02-23 01:08:44 +01:00
|
|
|
{
|
|
|
|
|
struct z_app_region *region, *end;
|
|
|
|
|
|
|
|
|
|
end = (struct z_app_region *)&__app_shmem_regions_end;
|
|
|
|
|
region = (struct z_app_region *)&__app_shmem_regions_start;
|
|
|
|
|
|
|
|
|
|
for ( ; region < end; region++) {
|
|
|
|
|
(void)memset(region->bss_start, 0, region->bss_size);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-06-22 23:31:51 +02:00
|
|
|
/*
|
|
|
|
|
* Default handlers if otherwise unimplemented
|
|
|
|
|
*/
|
|
|
|
|
|
2019-11-05 18:27:18 +01:00
|
|
|
static uintptr_t handler_bad_syscall(uintptr_t bad_id, uintptr_t arg2,
|
|
|
|
|
uintptr_t arg3, uintptr_t arg4,
|
|
|
|
|
uintptr_t arg5, uintptr_t arg6,
|
|
|
|
|
void *ssf)
|
2017-09-08 21:10:12 +02:00
|
|
|
{
|
2019-11-05 18:27:18 +01:00
|
|
|
LOG_ERR("Bad system call id %" PRIuPTR " invoked", bad_id);
|
2019-11-07 21:43:29 +01:00
|
|
|
arch_syscall_oops(_current_cpu->syscall_frame);
|
2019-06-24 18:35:55 +02:00
|
|
|
CODE_UNREACHABLE; /* LCOV_EXCL_LINE */
|
2017-09-08 21:10:12 +02:00
|
|
|
}
|
|
|
|
|
|
2019-11-05 18:27:18 +01:00
|
|
|
static uintptr_t handler_no_syscall(uintptr_t arg1, uintptr_t arg2,
|
|
|
|
|
uintptr_t arg3, uintptr_t arg4,
|
|
|
|
|
uintptr_t arg5, uintptr_t arg6, void *ssf)
|
2017-09-29 01:54:35 +02:00
|
|
|
{
|
2019-09-30 23:25:23 +02:00
|
|
|
LOG_ERR("Unimplemented system call");
|
2019-11-07 21:43:29 +01:00
|
|
|
arch_syscall_oops(_current_cpu->syscall_frame);
|
2019-06-24 18:35:55 +02:00
|
|
|
CODE_UNREACHABLE; /* LCOV_EXCL_LINE */
|
2017-09-29 01:54:35 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#include <syscall_dispatch.c>
|