the-tree/mm/process_vm_access.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /*
0003  * linux/mm/process_vm_access.c
0004  *
0005  * Copyright (C) 2010-2011 Christopher Yeoh <cyeoh@au1.ibm.com>, IBM Corp.
0006  */
0007
0008 #include <linux/compat.h>
0009 #include <linux/mm.h>
0010 #include <linux/uio.h>
0011 #include <linux/sched.h>
0012 #include <linux/sched/mm.h>
0013 #include <linux/highmem.h>
0014 #include <linux/ptrace.h>
0015 #include <linux/slab.h>
0016 #include <linux/syscalls.h>
0017
0018 /**
0019  * process_vm_rw_pages - read/write pages from task specified
0020  * @pages: array of pointers to pages we want to copy
0021  * @offset: offset in page to start copying from/to
0022  * @len: number of bytes to copy
0023  * @iter: where to copy to/from locally
0024  * @vm_write: 0 means copy from, 1 means copy to
0025  * Returns 0 on success, error code otherwise
0026  */
0027 static int process_vm_rw_pages(struct page **pages,
0028                    unsigned offset,
0029                    size_t len,
0030                    struct iov_iter *iter,
0031                    int vm_write)
0032 {
0033     /* Do the copy for each page */
0034     while (len && iov_iter_count(iter)) {
0035         struct page *page = *pages++;
0036         size_t copy = PAGE_SIZE - offset;
0037         size_t copied;
0038
0039         if (copy > len)
0040             copy = len;
0041
0042         if (vm_write)
0043             copied = copy_page_from_iter(page, offset, copy, iter);
0044         else
0045             copied = copy_page_to_iter(page, offset, copy, iter);
0046
0047         len -= copied;
0048         if (copied < copy && iov_iter_count(iter))
0049             return -EFAULT;
0050         offset = 0;
0051     }
0052     return 0;
0053 }
0054
0055 /* Maximum number of pages kmalloc'd to hold struct page's during copy */
0056 #define PVM_MAX_KMALLOC_PAGES (PAGE_SIZE * 2)
0057
0058 /**
0059  * process_vm_rw_single_vec - read/write pages from task specified
0060  * @addr: start memory address of target process
0061  * @len: size of area to copy to/from
0062  * @iter: where to copy to/from locally
0063  * @process_pages: struct pages area that can store at least
0064  *  nr_pages_to_copy struct page pointers
0065  * @mm: mm for task
0066  * @task: task to read/write from
0067  * @vm_write: 0 means copy from, 1 means copy to
0068  * Returns 0 on success or on failure error code
0069  */
0070 static int process_vm_rw_single_vec(unsigned long addr,
0071                     unsigned long len,
0072                     struct iov_iter *iter,
0073                     struct page **process_pages,
0074                     struct mm_struct *mm,
0075                     struct task_struct *task,
0076                     int vm_write)
0077 {
0078     unsigned long pa = addr & PAGE_MASK;
0079     unsigned long start_offset = addr - pa;
0080     unsigned long nr_pages;
0081     ssize_t rc = 0;
0082     unsigned long max_pages_per_loop = PVM_MAX_KMALLOC_PAGES
0083         / sizeof(struct pages *);
0084     unsigned int flags = 0;
0085
0086     /* Work out address and page range required */
0087     if (len == 0)
0088         return 0;
0089     nr_pages = (addr + len - 1) / PAGE_SIZE - addr / PAGE_SIZE + 1;
0090
0091     if (vm_write)
0092         flags |= FOLL_WRITE;
0093
0094     while (!rc && nr_pages && iov_iter_count(iter)) {
0095         int pinned_pages = min(nr_pages, max_pages_per_loop);
0096         int locked = 1;
0097         size_t bytes;
0098
0099         /*
0100          * Get the pages we're interested in.  We must
0101          * access remotely because task/mm might not
0102          * current/current->mm
0103          */
0104         mmap_read_lock(mm);
0105         pinned_pages = pin_user_pages_remote(mm, pa, pinned_pages,
0106                              flags, process_pages,
0107                              NULL, &locked);
0108         if (locked)
0109             mmap_read_unlock(mm);
0110         if (pinned_pages <= 0)
0111             return -EFAULT;
0112
0113         bytes = pinned_pages * PAGE_SIZE - start_offset;
0114         if (bytes > len)
0115             bytes = len;
0116
0117         rc = process_vm_rw_pages(process_pages,
0118                      start_offset, bytes, iter,
0119                      vm_write);
0120         len -= bytes;
0121         start_offset = 0;
0122         nr_pages -= pinned_pages;
0123         pa += pinned_pages * PAGE_SIZE;
0124
0125         /* If vm_write is set, the pages need to be made dirty: */
0126         unpin_user_pages_dirty_lock(process_pages, pinned_pages,
0127                         vm_write);
0128     }
0129
0130     return rc;
0131 }
0132
0133 /* Maximum number of entries for process pages array
0134    which lives on stack */
0135 #define PVM_MAX_PP_ARRAY_COUNT 16
0136
0137 /**
0138  * process_vm_rw_core - core of reading/writing pages from task specified
0139  * @pid: PID of process to read/write from/to
0140  * @iter: where to copy to/from locally
0141  * @rvec: iovec array specifying where to copy to/from in the other process
0142  * @riovcnt: size of rvec array
0143  * @flags: currently unused
0144  * @vm_write: 0 if reading from other process, 1 if writing to other process
0145  *
0146  * Returns the number of bytes read/written or error code. May
0147  *  return less bytes than expected if an error occurs during the copying
0148  *  process.
0149  */
0150 static ssize_t process_vm_rw_core(pid_t pid, struct iov_iter *iter,
0151                   const struct iovec *rvec,
0152                   unsigned long riovcnt,
0153                   unsigned long flags, int vm_write)
0154 {
0155     struct task_struct *task;
0156     struct page *pp_stack[PVM_MAX_PP_ARRAY_COUNT];
0157     struct page **process_pages = pp_stack;
0158     struct mm_struct *mm;
0159     unsigned long i;
0160     ssize_t rc = 0;
0161     unsigned long nr_pages = 0;
0162     unsigned long nr_pages_iov;
0163     ssize_t iov_len;
0164     size_t total_len = iov_iter_count(iter);
0165
0166     /*
0167      * Work out how many pages of struct pages we're going to need
0168      * when eventually calling get_user_pages
0169      */
0170     for (i = 0; i < riovcnt; i++) {
0171         iov_len = rvec[i].iov_len;
0172         if (iov_len > 0) {
0173             nr_pages_iov = ((unsigned long)rvec[i].iov_base
0174                     + iov_len)
0175                 / PAGE_SIZE - (unsigned long)rvec[i].iov_base
0176                 / PAGE_SIZE + 1;
0177             nr_pages = max(nr_pages, nr_pages_iov);
0178         }
0179     }
0180
0181     if (nr_pages == 0)
0182         return 0;
0183
0184     if (nr_pages > PVM_MAX_PP_ARRAY_COUNT) {
0185         /* For reliability don't try to kmalloc more than
0186            2 pages worth */
0187         process_pages = kmalloc(min_t(size_t, PVM_MAX_KMALLOC_PAGES,
0188                           sizeof(struct pages *)*nr_pages),
0189                     GFP_KERNEL);
0190
0191         if (!process_pages)
0192             return -ENOMEM;
0193     }
0194
0195     /* Get process information */
0196     task = find_get_task_by_vpid(pid);
0197     if (!task) {
0198         rc = -ESRCH;
0199         goto free_proc_pages;
0200     }
0201
0202     mm = mm_access(task, PTRACE_MODE_ATTACH_REALCREDS);
0203     if (!mm || IS_ERR(mm)) {
0204         rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
0205         /*
0206          * Explicitly map EACCES to EPERM as EPERM is a more
0207          * appropriate error code for process_vw_readv/writev
0208          */
0209         if (rc == -EACCES)
0210             rc = -EPERM;
0211         goto put_task_struct;
0212     }
0213
0214     for (i = 0; i < riovcnt && iov_iter_count(iter) && !rc; i++)
0215         rc = process_vm_rw_single_vec(
0216             (unsigned long)rvec[i].iov_base, rvec[i].iov_len,
0217             iter, process_pages, mm, task, vm_write);
0218
0219     /* copied = space before - space after */
0220     total_len -= iov_iter_count(iter);
0221
0222     /* If we have managed to copy any data at all then
0223        we return the number of bytes copied. Otherwise
0224        we return the error code */
0225     if (total_len)
0226         rc = total_len;
0227
0228     mmput(mm);
0229
0230 put_task_struct:
0231     put_task_struct(task);
0232
0233 free_proc_pages:
0234     if (process_pages != pp_stack)
0235         kfree(process_pages);
0236     return rc;
0237 }
0238
0239 /**
0240  * process_vm_rw - check iovecs before calling core routine
0241  * @pid: PID of process to read/write from/to
0242  * @lvec: iovec array specifying where to copy to/from locally
0243  * @liovcnt: size of lvec array
0244  * @rvec: iovec array specifying where to copy to/from in the other process
0245  * @riovcnt: size of rvec array
0246  * @flags: currently unused
0247  * @vm_write: 0 if reading from other process, 1 if writing to other process
0248  *
0249  * Returns the number of bytes read/written or error code. May
0250  *  return less bytes than expected if an error occurs during the copying
0251  *  process.
0252  */
0253 static ssize_t process_vm_rw(pid_t pid,
0254                  const struct iovec __user *lvec,
0255                  unsigned long liovcnt,
0256                  const struct iovec __user *rvec,
0257                  unsigned long riovcnt,
0258                  unsigned long flags, int vm_write)
0259 {
0260     struct iovec iovstack_l[UIO_FASTIOV];
0261     struct iovec iovstack_r[UIO_FASTIOV];
0262     struct iovec *iov_l = iovstack_l;
0263     struct iovec *iov_r;
0264     struct iov_iter iter;
0265     ssize_t rc;
0266     int dir = vm_write ? WRITE : READ;
0267
0268     if (flags != 0)
0269         return -EINVAL;
0270
0271     /* Check iovecs */
0272     rc = import_iovec(dir, lvec, liovcnt, UIO_FASTIOV, &iov_l, &iter);
0273     if (rc < 0)
0274         return rc;
0275     if (!iov_iter_count(&iter))
0276         goto free_iov_l;
0277     iov_r = iovec_from_user(rvec, riovcnt, UIO_FASTIOV, iovstack_r,
0278                 in_compat_syscall());
0279     if (IS_ERR(iov_r)) {
0280         rc = PTR_ERR(iov_r);
0281         goto free_iov_l;
0282     }
0283     rc = process_vm_rw_core(pid, &iter, iov_r, riovcnt, flags, vm_write);
0284     if (iov_r != iovstack_r)
0285         kfree(iov_r);
0286 free_iov_l:
0287     kfree(iov_l);
0288     return rc;
0289 }
0290
0291 SYSCALL_DEFINE6(process_vm_readv, pid_t, pid, const struct iovec __user *, lvec,
0292         unsigned long, liovcnt, const struct iovec __user *, rvec,
0293         unsigned long, riovcnt, unsigned long, flags)
0294 {
0295     return process_vm_rw(pid, lvec, liovcnt, rvec, riovcnt, flags, 0);
0296 }
0297
0298 SYSCALL_DEFINE6(process_vm_writev, pid_t, pid,
0299         const struct iovec __user *, lvec,
0300         unsigned long, liovcnt, const struct iovec __user *, rvec,
0301         unsigned long, riovcnt, unsigned long, flags)
0302 {
0303     return process_vm_rw(pid, lvec, liovcnt, rvec, riovcnt, flags, 1);
0304 }