diff options
| author | Dave Gerlach <d-gerlach@ti.com> | 2017-05-18 11:07:06 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-05-18 11:37:52 -0400 |
| commit | 34cfb106d1f8a746fcccbe61c852f705dcdceaa2 (patch) | |
| tree | 9fcf296a53d1433d8cfa7b2183d6fe23cb9e73bb | |
| parent | a5061d028594a31dbf70f4554e0b7d83e5ce770f (diff) | |
misc: sram-exec: Use aligned fncpy instead of memcpy
Currently the sram-exec functionality, which allows allocation of
executable memory and provides an API to move code to it, is only
selected in configs for the ARM architecture. Based on commit
5756e9dd0de6 ("ARM: 6640/1: Thumb-2: Symbol manipulation macros for
function body copying") simply copying a C function pointer address
using memcpy without consideration of alignment and Thumb is unsafe on
ARM platforms.
The aforementioned patch introduces the fncpy macro which is a safe way
to copy executable code on ARM platforms, so let's make use of that here
rather than the unsafe plain memcpy that was previously used by
sram_exec_copy. Now sram_exec_copy will move the code to "dst" and
return an address that is guaranteed to be safely callable.
In the future, architectures hoping to make use of the sram-exec
functionality must define an fncpy macro just as ARM has done to
guarantee or check for safe copying to executable memory before allowing
the arch to select CONFIG_SRAM_EXEC.
Acked-by: Tony Lindgren <tony@atomide.com>
Acked-by: Russell King <rmk+kernel@armlinux.org.uk>
Reviewed-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/misc/sram-exec.c | 27 | ||||
| -rw-r--r-- | include/linux/sram.h | 8 |
2 files changed, 24 insertions, 11 deletions
diff --git a/drivers/misc/sram-exec.c b/drivers/misc/sram-exec.c index 3d528a13b8fc..426ad912b441 100644 --- a/drivers/misc/sram-exec.c +++ b/drivers/misc/sram-exec.c | |||
| @@ -19,6 +19,7 @@ | |||
| 19 | #include <linux/mm.h> | 19 | #include <linux/mm.h> |
| 20 | #include <linux/sram.h> | 20 | #include <linux/sram.h> |
| 21 | 21 | ||
| 22 | #include <asm/fncpy.h> | ||
| 22 | #include <asm/set_memory.h> | 23 | #include <asm/set_memory.h> |
| 23 | 24 | ||
| 24 | #include "sram.h" | 25 | #include "sram.h" |
| @@ -58,20 +59,32 @@ int sram_add_protect_exec(struct sram_partition *part) | |||
| 58 | * @src: Source address for the data to copy | 59 | * @src: Source address for the data to copy |
| 59 | * @size: Size of copy to perform, which starting from dst, must reside in pool | 60 | * @size: Size of copy to perform, which starting from dst, must reside in pool |
| 60 | * | 61 | * |
| 62 | * Return: Address for copied data that can safely be called through function | ||
| 63 | * pointer, or NULL if problem. | ||
| 64 | * | ||
| 61 | * This helper function allows sram driver to act as central control location | 65 | * This helper function allows sram driver to act as central control location |
| 62 | * of 'protect-exec' pools which are normal sram pools but are always set | 66 | * of 'protect-exec' pools which are normal sram pools but are always set |
| 63 | * read-only and executable except when copying data to them, at which point | 67 | * read-only and executable except when copying data to them, at which point |
| 64 | * they are set to read-write non-executable, to make sure no memory is | 68 | * they are set to read-write non-executable, to make sure no memory is |
| 65 | * writeable and executable at the same time. This region must be page-aligned | 69 | * writeable and executable at the same time. This region must be page-aligned |
| 66 | * and is checked during probe, otherwise page attribute manipulation would | 70 | * and is checked during probe, otherwise page attribute manipulation would |
| 67 | * not be possible. | 71 | * not be possible. Care must be taken to only call the returned address as |
| 72 | * dst address is not guaranteed to be safely callable. | ||
| 73 | * | ||
| 74 | * NOTE: This function uses the fncpy macro to move code to the executable | ||
| 75 | * region. Some architectures have strict requirements for relocating | ||
| 76 | * executable code, so fncpy is a macro that must be defined by any arch | ||
| 77 | * making use of this functionality that guarantees a safe copy of exec | ||
| 78 | * data and returns a safe address that can be called as a C function | ||
| 79 | * pointer. | ||
| 68 | */ | 80 | */ |
| 69 | int sram_exec_copy(struct gen_pool *pool, void *dst, void *src, | 81 | void *sram_exec_copy(struct gen_pool *pool, void *dst, void *src, |
| 70 | size_t size) | 82 | size_t size) |
| 71 | { | 83 | { |
| 72 | struct sram_partition *part = NULL, *p; | 84 | struct sram_partition *part = NULL, *p; |
| 73 | unsigned long base; | 85 | unsigned long base; |
| 74 | int pages; | 86 | int pages; |
| 87 | void *dst_cpy; | ||
| 75 | 88 | ||
| 76 | mutex_lock(&exec_pool_list_mutex); | 89 | mutex_lock(&exec_pool_list_mutex); |
| 77 | list_for_each_entry(p, &exec_pool_list, list) { | 90 | list_for_each_entry(p, &exec_pool_list, list) { |
| @@ -81,10 +94,10 @@ int sram_exec_copy(struct gen_pool *pool, void *dst, void *src, | |||
| 81 | mutex_unlock(&exec_pool_list_mutex); | 94 | mutex_unlock(&exec_pool_list_mutex); |
| 82 | 95 | ||
| 83 | if (!part) | 96 | if (!part) |
| 84 | return -EINVAL; | 97 | return NULL; |
| 85 | 98 | ||
| 86 | if (!addr_in_gen_pool(pool, (unsigned long)dst, size)) | 99 | if (!addr_in_gen_pool(pool, (unsigned long)dst, size)) |
| 87 | return -EINVAL; | 100 | return NULL; |
| 88 | 101 | ||
| 89 | base = (unsigned long)part->base; | 102 | base = (unsigned long)part->base; |
| 90 | pages = PAGE_ALIGN(size) / PAGE_SIZE; | 103 | pages = PAGE_ALIGN(size) / PAGE_SIZE; |
| @@ -94,13 +107,13 @@ int sram_exec_copy(struct gen_pool *pool, void *dst, void *src, | |||
| 94 | set_memory_nx((unsigned long)base, pages); | 107 | set_memory_nx((unsigned long)base, pages); |
| 95 | set_memory_rw((unsigned long)base, pages); | 108 | set_memory_rw((unsigned long)base, pages); |
| 96 | 109 | ||
| 97 | memcpy(dst, src, size); | 110 | dst_cpy = fncpy(dst, src, size); |
| 98 | 111 | ||
| 99 | set_memory_ro((unsigned long)base, pages); | 112 | set_memory_ro((unsigned long)base, pages); |
| 100 | set_memory_x((unsigned long)base, pages); | 113 | set_memory_x((unsigned long)base, pages); |
| 101 | 114 | ||
| 102 | mutex_unlock(&part->lock); | 115 | mutex_unlock(&part->lock); |
| 103 | 116 | ||
| 104 | return 0; | 117 | return dst_cpy; |
| 105 | } | 118 | } |
| 106 | EXPORT_SYMBOL_GPL(sram_exec_copy); | 119 | EXPORT_SYMBOL_GPL(sram_exec_copy); |
diff --git a/include/linux/sram.h b/include/linux/sram.h index c97dcbe8ce25..4fb405fb0480 100644 --- a/include/linux/sram.h +++ b/include/linux/sram.h | |||
| @@ -16,12 +16,12 @@ | |||
| 16 | struct gen_pool; | 16 | struct gen_pool; |
| 17 | 17 | ||
| 18 | #ifdef CONFIG_SRAM_EXEC | 18 | #ifdef CONFIG_SRAM_EXEC |
| 19 | int sram_exec_copy(struct gen_pool *pool, void *dst, void *src, size_t size); | 19 | void *sram_exec_copy(struct gen_pool *pool, void *dst, void *src, size_t size); |
| 20 | #else | 20 | #else |
| 21 | static inline int sram_exec_copy(struct gen_pool *pool, void *dst, void *src, | 21 | static inline void *sram_exec_copy(struct gen_pool *pool, void *dst, void *src, |
| 22 | size_t size) | 22 | size_t size) |
| 23 | { | 23 | { |
| 24 | return -ENODEV; | 24 | return NULL; |
| 25 | } | 25 | } |
| 26 | #endif /* CONFIG_SRAM_EXEC */ | 26 | #endif /* CONFIG_SRAM_EXEC */ |
| 27 | #endif /* __LINUX_SRAM_H__ */ | 27 | #endif /* __LINUX_SRAM_H__ */ |