Loading...
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 | /* * Copyright (c) 2017 Intel Corporation * * SPDX-License-Identifier: Apache-2.0 */ #include <kernel.h> #include <string.h> #include <sys/math_extras.h> #include <sys/rb.h> #include <kernel_structs.h> #include <sys/sys_io.h> #include <ksched.h> #include <syscall.h> #include <syscall_handler.h> #include <device.h> #include <init.h> #include <stdbool.h> #include <app_memory/app_memdomain.h> #include <sys/libc-hooks.h> #include <sys/mutex.h> #include <inttypes.h> #ifdef Z_LIBC_PARTITION_EXISTS K_APPMEM_PARTITION_DEFINE(z_libc_partition); #endif /* TODO: Find a better place to put this. Since we pull the entire * lib..__modules__crypto__mbedtls.a globals into app shared memory * section, we can't put this in zephyr_init.c of the mbedtls module. */ #ifdef CONFIG_MBEDTLS K_APPMEM_PARTITION_DEFINE(k_mbedtls_partition); #endif #define LOG_LEVEL CONFIG_KERNEL_LOG_LEVEL #include <logging/log.h> LOG_MODULE_DECLARE(os); /* The originally synchronization strategy made heavy use of recursive * irq_locking, which ports poorly to spinlocks which are * non-recursive. Rather than try to redesign as part of * spinlockification, this uses multiple locks to preserve the * original semantics exactly. The locks are named for the data they * protect where possible, or just for the code that uses them where * not. */ #ifdef CONFIG_DYNAMIC_OBJECTS static struct k_spinlock lists_lock; /* kobj rbtree/dlist */ static struct k_spinlock objfree_lock; /* k_object_free */ #endif static struct k_spinlock obj_lock; /* kobj struct data */ #define MAX_THREAD_BITS (CONFIG_MAX_THREAD_BYTES * 8) #ifdef CONFIG_DYNAMIC_OBJECTS extern u8_t _thread_idx_map[CONFIG_MAX_THREAD_BYTES]; #endif static void clear_perms_cb(struct _k_object *ko, void *ctx_ptr); const char *otype_to_str(enum k_objects otype) { const char *ret; /* -fdata-sections doesn't work right except in very very recent * GCC and these literal strings would appear in the binary even if * otype_to_str was omitted by the linker */ #ifdef CONFIG_LOG switch (otype) { /* otype-to-str.h is generated automatically during build by * gen_kobject_list.py */ #include <otype-to-str.h> default: ret = "?"; break; } #else ARG_UNUSED(otype); return NULL; #endif return ret; } struct perm_ctx { int parent_id; int child_id; struct k_thread *parent; }; #ifdef CONFIG_DYNAMIC_OBJECTS struct dyn_obj { struct _k_object kobj; sys_dnode_t obj_list; struct rbnode node; /* must be immediately before data member */ u8_t data[]; /* The object itself */ }; extern struct _k_object *z_object_gperf_find(void *obj); extern void z_object_gperf_wordlist_foreach(_wordlist_cb_func_t func, void *context); static bool node_lessthan(struct rbnode *a, struct rbnode *b); /* * Red/black tree of allocated kernel objects, for reasonably fast lookups * based on object pointer values. */ static struct rbtree obj_rb_tree = { .lessthan_fn = node_lessthan }; /* * Linked list of allocated kernel objects, for iteration over all allocated * objects (and potentially deleting them during iteration). */ static sys_dlist_t obj_list = SYS_DLIST_STATIC_INIT(&obj_list); /* * TODO: Write some hash table code that will replace both obj_rb_tree * and obj_list. */ static size_t obj_size_get(enum k_objects otype) { size_t ret; switch (otype) { #include <otype-to-size.h> default: ret = sizeof(struct device); break; } return ret; } static bool node_lessthan(struct rbnode *a, struct rbnode *b) { return a < b; } static inline struct dyn_obj *node_to_dyn_obj(struct rbnode *node) { return CONTAINER_OF(node, struct dyn_obj, node); } static struct dyn_obj *dyn_object_find(void *obj) { struct rbnode *node; struct dyn_obj *ret; /* For any dynamically allocated kernel object, the object * pointer is just a member of the conatining struct dyn_obj, * so just a little arithmetic is necessary to locate the * corresponding struct rbnode */ node = (struct rbnode *)((char *)obj - sizeof(struct rbnode)); k_spinlock_key_t key = k_spin_lock(&lists_lock); if (rb_contains(&obj_rb_tree, node)) { ret = node_to_dyn_obj(node); } else { ret = NULL; } k_spin_unlock(&lists_lock, key); return ret; } /** * @internal * * @brief Allocate a new thread index for a new thread. * * This finds an unused thread index that can be assigned to a new * thread. If too many threads have been allocated, the kernel will * run out of indexes and this function will fail. * * Note that if an unused index is found, that index will be marked as * used after return of this function. * * @param tidx The new thread index if successful * * @return true if successful, false if failed **/ static bool thread_idx_alloc(uintptr_t *tidx) { int i; int idx; int base; base = 0; for (i = 0; i < CONFIG_MAX_THREAD_BYTES; i++) { idx = find_lsb_set(_thread_idx_map[i]); if (idx != 0) { *tidx = base + (idx - 1); sys_bitfield_clear_bit((mem_addr_t)_thread_idx_map, *tidx); /* Clear permission from all objects */ z_object_wordlist_foreach(clear_perms_cb, (void *)*tidx); return true; } base += 8; } return false; } /** * @internal * * @brief Free a thread index. * * This frees a thread index so it can be used by another * thread. * * @param tidx The thread index to be freed **/ static void thread_idx_free(uintptr_t tidx) { /* To prevent leaked permission when index is recycled */ z_object_wordlist_foreach(clear_perms_cb, (void *)tidx); sys_bitfield_set_bit((mem_addr_t)_thread_idx_map, tidx); } void *z_impl_k_object_alloc(enum k_objects otype) { struct dyn_obj *dyn_obj; uintptr_t tidx; /* Stacks are not supported, we don't yet have mem pool APIs * to request memory that is aligned */ __ASSERT(otype > K_OBJ_ANY && otype < K_OBJ_LAST && otype != K_OBJ__THREAD_STACK_ELEMENT, "bad object type requested"); dyn_obj = z_thread_malloc(sizeof(*dyn_obj) + obj_size_get(otype)); if (dyn_obj == NULL) { LOG_WRN("could not allocate kernel object"); return NULL; } dyn_obj->kobj.name = (char *)&dyn_obj->data; dyn_obj->kobj.type = otype; dyn_obj->kobj.flags = K_OBJ_FLAG_ALLOC; (void)memset(dyn_obj->kobj.perms, 0, CONFIG_MAX_THREAD_BYTES); /* Need to grab a new thread index for k_thread */ if (otype == K_OBJ_THREAD) { if (!thread_idx_alloc(&tidx)) { k_free(dyn_obj); return NULL; } dyn_obj->kobj.data = tidx; } /* The allocating thread implicitly gets permission on kernel objects * that it allocates */ z_thread_perms_set(&dyn_obj->kobj, _current); k_spinlock_key_t key = k_spin_lock(&lists_lock); rb_insert(&obj_rb_tree, &dyn_obj->node); sys_dlist_append(&obj_list, &dyn_obj->obj_list); k_spin_unlock(&lists_lock, key); return dyn_obj->kobj.name; } void k_object_free(void *obj) { struct dyn_obj *dyn_obj; /* This function is intentionally not exposed to user mode. * There's currently no robust way to track that an object isn't * being used by some other thread */ k_spinlock_key_t key = k_spin_lock(&objfree_lock); dyn_obj = dyn_object_find(obj); if (dyn_obj != NULL) { rb_remove(&obj_rb_tree, &dyn_obj->node); sys_dlist_remove(&dyn_obj->obj_list); if (dyn_obj->kobj.type == K_OBJ_THREAD) { thread_idx_free(dyn_obj->kobj.data); } } k_spin_unlock(&objfree_lock, key); if (dyn_obj != NULL) { k_free(dyn_obj); } } struct _k_object *z_object_find(void *obj) { struct _k_object *ret; ret = z_object_gperf_find(obj); if (ret == NULL) { struct dyn_obj *dynamic_obj; dynamic_obj = dyn_object_find(obj); if (dynamic_obj != NULL) { ret = &dynamic_obj->kobj; } } return ret; } void z_object_wordlist_foreach(_wordlist_cb_func_t func, void *context) { struct dyn_obj *obj, *next; z_object_gperf_wordlist_foreach(func, context); k_spinlock_key_t key = k_spin_lock(&lists_lock); SYS_DLIST_FOR_EACH_CONTAINER_SAFE(&obj_list, obj, next, obj_list) { func(&obj->kobj, context); } k_spin_unlock(&lists_lock, key); } #endif /* CONFIG_DYNAMIC_OBJECTS */ static int thread_index_get(struct k_thread *thread) { struct _k_object *ko; ko = z_object_find(thread); if (ko == NULL) { return -1; } return ko->data; } static void unref_check(struct _k_object *ko, uintptr_t index) { k_spinlock_key_t key = k_spin_lock(&obj_lock); sys_bitfield_clear_bit((mem_addr_t)&ko->perms, index); #ifdef CONFIG_DYNAMIC_OBJECTS struct dyn_obj *dyn_obj = CONTAINER_OF(ko, struct dyn_obj, kobj); if ((ko->flags & K_OBJ_FLAG_ALLOC) == 0U) { goto out; } for (int i = 0; i < CONFIG_MAX_THREAD_BYTES; i++) { if (ko->perms[i] != 0U) { goto out; } } /* This object has no more references. Some objects may have * dynamically allocated resources, require cleanup, or need to be * marked as uninitailized when all references are gone. What * specifically needs to happen depends on the object type. */ switch (ko->type) { case K_OBJ_PIPE: k_pipe_cleanup((struct k_pipe *)ko->name); break; case K_OBJ_MSGQ: k_msgq_cleanup((struct k_msgq *)ko->name); break; case K_OBJ_STACK: k_stack_cleanup((struct k_stack *)ko->name); break; default: /* Nothing to do */ break; } rb_remove(&obj_rb_tree, &dyn_obj->node); sys_dlist_remove(&dyn_obj->obj_list); k_free(dyn_obj); out: #endif k_spin_unlock(&obj_lock, key); } static void wordlist_cb(struct _k_object *ko, void *ctx_ptr) { struct perm_ctx *ctx = (struct perm_ctx *)ctx_ptr; if (sys_bitfield_test_bit((mem_addr_t)&ko->perms, ctx->parent_id) && (struct k_thread *)ko->name != ctx->parent) { sys_bitfield_set_bit((mem_addr_t)&ko->perms, ctx->child_id); } } void z_thread_perms_inherit(struct k_thread *parent, struct k_thread *child) { struct perm_ctx ctx = { thread_index_get(parent), thread_index_get(child), parent }; if ((ctx.parent_id != -1) && (ctx.child_id != -1)) { z_object_wordlist_foreach(wordlist_cb, &ctx); } } void z_thread_perms_set(struct _k_object *ko, struct k_thread *thread) { int index = thread_index_get(thread); if (index != -1) { sys_bitfield_set_bit((mem_addr_t)&ko->perms, index); } } void z_thread_perms_clear(struct _k_object *ko, struct k_thread *thread) { int index = thread_index_get(thread); if (index != -1) { sys_bitfield_clear_bit((mem_addr_t)&ko->perms, index); unref_check(ko, index); } } static void clear_perms_cb(struct _k_object *ko, void *ctx_ptr) { uintptr_t id = (uintptr_t)ctx_ptr; unref_check(ko, id); } void z_thread_perms_all_clear(struct k_thread *thread) { uintptr_t index = thread_index_get(thread); if (index != -1) { z_object_wordlist_foreach(clear_perms_cb, (void *)index); } } static int thread_perms_test(struct _k_object *ko) { int index; if ((ko->flags & K_OBJ_FLAG_PUBLIC) != 0U) { return 1; } index = thread_index_get(_current); if (index != -1) { return sys_bitfield_test_bit((mem_addr_t)&ko->perms, index); } return 0; } static void dump_permission_error(struct _k_object *ko) { int index = thread_index_get(_current); LOG_ERR("thread %p (%d) does not have permission on %s %p", _current, index, otype_to_str(ko->type), ko->name); LOG_HEXDUMP_ERR(ko->perms, sizeof(ko->perms), "permission bitmap"); } void z_dump_object_error(int retval, void *obj, struct _k_object *ko, enum k_objects otype) { switch (retval) { case -EBADF: LOG_ERR("%p is not a valid %s", obj, otype_to_str(otype)); break; case -EPERM: dump_permission_error(ko); break; case -EINVAL: LOG_ERR("%p used before initialization", obj); break; case -EADDRINUSE: LOG_ERR("%p %s in use", obj, otype_to_str(otype)); break; default: /* Not handled error */ break; } } void z_impl_k_object_access_grant(void *object, struct k_thread *thread) { struct _k_object *ko = z_object_find(object); if (ko != NULL) { z_thread_perms_set(ko, thread); } } void k_object_access_revoke(void *object, struct k_thread *thread) { struct _k_object *ko = z_object_find(object); if (ko != NULL) { z_thread_perms_clear(ko, thread); } } void z_impl_k_object_release(void *object) { k_object_access_revoke(object, _current); } void k_object_access_all_grant(void *object) { struct _k_object *ko = z_object_find(object); if (ko != NULL) { ko->flags |= K_OBJ_FLAG_PUBLIC; } } int z_object_validate(struct _k_object *ko, enum k_objects otype, enum _obj_init_check init) { if (unlikely((ko == NULL) || (otype != K_OBJ_ANY && ko->type != otype))) { return -EBADF; } /* Manipulation of any kernel objects by a user thread requires that * thread be granted access first, even for uninitialized objects */ if (unlikely(thread_perms_test(ko) == 0)) { return -EPERM; } /* Initialization state checks. _OBJ_INIT_ANY, we don't care */ if (likely(init == _OBJ_INIT_TRUE)) { /* Object MUST be intialized */ if (unlikely((ko->flags & K_OBJ_FLAG_INITIALIZED) == 0U)) { return -EINVAL; } } else if (init < _OBJ_INIT_TRUE) { /* _OBJ_INIT_FALSE case */ /* Object MUST NOT be initialized */ if (unlikely((ko->flags & K_OBJ_FLAG_INITIALIZED) != 0U)) { return -EADDRINUSE; } } else { /* _OBJ_INIT_ANY */ } return 0; } void z_object_init(void *obj) { struct _k_object *ko; /* By the time we get here, if the caller was from userspace, all the * necessary checks have been done in z_object_validate(), which takes * place before the object is initialized. * * This function runs after the object has been initialized and * finalizes it */ ko = z_object_find(obj); if (ko == NULL) { /* Supervisor threads can ignore rules about kernel objects * and may declare them on stacks, etc. Such objects will never * be usable from userspace, but we shouldn't explode. */ return; } /* Allows non-initialization system calls to be made on this object */ ko->flags |= K_OBJ_FLAG_INITIALIZED; } void z_object_recycle(void *obj) { struct _k_object *ko = z_object_find(obj); if (ko != NULL) { (void)memset(ko->perms, 0, sizeof(ko->perms)); z_thread_perms_set(ko, k_current_get()); ko->flags |= K_OBJ_FLAG_INITIALIZED; } } void z_object_uninit(void *obj) { struct _k_object *ko; /* See comments in z_object_init() */ ko = z_object_find(obj); if (ko == NULL) { return; } ko->flags &= ~K_OBJ_FLAG_INITIALIZED; } /* * Copy to/from helper functions used in syscall handlers */ void *z_user_alloc_from_copy(const void *src, size_t size) { void *dst = NULL; /* Does the caller in user mode have access to read this memory? */ if (Z_SYSCALL_MEMORY_READ(src, size)) { goto out_err; } dst = z_thread_malloc(size); if (dst == NULL) { LOG_ERR("out of thread resource pool memory (%zu)", size); goto out_err; } (void)memcpy(dst, src, size); out_err: return dst; } static int user_copy(void *dst, const void *src, size_t size, bool to_user) { int ret = EFAULT; /* Does the caller in user mode have access to this memory? */ if (to_user ? Z_SYSCALL_MEMORY_WRITE(dst, size) : Z_SYSCALL_MEMORY_READ(src, size)) { goto out_err; } (void)memcpy(dst, src, size); ret = 0; out_err: return ret; } int z_user_from_copy(void *dst, const void *src, size_t size) { return user_copy(dst, src, size, false); } int z_user_to_copy(void *dst, const void *src, size_t size) { return user_copy(dst, src, size, true); } char *z_user_string_alloc_copy(const char *src, size_t maxlen) { size_t actual_len; int err; char *ret = NULL; actual_len = z_user_string_nlen(src, maxlen, &err); if (err != 0) { goto out; } if (actual_len == maxlen) { /* Not NULL terminated */ LOG_ERR("string too long %p (%zu)", src, actual_len); goto out; } if (size_add_overflow(actual_len, 1, &actual_len)) { LOG_ERR("overflow"); goto out; } ret = z_user_alloc_from_copy(src, actual_len); /* Someone may have modified the source string during the above * checks. Ensure what we actually copied is still terminated * properly. */ if (ret != NULL) { ret[actual_len - 1] = '\0'; } out: return ret; } int z_user_string_copy(char *dst, const char *src, size_t maxlen) { size_t actual_len; int ret, err; actual_len = z_user_string_nlen(src, maxlen, &err); if (err != 0) { ret = EFAULT; goto out; } if (actual_len == maxlen) { /* Not NULL terminated */ LOG_ERR("string too long %p (%zu)", src, actual_len); ret = EINVAL; goto out; } if (size_add_overflow(actual_len, 1, &actual_len)) { LOG_ERR("overflow"); ret = EINVAL; goto out; } ret = z_user_from_copy(dst, src, actual_len); /* See comment above in z_user_string_alloc_copy() */ dst[actual_len - 1] = '\0'; out: return ret; } /* * Application memory region initialization */ extern char __app_shmem_regions_start[]; extern char __app_shmem_regions_end[]; void z_app_shmem_bss_zero(void) { struct z_app_region *region, *end; end = (struct z_app_region *)&__app_shmem_regions_end; region = (struct z_app_region *)&__app_shmem_regions_start; for ( ; region < end; region++) { (void)memset(region->bss_start, 0, region->bss_size); } } /* * Default handlers if otherwise unimplemented */ static uintptr_t handler_bad_syscall(uintptr_t bad_id, uintptr_t arg2, uintptr_t arg3, uintptr_t arg4, uintptr_t arg5, uintptr_t arg6, void *ssf) { LOG_ERR("Bad system call id %" PRIuPTR " invoked", bad_id); arch_syscall_oops(_current->syscall_frame); CODE_UNREACHABLE; /* LCOV_EXCL_LINE */ } static uintptr_t handler_no_syscall(uintptr_t arg1, uintptr_t arg2, uintptr_t arg3, uintptr_t arg4, uintptr_t arg5, uintptr_t arg6, void *ssf) { LOG_ERR("Unimplemented system call"); arch_syscall_oops(_current->syscall_frame); CODE_UNREACHABLE; /* LCOV_EXCL_LINE */ } #include <syscall_dispatch.c> |