1
// SPDX-License-Identifier: GPL-2.0
2
/*
3
 *  linux/drivers/char/mem.c
4
 *
5
 *  Copyright (C) 1991, 1992  Linus Torvalds
6
 *
7
 *  Added devfs support.
8
 *    Jan-11-1998, C. Scott Ananian <[email protected]>
9
 *  Shared /dev/zero mmapping support, Feb 2000, Kanoj Sarcar <[email protected]>
10
 */
11

12
#include <linux/mm.h>
13
#include <linux/miscdevice.h>
14
#include <linux/slab.h>
15
#include <linux/vmalloc.h>
16
#include <linux/mman.h>
17
#include <linux/random.h>
18
#include <linux/init.h>
19
#include <linux/tty.h>
20
#include <linux/capability.h>
21
#include <linux/ptrace.h>
22
#include <linux/device.h>
23
#include <linux/highmem.h>
24
#include <linux/backing-dev.h>
25
#include <linux/shmem_fs.h>
26
#include <linux/splice.h>
27
#include <linux/pfn.h>
28
#include <linux/export.h>
29
#include <linux/io.h>
30
#include <linux/uio.h>
31
#include <linux/uaccess.h>
32
#include <linux/security.h>
33

34
#define DEVMEM_MINOR	1
35
#define DEVPORT_MINOR	4
36

37
static inline unsigned long size_inside_page(unsigned long start,
38
					     unsigned long size)
39
{
40
	unsigned long sz;
41

42
	sz = PAGE_SIZE - (start & (PAGE_SIZE - 1));
43

44
	return min(sz, size);
45
}
46

47
#ifndef ARCH_HAS_VALID_PHYS_ADDR_RANGE
48
static inline int valid_phys_addr_range(phys_addr_t addr, size_t count)
49
{
50
	return addr + count <= __pa(high_memory);
51
}
52

53
static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t size)
54
{
55
	return 1;
56
}
57
#endif
58

59
#ifdef CONFIG_STRICT_DEVMEM
60
static inline int page_is_allowed(unsigned long pfn)
61
{
62
	return devmem_is_allowed(pfn);
63
}
64
#else
65
static inline int page_is_allowed(unsigned long pfn)
66
{
67
	return 1;
68
}
69
#endif
70

71
static inline bool should_stop_iteration(void)
72
{
73
	if (need_resched())
74
		cond_resched();
75
	return signal_pending(current);
76
}
77

78
/*
79
 * This funcion reads the *physical* memory. The f_pos points directly to the
80
 * memory location.
81
 */
82
static ssize_t read_mem(struct file *file, char __user *buf,
83
			size_t count, loff_t *ppos)
84
{
85
	phys_addr_t p = *ppos;
86
	ssize_t read, sz;
87
	void *ptr;
88
	char *bounce;
89
	int err;
90

91
	if (p != *ppos)
92
		return 0;
93

94
	if (!valid_phys_addr_range(p, count))
95
		return -EFAULT;
96
	read = 0;
97
#ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
98
	/* we don't have page 0 mapped on sparc and m68k.. */
99
	if (p < PAGE_SIZE) {
100
		sz = size_inside_page(p, count);
101
		if (sz > 0) {
102
			if (clear_user(buf, sz))
103
				return -EFAULT;
104
			buf += sz;
105
			p += sz;
106
			count -= sz;
107
			read += sz;
108
		}
109
	}
110
#endif
111

112
	bounce = kmalloc(PAGE_SIZE, GFP_KERNEL);
113
	if (!bounce)
114
		return -ENOMEM;
115

116
	while (count > 0) {
117
		unsigned long remaining;
118
		int allowed, probe;
119

120
		sz = size_inside_page(p, count);
121

122
		err = -EPERM;
123
		allowed = page_is_allowed(p >> PAGE_SHIFT);
124
		if (!allowed)
125
			goto failed;
126

127
		err = -EFAULT;
128
		if (allowed == 2) {
129
			/* Show zeros for restricted memory. */
130
			remaining = clear_user(buf, sz);
131
		} else {
132
			/*
133
			 * On ia64 if a page has been mapped somewhere as
134
			 * uncached, then it must also be accessed uncached
135
			 * by the kernel or data corruption may occur.
136
			 */
137
			ptr = xlate_dev_mem_ptr(p);
138
			if (!ptr)
139
				goto failed;
140

141
			probe = copy_from_kernel_nofault(bounce, ptr, sz);
142
			unxlate_dev_mem_ptr(p, ptr);
143
			if (probe)
144
				goto failed;
145

146
			remaining = copy_to_user(buf, bounce, sz);
147
		}
148

149
		if (remaining)
150
			goto failed;
151

152
		buf += sz;
153
		p += sz;
154
		count -= sz;
155
		read += sz;
156
		if (should_stop_iteration())
157
			break;
158
	}
159
	kfree(bounce);
160

161
	*ppos += read;
162
	return read;
163

164
failed:
165
	kfree(bounce);
166
	return err;
167
}
168

169
static ssize_t write_mem(struct file *file, const char __user *buf,
170
			 size_t count, loff_t *ppos)
171
{
172
	phys_addr_t p = *ppos;
173
	ssize_t written, sz;
174
	unsigned long copied;
175
	void *ptr;
176

177
	if (p != *ppos)
178
		return -EFBIG;
179

180
	if (!valid_phys_addr_range(p, count))
181
		return -EFAULT;
182

183
	written = 0;
184

185
#ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
186
	/* we don't have page 0 mapped on sparc and m68k.. */
187
	if (p < PAGE_SIZE) {
188
		sz = size_inside_page(p, count);
189
		/* Hmm. Do something? */
190
		buf += sz;
191
		p += sz;
192
		count -= sz;
193
		written += sz;
194
	}
195
#endif
196

197
	while (count > 0) {
198
		int allowed;
199

200
		sz = size_inside_page(p, count);
201

202
		allowed = page_is_allowed(p >> PAGE_SHIFT);
203
		if (!allowed)
204
			return -EPERM;
205

206
		/* Skip actual writing when a page is marked as restricted. */
207
		if (allowed == 1) {
208
			/*
209
			 * On ia64 if a page has been mapped somewhere as
210
			 * uncached, then it must also be accessed uncached
211
			 * by the kernel or data corruption may occur.
212
			 */
213
			ptr = xlate_dev_mem_ptr(p);
214
			if (!ptr) {
215
				if (written)
216
					break;
217
				return -EFAULT;
218
			}
219

220
			copied = copy_from_user(ptr, buf, sz);
221
			unxlate_dev_mem_ptr(p, ptr);
222
			if (copied) {
223
				written += sz - copied;
224
				if (written)
225
					break;
226
				return -EFAULT;
227
			}
228
		}
229

230
		buf += sz;
231
		p += sz;
232
		count -= sz;
233
		written += sz;
234
		if (should_stop_iteration())
235
			break;
236
	}
237

238
	*ppos += written;
239
	return written;
240
}
241

242
int __weak phys_mem_access_prot_allowed(struct file *file,
243
	unsigned long pfn, unsigned long size, pgprot_t *vma_prot)
244
{
245
	return 1;
246
}
247

248
#ifndef __HAVE_PHYS_MEM_ACCESS_PROT
249

250
/*
251
 * Architectures vary in how they handle caching for addresses
252
 * outside of main memory.
253
 *
254
 */
255
#ifdef pgprot_noncached
256
static int uncached_access(struct file *file, phys_addr_t addr)
257
{
258
	/*
259
	 * Accessing memory above the top the kernel knows about or through a
260
	 * file pointer
261
	 * that was marked O_DSYNC will be done non-cached.
262
	 */
263
	if (file->f_flags & O_DSYNC)
264
		return 1;
265
	return addr >= __pa(high_memory);
266
}
267
#endif
268

269
static pgprot_t phys_mem_access_prot(struct file *file, unsigned long pfn,
270
				     unsigned long size, pgprot_t vma_prot)
271
{
272
#ifdef pgprot_noncached
273
	phys_addr_t offset = pfn << PAGE_SHIFT;
274

275
	if (uncached_access(file, offset))
276
		return pgprot_noncached(vma_prot);
277
#endif
278
	return vma_prot;
279
}
280
#endif
281

282
#ifndef CONFIG_MMU
283
static unsigned long get_unmapped_area_mem(struct file *file,
284
					   unsigned long addr,
285
					   unsigned long len,
286
					   unsigned long pgoff,
287
					   unsigned long flags)
288
{
289
	if (!valid_mmap_phys_addr_range(pgoff, len))
290
		return (unsigned long) -EINVAL;
291
	return pgoff << PAGE_SHIFT;
292
}
293

294
/* permit direct mmap, for read, write or exec */
295
static unsigned memory_mmap_capabilities(struct file *file)
296
{
297
	return NOMMU_MAP_DIRECT |
298
		NOMMU_MAP_READ | NOMMU_MAP_WRITE | NOMMU_MAP_EXEC;
299
}
300

301
static unsigned zero_mmap_capabilities(struct file *file)
302
{
303
	return NOMMU_MAP_COPY;
304
}
305

306
/* can't do an in-place private mapping if there's no MMU */
307
static inline int private_mapping_ok(struct vm_area_struct *vma)
308
{
309
	return is_nommu_shared_mapping(vma->vm_flags);
310
}
311
#else
312

313
static inline int private_mapping_ok(struct vm_area_struct *vma)
314
{
315
	return 1;
316
}
317
#endif
318

319
static const struct vm_operations_struct mmap_mem_ops = {
320
#ifdef CONFIG_HAVE_IOREMAP_PROT
321
	.access = generic_access_phys
322
#endif
323
};
324

325
static int mmap_mem(struct file *file, struct vm_area_struct *vma)
326
{
327
	size_t size = vma->vm_end - vma->vm_start;
328
	phys_addr_t offset = (phys_addr_t)vma->vm_pgoff << PAGE_SHIFT;
329

330
	/* Does it even fit in phys_addr_t? */
331
	if (offset >> PAGE_SHIFT != vma->vm_pgoff)
332
		return -EINVAL;
333

334
	/* It's illegal to wrap around the end of the physical address space. */
335
	if (offset + (phys_addr_t)size - 1 < offset)
336
		return -EINVAL;
337

338
	if (!valid_mmap_phys_addr_range(vma->vm_pgoff, size))
339
		return -EINVAL;
340

341
	if (!private_mapping_ok(vma))
342
		return -ENOSYS;
343

344
	if (!range_is_allowed(vma->vm_pgoff, size))
345
		return -EPERM;
346

347
	if (!phys_mem_access_prot_allowed(file, vma->vm_pgoff, size,
348
						&vma->vm_page_prot))
349
		return -EINVAL;
350

351
	vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
352
						 size,
353
						 vma->vm_page_prot);
354

355
	vma->vm_ops = &mmap_mem_ops;
356

357
	/* Remap-pfn-range will mark the range VM_IO */
358
	if (remap_pfn_range(vma,
359
			    vma->vm_start,
360
			    vma->vm_pgoff,
361
			    size,
362
			    vma->vm_page_prot)) {
363
		return -EAGAIN;
364
	}
365
	return 0;
366
}
367

368
#ifdef CONFIG_DEVPORT
369
static ssize_t read_port(struct file *file, char __user *buf,
370
			 size_t count, loff_t *ppos)
371
{
372
	unsigned long i = *ppos;
373
	char __user *tmp = buf;
374

375
	if (!access_ok(buf, count))
376
		return -EFAULT;
377
	while (count-- > 0 && i < 65536) {
378
		if (__put_user(inb(i), tmp) < 0)
379
			return -EFAULT;
380
		i++;
381
		tmp++;
382
	}
383
	*ppos = i;
384
	return tmp-buf;
385
}
386

387
static ssize_t write_port(struct file *file, const char __user *buf,
388
			  size_t count, loff_t *ppos)
389
{
390
	unsigned long i = *ppos;
391
	const char __user *tmp = buf;
392

393
	if (!access_ok(buf, count))
394
		return -EFAULT;
395
	while (count-- > 0 && i < 65536) {
396
		char c;
397

398
		if (__get_user(c, tmp)) {
399
			if (tmp > buf)
400
				break;
401
			return -EFAULT;
402
		}
403
		outb(c, i);
404
		i++;
405
		tmp++;
406
	}
407
	*ppos = i;
408
	return tmp-buf;
409
}
410
#endif
411

412
static ssize_t read_null(struct file *file, char __user *buf,
413
			 size_t count, loff_t *ppos)
414
{
415
	return 0;
416
}
417

418
static ssize_t write_null(struct file *file, const char __user *buf,
419
			  size_t count, loff_t *ppos)
420
{
421
	return count;
422
}
423

424
static ssize_t read_iter_null(struct kiocb *iocb, struct iov_iter *to)
425
{
426
	return 0;
427
}
428

429
static ssize_t write_iter_null(struct kiocb *iocb, struct iov_iter *from)
430
{
431
	size_t count = iov_iter_count(from);
432
	iov_iter_advance(from, count);
433
	return count;
434
}
435

436
static int pipe_to_null(struct pipe_inode_info *info, struct pipe_buffer *buf,
437
			struct splice_desc *sd)
438
{
439
	return sd->len;
440
}
441

442
static ssize_t splice_write_null(struct pipe_inode_info *pipe, struct file *out,
443
				 loff_t *ppos, size_t len, unsigned int flags)
444
{
445
	return splice_from_pipe(pipe, out, ppos, len, flags, pipe_to_null);
446
}
447

448
static int uring_cmd_null(struct io_uring_cmd *ioucmd, unsigned int issue_flags)
449
{
450
	return 0;
451
}
452

453
static ssize_t read_iter_zero(struct kiocb *iocb, struct iov_iter *iter)
454
{
455
	size_t written = 0;
456

457
	while (iov_iter_count(iter)) {
458
		size_t chunk = iov_iter_count(iter), n;
459

460
		if (chunk > PAGE_SIZE)
461
			chunk = PAGE_SIZE;	/* Just for latency reasons */
462
		n = iov_iter_zero(chunk, iter);
463
		if (!n && iov_iter_count(iter))
464
			return written ? written : -EFAULT;
465
		written += n;
466
		if (signal_pending(current))
467
			return written ? written : -ERESTARTSYS;
468
		if (!need_resched())
469
			continue;
470
		if (iocb->ki_flags & IOCB_NOWAIT)
471
			return written ? written : -EAGAIN;
472
		cond_resched();
473
	}
474
	return written;
475
}
476

477
static ssize_t read_zero(struct file *file, char __user *buf,
478
			 size_t count, loff_t *ppos)
479
{
480
	size_t cleared = 0;
481

482
	while (count) {
483
		size_t chunk = min_t(size_t, count, PAGE_SIZE);
484
		size_t left;
485

486
		left = clear_user(buf + cleared, chunk);
487
		if (unlikely(left)) {
488
			cleared += (chunk - left);
489
			if (!cleared)
490
				return -EFAULT;
491
			break;
492
		}
493
		cleared += chunk;
494
		count -= chunk;
495

496
		if (signal_pending(current))
497
			break;
498
		cond_resched();
499
	}
500

501
	return cleared;
502
}
503

504
static int mmap_zero(struct file *file, struct vm_area_struct *vma)
505
{
506
#ifndef CONFIG_MMU
507
	return -ENOSYS;
508
#endif
509
	if (vma->vm_flags & VM_SHARED)
510
		return shmem_zero_setup(vma);
511
	vma_set_anonymous(vma);
512
	return 0;
513
}
514

515
static unsigned long get_unmapped_area_zero(struct file *file,
516
				unsigned long addr, unsigned long len,
517
				unsigned long pgoff, unsigned long flags)
518
{
519
#ifdef CONFIG_MMU
520
	if (flags & MAP_SHARED) {
521
		/*
522
		 * mmap_zero() will call shmem_zero_setup() to create a file,
523
		 * so use shmem's get_unmapped_area in case it can be huge;
524
		 * and pass NULL for file as in mmap.c's get_unmapped_area(),
525
		 * so as not to confuse shmem with our handle on "/dev/zero".
526
		 */
527
		return shmem_get_unmapped_area(NULL, addr, len, pgoff, flags);
528
	}
529

530
	/* Otherwise flags & MAP_PRIVATE: with no shmem object beneath it */
531
	return mm_get_unmapped_area(current->mm, file, addr, len, pgoff, flags);
532
#else
533
	return -ENOSYS;
534
#endif
535
}
536

537
static ssize_t write_full(struct file *file, const char __user *buf,
538
			  size_t count, loff_t *ppos)
539
{
540
	return -ENOSPC;
541
}
542

543
/*
544
 * Special lseek() function for /dev/null and /dev/zero.  Most notably, you
545
 * can fopen() both devices with "a" now.  This was previously impossible.
546
 * -- SRB.
547
 */
548
static loff_t null_lseek(struct file *file, loff_t offset, int orig)
549
{
550
	return file->f_pos = 0;
551
}
552

553
/*
554
 * The memory devices use the full 32/64 bits of the offset, and so we cannot
555
 * check against negative addresses: they are ok. The return value is weird,
556
 * though, in that case (0).
557
 *
558
 * also note that seeking relative to the "end of file" isn't supported:
559
 * it has no meaning, so it returns -EINVAL.
560
 */
561
static loff_t memory_lseek(struct file *file, loff_t offset, int orig)
562
{
563
	loff_t ret;
564

565
	inode_lock(file_inode(file));
566
	switch (orig) {
567
	case SEEK_CUR:
568
		offset += file->f_pos;
569
		fallthrough;
570
	case SEEK_SET:
571
		/* to avoid userland mistaking f_pos=-9 as -EBADF=-9 */
572
		if ((unsigned long long)offset >= -MAX_ERRNO) {
573
			ret = -EOVERFLOW;
574
			break;
575
		}
576
		file->f_pos = offset;
577
		ret = file->f_pos;
578
		force_successful_syscall_return();
579
		break;
580
	default:
581
		ret = -EINVAL;
582
	}
583
	inode_unlock(file_inode(file));
584
	return ret;
585
}
586

587
static int open_port(struct inode *inode, struct file *filp)
588
{
589
	int rc;
590

591
	if (!capable(CAP_SYS_RAWIO))
592
		return -EPERM;
593

594
	rc = security_locked_down(LOCKDOWN_DEV_MEM);
595
	if (rc)
596
		return rc;
597

598
	if (iminor(inode) != DEVMEM_MINOR)
599
		return 0;
600

601
	/*
602
	 * Use a unified address space to have a single point to manage
603
	 * revocations when drivers want to take over a /dev/mem mapped
604
	 * range.
605
	 */
606
	filp->f_mapping = iomem_get_mapping();
607

608
	return 0;
609
}
610

611
#define zero_lseek	null_lseek
612
#define full_lseek      null_lseek
613
#define write_zero	write_null
614
#define write_iter_zero	write_iter_null
615
#define splice_write_zero	splice_write_null
616
#define open_mem	open_port
617

618
static const struct file_operations __maybe_unused mem_fops = {
619
	.llseek		= memory_lseek,
620
	.read		= read_mem,
621
	.write		= write_mem,
622
	.mmap		= mmap_mem,
623
	.open		= open_mem,
624
#ifndef CONFIG_MMU
625
	.get_unmapped_area = get_unmapped_area_mem,
626
	.mmap_capabilities = memory_mmap_capabilities,
627
#endif
628
	.fop_flags	= FOP_UNSIGNED_OFFSET,
629
};
630

631
static const struct file_operations null_fops = {
632
	.llseek		= null_lseek,
633
	.read		= read_null,
634
	.write		= write_null,
635
	.read_iter	= read_iter_null,
636
	.write_iter	= write_iter_null,
637
	.splice_write	= splice_write_null,
638
	.uring_cmd	= uring_cmd_null,
639
};
640

641
#ifdef CONFIG_DEVPORT
642
static const struct file_operations port_fops = {
643
	.llseek		= memory_lseek,
644
	.read		= read_port,
645
	.write		= write_port,
646
	.open		= open_port,
647
};
648
#endif
649

650
static const struct file_operations zero_fops = {
651
	.llseek		= zero_lseek,
652
	.write		= write_zero,
653
	.read_iter	= read_iter_zero,
654
	.read		= read_zero,
655
	.write_iter	= write_iter_zero,
656
	.splice_read	= copy_splice_read,
657
	.splice_write	= splice_write_zero,
658
	.mmap		= mmap_zero,
659
	.get_unmapped_area = get_unmapped_area_zero,
660
#ifndef CONFIG_MMU
661
	.mmap_capabilities = zero_mmap_capabilities,
662
#endif
663
};
664

665
static const struct file_operations full_fops = {
666
	.llseek		= full_lseek,
667
	.read_iter	= read_iter_zero,
668
	.write		= write_full,
669
	.splice_read	= copy_splice_read,
670
};
671

672
static const struct memdev {
673
	const char *name;
674
	const struct file_operations *fops;
675
	fmode_t fmode;
676
	umode_t mode;
677
} devlist[] = {
678
#ifdef CONFIG_DEVMEM
679
	[DEVMEM_MINOR] = { "mem", &mem_fops, 0, 0 },
680
#endif
681
	[3] = { "null", &null_fops, FMODE_NOWAIT, 0666 },
682
#ifdef CONFIG_DEVPORT
683
	[4] = { "port", &port_fops, 0, 0 },
684
#endif
685
	[5] = { "zero", &zero_fops, FMODE_NOWAIT, 0666 },
686
	[7] = { "full", &full_fops, 0, 0666 },
687
	[8] = { "random", &random_fops, FMODE_NOWAIT, 0666 },
688
	[9] = { "urandom", &urandom_fops, FMODE_NOWAIT, 0666 },
689
#ifdef CONFIG_PRINTK
690
	[11] = { "kmsg", &kmsg_fops, 0, 0644 },
691
#endif
692
};
693

694
static int memory_open(struct inode *inode, struct file *filp)
695
{
696
	int minor;
697
	const struct memdev *dev;
698

699
	minor = iminor(inode);
700
	if (minor >= ARRAY_SIZE(devlist))
701
		return -ENXIO;
702

703
	dev = &devlist[minor];
704
	if (!dev->fops)
705
		return -ENXIO;
706

707
	filp->f_op = dev->fops;
708
	filp->f_mode |= dev->fmode;
709

710
	if (dev->fops->open)
711
		return dev->fops->open(inode, filp);
712

713
	return 0;
714
}
715

716
static const struct file_operations memory_fops = {
717
	.open = memory_open,
718
	.llseek = noop_llseek,
719
};
720

721
static char *mem_devnode(const struct device *dev, umode_t *mode)
722
{
723
	if (mode && devlist[MINOR(dev->devt)].mode)
724
		*mode = devlist[MINOR(dev->devt)].mode;
725
	return NULL;
726
}
727

728
static const struct class mem_class = {
729
	.name		= "mem",
730
	.devnode	= mem_devnode,
731
};
732

733
static int __init chr_dev_init(void)
734
{
735
	int retval;
736
	int minor;
737

738
	if (register_chrdev(MEM_MAJOR, "mem", &memory_fops))
739
		printk("unable to get major %d for memory devs\n", MEM_MAJOR);
740

741
	retval = class_register(&mem_class);
742
	if (retval)
743
		return retval;
744

745
	for (minor = 1; minor < ARRAY_SIZE(devlist); minor++) {
746
		if (!devlist[minor].name)
747
			continue;
748

749
		/*
750
		 * Create /dev/port?
751
		 */
752
		if ((minor == DEVPORT_MINOR) && !arch_has_dev_port())
753
			continue;
754

755
		device_create(&mem_class, NULL, MKDEV(MEM_MAJOR, minor),
756
			      NULL, devlist[minor].name);
757
	}
758

759
	return tty_init();
760
}
761

762
fs_initcall(chr_dev_init);
763

764