Hi Richard, I think this commit is the cause of CID 1446711.
There is no concistancy between the various declarations of unlock_user(): bsd-user/qemu.h static inline void unlock_user(void *host_ptr, abi_ulong guest_addr, long len) include/exec/softmmu-semi.h static void softmmu_unlock_user(CPUArchState *env, void *p, target_ulong addr, target_ulong len) ... #define unlock_user(s, args, len) softmmu_unlock_user(env, s, args, len) linux-user/qemu.h #ifndef DEBUG_REMAP static inline void unlock_user(void *host_ptr, abi_ulong guest_addr, size_t len) { } #else void unlock_user(void *host_ptr, abi_ulong guest_addr, long len); #endif To take a signed long here allows to unconditionnaly call the unlock_user() function after the syscall and not to copy the buffer if the value is negative. Thanks, Laurent Le 16/02/2021 à 17:16, Peter Maydell a écrit : > From: Richard Henderson <richard.hender...@linaro.org> > > For copy_*_user, only 0 and -TARGET_EFAULT are returned; no need > to involve abi_long. Use size_t for lengths. Use bool for the > lock_user copy argument. Use ssize_t for target_strlen, because > we can't overflow the host memory space. > > Reviewed-by: Peter Maydell <peter.mayd...@linaro.org> > Signed-off-by: Richard Henderson <richard.hender...@linaro.org> > Reviewed-by: Philippe Mathieu-Daudé <f4...@amsat.org> > Message-id: 20210212184902.1251044-19-richard.hender...@linaro.org > [PMM: moved fix for ifdef error to previous commit] > Signed-off-by: Peter Maydell <peter.mayd...@linaro.org> > --- > linux-user/qemu.h | 12 +++++------- > linux-user/uaccess.c | 45 ++++++++++++++++++++++---------------------- > 2 files changed, 28 insertions(+), 29 deletions(-) > > diff --git a/linux-user/qemu.h b/linux-user/qemu.h > index 971af97a2fb..d25a5dafc0f 100644 > --- a/linux-user/qemu.h > +++ b/linux-user/qemu.h > @@ -7,8 +7,6 @@ > #include "exec/cpu_ldst.h" > > #undef DEBUG_REMAP > -#ifdef DEBUG_REMAP > -#endif /* DEBUG_REMAP */ > > #include "exec/user/abitypes.h" > > @@ -629,8 +627,8 @@ static inline bool access_ok(CPUState *cpu, int type, > * buffers between the target and host. These internally perform > * locking/unlocking of the memory. > */ > -abi_long copy_from_user(void *hptr, abi_ulong gaddr, size_t len); > -abi_long copy_to_user(abi_ulong gaddr, void *hptr, size_t len); > +int copy_from_user(void *hptr, abi_ulong gaddr, size_t len); > +int copy_to_user(abi_ulong gaddr, void *hptr, size_t len); > > /* Functions for accessing guest memory. The tget and tput functions > read/write single values, byteswapping as necessary. The lock_user > function > @@ -640,13 +638,13 @@ abi_long copy_to_user(abi_ulong gaddr, void *hptr, > size_t len); > > /* Lock an area of guest memory into the host. If copy is true then the > host area will have the same contents as the guest. */ > -void *lock_user(int type, abi_ulong guest_addr, long len, int copy); > +void *lock_user(int type, abi_ulong guest_addr, size_t len, bool copy); > > /* Unlock an area of guest memory. The first LEN bytes must be > flushed back to guest memory. host_ptr = NULL is explicitly > allowed and does nothing. */ > #ifndef DEBUG_REMAP > -static inline void unlock_user(void *host_ptr, abi_ulong guest_addr, long > len) > +static inline void unlock_user(void *host_ptr, abi_ulong guest_addr, size_t > len) > { } > #else > void unlock_user(void *host_ptr, abi_ulong guest_addr, long len); > @@ -654,7 +652,7 @@ void unlock_user(void *host_ptr, abi_ulong guest_addr, > long len); > > /* Return the length of a string in target memory or -TARGET_EFAULT if > access error. */ > -abi_long target_strlen(abi_ulong gaddr); > +ssize_t target_strlen(abi_ulong gaddr); > > /* Like lock_user but for null terminated strings. */ > void *lock_user_string(abi_ulong guest_addr); > diff --git a/linux-user/uaccess.c b/linux-user/uaccess.c > index bba012ed159..76af6a92b11 100644 > --- a/linux-user/uaccess.c > +++ b/linux-user/uaccess.c > @@ -4,7 +4,7 @@ > > #include "qemu.h" > > -void *lock_user(int type, abi_ulong guest_addr, long len, int copy) > +void *lock_user(int type, abi_ulong guest_addr, size_t len, bool copy) > { > if (!access_ok_untagged(type, guest_addr, len)) { > return NULL; > @@ -26,7 +26,7 @@ void *lock_user(int type, abi_ulong guest_addr, long len, > int copy) > } > > #ifdef DEBUG_REMAP > -void unlock_user(void *host_ptr, abi_ulong guest_addr, long len); > +void unlock_user(void *host_ptr, abi_ulong guest_addr, size_t len); > { > if (!host_ptr) { > return; > @@ -34,7 +34,7 @@ void unlock_user(void *host_ptr, abi_ulong guest_addr, long > len); > if (host_ptr == g2h_untagged(guest_addr)) { > return; > } > - if (len > 0) { > + if (len != 0) { > memcpy(g2h_untagged(guest_addr), host_ptr, len); > } > g_free(host_ptr); > @@ -43,53 +43,53 @@ void unlock_user(void *host_ptr, abi_ulong guest_addr, > long len); > > void *lock_user_string(abi_ulong guest_addr) > { > - abi_long len = target_strlen(guest_addr); > + ssize_t len = target_strlen(guest_addr); > if (len < 0) { > return NULL; > } > - return lock_user(VERIFY_READ, guest_addr, (long)(len + 1), 1); > + return lock_user(VERIFY_READ, guest_addr, (size_t)len + 1, 1); > } > > /* copy_from_user() and copy_to_user() are usually used to copy data > * buffers between the target and host. These internally perform > * locking/unlocking of the memory. > */ > -abi_long copy_from_user(void *hptr, abi_ulong gaddr, size_t len) > +int copy_from_user(void *hptr, abi_ulong gaddr, size_t len) > { > - abi_long ret = 0; > - void *ghptr; > + int ret = 0; > + void *ghptr = lock_user(VERIFY_READ, gaddr, len, 1); > > - if ((ghptr = lock_user(VERIFY_READ, gaddr, len, 1))) { > + if (ghptr) { > memcpy(hptr, ghptr, len); > unlock_user(ghptr, gaddr, 0); > - } else > + } else { > ret = -TARGET_EFAULT; > - > + } > return ret; > } > > - > -abi_long copy_to_user(abi_ulong gaddr, void *hptr, size_t len) > +int copy_to_user(abi_ulong gaddr, void *hptr, size_t len) > { > - abi_long ret = 0; > - void *ghptr; > + int ret = 0; > + void *ghptr = lock_user(VERIFY_WRITE, gaddr, len, 0); > > - if ((ghptr = lock_user(VERIFY_WRITE, gaddr, len, 0))) { > + if (ghptr) { > memcpy(ghptr, hptr, len); > unlock_user(ghptr, gaddr, len); > - } else > + } else { > ret = -TARGET_EFAULT; > + } > > return ret; > } > > /* Return the length of a string in target memory or -TARGET_EFAULT if > access error */ > -abi_long target_strlen(abi_ulong guest_addr1) > +ssize_t target_strlen(abi_ulong guest_addr1) > { > uint8_t *ptr; > abi_ulong guest_addr; > - int max_len, len; > + size_t max_len, len; > > guest_addr = guest_addr1; > for(;;) { > @@ -101,11 +101,12 @@ abi_long target_strlen(abi_ulong guest_addr1) > unlock_user(ptr, guest_addr, 0); > guest_addr += len; > /* we don't allow wrapping or integer overflow */ > - if (guest_addr == 0 || > - (guest_addr - guest_addr1) > 0x7fffffff) > + if (guest_addr == 0 || (guest_addr - guest_addr1) > 0x7fffffff) { > return -TARGET_EFAULT; > - if (len != max_len) > + } > + if (len != max_len) { > break; > + } > } > return guest_addr - guest_addr1; > } >