copy_from_user explained in detail

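The purpose of copy_from_user is to copy data from user space into kernel space. On failure it returns the number of bytes that were not copied; on success it returns 0.
Simple as it looks, this function touches on a lot of kernel knowledge, such as how the kernel handles exceptions and errors. Copying data from user space into the kernel has to be done very carefully: if the user-space address is invalid, lies outside the user-space range, or has not been mapped yet, the effect on the kernel can be serious, such as an oops or an impact on system security. So copy_from_user does more than simply copy data from user space: it also has to check the pointer and deal with these problems. Let us go through the function carefully. It is defined in [arch/i386/lib/usercopy.c]: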
unsigned long
copy_from_user(void *to, const void __user *from, unsigned long n)
{
    might_sleep();
    if (access_ok(VERIFY_READ, from, n))
        n = __copy_from_user(to, from, n);
    else
        memset(to, 0, n);
    return n;
}

First, this function may sleep. It calls might_sleep(), which is defined in include/linux/kernel.h and in essence calls schedule() to switch to another process. Next, the user-space address has to be validated. access_ok is defined in [/include/asm-i386/uaccess.h]:

#define access_ok(type,addr,size) (likely(__range_ok(addr,size) == 0))

It in turn calls __range_ok, whose test is simple: it checks whether the address addr+size exceeds the limit of the user process address space, that is, 0xbfffffff. Some readers may ask: why only an address range check and no check that the pointer is valid? What if one of the problems mentioned earlier occurs? That is handled in the functions below, as we will see step by step. After the range check, if it succeeds, __copy_from_user is called to start copying the data; if it fails, the kernel-space range from the address that to points at up to to+size is filled with zeros. __copy_from_user is also defined in uaccess.h:

static inline unsigned long
__copy_from_user(void *to, const void __user *from, unsigned long n)
{
    might_sleep();
    return __copy_from_user_inatomic(to, from, n);
}

This goes on to call __copy_from_user_inatomic:

static inline unsigned long
__copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
{
    /* Fast path: n is a compile-time constant of 1, 2 or 4 bytes */
    if (__builtin_constant_p(n)) {
        unsigned long ret;
        switch (n) {
        case 1:
            __get_user_size(*(u8 *)to, from, 1, ret, 1);
            return ret;
        case 2:
            __get_user_size(*(u16 *)to, from, 2, ret, 2);
            return ret;
        case 4:
            __get_user_size(*(u32 *)to, from, 4, ret, 4);
            return ret;
        }
    }
    /* General case: any other size */
    return __copy_from_user_ll(to, from, n);
}

This first checks the size to copy: if it is 8, 16, or 32 bits (1, 2, or 4 bytes), __get_user_size is called to copy the data. This is a programming optimization.

#define __get_user_size(x,ptr,size,retval,errret)                       \
do {                                                                    \
    retval = 0;                                                         \
    __chk_user_ptr(ptr);                                                \
    switch (size) {                                                     \
    case 1: __get_user_asm(x,ptr,retval,"b","b","=q",errret);break;     \
    case 2: __get_user_asm(x,ptr,retval,"w","w","=r",errret);break;     \
    case 4: __get_user_asm(x,ptr,retval,"l","","=r",errret);break;      \
    default: (x) = __get_user_bad();                                    \
    }                                                                   \
} while (0)
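
The range check against 0xbfffffff and the zero-fill on failure described above, as a user-space model added here (not kernel code and not from the original post); it also covers the case where addr+size wraps around 32 bits, which a plain comparison would let through. model_range_ok, model_copy_from_user, SIM_BASE and sim_user are hypothetical names, and treating bytes past the simulated mapping as a fault that zero-fills the rest is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model, not kernel code. Addresses are 32-bit to mirror i386. */
#define USER_TOP 0xbfffffffu   /* highest user address, as stated in the text */
#define SIM_BASE 0x08048000u   /* constructed: where the fake user page lives */
static const unsigned char sim_user[16] = "user-data-bytes"; /* constructed */

/* Hypothetical helper: 0 if [addr, addr+size) lies inside user space. */
static int model_range_ok(uint32_t addr, uint32_t size)
{
    uint32_t end = addr + size;   /* may wrap past 2^32 */
    if (end < addr)               /* wrapped: reject before comparing */
        return 1;
    return end > USER_TOP + 1u;   /* last byte must be <= USER_TOP */
}

/* Hypothetical model of the wrapper: returns the bytes NOT copied. */
static unsigned long model_copy_from_user(void *to, uint32_t from, uint32_t n)
{
    uint32_t avail = 0, done;

    if (model_range_ok(from, n) != 0) {
        memset(to, 0, n);         /* range check failed: zero the destination */
        return n;
    }
    /* Stand-in for __copy_from_user: only sim_user is "mapped" (assumption);
       bytes beyond it count as a fault and the remainder is zero-filled. */
    if (from >= SIM_BASE && from - SIM_BASE < sizeof sim_user)
        avail = (uint32_t)sizeof sim_user - (from - SIM_BASE);
    done = n < avail ? n : avail;
    if (done)
        memcpy(to, sim_user + (from - SIM_BASE), done);
    memset((unsigned char *)to + done, 0, n - done);
    return n - done;
}

int main(void)
{
    unsigned char buf[32];

    printf("wrap rejected: %d\n", model_range_ok(0xfffffff0u, 0x20u));
    printf("ends at limit: %d\n", model_range_ok(0xbffffff0u, 0x10u));
    printf("not copied:    %lu\n", model_copy_from_user(buf, SIM_BASE + 12, 8));
    return 0;
}
```
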