1 /* 2 * arch/arm/include/asm/uaccess.h 3 * 4 * This program is free software; you can redistribute it and/or modify 5 * it under the terms of the GNU General Public License version 2 as 6 * published by the Free Software Foundation. 7 */ 8 #ifndef _ASMARM_UACCESS_H 9 #define _ASMARM_UACCESS_H 10 11 /* 12 * User space memory access functions 13 */ 14 #include <linux/string.h> 15 #include <asm/memory.h> 16 #include <asm/domain.h> 17 #include <asm/unified.h> 18 #include <asm/compiler.h> 19 20 #include <asm/extable.h> 21 22 /* 23 * These two functions allow hooking accesses to userspace to increase 24 * system integrity by ensuring that the kernel can not inadvertantly 25 * perform such accesses (eg, via list poison values) which could then 26 * be exploited for priviledge escalation. 27 */ 28 static inline unsigned int uaccess_save_and_enable(void) 29 { 30 #ifdef CONFIG_CPU_SW_DOMAIN_PAN 31 unsigned int old_domain = get_domain(); 32 33 /* Set the current domain access to permit user accesses */ 34 set_domain((old_domain & ~domain_mask(DOMAIN_USER)) | 35 domain_val(DOMAIN_USER, DOMAIN_CLIENT)); 36 37 return old_domain; 38 #else 39 return 0; 40 #endif 41 } 42 43 static inline void uaccess_restore(unsigned int flags) 44 { 45 #ifdef CONFIG_CPU_SW_DOMAIN_PAN 46 /* Restore the user access mask */ 47 set_domain(flags); 48 #endif 49 } 50 51 /* 52 * These two are intentionally not defined anywhere - if the kernel 53 * code generates any references to them, that's a bug. 54 */ 55 extern int __get_user_bad(void); 56 extern int __put_user_bad(void); 57 58 /* 59 * Note that this is actually 0x1,0000,0000 60 */ 61 #define KERNEL_DS 0x00000000 62 63 #ifdef CONFIG_MMU 64 65 #define USER_DS TASK_SIZE 66 #define get_fs() (current_thread_info()->addr_limit) 67 68 static inline void set_fs(mm_segment_t fs) 69 { 70 current_thread_info()->addr_limit = fs; 71 72 /* 73 * Prevent a mispredicted conditional call to set_fs from forwarding 74 * the wrong address limit to access_ok under speculation. 75 */ 76 dsb(nsh); 77 isb(); 78 79 modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER); 80 } 81 82 #define segment_eq(a, b) ((a) == (b)) 83 84 /* We use 33-bit arithmetic here... */ 85 #define __range_ok(addr, size) ({ \ 86 unsigned long flag, roksum; \ 87 __chk_user_ptr(addr); \ 88 __asm__(".syntax unified\n" \ 89 "adds %1, %2, %3; sbcscc %1, %1, %0; movcc %0, #0" \ 90 : "=&r" (flag), "=&r" (roksum) \ 91 : "r" (addr), "Ir" (size), "0" (current_thread_info()->addr_limit) \ 92 : "cc"); \ 93 flag; }) 94 95 /* 96 * This is a type: either unsigned long, if the argument fits into 97 * that type, or otherwise unsigned long long. 98 */ 99 #define __inttype(x) \ 100 __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) 101 102 /* 103 * Sanitise a uaccess pointer such that it becomes NULL if addr+size 104 * is above the current addr_limit. 105 */ 106 #define uaccess_mask_range_ptr(ptr, size) \ 107 ((__typeof__(ptr))__uaccess_mask_range_ptr(ptr, size)) 108 static inline void __user *__uaccess_mask_range_ptr(const void __user *ptr, 109 size_t size) 110 { 111 void __user *safe_ptr = (void __user *)ptr; 112 unsigned long tmp; 113 114 asm volatile( 115 " sub %1, %3, #1\n" 116 " subs %1, %1, %0\n" 117 " addhs %1, %1, #1\n" 118 " subhss %1, %1, %2\n" 119 " movlo %0, #0\n" 120 : "+r" (safe_ptr), "=&r" (tmp) 121 : "r" (size), "r" (current_thread_info()->addr_limit) 122 : "cc"); 123 124 csdb(); 125 return safe_ptr; 126 } 127 128 /* 129 * Single-value transfer routines. They automatically use the right 130 * size if we just have the right pointer type. Note that the functions 131 * which read from user space (*get_*) need to take care not to leak 132 * kernel data even if the calling code is buggy and fails to check 133 * the return value. This means zeroing out the destination variable 134 * or buffer on error. Normally this is done out of line by the 135 * fixup code, but there are a few places where it intrudes on the 136 * main code path. When we only write to user space, there is no 137 * problem. 138 */ 139 extern int __get_user_1(void *); 140 extern int __get_user_2(void *); 141 extern int __get_user_4(void *); 142 extern int __get_user_32t_8(void *); 143 extern int __get_user_8(void *); 144 extern int __get_user_64t_1(void *); 145 extern int __get_user_64t_2(void *); 146 extern int __get_user_64t_4(void *); 147 148 #define __GUP_CLOBBER_1 "lr", "cc" 149 #ifdef CONFIG_CPU_USE_DOMAINS 150 #define __GUP_CLOBBER_2 "ip", "lr", "cc" 151 #else 152 #define __GUP_CLOBBER_2 "lr", "cc" 153 #endif 154 #define __GUP_CLOBBER_4 "lr", "cc" 155 #define __GUP_CLOBBER_32t_8 "lr", "cc" 156 #define __GUP_CLOBBER_8 "lr", "cc" 157 158 #define __get_user_x(__r2, __p, __e, __l, __s) \ 159 __asm__ __volatile__ ( \ 160 __asmeq("%0", "r0") __asmeq("%1", "r2") \ 161 __asmeq("%3", "r1") \ 162 "bl __get_user_" #__s \ 163 : "=&r" (__e), "=r" (__r2) \ 164 : "0" (__p), "r" (__l) \ 165 : __GUP_CLOBBER_##__s) 166 167 /* narrowing a double-word get into a single 32bit word register: */ 168 #ifdef __ARMEB__ 169 #define __get_user_x_32t(__r2, __p, __e, __l, __s) \ 170 __get_user_x(__r2, __p, __e, __l, 32t_8) 171 #else 172 #define __get_user_x_32t __get_user_x 173 #endif 174 175 /* 176 * storing result into proper least significant word of 64bit target var, 177 * different only for big endian case where 64 bit __r2 lsw is r3: 178 */ 179 #ifdef __ARMEB__ 180 #define __get_user_x_64t(__r2, __p, __e, __l, __s) \ 181 __asm__ __volatile__ ( \ 182 __asmeq("%0", "r0") __asmeq("%1", "r2") \ 183 __asmeq("%3", "r1") \ 184 "bl __get_user_64t_" #__s \ 185 : "=&r" (__e), "=r" (__r2) \ 186 : "0" (__p), "r" (__l) \ 187 : __GUP_CLOBBER_##__s) 188 #else 189 #define __get_user_x_64t __get_user_x 190 #endif 191 192 193 #define __get_user_check(x, p) \ 194 ({ \ 195 unsigned long __limit = current_thread_info()->addr_limit - 1; \ 196 register typeof(*(p)) __user *__p asm("r0") = (p); \ 197 register __inttype(x) __r2 asm("r2"); \ 198 register unsigned long __l asm("r1") = __limit; \ 199 register int __e asm("r0"); \ 200 unsigned int __ua_flags = uaccess_save_and_enable(); \ 201 switch (sizeof(*(__p))) { \ 202 case 1: \ 203 if (sizeof((x)) >= 8) \ 204 __get_user_x_64t(__r2, __p, __e, __l, 1); \ 205 else \ 206 __get_user_x(__r2, __p, __e, __l, 1); \ 207 break; \ 208 case 2: \ 209 if (sizeof((x)) >= 8) \ 210 __get_user_x_64t(__r2, __p, __e, __l, 2); \ 211 else \ 212 __get_user_x(__r2, __p, __e, __l, 2); \ 213 break; \ 214 case 4: \ 215 if (sizeof((x)) >= 8) \ 216 __get_user_x_64t(__r2, __p, __e, __l, 4); \ 217 else \ 218 __get_user_x(__r2, __p, __e, __l, 4); \ 219 break; \ 220 case 8: \ 221 if (sizeof((x)) < 8) \ 222 __get_user_x_32t(__r2, __p, __e, __l, 4); \ 223 else \ 224 __get_user_x(__r2, __p, __e, __l, 8); \ 225 break; \ 226 default: __e = __get_user_bad(); break; \ 227 } \ 228 uaccess_restore(__ua_flags); \ 229 x = (typeof(*(p))) __r2; \ 230 __e; \ 231 }) 232 233 #define get_user(x, p) \ 234 ({ \ 235 might_fault(); \ 236 __get_user_check(x, p); \ 237 }) 238 239 extern int __put_user_1(void *, unsigned int); 240 extern int __put_user_2(void *, unsigned int); 241 extern int __put_user_4(void *, unsigned int); 242 extern int __put_user_8(void *, unsigned long long); 243 244 #define __put_user_check(__pu_val, __ptr, __err, __s) \ 245 ({ \ 246 unsigned long __limit = current_thread_info()->addr_limit - 1; \ 247 register typeof(__pu_val) __r2 asm("r2") = __pu_val; \ 248 register const void __user *__p asm("r0") = __ptr; \ 249 register unsigned long __l asm("r1") = __limit; \ 250 register int __e asm("r0"); \ 251 __asm__ __volatile__ ( \ 252 __asmeq("%0", "r0") __asmeq("%2", "r2") \ 253 __asmeq("%3", "r1") \ 254 "bl __put_user_" #__s \ 255 : "=&r" (__e) \ 256 : "0" (__p), "r" (__r2), "r" (__l) \ 257 : "ip", "lr", "cc"); \ 258 __err = __e; \ 259 }) 260 261 #else /* CONFIG_MMU */ 262 263 /* 264 * uClinux has only one addr space, so has simplified address limits. 265 */ 266 #define USER_DS KERNEL_DS 267 268 #define segment_eq(a, b) (1) 269 #define __addr_ok(addr) ((void)(addr), 1) 270 #define __range_ok(addr, size) ((void)(addr), 0) 271 #define get_fs() (KERNEL_DS) 272 273 static inline void set_fs(mm_segment_t fs) 274 { 275 } 276 277 #define get_user(x, p) __get_user(x, p) 278 #define __put_user_check __put_user_nocheck 279 280 #endif /* CONFIG_MMU */ 281 282 #define access_ok(addr, size) (__range_ok(addr, size) == 0) 283 284 #define user_addr_max() \ 285 (uaccess_kernel() ? ~0UL : get_fs()) 286 287 #ifdef CONFIG_CPU_SPECTRE 288 /* 289 * When mitigating Spectre variant 1, it is not worth fixing the non- 290 * verifying accessors, because we need to add verification of the 291 * address space there. Force these to use the standard get_user() 292 * version instead. 293 */ 294 #define __get_user(x, ptr) get_user(x, ptr) 295 #else 296 297 /* 298 * The "__xxx" versions of the user access functions do not verify the 299 * address space - it must have been done previously with a separate 300 * "access_ok()" call. 301 * 302 * The "xxx_error" versions set the third argument to EFAULT if an 303 * error occurs, and leave it unchanged on success. Note that these 304 * versions are void (ie, don't return a value as such). 305 */ 306 #define __get_user(x, ptr) \ 307 ({ \ 308 long __gu_err = 0; \ 309 __get_user_err((x), (ptr), __gu_err); \ 310 __gu_err; \ 311 }) 312 313 #define __get_user_err(x, ptr, err) \ 314 do { \ 315 unsigned long __gu_addr = (unsigned long)(ptr); \ 316 unsigned long __gu_val; \ 317 unsigned int __ua_flags; \ 318 __chk_user_ptr(ptr); \ 319 might_fault(); \ 320 __ua_flags = uaccess_save_and_enable(); \ 321 switch (sizeof(*(ptr))) { \ 322 case 1: __get_user_asm_byte(__gu_val, __gu_addr, err); break; \ 323 case 2: __get_user_asm_half(__gu_val, __gu_addr, err); break; \ 324 case 4: __get_user_asm_word(__gu_val, __gu_addr, err); break; \ 325 default: (__gu_val) = __get_user_bad(); \ 326 } \ 327 uaccess_restore(__ua_flags); \ 328 (x) = (__typeof__(*(ptr)))__gu_val; \ 329 } while (0) 330 331 #define __get_user_asm(x, addr, err, instr) \ 332 __asm__ __volatile__( \ 333 "1: " TUSER(instr) " %1, [%2], #0\n" \ 334 "2:\n" \ 335 " .pushsection .text.fixup,\"ax\"\n" \ 336 " .align 2\n" \ 337 "3: mov %0, %3\n" \ 338 " mov %1, #0\n" \ 339 " b 2b\n" \ 340 " .popsection\n" \ 341 " .pushsection __ex_table,\"a\"\n" \ 342 " .align 3\n" \ 343 " .long 1b, 3b\n" \ 344 " .popsection" \ 345 : "+r" (err), "=&r" (x) \ 346 : "r" (addr), "i" (-EFAULT) \ 347 : "cc") 348 349 #define __get_user_asm_byte(x, addr, err) \ 350 __get_user_asm(x, addr, err, ldrb) 351 352 #if __LINUX_ARM_ARCH__ >= 6 353 354 #define __get_user_asm_half(x, addr, err) \ 355 __get_user_asm(x, addr, err, ldrh) 356 357 #else 358 359 #ifndef __ARMEB__ 360 #define __get_user_asm_half(x, __gu_addr, err) \ 361 ({ \ 362 unsigned long __b1, __b2; \ 363 __get_user_asm_byte(__b1, __gu_addr, err); \ 364 __get_user_asm_byte(__b2, __gu_addr + 1, err); \ 365 (x) = __b1 | (__b2 << 8); \ 366 }) 367 #else 368 #define __get_user_asm_half(x, __gu_addr, err) \ 369 ({ \ 370 unsigned long __b1, __b2; \ 371 __get_user_asm_byte(__b1, __gu_addr, err); \ 372 __get_user_asm_byte(__b2, __gu_addr + 1, err); \ 373 (x) = (__b1 << 8) | __b2; \ 374 }) 375 #endif 376 377 #endif /* __LINUX_ARM_ARCH__ >= 6 */ 378 379 #define __get_user_asm_word(x, addr, err) \ 380 __get_user_asm(x, addr, err, ldr) 381 #endif 382 383 384 #define __put_user_switch(x, ptr, __err, __fn) \ 385 do { \ 386 const __typeof__(*(ptr)) __user *__pu_ptr = (ptr); \ 387 __typeof__(*(ptr)) __pu_val = (x); \ 388 unsigned int __ua_flags; \ 389 might_fault(); \ 390 __ua_flags = uaccess_save_and_enable(); \ 391 switch (sizeof(*(ptr))) { \ 392 case 1: __fn(__pu_val, __pu_ptr, __err, 1); break; \ 393 case 2: __fn(__pu_val, __pu_ptr, __err, 2); break; \ 394 case 4: __fn(__pu_val, __pu_ptr, __err, 4); break; \ 395 case 8: __fn(__pu_val, __pu_ptr, __err, 8); break; \ 396 default: __err = __put_user_bad(); break; \ 397 } \ 398 uaccess_restore(__ua_flags); \ 399 } while (0) 400 401 #define put_user(x, ptr) \ 402 ({ \ 403 int __pu_err = 0; \ 404 __put_user_switch((x), (ptr), __pu_err, __put_user_check); \ 405 __pu_err; \ 406 }) 407 408 #ifdef CONFIG_CPU_SPECTRE 409 /* 410 * When mitigating Spectre variant 1.1, all accessors need to include 411 * verification of the address space. 412 */ 413 #define __put_user(x, ptr) put_user(x, ptr) 414 415 #else 416 #define __put_user(x, ptr) \ 417 ({ \ 418 long __pu_err = 0; \ 419 __put_user_switch((x), (ptr), __pu_err, __put_user_nocheck); \ 420 __pu_err; \ 421 }) 422 423 #define __put_user_nocheck(x, __pu_ptr, __err, __size) \ 424 do { \ 425 unsigned long __pu_addr = (unsigned long)__pu_ptr; \ 426 __put_user_nocheck_##__size(x, __pu_addr, __err); \ 427 } while (0) 428 429 #define __put_user_nocheck_1 __put_user_asm_byte 430 #define __put_user_nocheck_2 __put_user_asm_half 431 #define __put_user_nocheck_4 __put_user_asm_word 432 #define __put_user_nocheck_8 __put_user_asm_dword 433 434 #define __put_user_asm(x, __pu_addr, err, instr) \ 435 __asm__ __volatile__( \ 436 "1: " TUSER(instr) " %1, [%2], #0\n" \ 437 "2:\n" \ 438 " .pushsection .text.fixup,\"ax\"\n" \ 439 " .align 2\n" \ 440 "3: mov %0, %3\n" \ 441 " b 2b\n" \ 442 " .popsection\n" \ 443 " .pushsection __ex_table,\"a\"\n" \ 444 " .align 3\n" \ 445 " .long 1b, 3b\n" \ 446 " .popsection" \ 447 : "+r" (err) \ 448 : "r" (x), "r" (__pu_addr), "i" (-EFAULT) \ 449 : "cc") 450 451 #define __put_user_asm_byte(x, __pu_addr, err) \ 452 __put_user_asm(x, __pu_addr, err, strb) 453 454 #if __LINUX_ARM_ARCH__ >= 6 455 456 #define __put_user_asm_half(x, __pu_addr, err) \ 457 __put_user_asm(x, __pu_addr, err, strh) 458 459 #else 460 461 #ifndef __ARMEB__ 462 #define __put_user_asm_half(x, __pu_addr, err) \ 463 ({ \ 464 unsigned long __temp = (__force unsigned long)(x); \ 465 __put_user_asm_byte(__temp, __pu_addr, err); \ 466 __put_user_asm_byte(__temp >> 8, __pu_addr + 1, err); \ 467 }) 468 #else 469 #define __put_user_asm_half(x, __pu_addr, err) \ 470 ({ \ 471 unsigned long __temp = (__force unsigned long)(x); \ 472 __put_user_asm_byte(__temp >> 8, __pu_addr, err); \ 473 __put_user_asm_byte(__temp, __pu_addr + 1, err); \ 474 }) 475 #endif 476 477 #endif /* __LINUX_ARM_ARCH__ >= 6 */ 478 479 #define __put_user_asm_word(x, __pu_addr, err) \ 480 __put_user_asm(x, __pu_addr, err, str) 481 482 #ifndef __ARMEB__ 483 #define __reg_oper0 "%R2" 484 #define __reg_oper1 "%Q2" 485 #else 486 #define __reg_oper0 "%Q2" 487 #define __reg_oper1 "%R2" 488 #endif 489 490 #define __put_user_asm_dword(x, __pu_addr, err) \ 491 __asm__ __volatile__( \ 492 ARM( "1: " TUSER(str) " " __reg_oper1 ", [%1], #4\n" ) \ 493 ARM( "2: " TUSER(str) " " __reg_oper0 ", [%1]\n" ) \ 494 THUMB( "1: " TUSER(str) " " __reg_oper1 ", [%1]\n" ) \ 495 THUMB( "2: " TUSER(str) " " __reg_oper0 ", [%1, #4]\n" ) \ 496 "3:\n" \ 497 " .pushsection .text.fixup,\"ax\"\n" \ 498 " .align 2\n" \ 499 "4: mov %0, %3\n" \ 500 " b 3b\n" \ 501 " .popsection\n" \ 502 " .pushsection __ex_table,\"a\"\n" \ 503 " .align 3\n" \ 504 " .long 1b, 4b\n" \ 505 " .long 2b, 4b\n" \ 506 " .popsection" \ 507 : "+r" (err), "+r" (__pu_addr) \ 508 : "r" (x), "i" (-EFAULT) \ 509 : "cc") 510 511 #endif /* !CONFIG_CPU_SPECTRE */ 512 513 #ifdef CONFIG_MMU 514 extern unsigned long __must_check 515 arm_copy_from_user(void *to, const void __user *from, unsigned long n); 516 517 static inline unsigned long __must_check 518 raw_copy_from_user(void *to, const void __user *from, unsigned long n) 519 { 520 unsigned int __ua_flags; 521 522 __ua_flags = uaccess_save_and_enable(); 523 n = arm_copy_from_user(to, from, n); 524 uaccess_restore(__ua_flags); 525 return n; 526 } 527 528 extern unsigned long __must_check 529 arm_copy_to_user(void __user *to, const void *from, unsigned long n); 530 extern unsigned long __must_check 531 __copy_to_user_std(void __user *to, const void *from, unsigned long n); 532 533 static inline unsigned long __must_check 534 raw_copy_to_user(void __user *to, const void *from, unsigned long n) 535 { 536 #ifndef CONFIG_UACCESS_WITH_MEMCPY 537 unsigned int __ua_flags; 538 __ua_flags = uaccess_save_and_enable(); 539 n = arm_copy_to_user(to, from, n); 540 uaccess_restore(__ua_flags); 541 return n; 542 #else 543 return arm_copy_to_user(to, from, n); 544 #endif 545 } 546 547 extern unsigned long __must_check 548 arm_clear_user(void __user *addr, unsigned long n); 549 extern unsigned long __must_check 550 __clear_user_std(void __user *addr, unsigned long n); 551 552 static inline unsigned long __must_check 553 __clear_user(void __user *addr, unsigned long n) 554 { 555 unsigned int __ua_flags = uaccess_save_and_enable(); 556 n = arm_clear_user(addr, n); 557 uaccess_restore(__ua_flags); 558 return n; 559 } 560 561 #else 562 static inline unsigned long 563 raw_copy_from_user(void *to, const void __user *from, unsigned long n) 564 { 565 memcpy(to, (const void __force *)from, n); 566 return 0; 567 } 568 static inline unsigned long 569 raw_copy_to_user(void __user *to, const void *from, unsigned long n) 570 { 571 memcpy((void __force *)to, from, n); 572 return 0; 573 } 574 #define __clear_user(addr, n) (memset((void __force *)addr, 0, n), 0) 575 #endif 576 #define INLINE_COPY_TO_USER 577 #define INLINE_COPY_FROM_USER 578 579 static inline unsigned long __must_check clear_user(void __user *to, unsigned long n) 580 { 581 if (access_ok(to, n)) 582 n = __clear_user(to, n); 583 return n; 584 } 585 586 /* These are from lib/ code, and use __get_user() and friends */ 587 extern long strncpy_from_user(char *dest, const char __user *src, long count); 588 589 extern __must_check long strnlen_user(const char __user *str, long n); 590 591 #endif /* _ASMARM_UACCESS_H */ 592