xref: /openbmc/linux/arch/arm64/include/asm/uaccess.h (revision 22f01029)
1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /*
3  * Based on arch/arm/include/asm/uaccess.h
4  *
5  * Copyright (C) 2012 ARM Ltd.
6  */
7 #ifndef __ASM_UACCESS_H
8 #define __ASM_UACCESS_H
9 
10 #include <asm/alternative.h>
11 #include <asm/kernel-pgtable.h>
12 #include <asm/sysreg.h>
13 
14 /*
15  * User space memory access functions
16  */
17 #include <linux/bitops.h>
18 #include <linux/kasan-checks.h>
19 #include <linux/string.h>
20 
21 #include <asm/asm-extable.h>
22 #include <asm/cpufeature.h>
23 #include <asm/mmu.h>
24 #include <asm/mte.h>
25 #include <asm/ptrace.h>
26 #include <asm/memory.h>
27 #include <asm/extable.h>
28 
29 #define HAVE_GET_KERNEL_NOFAULT
30 
31 /*
32  * Test whether a block of memory is a valid user space address.
33  * Returns 1 if the range is valid, 0 otherwise.
34  *
35  * This is equivalent to the following test:
36  * (u65)addr + (u65)size <= (u65)TASK_SIZE_MAX
37  */
38 static inline unsigned long __range_ok(const void __user *addr, unsigned long size)
39 {
40 	unsigned long ret, limit = TASK_SIZE_MAX - 1;
41 
42 	/*
43 	 * Asynchronous I/O running in a kernel thread does not have the
44 	 * TIF_TAGGED_ADDR flag of the process owning the mm, so always untag
45 	 * the user address before checking.
46 	 */
47 	if (IS_ENABLED(CONFIG_ARM64_TAGGED_ADDR_ABI) &&
48 	    (current->flags & PF_KTHREAD || test_thread_flag(TIF_TAGGED_ADDR)))
49 		addr = untagged_addr(addr);
50 
51 	__chk_user_ptr(addr);
52 	asm volatile(
53 	// A + B <= C + 1 for all A,B,C, in four easy steps:
54 	// 1: X = A + B; X' = X % 2^64
55 	"	adds	%0, %3, %2\n"
56 	// 2: Set C = 0 if X > 2^64, to guarantee X' > C in step 4
57 	"	csel	%1, xzr, %1, hi\n"
58 	// 3: Set X' = ~0 if X >= 2^64. For X == 2^64, this decrements X'
59 	//    to compensate for the carry flag being set in step 4. For
60 	//    X > 2^64, X' merely has to remain nonzero, which it does.
61 	"	csinv	%0, %0, xzr, cc\n"
62 	// 4: For X < 2^64, this gives us X' - C - 1 <= 0, where the -1
63 	//    comes from the carry in being clear. Otherwise, we are
64 	//    testing X' - C == 0, subject to the previous adjustments.
65 	"	sbcs	xzr, %0, %1\n"
66 	"	cset	%0, ls\n"
67 	: "=&r" (ret), "+r" (limit) : "Ir" (size), "0" (addr) : "cc");
68 
69 	return ret;
70 }
71 
72 #define access_ok(addr, size)	__range_ok(addr, size)
73 
74 /*
75  * User access enabling/disabling.
76  */
77 #ifdef CONFIG_ARM64_SW_TTBR0_PAN
78 static inline void __uaccess_ttbr0_disable(void)
79 {
80 	unsigned long flags, ttbr;
81 
82 	local_irq_save(flags);
83 	ttbr = read_sysreg(ttbr1_el1);
84 	ttbr &= ~TTBR_ASID_MASK;
85 	/* reserved_pg_dir placed before swapper_pg_dir */
86 	write_sysreg(ttbr - RESERVED_SWAPPER_OFFSET, ttbr0_el1);
87 	isb();
88 	/* Set reserved ASID */
89 	write_sysreg(ttbr, ttbr1_el1);
90 	isb();
91 	local_irq_restore(flags);
92 }
93 
94 static inline void __uaccess_ttbr0_enable(void)
95 {
96 	unsigned long flags, ttbr0, ttbr1;
97 
98 	/*
99 	 * Disable interrupts to avoid preemption between reading the 'ttbr0'
100 	 * variable and the MSR. A context switch could trigger an ASID
101 	 * roll-over and an update of 'ttbr0'.
102 	 */
103 	local_irq_save(flags);
104 	ttbr0 = READ_ONCE(current_thread_info()->ttbr0);
105 
106 	/* Restore active ASID */
107 	ttbr1 = read_sysreg(ttbr1_el1);
108 	ttbr1 &= ~TTBR_ASID_MASK;		/* safety measure */
109 	ttbr1 |= ttbr0 & TTBR_ASID_MASK;
110 	write_sysreg(ttbr1, ttbr1_el1);
111 	isb();
112 
113 	/* Restore user page table */
114 	write_sysreg(ttbr0, ttbr0_el1);
115 	isb();
116 	local_irq_restore(flags);
117 }
118 
119 static inline bool uaccess_ttbr0_disable(void)
120 {
121 	if (!system_uses_ttbr0_pan())
122 		return false;
123 	__uaccess_ttbr0_disable();
124 	return true;
125 }
126 
127 static inline bool uaccess_ttbr0_enable(void)
128 {
129 	if (!system_uses_ttbr0_pan())
130 		return false;
131 	__uaccess_ttbr0_enable();
132 	return true;
133 }
134 #else
135 static inline bool uaccess_ttbr0_disable(void)
136 {
137 	return false;
138 }
139 
140 static inline bool uaccess_ttbr0_enable(void)
141 {
142 	return false;
143 }
144 #endif
145 
146 static inline void __uaccess_disable_hw_pan(void)
147 {
148 	asm(ALTERNATIVE("nop", SET_PSTATE_PAN(0), ARM64_HAS_PAN,
149 			CONFIG_ARM64_PAN));
150 }
151 
152 static inline void __uaccess_enable_hw_pan(void)
153 {
154 	asm(ALTERNATIVE("nop", SET_PSTATE_PAN(1), ARM64_HAS_PAN,
155 			CONFIG_ARM64_PAN));
156 }
157 
158 /*
159  * The Tag Check Flag (TCF) mode for MTE is per EL, hence TCF0
160  * affects EL0 and TCF affects EL1 irrespective of which TTBR is
161  * used.
162  * The kernel accesses TTBR0 usually with LDTR/STTR instructions
163  * when UAO is available, so these would act as EL0 accesses using
164  * TCF0.
165  * However futex.h code uses exclusives which would be executed as
166  * EL1, this can potentially cause a tag check fault even if the
167  * user disables TCF0.
168  *
169  * To address the problem we set the PSTATE.TCO bit in uaccess_enable()
170  * and reset it in uaccess_disable().
171  *
172  * The Tag check override (TCO) bit disables temporarily the tag checking
173  * preventing the issue.
174  */
175 static inline void __uaccess_disable_tco(void)
176 {
177 	asm volatile(ALTERNATIVE("nop", SET_PSTATE_TCO(0),
178 				 ARM64_MTE, CONFIG_KASAN_HW_TAGS));
179 }
180 
181 static inline void __uaccess_enable_tco(void)
182 {
183 	asm volatile(ALTERNATIVE("nop", SET_PSTATE_TCO(1),
184 				 ARM64_MTE, CONFIG_KASAN_HW_TAGS));
185 }
186 
187 /*
188  * These functions disable tag checking only if in MTE async mode
189  * since the sync mode generates exceptions synchronously and the
190  * nofault or load_unaligned_zeropad can handle them.
191  */
192 static inline void __uaccess_disable_tco_async(void)
193 {
194 	if (system_uses_mte_async_or_asymm_mode())
195 		 __uaccess_disable_tco();
196 }
197 
198 static inline void __uaccess_enable_tco_async(void)
199 {
200 	if (system_uses_mte_async_or_asymm_mode())
201 		__uaccess_enable_tco();
202 }
203 
204 static inline void uaccess_disable_privileged(void)
205 {
206 	__uaccess_disable_tco();
207 
208 	if (uaccess_ttbr0_disable())
209 		return;
210 
211 	__uaccess_enable_hw_pan();
212 }
213 
214 static inline void uaccess_enable_privileged(void)
215 {
216 	__uaccess_enable_tco();
217 
218 	if (uaccess_ttbr0_enable())
219 		return;
220 
221 	__uaccess_disable_hw_pan();
222 }
223 
224 /*
225  * Sanitise a uaccess pointer such that it becomes NULL if above the maximum
226  * user address. In case the pointer is tagged (has the top byte set), untag
227  * the pointer before checking.
228  */
229 #define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr)
230 static inline void __user *__uaccess_mask_ptr(const void __user *ptr)
231 {
232 	void __user *safe_ptr;
233 
234 	asm volatile(
235 	"	bics	xzr, %3, %2\n"
236 	"	csel	%0, %1, xzr, eq\n"
237 	: "=&r" (safe_ptr)
238 	: "r" (ptr), "r" (TASK_SIZE_MAX - 1),
239 	  "r" (untagged_addr(ptr))
240 	: "cc");
241 
242 	csdb();
243 	return safe_ptr;
244 }
245 
246 /*
247  * The "__xxx" versions of the user access functions do not verify the address
248  * space - it must have been done previously with a separate "access_ok()"
249  * call.
250  *
251  * The "__xxx_error" versions set the third argument to -EFAULT if an error
252  * occurs, and leave it unchanged on success.
253  */
254 #define __get_mem_asm(load, reg, x, addr, err)				\
255 	asm volatile(							\
256 	"1:	" load "	" reg "1, [%2]\n"			\
257 	"2:\n"								\
258 	_ASM_EXTABLE_UACCESS_ERR_ZERO(1b, 2b, %w0, %w1)			\
259 	: "+r" (err), "=&r" (x)						\
260 	: "r" (addr))
261 
262 #define __raw_get_mem(ldr, x, ptr, err)					\
263 do {									\
264 	unsigned long __gu_val;						\
265 	switch (sizeof(*(ptr))) {					\
266 	case 1:								\
267 		__get_mem_asm(ldr "b", "%w", __gu_val, (ptr), (err));	\
268 		break;							\
269 	case 2:								\
270 		__get_mem_asm(ldr "h", "%w", __gu_val, (ptr), (err));	\
271 		break;							\
272 	case 4:								\
273 		__get_mem_asm(ldr, "%w", __gu_val, (ptr), (err));	\
274 		break;							\
275 	case 8:								\
276 		__get_mem_asm(ldr, "%x",  __gu_val, (ptr), (err));	\
277 		break;							\
278 	default:							\
279 		BUILD_BUG();						\
280 	}								\
281 	(x) = (__force __typeof__(*(ptr)))__gu_val;			\
282 } while (0)
283 
284 /*
285  * We must not call into the scheduler between uaccess_ttbr0_enable() and
286  * uaccess_ttbr0_disable(). As `x` and `ptr` could contain blocking functions,
287  * we must evaluate these outside of the critical section.
288  */
289 #define __raw_get_user(x, ptr, err)					\
290 do {									\
291 	__typeof__(*(ptr)) __user *__rgu_ptr = (ptr);			\
292 	__typeof__(x) __rgu_val;					\
293 	__chk_user_ptr(ptr);						\
294 									\
295 	uaccess_ttbr0_enable();						\
296 	__raw_get_mem("ldtr", __rgu_val, __rgu_ptr, err);		\
297 	uaccess_ttbr0_disable();					\
298 									\
299 	(x) = __rgu_val;						\
300 } while (0)
301 
302 #define __get_user_error(x, ptr, err)					\
303 do {									\
304 	__typeof__(*(ptr)) __user *__p = (ptr);				\
305 	might_fault();							\
306 	if (access_ok(__p, sizeof(*__p))) {				\
307 		__p = uaccess_mask_ptr(__p);				\
308 		__raw_get_user((x), __p, (err));			\
309 	} else {							\
310 		(x) = (__force __typeof__(x))0; (err) = -EFAULT;	\
311 	}								\
312 } while (0)
313 
314 #define __get_user(x, ptr)						\
315 ({									\
316 	int __gu_err = 0;						\
317 	__get_user_error((x), (ptr), __gu_err);				\
318 	__gu_err;							\
319 })
320 
321 #define get_user	__get_user
322 
323 /*
324  * We must not call into the scheduler between __uaccess_enable_tco_async() and
325  * __uaccess_disable_tco_async(). As `dst` and `src` may contain blocking
326  * functions, we must evaluate these outside of the critical section.
327  */
328 #define __get_kernel_nofault(dst, src, type, err_label)			\
329 do {									\
330 	__typeof__(dst) __gkn_dst = (dst);				\
331 	__typeof__(src) __gkn_src = (src);				\
332 	int __gkn_err = 0;						\
333 									\
334 	__uaccess_enable_tco_async();					\
335 	__raw_get_mem("ldr", *((type *)(__gkn_dst)),			\
336 		      (__force type *)(__gkn_src), __gkn_err);		\
337 	__uaccess_disable_tco_async();					\
338 									\
339 	if (unlikely(__gkn_err))					\
340 		goto err_label;						\
341 } while (0)
342 
343 #define __put_mem_asm(store, reg, x, addr, err)				\
344 	asm volatile(							\
345 	"1:	" store "	" reg "1, [%2]\n"			\
346 	"2:\n"								\
347 	_ASM_EXTABLE_UACCESS_ERR(1b, 2b, %w0)				\
348 	: "+r" (err)							\
349 	: "r" (x), "r" (addr))
350 
351 #define __raw_put_mem(str, x, ptr, err)					\
352 do {									\
353 	__typeof__(*(ptr)) __pu_val = (x);				\
354 	switch (sizeof(*(ptr))) {					\
355 	case 1:								\
356 		__put_mem_asm(str "b", "%w", __pu_val, (ptr), (err));	\
357 		break;							\
358 	case 2:								\
359 		__put_mem_asm(str "h", "%w", __pu_val, (ptr), (err));	\
360 		break;							\
361 	case 4:								\
362 		__put_mem_asm(str, "%w", __pu_val, (ptr), (err));	\
363 		break;							\
364 	case 8:								\
365 		__put_mem_asm(str, "%x", __pu_val, (ptr), (err));	\
366 		break;							\
367 	default:							\
368 		BUILD_BUG();						\
369 	}								\
370 } while (0)
371 
372 /*
373  * We must not call into the scheduler between uaccess_ttbr0_enable() and
374  * uaccess_ttbr0_disable(). As `x` and `ptr` could contain blocking functions,
375  * we must evaluate these outside of the critical section.
376  */
377 #define __raw_put_user(x, ptr, err)					\
378 do {									\
379 	__typeof__(*(ptr)) __user *__rpu_ptr = (ptr);			\
380 	__typeof__(*(ptr)) __rpu_val = (x);				\
381 	__chk_user_ptr(__rpu_ptr);					\
382 									\
383 	uaccess_ttbr0_enable();						\
384 	__raw_put_mem("sttr", __rpu_val, __rpu_ptr, err);		\
385 	uaccess_ttbr0_disable();					\
386 } while (0)
387 
388 #define __put_user_error(x, ptr, err)					\
389 do {									\
390 	__typeof__(*(ptr)) __user *__p = (ptr);				\
391 	might_fault();							\
392 	if (access_ok(__p, sizeof(*__p))) {				\
393 		__p = uaccess_mask_ptr(__p);				\
394 		__raw_put_user((x), __p, (err));			\
395 	} else	{							\
396 		(err) = -EFAULT;					\
397 	}								\
398 } while (0)
399 
400 #define __put_user(x, ptr)						\
401 ({									\
402 	int __pu_err = 0;						\
403 	__put_user_error((x), (ptr), __pu_err);				\
404 	__pu_err;							\
405 })
406 
407 #define put_user	__put_user
408 
409 /*
410  * We must not call into the scheduler between __uaccess_enable_tco_async() and
411  * __uaccess_disable_tco_async(). As `dst` and `src` may contain blocking
412  * functions, we must evaluate these outside of the critical section.
413  */
414 #define __put_kernel_nofault(dst, src, type, err_label)			\
415 do {									\
416 	__typeof__(dst) __pkn_dst = (dst);				\
417 	__typeof__(src) __pkn_src = (src);				\
418 	int __pkn_err = 0;						\
419 									\
420 	__uaccess_enable_tco_async();					\
421 	__raw_put_mem("str", *((type *)(__pkn_src)),			\
422 		      (__force type *)(__pkn_dst), __pkn_err);		\
423 	__uaccess_disable_tco_async();					\
424 									\
425 	if (unlikely(__pkn_err))					\
426 		goto err_label;						\
427 } while(0)
428 
429 extern unsigned long __must_check __arch_copy_from_user(void *to, const void __user *from, unsigned long n);
430 #define raw_copy_from_user(to, from, n)					\
431 ({									\
432 	unsigned long __acfu_ret;					\
433 	uaccess_ttbr0_enable();						\
434 	__acfu_ret = __arch_copy_from_user((to),			\
435 				      __uaccess_mask_ptr(from), (n));	\
436 	uaccess_ttbr0_disable();					\
437 	__acfu_ret;							\
438 })
439 
440 extern unsigned long __must_check __arch_copy_to_user(void __user *to, const void *from, unsigned long n);
441 #define raw_copy_to_user(to, from, n)					\
442 ({									\
443 	unsigned long __actu_ret;					\
444 	uaccess_ttbr0_enable();						\
445 	__actu_ret = __arch_copy_to_user(__uaccess_mask_ptr(to),	\
446 				    (from), (n));			\
447 	uaccess_ttbr0_disable();					\
448 	__actu_ret;							\
449 })
450 
451 #define INLINE_COPY_TO_USER
452 #define INLINE_COPY_FROM_USER
453 
454 extern unsigned long __must_check __arch_clear_user(void __user *to, unsigned long n);
455 static inline unsigned long __must_check __clear_user(void __user *to, unsigned long n)
456 {
457 	if (access_ok(to, n)) {
458 		uaccess_ttbr0_enable();
459 		n = __arch_clear_user(__uaccess_mask_ptr(to), n);
460 		uaccess_ttbr0_disable();
461 	}
462 	return n;
463 }
464 #define clear_user	__clear_user
465 
466 extern long strncpy_from_user(char *dest, const char __user *src, long count);
467 
468 extern __must_check long strnlen_user(const char __user *str, long n);
469 
470 #ifdef CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE
471 struct page;
472 void memcpy_page_flushcache(char *to, struct page *page, size_t offset, size_t len);
473 extern unsigned long __must_check __copy_user_flushcache(void *to, const void __user *from, unsigned long n);
474 
475 static inline int __copy_from_user_flushcache(void *dst, const void __user *src, unsigned size)
476 {
477 	kasan_check_write(dst, size);
478 	return __copy_user_flushcache(dst, __uaccess_mask_ptr(src), size);
479 }
480 #endif
481 
482 #endif /* __ASM_UACCESS_H */
483