1 /* SPDX-License-Identifier: GPL-2.0-only */ 2 /* 3 * Based on arch/arm/include/asm/uaccess.h 4 * 5 * Copyright (C) 2012 ARM Ltd. 6 */ 7 #ifndef __ASM_UACCESS_H 8 #define __ASM_UACCESS_H 9 10 #include <asm/alternative.h> 11 #include <asm/kernel-pgtable.h> 12 #include <asm/sysreg.h> 13 14 /* 15 * User space memory access functions 16 */ 17 #include <linux/bitops.h> 18 #include <linux/kasan-checks.h> 19 #include <linux/string.h> 20 21 #include <asm/asm-extable.h> 22 #include <asm/cpufeature.h> 23 #include <asm/mmu.h> 24 #include <asm/mte.h> 25 #include <asm/ptrace.h> 26 #include <asm/memory.h> 27 #include <asm/extable.h> 28 29 #define HAVE_GET_KERNEL_NOFAULT 30 31 /* 32 * Test whether a block of memory is a valid user space address. 33 * Returns 1 if the range is valid, 0 otherwise. 34 * 35 * This is equivalent to the following test: 36 * (u65)addr + (u65)size <= (u65)TASK_SIZE_MAX 37 */ 38 static inline unsigned long __range_ok(const void __user *addr, unsigned long size) 39 { 40 unsigned long ret, limit = TASK_SIZE_MAX - 1; 41 42 /* 43 * Asynchronous I/O running in a kernel thread does not have the 44 * TIF_TAGGED_ADDR flag of the process owning the mm, so always untag 45 * the user address before checking. 46 */ 47 if (IS_ENABLED(CONFIG_ARM64_TAGGED_ADDR_ABI) && 48 (current->flags & PF_KTHREAD || test_thread_flag(TIF_TAGGED_ADDR))) 49 addr = untagged_addr(addr); 50 51 __chk_user_ptr(addr); 52 asm volatile( 53 // A + B <= C + 1 for all A,B,C, in four easy steps: 54 // 1: X = A + B; X' = X % 2^64 55 " adds %0, %3, %2\n" 56 // 2: Set C = 0 if X > 2^64, to guarantee X' > C in step 4 57 " csel %1, xzr, %1, hi\n" 58 // 3: Set X' = ~0 if X >= 2^64. For X == 2^64, this decrements X' 59 // to compensate for the carry flag being set in step 4. For 60 // X > 2^64, X' merely has to remain nonzero, which it does. 61 " csinv %0, %0, xzr, cc\n" 62 // 4: For X < 2^64, this gives us X' - C - 1 <= 0, where the -1 63 // comes from the carry in being clear. Otherwise, we are 64 // testing X' - C == 0, subject to the previous adjustments. 65 " sbcs xzr, %0, %1\n" 66 " cset %0, ls\n" 67 : "=&r" (ret), "+r" (limit) : "Ir" (size), "0" (addr) : "cc"); 68 69 return ret; 70 } 71 72 #define access_ok(addr, size) __range_ok(addr, size) 73 74 /* 75 * User access enabling/disabling. 76 */ 77 #ifdef CONFIG_ARM64_SW_TTBR0_PAN 78 static inline void __uaccess_ttbr0_disable(void) 79 { 80 unsigned long flags, ttbr; 81 82 local_irq_save(flags); 83 ttbr = read_sysreg(ttbr1_el1); 84 ttbr &= ~TTBR_ASID_MASK; 85 /* reserved_pg_dir placed before swapper_pg_dir */ 86 write_sysreg(ttbr - RESERVED_SWAPPER_OFFSET, ttbr0_el1); 87 isb(); 88 /* Set reserved ASID */ 89 write_sysreg(ttbr, ttbr1_el1); 90 isb(); 91 local_irq_restore(flags); 92 } 93 94 static inline void __uaccess_ttbr0_enable(void) 95 { 96 unsigned long flags, ttbr0, ttbr1; 97 98 /* 99 * Disable interrupts to avoid preemption between reading the 'ttbr0' 100 * variable and the MSR. A context switch could trigger an ASID 101 * roll-over and an update of 'ttbr0'. 102 */ 103 local_irq_save(flags); 104 ttbr0 = READ_ONCE(current_thread_info()->ttbr0); 105 106 /* Restore active ASID */ 107 ttbr1 = read_sysreg(ttbr1_el1); 108 ttbr1 &= ~TTBR_ASID_MASK; /* safety measure */ 109 ttbr1 |= ttbr0 & TTBR_ASID_MASK; 110 write_sysreg(ttbr1, ttbr1_el1); 111 isb(); 112 113 /* Restore user page table */ 114 write_sysreg(ttbr0, ttbr0_el1); 115 isb(); 116 local_irq_restore(flags); 117 } 118 119 static inline bool uaccess_ttbr0_disable(void) 120 { 121 if (!system_uses_ttbr0_pan()) 122 return false; 123 __uaccess_ttbr0_disable(); 124 return true; 125 } 126 127 static inline bool uaccess_ttbr0_enable(void) 128 { 129 if (!system_uses_ttbr0_pan()) 130 return false; 131 __uaccess_ttbr0_enable(); 132 return true; 133 } 134 #else 135 static inline bool uaccess_ttbr0_disable(void) 136 { 137 return false; 138 } 139 140 static inline bool uaccess_ttbr0_enable(void) 141 { 142 return false; 143 } 144 #endif 145 146 static inline void __uaccess_disable_hw_pan(void) 147 { 148 asm(ALTERNATIVE("nop", SET_PSTATE_PAN(0), ARM64_HAS_PAN, 149 CONFIG_ARM64_PAN)); 150 } 151 152 static inline void __uaccess_enable_hw_pan(void) 153 { 154 asm(ALTERNATIVE("nop", SET_PSTATE_PAN(1), ARM64_HAS_PAN, 155 CONFIG_ARM64_PAN)); 156 } 157 158 /* 159 * The Tag Check Flag (TCF) mode for MTE is per EL, hence TCF0 160 * affects EL0 and TCF affects EL1 irrespective of which TTBR is 161 * used. 162 * The kernel accesses TTBR0 usually with LDTR/STTR instructions 163 * when UAO is available, so these would act as EL0 accesses using 164 * TCF0. 165 * However futex.h code uses exclusives which would be executed as 166 * EL1, this can potentially cause a tag check fault even if the 167 * user disables TCF0. 168 * 169 * To address the problem we set the PSTATE.TCO bit in uaccess_enable() 170 * and reset it in uaccess_disable(). 171 * 172 * The Tag check override (TCO) bit disables temporarily the tag checking 173 * preventing the issue. 174 */ 175 static inline void __uaccess_disable_tco(void) 176 { 177 asm volatile(ALTERNATIVE("nop", SET_PSTATE_TCO(0), 178 ARM64_MTE, CONFIG_KASAN_HW_TAGS)); 179 } 180 181 static inline void __uaccess_enable_tco(void) 182 { 183 asm volatile(ALTERNATIVE("nop", SET_PSTATE_TCO(1), 184 ARM64_MTE, CONFIG_KASAN_HW_TAGS)); 185 } 186 187 /* 188 * These functions disable tag checking only if in MTE async mode 189 * since the sync mode generates exceptions synchronously and the 190 * nofault or load_unaligned_zeropad can handle them. 191 */ 192 static inline void __uaccess_disable_tco_async(void) 193 { 194 if (system_uses_mte_async_or_asymm_mode()) 195 __uaccess_disable_tco(); 196 } 197 198 static inline void __uaccess_enable_tco_async(void) 199 { 200 if (system_uses_mte_async_or_asymm_mode()) 201 __uaccess_enable_tco(); 202 } 203 204 static inline void uaccess_disable_privileged(void) 205 { 206 __uaccess_disable_tco(); 207 208 if (uaccess_ttbr0_disable()) 209 return; 210 211 __uaccess_enable_hw_pan(); 212 } 213 214 static inline void uaccess_enable_privileged(void) 215 { 216 __uaccess_enable_tco(); 217 218 if (uaccess_ttbr0_enable()) 219 return; 220 221 __uaccess_disable_hw_pan(); 222 } 223 224 /* 225 * Sanitise a uaccess pointer such that it becomes NULL if above the maximum 226 * user address. In case the pointer is tagged (has the top byte set), untag 227 * the pointer before checking. 228 */ 229 #define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr) 230 static inline void __user *__uaccess_mask_ptr(const void __user *ptr) 231 { 232 void __user *safe_ptr; 233 234 asm volatile( 235 " bics xzr, %3, %2\n" 236 " csel %0, %1, xzr, eq\n" 237 : "=&r" (safe_ptr) 238 : "r" (ptr), "r" (TASK_SIZE_MAX - 1), 239 "r" (untagged_addr(ptr)) 240 : "cc"); 241 242 csdb(); 243 return safe_ptr; 244 } 245 246 /* 247 * The "__xxx" versions of the user access functions do not verify the address 248 * space - it must have been done previously with a separate "access_ok()" 249 * call. 250 * 251 * The "__xxx_error" versions set the third argument to -EFAULT if an error 252 * occurs, and leave it unchanged on success. 253 */ 254 #define __get_mem_asm(load, reg, x, addr, err) \ 255 asm volatile( \ 256 "1: " load " " reg "1, [%2]\n" \ 257 "2:\n" \ 258 _ASM_EXTABLE_UACCESS_ERR_ZERO(1b, 2b, %w0, %w1) \ 259 : "+r" (err), "=&r" (x) \ 260 : "r" (addr)) 261 262 #define __raw_get_mem(ldr, x, ptr, err) \ 263 do { \ 264 unsigned long __gu_val; \ 265 switch (sizeof(*(ptr))) { \ 266 case 1: \ 267 __get_mem_asm(ldr "b", "%w", __gu_val, (ptr), (err)); \ 268 break; \ 269 case 2: \ 270 __get_mem_asm(ldr "h", "%w", __gu_val, (ptr), (err)); \ 271 break; \ 272 case 4: \ 273 __get_mem_asm(ldr, "%w", __gu_val, (ptr), (err)); \ 274 break; \ 275 case 8: \ 276 __get_mem_asm(ldr, "%x", __gu_val, (ptr), (err)); \ 277 break; \ 278 default: \ 279 BUILD_BUG(); \ 280 } \ 281 (x) = (__force __typeof__(*(ptr)))__gu_val; \ 282 } while (0) 283 284 /* 285 * We must not call into the scheduler between uaccess_ttbr0_enable() and 286 * uaccess_ttbr0_disable(). As `x` and `ptr` could contain blocking functions, 287 * we must evaluate these outside of the critical section. 288 */ 289 #define __raw_get_user(x, ptr, err) \ 290 do { \ 291 __typeof__(*(ptr)) __user *__rgu_ptr = (ptr); \ 292 __typeof__(x) __rgu_val; \ 293 __chk_user_ptr(ptr); \ 294 \ 295 uaccess_ttbr0_enable(); \ 296 __raw_get_mem("ldtr", __rgu_val, __rgu_ptr, err); \ 297 uaccess_ttbr0_disable(); \ 298 \ 299 (x) = __rgu_val; \ 300 } while (0) 301 302 #define __get_user_error(x, ptr, err) \ 303 do { \ 304 __typeof__(*(ptr)) __user *__p = (ptr); \ 305 might_fault(); \ 306 if (access_ok(__p, sizeof(*__p))) { \ 307 __p = uaccess_mask_ptr(__p); \ 308 __raw_get_user((x), __p, (err)); \ 309 } else { \ 310 (x) = (__force __typeof__(x))0; (err) = -EFAULT; \ 311 } \ 312 } while (0) 313 314 #define __get_user(x, ptr) \ 315 ({ \ 316 int __gu_err = 0; \ 317 __get_user_error((x), (ptr), __gu_err); \ 318 __gu_err; \ 319 }) 320 321 #define get_user __get_user 322 323 /* 324 * We must not call into the scheduler between __uaccess_enable_tco_async() and 325 * __uaccess_disable_tco_async(). As `dst` and `src` may contain blocking 326 * functions, we must evaluate these outside of the critical section. 327 */ 328 #define __get_kernel_nofault(dst, src, type, err_label) \ 329 do { \ 330 __typeof__(dst) __gkn_dst = (dst); \ 331 __typeof__(src) __gkn_src = (src); \ 332 int __gkn_err = 0; \ 333 \ 334 __uaccess_enable_tco_async(); \ 335 __raw_get_mem("ldr", *((type *)(__gkn_dst)), \ 336 (__force type *)(__gkn_src), __gkn_err); \ 337 __uaccess_disable_tco_async(); \ 338 \ 339 if (unlikely(__gkn_err)) \ 340 goto err_label; \ 341 } while (0) 342 343 #define __put_mem_asm(store, reg, x, addr, err) \ 344 asm volatile( \ 345 "1: " store " " reg "1, [%2]\n" \ 346 "2:\n" \ 347 _ASM_EXTABLE_UACCESS_ERR(1b, 2b, %w0) \ 348 : "+r" (err) \ 349 : "r" (x), "r" (addr)) 350 351 #define __raw_put_mem(str, x, ptr, err) \ 352 do { \ 353 __typeof__(*(ptr)) __pu_val = (x); \ 354 switch (sizeof(*(ptr))) { \ 355 case 1: \ 356 __put_mem_asm(str "b", "%w", __pu_val, (ptr), (err)); \ 357 break; \ 358 case 2: \ 359 __put_mem_asm(str "h", "%w", __pu_val, (ptr), (err)); \ 360 break; \ 361 case 4: \ 362 __put_mem_asm(str, "%w", __pu_val, (ptr), (err)); \ 363 break; \ 364 case 8: \ 365 __put_mem_asm(str, "%x", __pu_val, (ptr), (err)); \ 366 break; \ 367 default: \ 368 BUILD_BUG(); \ 369 } \ 370 } while (0) 371 372 /* 373 * We must not call into the scheduler between uaccess_ttbr0_enable() and 374 * uaccess_ttbr0_disable(). As `x` and `ptr` could contain blocking functions, 375 * we must evaluate these outside of the critical section. 376 */ 377 #define __raw_put_user(x, ptr, err) \ 378 do { \ 379 __typeof__(*(ptr)) __user *__rpu_ptr = (ptr); \ 380 __typeof__(*(ptr)) __rpu_val = (x); \ 381 __chk_user_ptr(__rpu_ptr); \ 382 \ 383 uaccess_ttbr0_enable(); \ 384 __raw_put_mem("sttr", __rpu_val, __rpu_ptr, err); \ 385 uaccess_ttbr0_disable(); \ 386 } while (0) 387 388 #define __put_user_error(x, ptr, err) \ 389 do { \ 390 __typeof__(*(ptr)) __user *__p = (ptr); \ 391 might_fault(); \ 392 if (access_ok(__p, sizeof(*__p))) { \ 393 __p = uaccess_mask_ptr(__p); \ 394 __raw_put_user((x), __p, (err)); \ 395 } else { \ 396 (err) = -EFAULT; \ 397 } \ 398 } while (0) 399 400 #define __put_user(x, ptr) \ 401 ({ \ 402 int __pu_err = 0; \ 403 __put_user_error((x), (ptr), __pu_err); \ 404 __pu_err; \ 405 }) 406 407 #define put_user __put_user 408 409 /* 410 * We must not call into the scheduler between __uaccess_enable_tco_async() and 411 * __uaccess_disable_tco_async(). As `dst` and `src` may contain blocking 412 * functions, we must evaluate these outside of the critical section. 413 */ 414 #define __put_kernel_nofault(dst, src, type, err_label) \ 415 do { \ 416 __typeof__(dst) __pkn_dst = (dst); \ 417 __typeof__(src) __pkn_src = (src); \ 418 int __pkn_err = 0; \ 419 \ 420 __uaccess_enable_tco_async(); \ 421 __raw_put_mem("str", *((type *)(__pkn_src)), \ 422 (__force type *)(__pkn_dst), __pkn_err); \ 423 __uaccess_disable_tco_async(); \ 424 \ 425 if (unlikely(__pkn_err)) \ 426 goto err_label; \ 427 } while(0) 428 429 extern unsigned long __must_check __arch_copy_from_user(void *to, const void __user *from, unsigned long n); 430 #define raw_copy_from_user(to, from, n) \ 431 ({ \ 432 unsigned long __acfu_ret; \ 433 uaccess_ttbr0_enable(); \ 434 __acfu_ret = __arch_copy_from_user((to), \ 435 __uaccess_mask_ptr(from), (n)); \ 436 uaccess_ttbr0_disable(); \ 437 __acfu_ret; \ 438 }) 439 440 extern unsigned long __must_check __arch_copy_to_user(void __user *to, const void *from, unsigned long n); 441 #define raw_copy_to_user(to, from, n) \ 442 ({ \ 443 unsigned long __actu_ret; \ 444 uaccess_ttbr0_enable(); \ 445 __actu_ret = __arch_copy_to_user(__uaccess_mask_ptr(to), \ 446 (from), (n)); \ 447 uaccess_ttbr0_disable(); \ 448 __actu_ret; \ 449 }) 450 451 #define INLINE_COPY_TO_USER 452 #define INLINE_COPY_FROM_USER 453 454 extern unsigned long __must_check __arch_clear_user(void __user *to, unsigned long n); 455 static inline unsigned long __must_check __clear_user(void __user *to, unsigned long n) 456 { 457 if (access_ok(to, n)) { 458 uaccess_ttbr0_enable(); 459 n = __arch_clear_user(__uaccess_mask_ptr(to), n); 460 uaccess_ttbr0_disable(); 461 } 462 return n; 463 } 464 #define clear_user __clear_user 465 466 extern long strncpy_from_user(char *dest, const char __user *src, long count); 467 468 extern __must_check long strnlen_user(const char __user *str, long n); 469 470 #ifdef CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE 471 struct page; 472 void memcpy_page_flushcache(char *to, struct page *page, size_t offset, size_t len); 473 extern unsigned long __must_check __copy_user_flushcache(void *to, const void __user *from, unsigned long n); 474 475 static inline int __copy_from_user_flushcache(void *dst, const void __user *src, unsigned size) 476 { 477 kasan_check_write(dst, size); 478 return __copy_user_flushcache(dst, __uaccess_mask_ptr(src), size); 479 } 480 #endif 481 482 #endif /* __ASM_UACCESS_H */ 483