1 /* SPDX-License-Identifier: GPL-2.0 */ 2 #ifndef _ASM_X86_UACCESS_H 3 #define _ASM_X86_UACCESS_H 4 /* 5 * User space memory access functions 6 */ 7 #include <linux/compiler.h> 8 #include <linux/kasan-checks.h> 9 #include <linux/string.h> 10 #include <asm/asm.h> 11 #include <asm/page.h> 12 #include <asm/smap.h> 13 #include <asm/extable.h> 14 15 #ifdef CONFIG_DEBUG_ATOMIC_SLEEP 16 static inline bool pagefault_disabled(void); 17 # define WARN_ON_IN_IRQ() \ 18 WARN_ON_ONCE(!in_task() && !pagefault_disabled()) 19 #else 20 # define WARN_ON_IN_IRQ() 21 #endif 22 23 /** 24 * access_ok - Checks if a user space pointer is valid 25 * @addr: User space pointer to start of block to check 26 * @size: Size of block to check 27 * 28 * Context: User context only. This function may sleep if pagefaults are 29 * enabled. 30 * 31 * Checks if a pointer to a block of memory in user space is valid. 32 * 33 * Note that, depending on architecture, this function probably just 34 * checks that the pointer is in the user space range - after calling 35 * this function, memory access functions may still return -EFAULT. 36 * 37 * Return: true (nonzero) if the memory block may be valid, false (zero) 38 * if it is definitely invalid. 39 */ 40 #define access_ok(addr, size) \ 41 ({ \ 42 WARN_ON_IN_IRQ(); \ 43 likely(__access_ok(addr, size)); \ 44 }) 45 46 #include <asm-generic/access_ok.h> 47 48 extern int __get_user_1(void); 49 extern int __get_user_2(void); 50 extern int __get_user_4(void); 51 extern int __get_user_8(void); 52 extern int __get_user_nocheck_1(void); 53 extern int __get_user_nocheck_2(void); 54 extern int __get_user_nocheck_4(void); 55 extern int __get_user_nocheck_8(void); 56 extern int __get_user_bad(void); 57 58 #define __uaccess_begin() stac() 59 #define __uaccess_end() clac() 60 #define __uaccess_begin_nospec() \ 61 ({ \ 62 stac(); \ 63 barrier_nospec(); \ 64 }) 65 66 /* 67 * This is the smallest unsigned integer type that can fit a value 68 * (up to 'long long') 69 */ 70 #define __inttype(x) __typeof__( \ 71 __typefits(x,char, \ 72 __typefits(x,short, \ 73 __typefits(x,int, \ 74 __typefits(x,long,0ULL))))) 75 76 #define __typefits(x,type,not) \ 77 __builtin_choose_expr(sizeof(x)<=sizeof(type),(unsigned type)0,not) 78 79 /* 80 * This is used for both get_user() and __get_user() to expand to 81 * the proper special function call that has odd calling conventions 82 * due to returning both a value and an error, and that depends on 83 * the size of the pointer passed in. 84 * 85 * Careful: we have to cast the result to the type of the pointer 86 * for sign reasons. 87 * 88 * The use of _ASM_DX as the register specifier is a bit of a 89 * simplification, as gcc only cares about it as the starting point 90 * and not size: for a 64-bit value it will use %ecx:%edx on 32 bits 91 * (%ecx being the next register in gcc's x86 register sequence), and 92 * %rdx on 64 bits. 93 * 94 * Clang/LLVM cares about the size of the register, but still wants 95 * the base register for something that ends up being a pair. 96 */ 97 #define do_get_user_call(fn,x,ptr) \ 98 ({ \ 99 int __ret_gu; \ 100 register __inttype(*(ptr)) __val_gu asm("%"_ASM_DX); \ 101 __chk_user_ptr(ptr); \ 102 asm volatile("call __" #fn "_%P4" \ 103 : "=a" (__ret_gu), "=r" (__val_gu), \ 104 ASM_CALL_CONSTRAINT \ 105 : "0" (ptr), "i" (sizeof(*(ptr)))); \ 106 (x) = (__force __typeof__(*(ptr))) __val_gu; \ 107 __builtin_expect(__ret_gu, 0); \ 108 }) 109 110 /** 111 * get_user - Get a simple variable from user space. 112 * @x: Variable to store result. 113 * @ptr: Source address, in user space. 114 * 115 * Context: User context only. This function may sleep if pagefaults are 116 * enabled. 117 * 118 * This macro copies a single simple variable from user space to kernel 119 * space. It supports simple types like char and int, but not larger 120 * data types like structures or arrays. 121 * 122 * @ptr must have pointer-to-simple-variable type, and the result of 123 * dereferencing @ptr must be assignable to @x without a cast. 124 * 125 * Return: zero on success, or -EFAULT on error. 126 * On error, the variable @x is set to zero. 127 */ 128 #define get_user(x,ptr) ({ might_fault(); do_get_user_call(get_user,x,ptr); }) 129 130 /** 131 * __get_user - Get a simple variable from user space, with less checking. 132 * @x: Variable to store result. 133 * @ptr: Source address, in user space. 134 * 135 * Context: User context only. This function may sleep if pagefaults are 136 * enabled. 137 * 138 * This macro copies a single simple variable from user space to kernel 139 * space. It supports simple types like char and int, but not larger 140 * data types like structures or arrays. 141 * 142 * @ptr must have pointer-to-simple-variable type, and the result of 143 * dereferencing @ptr must be assignable to @x without a cast. 144 * 145 * Caller must check the pointer with access_ok() before calling this 146 * function. 147 * 148 * Return: zero on success, or -EFAULT on error. 149 * On error, the variable @x is set to zero. 150 */ 151 #define __get_user(x,ptr) do_get_user_call(get_user_nocheck,x,ptr) 152 153 154 #ifdef CONFIG_X86_32 155 #define __put_user_goto_u64(x, addr, label) \ 156 asm_volatile_goto("\n" \ 157 "1: movl %%eax,0(%1)\n" \ 158 "2: movl %%edx,4(%1)\n" \ 159 _ASM_EXTABLE_UA(1b, %l2) \ 160 _ASM_EXTABLE_UA(2b, %l2) \ 161 : : "A" (x), "r" (addr) \ 162 : : label) 163 164 #else 165 #define __put_user_goto_u64(x, ptr, label) \ 166 __put_user_goto(x, ptr, "q", "er", label) 167 #endif 168 169 extern void __put_user_bad(void); 170 171 /* 172 * Strange magic calling convention: pointer in %ecx, 173 * value in %eax(:%edx), return value in %ecx. clobbers %rbx 174 */ 175 extern void __put_user_1(void); 176 extern void __put_user_2(void); 177 extern void __put_user_4(void); 178 extern void __put_user_8(void); 179 extern void __put_user_nocheck_1(void); 180 extern void __put_user_nocheck_2(void); 181 extern void __put_user_nocheck_4(void); 182 extern void __put_user_nocheck_8(void); 183 184 /* 185 * ptr must be evaluated and assigned to the temporary __ptr_pu before 186 * the assignment of x to __val_pu, to avoid any function calls 187 * involved in the ptr expression (possibly implicitly generated due 188 * to KASAN) from clobbering %ax. 189 */ 190 #define do_put_user_call(fn,x,ptr) \ 191 ({ \ 192 int __ret_pu; \ 193 void __user *__ptr_pu; \ 194 register __typeof__(*(ptr)) __val_pu asm("%"_ASM_AX); \ 195 __chk_user_ptr(ptr); \ 196 __ptr_pu = (ptr); \ 197 __val_pu = (x); \ 198 asm volatile("call __" #fn "_%P[size]" \ 199 : "=c" (__ret_pu), \ 200 ASM_CALL_CONSTRAINT \ 201 : "0" (__ptr_pu), \ 202 "r" (__val_pu), \ 203 [size] "i" (sizeof(*(ptr))) \ 204 :"ebx"); \ 205 __builtin_expect(__ret_pu, 0); \ 206 }) 207 208 /** 209 * put_user - Write a simple value into user space. 210 * @x: Value to copy to user space. 211 * @ptr: Destination address, in user space. 212 * 213 * Context: User context only. This function may sleep if pagefaults are 214 * enabled. 215 * 216 * This macro copies a single simple value from kernel space to user 217 * space. It supports simple types like char and int, but not larger 218 * data types like structures or arrays. 219 * 220 * @ptr must have pointer-to-simple-variable type, and @x must be assignable 221 * to the result of dereferencing @ptr. 222 * 223 * Return: zero on success, or -EFAULT on error. 224 */ 225 #define put_user(x, ptr) ({ might_fault(); do_put_user_call(put_user,x,ptr); }) 226 227 /** 228 * __put_user - Write a simple value into user space, with less checking. 229 * @x: Value to copy to user space. 230 * @ptr: Destination address, in user space. 231 * 232 * Context: User context only. This function may sleep if pagefaults are 233 * enabled. 234 * 235 * This macro copies a single simple value from kernel space to user 236 * space. It supports simple types like char and int, but not larger 237 * data types like structures or arrays. 238 * 239 * @ptr must have pointer-to-simple-variable type, and @x must be assignable 240 * to the result of dereferencing @ptr. 241 * 242 * Caller must check the pointer with access_ok() before calling this 243 * function. 244 * 245 * Return: zero on success, or -EFAULT on error. 246 */ 247 #define __put_user(x, ptr) do_put_user_call(put_user_nocheck,x,ptr) 248 249 #define __put_user_size(x, ptr, size, label) \ 250 do { \ 251 __chk_user_ptr(ptr); \ 252 switch (size) { \ 253 case 1: \ 254 __put_user_goto(x, ptr, "b", "iq", label); \ 255 break; \ 256 case 2: \ 257 __put_user_goto(x, ptr, "w", "ir", label); \ 258 break; \ 259 case 4: \ 260 __put_user_goto(x, ptr, "l", "ir", label); \ 261 break; \ 262 case 8: \ 263 __put_user_goto_u64(x, ptr, label); \ 264 break; \ 265 default: \ 266 __put_user_bad(); \ 267 } \ 268 } while (0) 269 270 #ifdef CONFIG_CC_HAS_ASM_GOTO_OUTPUT 271 272 #ifdef CONFIG_X86_32 273 #define __get_user_asm_u64(x, ptr, label) do { \ 274 unsigned int __gu_low, __gu_high; \ 275 const unsigned int __user *__gu_ptr; \ 276 __gu_ptr = (const void __user *)(ptr); \ 277 __get_user_asm(__gu_low, __gu_ptr, "l", "=r", label); \ 278 __get_user_asm(__gu_high, __gu_ptr+1, "l", "=r", label); \ 279 (x) = ((unsigned long long)__gu_high << 32) | __gu_low; \ 280 } while (0) 281 #else 282 #define __get_user_asm_u64(x, ptr, label) \ 283 __get_user_asm(x, ptr, "q", "=r", label) 284 #endif 285 286 #define __get_user_size(x, ptr, size, label) \ 287 do { \ 288 __chk_user_ptr(ptr); \ 289 switch (size) { \ 290 case 1: { \ 291 unsigned char x_u8__; \ 292 __get_user_asm(x_u8__, ptr, "b", "=q", label); \ 293 (x) = x_u8__; \ 294 break; \ 295 } \ 296 case 2: \ 297 __get_user_asm(x, ptr, "w", "=r", label); \ 298 break; \ 299 case 4: \ 300 __get_user_asm(x, ptr, "l", "=r", label); \ 301 break; \ 302 case 8: \ 303 __get_user_asm_u64(x, ptr, label); \ 304 break; \ 305 default: \ 306 (x) = __get_user_bad(); \ 307 } \ 308 } while (0) 309 310 #define __get_user_asm(x, addr, itype, ltype, label) \ 311 asm_volatile_goto("\n" \ 312 "1: mov"itype" %[umem],%[output]\n" \ 313 _ASM_EXTABLE_UA(1b, %l2) \ 314 : [output] ltype(x) \ 315 : [umem] "m" (__m(addr)) \ 316 : : label) 317 318 #else // !CONFIG_CC_HAS_ASM_GOTO_OUTPUT 319 320 #ifdef CONFIG_X86_32 321 #define __get_user_asm_u64(x, ptr, retval) \ 322 ({ \ 323 __typeof__(ptr) __ptr = (ptr); \ 324 asm volatile("\n" \ 325 "1: movl %[lowbits],%%eax\n" \ 326 "2: movl %[highbits],%%edx\n" \ 327 "3:\n" \ 328 _ASM_EXTABLE_TYPE_REG(1b, 3b, EX_TYPE_EFAULT_REG | \ 329 EX_FLAG_CLEAR_AX_DX, \ 330 %[errout]) \ 331 _ASM_EXTABLE_TYPE_REG(2b, 3b, EX_TYPE_EFAULT_REG | \ 332 EX_FLAG_CLEAR_AX_DX, \ 333 %[errout]) \ 334 : [errout] "=r" (retval), \ 335 [output] "=&A"(x) \ 336 : [lowbits] "m" (__m(__ptr)), \ 337 [highbits] "m" __m(((u32 __user *)(__ptr)) + 1), \ 338 "0" (retval)); \ 339 }) 340 341 #else 342 #define __get_user_asm_u64(x, ptr, retval) \ 343 __get_user_asm(x, ptr, retval, "q") 344 #endif 345 346 #define __get_user_size(x, ptr, size, retval) \ 347 do { \ 348 unsigned char x_u8__; \ 349 \ 350 retval = 0; \ 351 __chk_user_ptr(ptr); \ 352 switch (size) { \ 353 case 1: \ 354 __get_user_asm(x_u8__, ptr, retval, "b"); \ 355 (x) = x_u8__; \ 356 break; \ 357 case 2: \ 358 __get_user_asm(x, ptr, retval, "w"); \ 359 break; \ 360 case 4: \ 361 __get_user_asm(x, ptr, retval, "l"); \ 362 break; \ 363 case 8: \ 364 __get_user_asm_u64(x, ptr, retval); \ 365 break; \ 366 default: \ 367 (x) = __get_user_bad(); \ 368 } \ 369 } while (0) 370 371 #define __get_user_asm(x, addr, err, itype) \ 372 asm volatile("\n" \ 373 "1: mov"itype" %[umem],%[output]\n" \ 374 "2:\n" \ 375 _ASM_EXTABLE_TYPE_REG(1b, 2b, EX_TYPE_EFAULT_REG | \ 376 EX_FLAG_CLEAR_AX, \ 377 %[errout]) \ 378 : [errout] "=r" (err), \ 379 [output] "=a" (x) \ 380 : [umem] "m" (__m(addr)), \ 381 "0" (err)) 382 383 #endif // CONFIG_CC_HAS_ASM_GOTO_OUTPUT 384 385 /* FIXME: this hack is definitely wrong -AK */ 386 struct __large_struct { unsigned long buf[100]; }; 387 #define __m(x) (*(struct __large_struct __user *)(x)) 388 389 /* 390 * Tell gcc we read from memory instead of writing: this is because 391 * we do not write to any memory gcc knows about, so there are no 392 * aliasing issues. 393 */ 394 #define __put_user_goto(x, addr, itype, ltype, label) \ 395 asm_volatile_goto("\n" \ 396 "1: mov"itype" %0,%1\n" \ 397 _ASM_EXTABLE_UA(1b, %l2) \ 398 : : ltype(x), "m" (__m(addr)) \ 399 : : label) 400 401 extern unsigned long 402 copy_from_user_nmi(void *to, const void __user *from, unsigned long n); 403 extern __must_check long 404 strncpy_from_user(char *dst, const char __user *src, long count); 405 406 extern __must_check long strnlen_user(const char __user *str, long n); 407 408 unsigned long __must_check clear_user(void __user *mem, unsigned long len); 409 unsigned long __must_check __clear_user(void __user *mem, unsigned long len); 410 411 #ifdef CONFIG_ARCH_HAS_COPY_MC 412 unsigned long __must_check 413 copy_mc_to_kernel(void *to, const void *from, unsigned len); 414 #define copy_mc_to_kernel copy_mc_to_kernel 415 416 unsigned long __must_check 417 copy_mc_to_user(void *to, const void *from, unsigned len); 418 #endif 419 420 /* 421 * movsl can be slow when source and dest are not both 8-byte aligned 422 */ 423 #ifdef CONFIG_X86_INTEL_USERCOPY 424 extern struct movsl_mask { 425 int mask; 426 } ____cacheline_aligned_in_smp movsl_mask; 427 #endif 428 429 #define ARCH_HAS_NOCACHE_UACCESS 1 430 431 #ifdef CONFIG_X86_32 432 # include <asm/uaccess_32.h> 433 #else 434 # include <asm/uaccess_64.h> 435 #endif 436 437 /* 438 * The "unsafe" user accesses aren't really "unsafe", but the naming 439 * is a big fat warning: you have to not only do the access_ok() 440 * checking before using them, but you have to surround them with the 441 * user_access_begin/end() pair. 442 */ 443 static __must_check __always_inline bool user_access_begin(const void __user *ptr, size_t len) 444 { 445 if (unlikely(!access_ok(ptr,len))) 446 return 0; 447 __uaccess_begin_nospec(); 448 return 1; 449 } 450 #define user_access_begin(a,b) user_access_begin(a,b) 451 #define user_access_end() __uaccess_end() 452 453 #define user_access_save() smap_save() 454 #define user_access_restore(x) smap_restore(x) 455 456 #define unsafe_put_user(x, ptr, label) \ 457 __put_user_size((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)), label) 458 459 #ifdef CONFIG_CC_HAS_ASM_GOTO_OUTPUT 460 #define unsafe_get_user(x, ptr, err_label) \ 461 do { \ 462 __inttype(*(ptr)) __gu_val; \ 463 __get_user_size(__gu_val, (ptr), sizeof(*(ptr)), err_label); \ 464 (x) = (__force __typeof__(*(ptr)))__gu_val; \ 465 } while (0) 466 #else // !CONFIG_CC_HAS_ASM_GOTO_OUTPUT 467 #define unsafe_get_user(x, ptr, err_label) \ 468 do { \ 469 int __gu_err; \ 470 __inttype(*(ptr)) __gu_val; \ 471 __get_user_size(__gu_val, (ptr), sizeof(*(ptr)), __gu_err); \ 472 (x) = (__force __typeof__(*(ptr)))__gu_val; \ 473 if (unlikely(__gu_err)) goto err_label; \ 474 } while (0) 475 #endif // CONFIG_CC_HAS_ASM_GOTO_OUTPUT 476 477 /* 478 * We want the unsafe accessors to always be inlined and use 479 * the error labels - thus the macro games. 480 */ 481 #define unsafe_copy_loop(dst, src, len, type, label) \ 482 while (len >= sizeof(type)) { \ 483 unsafe_put_user(*(type *)(src),(type __user *)(dst),label); \ 484 dst += sizeof(type); \ 485 src += sizeof(type); \ 486 len -= sizeof(type); \ 487 } 488 489 #define unsafe_copy_to_user(_dst,_src,_len,label) \ 490 do { \ 491 char __user *__ucu_dst = (_dst); \ 492 const char *__ucu_src = (_src); \ 493 size_t __ucu_len = (_len); \ 494 unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u64, label); \ 495 unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u32, label); \ 496 unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u16, label); \ 497 unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u8, label); \ 498 } while (0) 499 500 #ifdef CONFIG_CC_HAS_ASM_GOTO_OUTPUT 501 #define __get_kernel_nofault(dst, src, type, err_label) \ 502 __get_user_size(*((type *)(dst)), (__force type __user *)(src), \ 503 sizeof(type), err_label) 504 #else // !CONFIG_CC_HAS_ASM_GOTO_OUTPUT 505 #define __get_kernel_nofault(dst, src, type, err_label) \ 506 do { \ 507 int __kr_err; \ 508 \ 509 __get_user_size(*((type *)(dst)), (__force type __user *)(src), \ 510 sizeof(type), __kr_err); \ 511 if (unlikely(__kr_err)) \ 512 goto err_label; \ 513 } while (0) 514 #endif // CONFIG_CC_HAS_ASM_GOTO_OUTPUT 515 516 #define __put_kernel_nofault(dst, src, type, err_label) \ 517 __put_user_size(*((type *)(src)), (__force type __user *)(dst), \ 518 sizeof(type), err_label) 519 520 #endif /* _ASM_X86_UACCESS_H */ 521 522