xref: /openbmc/linux/arch/x86/include/asm/uaccess.h (revision 47010c04)
1 /* SPDX-License-Identifier: GPL-2.0 */
2 #ifndef _ASM_X86_UACCESS_H
3 #define _ASM_X86_UACCESS_H
4 /*
5  * User space memory access functions
6  */
7 #include <linux/compiler.h>
8 #include <linux/kasan-checks.h>
9 #include <linux/string.h>
10 #include <asm/asm.h>
11 #include <asm/page.h>
12 #include <asm/smap.h>
13 #include <asm/extable.h>
14 
/*
 * Debug aid used by access_ok(). With CONFIG_DEBUG_ATOMIC_SLEEP enabled it
 * warns once when the caller is not in task context and page faults have
 * not been disabled. Without that option it expands to nothing.
 */
#ifdef CONFIG_DEBUG_ATOMIC_SLEEP
/* Forward declaration only; the definition is not visible in this header. */
static inline bool pagefault_disabled(void);
# define WARN_ON_IN_IRQ()	\
	WARN_ON_ONCE(!in_task() && !pagefault_disabled())
#else
# define WARN_ON_IN_IRQ()
#endif
22 
/**
 * access_ok - Checks if a user space pointer is valid
 * @addr: User space pointer to start of block to check
 * @size: Size of block to check
 *
 * Context: User context only. This function may sleep if pagefaults are
 *          enabled.
 *
 * Checks if a pointer to a block of memory in user space is valid.
 *
 * Note that, depending on architecture, this function probably just
 * checks that the pointer is in the user space range - after calling
 * this function, memory access functions may still return -EFAULT.
 * A true result is therefore never a reason to skip the error check on
 * the access that follows.
 *
 * The test itself is delegated to __access_ok(). WARN_ON_IN_IRQ() runs
 * first; it only does something when CONFIG_DEBUG_ATOMIC_SLEEP is set.
 *
 * Return: true (nonzero) if the memory block may be valid, false (zero)
 * if it is definitely invalid.
 */
#define access_ok(addr, size)					\
({									\
	WARN_ON_IN_IRQ();						\
	likely(__access_ok(addr, size));				\
})
45 
46 #include <asm-generic/access_ok.h>
47 
48 extern int __get_user_1(void);
49 extern int __get_user_2(void);
50 extern int __get_user_4(void);
51 extern int __get_user_8(void);
52 extern int __get_user_nocheck_1(void);
53 extern int __get_user_nocheck_2(void);
54 extern int __get_user_nocheck_4(void);
55 extern int __get_user_nocheck_8(void);
56 extern int __get_user_bad(void);
57 
/*
 * Open and close a window of direct user-memory access by calling stac()
 * and clac(). Every begin needs a matching end on all paths, including
 * the fault path.
 *
 * __uaccess_begin_nospec() additionally issues barrier_nospec() right
 * after stac(). That is a speculation barrier: the user accesses that
 * follow are not meant to be executed speculatively ahead of an earlier
 * check such as access_ok().
 */
#define __uaccess_begin() stac()
#define __uaccess_end()   clac()
#define __uaccess_begin_nospec()	\
({					\
	stac();				\
	barrier_nospec();		\
})
65 
/*
 * This is the smallest unsigned integer type that can fit a value
 * (up to 'long long').
 *
 * The chain tries char, short, int and long in that order and falls back
 * to the type of 0ULL (unsigned long long) when none of them is big enough.
 */
#define __inttype(x) __typeof__(		\
	__typefits(x,char,			\
	  __typefits(x,short,			\
	    __typefits(x,int,			\
	      __typefits(x,long,0ULL)))))

/*
 * One selection step of __inttype(): yields (unsigned type)0 when
 * sizeof(x) <= sizeof(type), otherwise the fallback expression 'not'.
 * The choice is made at compile time by __builtin_choose_expr().
 */
#define __typefits(x,type,not) \
	__builtin_choose_expr(sizeof(x)<=sizeof(type),(unsigned type)0,not)
78 
/*
 * This is used for both get_user() and __get_user() to expand to
 * the proper special function call that has odd calling conventions
 * due to returning both a value and an error, and that depends on
 * the size of the pointer passed in.
 *
 * Careful: we have to cast the result to the type of the pointer
 * for sign reasons.
 *
 * The use of _ASM_DX as the register specifier is a bit of a
 * simplification, as gcc only cares about it as the starting point
 * and not size: for a 64-bit value it will use %ecx:%edx on 32 bits
 * (%ecx being the next register in gcc's x86 register sequence), and
 * %rdx on 64 bits.
 *
 * Clang/LLVM cares about the size of the register, but still wants
 * the base register for something that ends up being a pair.
 *
 * Operand summary: the user pointer goes in through the "a" register
 * (the input is tied to output 0) and the error code comes back in that
 * same register. The fetched value comes back in __val_gu, which is
 * pinned to _ASM_DX. The "i" operand sizeof(*(ptr)), referenced as %P4,
 * is pasted into the call target and selects the __<fn>_<size> helper.
 *
 * (x) is assigned unconditionally, so it is also written when the helper
 * reports an error. The macro evaluates to the error code.
 */
#define do_get_user_call(fn,x,ptr)					\
({									\
	int __ret_gu;							\
	register __inttype(*(ptr)) __val_gu asm("%"_ASM_DX);		\
	__chk_user_ptr(ptr);						\
	asm volatile("call __" #fn "_%P4"				\
		     : "=a" (__ret_gu), "=r" (__val_gu),		\
			ASM_CALL_CONSTRAINT				\
		     : "0" (ptr), "i" (sizeof(*(ptr))));		\
	(x) = (__force __typeof__(*(ptr))) __val_gu;			\
	__builtin_expect(__ret_gu, 0);					\
})
109 
110 /**
111  * get_user - Get a simple variable from user space.
112  * @x:   Variable to store result.
113  * @ptr: Source address, in user space.
114  *
115  * Context: User context only. This function may sleep if pagefaults are
116  *          enabled.
117  *
118  * This macro copies a single simple variable from user space to kernel
119  * space.  It supports simple types like char and int, but not larger
120  * data types like structures or arrays.
121  *
122  * @ptr must have pointer-to-simple-variable type, and the result of
123  * dereferencing @ptr must be assignable to @x without a cast.
124  *
125  * Return: zero on success, or -EFAULT on error.
126  * On error, the variable @x is set to zero.
127  */
128 #define get_user(x,ptr) ({ might_fault(); do_get_user_call(get_user,x,ptr); })
129 
130 /**
131  * __get_user - Get a simple variable from user space, with less checking.
132  * @x:   Variable to store result.
133  * @ptr: Source address, in user space.
134  *
135  * Context: User context only. This function may sleep if pagefaults are
136  *          enabled.
137  *
138  * This macro copies a single simple variable from user space to kernel
139  * space.  It supports simple types like char and int, but not larger
140  * data types like structures or arrays.
141  *
142  * @ptr must have pointer-to-simple-variable type, and the result of
143  * dereferencing @ptr must be assignable to @x without a cast.
144  *
145  * Caller must check the pointer with access_ok() before calling this
146  * function.
147  *
148  * Return: zero on success, or -EFAULT on error.
149  * On error, the variable @x is set to zero.
150  */
151 #define __get_user(x,ptr) do_get_user_call(get_user_nocheck,x,ptr)
152 
153 
/*
 * Store a 64-bit value to user memory, jumping to 'label' if the store
 * faults.
 *
 * 32-bit: x is placed in the register pair selected by the "A" constraint
 * and written with two movl instructions (%eax to offset 0, %edx to
 * offset 4). Each store has its own _ASM_EXTABLE_UA entry pointing at
 * 'label', so a fault on the second store is taken after the first half
 * has already been written.
 *
 * 64-bit: a single "q"-sized store through __put_user_goto().
 *
 * Neither variant checks the address range or opens the user-access
 * window; that is left to the caller.
 */
#ifdef CONFIG_X86_32
#define __put_user_goto_u64(x, addr, label)			\
	asm_volatile_goto("\n"					\
		     "1:	movl %%eax,0(%1)\n"		\
		     "2:	movl %%edx,4(%1)\n"		\
		     _ASM_EXTABLE_UA(1b, %l2)			\
		     _ASM_EXTABLE_UA(2b, %l2)			\
		     : : "A" (x), "r" (addr)			\
		     : : label)

#else
#define __put_user_goto_u64(x, ptr, label) \
	__put_user_goto(x, ptr, "q", "er", label)
#endif
168 
169 extern void __put_user_bad(void);
170 
171 /*
172  * Strange magic calling convention: pointer in %ecx,
173  * value in %eax(:%edx), return value in %ecx. clobbers %rbx
174  */
175 extern void __put_user_1(void);
176 extern void __put_user_2(void);
177 extern void __put_user_4(void);
178 extern void __put_user_8(void);
179 extern void __put_user_nocheck_1(void);
180 extern void __put_user_nocheck_2(void);
181 extern void __put_user_nocheck_4(void);
182 extern void __put_user_nocheck_8(void);
183 
/*
 * ptr must be evaluated and assigned to the temporary __ptr_pu before
 * the assignment of x to __val_pu, to avoid any function calls
 * involved in the ptr expression (possibly implicitly generated due
 * to KASAN) from clobbering %ax.
 *
 * Operand summary: the user pointer goes in through the "c" register
 * (the input is tied to output 0) and the error code comes back in that
 * same register. The value travels in __val_pu, which is pinned to
 * _ASM_AX. "ebx" is declared as clobbered. The [size] immediate
 * sizeof(*(ptr)) is pasted into the call target and selects the
 * __<fn>_<size> helper. The macro evaluates to the error code.
 */
#define do_put_user_call(fn,x,ptr)					\
({									\
	int __ret_pu;							\
	void __user *__ptr_pu;						\
	register __typeof__(*(ptr)) __val_pu asm("%"_ASM_AX);		\
	__chk_user_ptr(ptr);						\
	__ptr_pu = (ptr);						\
	__val_pu = (x);							\
	asm volatile("call __" #fn "_%P[size]"				\
		     : "=c" (__ret_pu),					\
			ASM_CALL_CONSTRAINT				\
		     : "0" (__ptr_pu),					\
		       "r" (__val_pu),					\
		       [size] "i" (sizeof(*(ptr)))			\
		     :"ebx");						\
	__builtin_expect(__ret_pu, 0);					\
})
207 
208 /**
209  * put_user - Write a simple value into user space.
210  * @x:   Value to copy to user space.
211  * @ptr: Destination address, in user space.
212  *
213  * Context: User context only. This function may sleep if pagefaults are
214  *          enabled.
215  *
216  * This macro copies a single simple value from kernel space to user
217  * space.  It supports simple types like char and int, but not larger
218  * data types like structures or arrays.
219  *
220  * @ptr must have pointer-to-simple-variable type, and @x must be assignable
221  * to the result of dereferencing @ptr.
222  *
223  * Return: zero on success, or -EFAULT on error.
224  */
225 #define put_user(x, ptr) ({ might_fault(); do_put_user_call(put_user,x,ptr); })
226 
227 /**
228  * __put_user - Write a simple value into user space, with less checking.
229  * @x:   Value to copy to user space.
230  * @ptr: Destination address, in user space.
231  *
232  * Context: User context only. This function may sleep if pagefaults are
233  *          enabled.
234  *
235  * This macro copies a single simple value from kernel space to user
236  * space.  It supports simple types like char and int, but not larger
237  * data types like structures or arrays.
238  *
239  * @ptr must have pointer-to-simple-variable type, and @x must be assignable
240  * to the result of dereferencing @ptr.
241  *
242  * Caller must check the pointer with access_ok() before calling this
243  * function.
244  *
245  * Return: zero on success, or -EFAULT on error.
246  */
247 #define __put_user(x, ptr) do_put_user_call(put_user_nocheck,x,ptr)
248 
/*
 * Store x to the user address ptr with one access of 'size' bytes
 * (1, 2, 4 or 8) and jump to 'label' if the store faults.
 *
 * This macro performs no access_ok() check and does not call
 * stac()/clac(); callers must have validated the range and opened the
 * user-access window themselves.
 *
 * Any other size expands to a call to __put_user_bad(), which this
 * header only declares. NOTE(review): presumably it is left undefined so
 * that an unsupported size fails at link time - confirm.
 */
#define __put_user_size(x, ptr, size, label)				\
do {									\
	__chk_user_ptr(ptr);						\
	switch (size) {							\
	case 1:								\
		__put_user_goto(x, ptr, "b", "iq", label);		\
		break;							\
	case 2:								\
		__put_user_goto(x, ptr, "w", "ir", label);		\
		break;							\
	case 4:								\
		__put_user_goto(x, ptr, "l", "ir", label);		\
		break;							\
	case 8:								\
		__put_user_goto_u64(x, ptr, label);			\
		break;							\
	default:							\
		__put_user_bad();					\
	}								\
} while (0)
269 
270 #ifdef CONFIG_CC_HAS_ASM_GOTO_OUTPUT
271 
/*
 * 64-bit load from user memory for compilers with asm-goto outputs.
 *
 * 32-bit: the value is read as two 32-bit halves, from __gu_ptr and
 * __gu_ptr+1, and then combined. A fault on either load jumps to 'label'
 * before (x) is assigned, so x keeps whatever it held before.
 *
 * 64-bit: a single "q"-sized load through __get_user_asm().
 */
#ifdef CONFIG_X86_32
#define __get_user_asm_u64(x, ptr, label) do {				\
	unsigned int __gu_low, __gu_high;				\
	const unsigned int __user *__gu_ptr;				\
	__gu_ptr = (const void __user *)(ptr);				\
	__get_user_asm(__gu_low, __gu_ptr, "l", "=r", label);		\
	__get_user_asm(__gu_high, __gu_ptr+1, "l", "=r", label);	\
	(x) = ((unsigned long long)__gu_high << 32) | __gu_low;		\
} while (0)
#else
#define __get_user_asm_u64(x, ptr, label)				\
	__get_user_asm(x, ptr, "q", "=r", label)
#endif
285 
/*
 * Load 'size' bytes (1, 2, 4 or 8) from the user address ptr into x and
 * jump to 'label' if the load faults (asm-goto-output variant).
 *
 * The 1-byte case loads into an unsigned char temporary and then assigns
 * that to (x). No access_ok() check and no stac()/clac() happen here;
 * the caller is responsible for both.
 *
 * Any other size assigns the result of __get_user_bad(), which this
 * header only declares. NOTE(review): presumably it is left undefined so
 * that an unsupported size fails at link time - confirm.
 */
#define __get_user_size(x, ptr, size, label)				\
do {									\
	__chk_user_ptr(ptr);						\
	switch (size) {							\
	case 1:	{							\
		unsigned char x_u8__;					\
		__get_user_asm(x_u8__, ptr, "b", "=q", label);		\
		(x) = x_u8__;						\
		break;							\
	}								\
	case 2:								\
		__get_user_asm(x, ptr, "w", "=r", label);		\
		break;							\
	case 4:								\
		__get_user_asm(x, ptr, "l", "=r", label);		\
		break;							\
	case 8:								\
		__get_user_asm_u64(x, ptr, label);			\
		break;							\
	default:							\
		(x) = __get_user_bad();					\
	}								\
} while (0)
309 
/*
 * One mov of width 'itype' from the user address addr into x
 * (asm-goto-output variant). 'ltype' is the output constraint for x.
 * _ASM_EXTABLE_UA ties the load to 'label' (operand %l2), so a faulting
 * load continues at that label instead of producing a value.
 */
#define __get_user_asm(x, addr, itype, ltype, label)			\
	asm_volatile_goto("\n"						\
		     "1:	mov"itype" %[umem],%[output]\n"		\
		     _ASM_EXTABLE_UA(1b, %l2)				\
		     : [output] ltype(x)				\
		     : [umem] "m" (__m(addr))				\
		     : : label)
317 
318 #else // !CONFIG_CC_HAS_ASM_GOTO_OUTPUT
319 
/*
 * 64-bit load from user memory for compilers without asm-goto outputs.
 * The error is reported through 'retval' instead of a jump.
 *
 * 32-bit: two movl loads fill %eax and %edx; x is bound to that pair with
 * the early-clobber "=&A" constraint. Both loads have an exception-table
 * entry that resumes at local label 3 and names %[errout] as the error
 * register. 'retval' is also passed in as a tied input ("0"), so it keeps
 * its incoming value when no fault occurs.
 * NOTE(review): going by the flag names, the fixup stores -EFAULT in
 * retval and clears %eax/%edx (EX_TYPE_EFAULT_REG | EX_FLAG_CLEAR_AX_DX);
 * confirm against the extable fixup code.
 *
 * 64-bit: a single "q"-sized load through __get_user_asm().
 */
#ifdef CONFIG_X86_32
#define __get_user_asm_u64(x, ptr, retval)				\
({									\
	__typeof__(ptr) __ptr = (ptr);					\
	asm volatile("\n"						\
		     "1:	movl %[lowbits],%%eax\n"		\
		     "2:	movl %[highbits],%%edx\n"		\
		     "3:\n"						\
		     _ASM_EXTABLE_TYPE_REG(1b, 3b, EX_TYPE_EFAULT_REG |	\
					   EX_FLAG_CLEAR_AX_DX,		\
					   %[errout])			\
		     _ASM_EXTABLE_TYPE_REG(2b, 3b, EX_TYPE_EFAULT_REG |	\
					   EX_FLAG_CLEAR_AX_DX,		\
					   %[errout])			\
		     : [errout] "=r" (retval),				\
		       [output] "=&A"(x)				\
		     : [lowbits] "m" (__m(__ptr)),			\
		       [highbits] "m" __m(((u32 __user *)(__ptr)) + 1),	\
		       "0" (retval));					\
})

#else
#define __get_user_asm_u64(x, ptr, retval) \
	 __get_user_asm(x, ptr, retval, "q")
#endif
345 
/*
 * Load 'size' bytes (1, 2, 4 or 8) from the user address ptr into x and
 * report a fault through 'retval' (variant without asm-goto outputs).
 *
 * retval is cleared up front because __get_user_asm() passes it in as a
 * tied input/output and leaves it untouched when the load succeeds.
 * The 1-byte case loads into an unsigned char temporary and then assigns
 * that to (x). No access_ok() check and no stac()/clac() happen here;
 * the caller is responsible for both, and must test retval afterwards.
 *
 * Any other size assigns the result of __get_user_bad(), which this
 * header only declares. NOTE(review): presumably it is left undefined so
 * that an unsupported size fails at link time - confirm.
 */
#define __get_user_size(x, ptr, size, retval)				\
do {									\
	unsigned char x_u8__;						\
									\
	retval = 0;							\
	__chk_user_ptr(ptr);						\
	switch (size) {							\
	case 1:								\
		__get_user_asm(x_u8__, ptr, retval, "b");		\
		(x) = x_u8__;						\
		break;							\
	case 2:								\
		__get_user_asm(x, ptr, retval, "w");			\
		break;							\
	case 4:								\
		__get_user_asm(x, ptr, retval, "l");			\
		break;							\
	case 8:								\
		__get_user_asm_u64(x, ptr, retval);			\
		break;							\
	default:							\
		(x) = __get_user_bad();					\
	}								\
} while (0)
370 
/*
 * One mov of width 'itype' from the user address addr into x (variant
 * without asm-goto outputs). x is bound to the "a" register.
 *
 * 'err' is both an output ("=r") and a tied input ("0"), so it keeps its
 * incoming value unless the exception fixup changes it. The exception
 * table entry resumes at local label 2 and names %[errout] as the error
 * register.
 * NOTE(review): going by the flag names, the fixup stores -EFAULT in err
 * and clears the "a" register (EX_TYPE_EFAULT_REG | EX_FLAG_CLEAR_AX), so
 * x reads as zero after a fault; confirm against the extable fixup code.
 */
#define __get_user_asm(x, addr, err, itype)				\
	asm volatile("\n"						\
		     "1:	mov"itype" %[umem],%[output]\n"		\
		     "2:\n"						\
		     _ASM_EXTABLE_TYPE_REG(1b, 2b, EX_TYPE_EFAULT_REG | \
					   EX_FLAG_CLEAR_AX,		\
					   %[errout])			\
		     : [errout] "=r" (err),				\
		       [output] "=a" (x)				\
		     : [umem] "m" (__m(addr)),				\
		       "0" (err))
382 
383 #endif // CONFIG_CC_HAS_ASM_GOTO_OUTPUT
384 
/* FIXME: this hack is definitely wrong -AK */
/*
 * __m(x) turns the user pointer x into an lvalue so it can be passed as
 * an "m" operand to the inline asm in this file. The dummy struct is far
 * larger than any single access made through it; the real access width
 * comes from the mov suffix, not from this type.
 * NOTE(review): presumably the oversized type is there so the compiler
 * does not assume that only a few bytes at x are touched - confirm.
 */
struct __large_struct { unsigned long buf[100]; };
#define __m(x) (*(struct __large_struct __user *)(x))
388 
/*
 * Tell gcc we read from memory instead of writing: this is because
 * we do not write to any memory gcc knows about, so there are no
 * aliasing issues.
 *
 * Emits one mov of width 'itype' that stores x (constraint 'ltype') to
 * the user address addr. _ASM_EXTABLE_UA ties the store to 'label'
 * (operand %l2), so a faulting store continues at that label. Range
 * checking and the user-access window are the caller's job.
 */
#define __put_user_goto(x, addr, itype, ltype, label)			\
	asm_volatile_goto("\n"						\
		"1:	mov"itype" %0,%1\n"				\
		_ASM_EXTABLE_UA(1b, %l2)				\
		: : ltype(x), "m" (__m(addr))				\
		: : label)
400 
401 extern unsigned long
402 copy_from_user_nmi(void *to, const void __user *from, unsigned long n);
403 extern __must_check long
404 strncpy_from_user(char *dst, const char __user *src, long count);
405 
406 extern __must_check long strnlen_user(const char __user *str, long n);
407 
408 unsigned long __must_check clear_user(void __user *mem, unsigned long len);
409 unsigned long __must_check __clear_user(void __user *mem, unsigned long len);
410 
411 #ifdef CONFIG_ARCH_HAS_COPY_MC
412 unsigned long __must_check
413 copy_mc_to_kernel(void *to, const void *from, unsigned len);
414 #define copy_mc_to_kernel copy_mc_to_kernel
415 
416 unsigned long __must_check
417 copy_mc_to_user(void *to, const void *from, unsigned len);
418 #endif
419 
420 /*
421  * movsl can be slow when source and dest are not both 8-byte aligned
422  */
423 #ifdef CONFIG_X86_INTEL_USERCOPY
424 extern struct movsl_mask {
425 	int mask;
426 } ____cacheline_aligned_in_smp movsl_mask;
427 #endif
428 
429 #define ARCH_HAS_NOCACHE_UACCESS 1
430 
431 #ifdef CONFIG_X86_32
432 # include <asm/uaccess_32.h>
433 #else
434 # include <asm/uaccess_64.h>
435 #endif
436 
437 /*
438  * The "unsafe" user accesses aren't really "unsafe", but the naming
439  * is a big fat warning: you have to not only do the access_ok()
440  * checking before using them, but you have to surround them with the
441  * user_access_begin/end() pair.
442  */
/**
 * user_access_begin - validate a user range and open the user-access window
 * @ptr: Start of the user space block.
 * @len: Length of the block in bytes.
 *
 * Runs access_ok() on the range. Only when that succeeds does it call
 * __uaccess_begin_nospec(), after which the unsafe_*() accessors may be
 * used until user_access_end(). When the range is rejected no window is
 * opened.
 *
 * Return: true if the window was opened, false if access_ok() rejected
 * the range. The result must be checked (__must_check).
 */
static __must_check __always_inline bool user_access_begin(const void __user *ptr, size_t len)
{
	bool range_ok = access_ok(ptr, len);

	if (unlikely(!range_ok))
		return false;

	/* stac() followed by a speculation barrier, see __uaccess_begin_nospec() */
	__uaccess_begin_nospec();
	return true;
}
/*
 * NOTE(review): the self-referential define presumably lets other headers
 * detect with #ifdef that this architecture supplies its own
 * user_access_begin() - confirm against the generic uaccess header.
 */
#define user_access_begin(a,b)	user_access_begin(a,b)
/* Closes the window opened by user_access_begin(); expands to clac(). */
#define user_access_end()	__uaccess_end()

/* Mapped directly onto smap_save() and smap_restore(). */
#define user_access_save()	smap_save()
#define user_access_restore(x)	smap_restore(x)
455 
/*
 * unsafe_put_user - store one simple value to user space.
 *
 * x is cast to the pointee type of ptr and stored with an access of
 * sizeof(*(ptr)) bytes. On a fault, control transfers to 'label'.
 * Nothing here checks the range or calls stac()/clac(): use it only
 * between a successful user_access_begin() covering the target and the
 * matching user_access_end(), and make sure the code at 'label' also
 * calls user_access_end().
 */
#define unsafe_put_user(x, ptr, label)	\
	__put_user_size((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)), label)
458 
/*
 * unsafe_get_user - load one simple value from user space.
 *
 * Both variants read sizeof(*(ptr)) bytes into a temporary of the
 * unsigned integer type __inttype(*(ptr)) and then cast it (with __force)
 * to the pointee type of ptr. Nothing here checks the range or calls
 * stac()/clac(): use it only between a successful user_access_begin()
 * covering the source and the matching user_access_end().
 *
 * With asm-goto outputs a fault jumps straight to err_label from inside
 * __get_user_size(), before (x) is assigned. Without them the error is
 * collected in __gu_err, (x) is assigned first and the jump to err_label
 * happens afterwards. Code at err_label should therefore not rely on the
 * contents of x in either configuration.
 */
#ifdef CONFIG_CC_HAS_ASM_GOTO_OUTPUT
#define unsafe_get_user(x, ptr, err_label)					\
do {										\
	__inttype(*(ptr)) __gu_val;						\
	__get_user_size(__gu_val, (ptr), sizeof(*(ptr)), err_label);		\
	(x) = (__force __typeof__(*(ptr)))__gu_val;				\
} while (0)
#else // !CONFIG_CC_HAS_ASM_GOTO_OUTPUT
#define unsafe_get_user(x, ptr, err_label)					\
do {										\
	int __gu_err;								\
	__inttype(*(ptr)) __gu_val;						\
	__get_user_size(__gu_val, (ptr), sizeof(*(ptr)), __gu_err);		\
	(x) = (__force __typeof__(*(ptr)))__gu_val;				\
	if (unlikely(__gu_err)) goto err_label;					\
} while (0)
#endif // CONFIG_CC_HAS_ASM_GOTO_OUTPUT
476 
/*
 * We want the unsafe accessors to always be inlined and use
 * the error labels - thus the macro games.
 */

/*
 * Copy as many whole 'type'-sized units as still fit in len, one
 * unsafe_put_user() per unit. dst, src and len are advanced in place, so
 * all three must be modifiable lvalues. src is read as an ordinary kernel
 * pointer; only dst is treated as a user pointer.
 */
#define unsafe_copy_loop(dst, src, len, type, label)				\
	while (len >= sizeof(type)) {						\
		unsafe_put_user(*(type *)(src),(type __user *)(dst),label);	\
		dst += sizeof(type);						\
		src += sizeof(type);						\
		len -= sizeof(type);						\
	}

/*
 * unsafe_copy_to_user - copy _len bytes from the kernel buffer _src to
 * the user buffer _dst.
 *
 * The arguments are evaluated once into locals, then the data is written
 * in u64, u32, u16 and finally u8 units. A faulting store jumps to
 * 'label'; units stored before the fault stay written, so the copy can
 * be partial. Nothing here checks the range or calls stac()/clac(): use
 * it only between a successful user_access_begin() covering
 * [_dst, _dst + _len) and the matching user_access_end().
 */
#define unsafe_copy_to_user(_dst,_src,_len,label)			\
do {									\
	char __user *__ucu_dst = (_dst);				\
	const char *__ucu_src = (_src);					\
	size_t __ucu_len = (_len);					\
	unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u64, label);	\
	unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u32, label);	\
	unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u16, label);	\
	unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u8, label);	\
} while (0)
499 
/*
 * __get_kernel_nofault - read one object of 'type' from the address src
 * into *dst, going to err_label instead of faulting.
 *
 * src is cast with __force to a __user pointer and read through
 * __get_user_size(), which reuses the exception-table handling of the
 * user accessors. This macro contains no access_ok() check and no
 * stac()/clac(). Without asm-goto outputs the error is collected in
 * __kr_err and turned into the jump afterwards.
 */
#ifdef CONFIG_CC_HAS_ASM_GOTO_OUTPUT
#define __get_kernel_nofault(dst, src, type, err_label)			\
	__get_user_size(*((type *)(dst)), (__force type __user *)(src),	\
			sizeof(type), err_label)
#else // !CONFIG_CC_HAS_ASM_GOTO_OUTPUT
#define __get_kernel_nofault(dst, src, type, err_label)			\
do {									\
	int __kr_err;							\
									\
	__get_user_size(*((type *)(dst)), (__force type __user *)(src),	\
			sizeof(type), __kr_err);			\
	if (unlikely(__kr_err))						\
		goto err_label;						\
} while (0)
#endif // CONFIG_CC_HAS_ASM_GOTO_OUTPUT
515 
/*
 * __put_kernel_nofault - write one object of 'type' from *src to the
 * address dst, going to err_label instead of faulting.
 *
 * dst is cast with __force to a __user pointer and written through
 * __put_user_size(), which reuses the exception-table handling of the
 * user accessors. This macro contains no access_ok() check and no
 * stac()/clac().
 */
#define __put_kernel_nofault(dst, src, type, err_label)			\
	__put_user_size(*((type *)(src)), (__force type __user *)(dst),	\
			sizeof(type), err_label)
519 
520 #endif /* _ASM_X86_UACCESS_H */