Line data Source code
1 : /* SPDX-License-Identifier: GPL-2.0-only */
2 : /*
3 : * Based on arch/arm/include/asm/uaccess.h
4 : *
5 : * Copyright (C) 2012 ARM Ltd.
6 : */
7 : #ifndef __ASM_UACCESS_H
8 : #define __ASM_UACCESS_H
9 :
10 : #include <asm/alternative.h>
11 : #include <asm/kernel-pgtable.h>
12 : #include <asm/sysreg.h>
13 :
14 : /*
15 : * User space memory access functions
16 : */
17 : #include <linux/bitops.h>
18 : #include <linux/kasan-checks.h>
19 : #include <linux/string.h>
20 :
21 : #include <asm/asm-extable.h>
22 : #include <asm/cpufeature.h>
23 : #include <asm/mmu.h>
24 : #include <asm/mte.h>
25 : #include <asm/ptrace.h>
26 : #include <asm/memory.h>
27 : #include <asm/extable.h>
28 :
29 : static inline int __access_ok(const void __user *ptr, unsigned long size);
30 :
31 : /*
32 : * Test whether a block of memory is a valid user space address.
33 : * Returns 1 if the range is valid, 0 otherwise.
34 : *
35 : * This is equivalent to the following test:
36 : * (u65)addr + (u65)size <= (u65)TASK_SIZE_MAX
37 : */
38 >23099*10^7 : static inline int access_ok(const void __user *addr, unsigned long size)
39 : {
40 : /*
41 : * Asynchronous I/O running in a kernel thread does not have the
42 : * TIF_TAGGED_ADDR flag of the process owning the mm, so always untag
43 : * the user address before checking.
44 : */
45 >45002*10^7 : if (IS_ENABLED(CONFIG_ARM64_TAGGED_ADDR_ABI) &&
46 >23099*10^7 : (current->flags & PF_KTHREAD || test_thread_flag(TIF_TAGGED_ADDR)))
47 6706526725 : addr = untagged_addr(addr);
48 :
49 >22573*10^7 : return likely(__access_ok(addr, size));
50 : }
51 : #define access_ok access_ok
52 :
53 : #include <asm-generic/access_ok.h>
54 :
55 : /*
56 : * User access enabling/disabling.
57 : */
58 : #ifdef CONFIG_ARM64_SW_TTBR0_PAN
59 : static inline void __uaccess_ttbr0_disable(void)
60 : {
61 : unsigned long flags, ttbr;
62 :
63 : local_irq_save(flags);
64 : ttbr = read_sysreg(ttbr1_el1);
65 : ttbr &= ~TTBR_ASID_MASK;
66 : /* reserved_pg_dir placed before swapper_pg_dir */
67 : write_sysreg(ttbr - RESERVED_SWAPPER_OFFSET, ttbr0_el1);
68 : /* Set reserved ASID */
69 : write_sysreg(ttbr, ttbr1_el1);
70 : isb();
71 : local_irq_restore(flags);
72 : }
73 :
74 : static inline void __uaccess_ttbr0_enable(void)
75 : {
76 : unsigned long flags, ttbr0, ttbr1;
77 :
78 : /*
79 : * Disable interrupts to avoid preemption between reading the 'ttbr0'
80 : * variable and the MSR. A context switch could trigger an ASID
81 : * roll-over and an update of 'ttbr0'.
82 : */
83 : local_irq_save(flags);
84 : ttbr0 = READ_ONCE(current_thread_info()->ttbr0);
85 :
86 : /* Restore active ASID */
87 : ttbr1 = read_sysreg(ttbr1_el1);
88 : ttbr1 &= ~TTBR_ASID_MASK; /* safety measure */
89 : ttbr1 |= ttbr0 & TTBR_ASID_MASK;
90 : write_sysreg(ttbr1, ttbr1_el1);
91 :
92 : /* Restore user page table */
93 : write_sysreg(ttbr0, ttbr0_el1);
94 : isb();
95 : local_irq_restore(flags);
96 : }
97 :
98 : static inline bool uaccess_ttbr0_disable(void)
99 : {
100 : if (!system_uses_ttbr0_pan())
101 : return false;
102 : __uaccess_ttbr0_disable();
103 : return true;
104 : }
105 :
106 : static inline bool uaccess_ttbr0_enable(void)
107 : {
108 : if (!system_uses_ttbr0_pan())
109 : return false;
110 : __uaccess_ttbr0_enable();
111 : return true;
112 : }
113 : #else
114 : static inline bool uaccess_ttbr0_disable(void)
115 : {
116 : return false;
117 : }
118 :
119 : static inline bool uaccess_ttbr0_enable(void)
120 : {
121 : return false;
122 : }
123 : #endif
124 :
125 : static inline void __uaccess_disable_hw_pan(void)
126 : {
127 : asm(ALTERNATIVE("nop", SET_PSTATE_PAN(0), ARM64_HAS_PAN,
128 : CONFIG_ARM64_PAN));
129 : }
130 :
131 : static inline void __uaccess_enable_hw_pan(void)
132 : {
133 : asm(ALTERNATIVE("nop", SET_PSTATE_PAN(1), ARM64_HAS_PAN,
134 : CONFIG_ARM64_PAN));
135 : }
136 :
137 : static inline void uaccess_disable_privileged(void)
138 : {
139 : mte_disable_tco();
140 :
141 : if (uaccess_ttbr0_disable())
142 : return;
143 :
144 : __uaccess_enable_hw_pan();
145 : }
146 :
147 : static inline void uaccess_enable_privileged(void)
148 : {
149 : mte_enable_tco();
150 :
151 : if (uaccess_ttbr0_enable())
152 : return;
153 :
154 : __uaccess_disable_hw_pan();
155 : }
156 :
157 : /*
158 : * Sanitize a uaccess pointer such that it cannot reach any kernel address.
159 : *
160 : * Clearing bit 55 ensures the pointer cannot address any portion of the TTBR1
161 : * address range (i.e. any kernel address), and either the pointer falls within
162 : * the TTBR0 address range or must cause a fault.
163 : */
164 : #define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr)
165 : static inline void __user *__uaccess_mask_ptr(const void __user *ptr)
166 : {
167 >23012*10^7 : void __user *safe_ptr;
168 :
169 >23009*10^7 : asm volatile(
170 : " bic %0, %1, %2\n"
171 : : "=r" (safe_ptr)
172 : : "r" (ptr),
173 : "i" (BIT(55))
174 : );
175 :
176 >23121*10^7 : return safe_ptr;
177 : }
178 :
179 : /*
180 : * The "__xxx" versions of the user access functions do not verify the address
181 : * space - it must have been done previously with a separate "access_ok()"
182 : * call.
183 : *
184 : * The "__xxx_error" versions set the third argument to -EFAULT if an error
185 : * occurs, and leave it unchanged on success.
186 : */
187 : #define __get_mem_asm(load, reg, x, addr, err, type) \
188 : asm volatile( \
189 : "1: " load " " reg "1, [%2]\n" \
190 : "2:\n" \
191 : _ASM_EXTABLE_##type##ACCESS_ERR_ZERO(1b, 2b, %w0, %w1) \
192 : : "+r" (err), "=r" (x) \
193 : : "r" (addr))
194 :
195 : #define __raw_get_mem(ldr, x, ptr, err, type) \
196 : do { \
197 : unsigned long __gu_val; \
198 : switch (sizeof(*(ptr))) { \
199 : case 1: \
200 : __get_mem_asm(ldr "b", "%w", __gu_val, (ptr), (err), type); \
201 : break; \
202 : case 2: \
203 : __get_mem_asm(ldr "h", "%w", __gu_val, (ptr), (err), type); \
204 : break; \
205 : case 4: \
206 : __get_mem_asm(ldr, "%w", __gu_val, (ptr), (err), type); \
207 : break; \
208 : case 8: \
209 : __get_mem_asm(ldr, "%x", __gu_val, (ptr), (err), type); \
210 : break; \
211 : default: \
212 : BUILD_BUG(); \
213 : } \
214 : (x) = (__force __typeof__(*(ptr)))__gu_val; \
215 : } while (0)
216 :
217 : /*
218 : * We must not call into the scheduler between uaccess_ttbr0_enable() and
219 : * uaccess_ttbr0_disable(). As `x` and `ptr` could contain blocking functions,
220 : * we must evaluate these outside of the critical section.
221 : */
222 : #define __raw_get_user(x, ptr, err) \
223 : do { \
224 : __typeof__(*(ptr)) __user *__rgu_ptr = (ptr); \
225 : __typeof__(x) __rgu_val; \
226 : __chk_user_ptr(ptr); \
227 : \
228 : uaccess_ttbr0_enable(); \
229 : __raw_get_mem("ldtr", __rgu_val, __rgu_ptr, err, U); \
230 : uaccess_ttbr0_disable(); \
231 : \
232 : (x) = __rgu_val; \
233 : } while (0)
234 :
235 : #define __get_user_error(x, ptr, err) \
236 : do { \
237 : __typeof__(*(ptr)) __user *__p = (ptr); \
238 : might_fault(); \
239 : if (access_ok(__p, sizeof(*__p))) { \
240 : __p = uaccess_mask_ptr(__p); \
241 : __raw_get_user((x), __p, (err)); \
242 : } else { \
243 : (x) = (__force __typeof__(x))0; (err) = -EFAULT; \
244 : } \
245 : } while (0)
246 :
247 : #define __get_user(x, ptr) \
248 : ({ \
249 : int __gu_err = 0; \
250 : __get_user_error((x), (ptr), __gu_err); \
251 : __gu_err; \
252 : })
253 :
254 : #define get_user __get_user
255 :
256 : /*
257 : * We must not call into the scheduler between __mte_enable_tco_async() and
258 : * __mte_disable_tco_async(). As `dst` and `src` may contain blocking
259 : * functions, we must evaluate these outside of the critical section.
260 : */
261 : #define __get_kernel_nofault(dst, src, type, err_label) \
262 : do { \
263 : __typeof__(dst) __gkn_dst = (dst); \
264 : __typeof__(src) __gkn_src = (src); \
265 : int __gkn_err = 0; \
266 : \
267 : __mte_enable_tco_async(); \
268 : __raw_get_mem("ldr", *((type *)(__gkn_dst)), \
269 : (__force type *)(__gkn_src), __gkn_err, K); \
270 : __mte_disable_tco_async(); \
271 : \
272 : if (unlikely(__gkn_err)) \
273 : goto err_label; \
274 : } while (0)
275 :
276 : #define __put_mem_asm(store, reg, x, addr, err, type) \
277 : asm volatile( \
278 : "1: " store " " reg "1, [%2]\n" \
279 : "2:\n" \
280 : _ASM_EXTABLE_##type##ACCESS_ERR(1b, 2b, %w0) \
281 : : "+r" (err) \
282 : : "rZ" (x), "r" (addr))
283 :
284 : #define __raw_put_mem(str, x, ptr, err, type) \
285 : do { \
286 : __typeof__(*(ptr)) __pu_val = (x); \
287 : switch (sizeof(*(ptr))) { \
288 : case 1: \
289 : __put_mem_asm(str "b", "%w", __pu_val, (ptr), (err), type); \
290 : break; \
291 : case 2: \
292 : __put_mem_asm(str "h", "%w", __pu_val, (ptr), (err), type); \
293 : break; \
294 : case 4: \
295 : __put_mem_asm(str, "%w", __pu_val, (ptr), (err), type); \
296 : break; \
297 : case 8: \
298 : __put_mem_asm(str, "%x", __pu_val, (ptr), (err), type); \
299 : break; \
300 : default: \
301 : BUILD_BUG(); \
302 : } \
303 : } while (0)
304 :
305 : /*
306 : * We must not call into the scheduler between uaccess_ttbr0_enable() and
307 : * uaccess_ttbr0_disable(). As `x` and `ptr` could contain blocking functions,
308 : * we must evaluate these outside of the critical section.
309 : */
310 : #define __raw_put_user(x, ptr, err) \
311 : do { \
312 : __typeof__(*(ptr)) __user *__rpu_ptr = (ptr); \
313 : __typeof__(*(ptr)) __rpu_val = (x); \
314 : __chk_user_ptr(__rpu_ptr); \
315 : \
316 : uaccess_ttbr0_enable(); \
317 : __raw_put_mem("sttr", __rpu_val, __rpu_ptr, err, U); \
318 : uaccess_ttbr0_disable(); \
319 : } while (0)
320 :
321 : #define __put_user_error(x, ptr, err) \
322 : do { \
323 : __typeof__(*(ptr)) __user *__p = (ptr); \
324 : might_fault(); \
325 : if (access_ok(__p, sizeof(*__p))) { \
326 : __p = uaccess_mask_ptr(__p); \
327 : __raw_put_user((x), __p, (err)); \
328 : } else { \
329 : (err) = -EFAULT; \
330 : } \
331 : } while (0)
332 :
333 : #define __put_user(x, ptr) \
334 : ({ \
335 : int __pu_err = 0; \
336 : __put_user_error((x), (ptr), __pu_err); \
337 : __pu_err; \
338 : })
339 :
340 : #define put_user __put_user
341 :
342 : /*
343 : * We must not call into the scheduler between __mte_enable_tco_async() and
344 : * __mte_disable_tco_async(). As `dst` and `src` may contain blocking
345 : * functions, we must evaluate these outside of the critical section.
346 : */
347 : #define __put_kernel_nofault(dst, src, type, err_label) \
348 : do { \
349 : __typeof__(dst) __pkn_dst = (dst); \
350 : __typeof__(src) __pkn_src = (src); \
351 : int __pkn_err = 0; \
352 : \
353 : __mte_enable_tco_async(); \
354 : __raw_put_mem("str", *((type *)(__pkn_src)), \
355 : (__force type *)(__pkn_dst), __pkn_err, K); \
356 : __mte_disable_tco_async(); \
357 : \
358 : if (unlikely(__pkn_err)) \
359 : goto err_label; \
360 : } while(0)
361 :
362 : extern unsigned long __must_check __arch_copy_from_user(void *to, const void __user *from, unsigned long n);
363 : #define raw_copy_from_user(to, from, n) \
364 : ({ \
365 : unsigned long __acfu_ret; \
366 : uaccess_ttbr0_enable(); \
367 : __acfu_ret = __arch_copy_from_user((to), \
368 : __uaccess_mask_ptr(from), (n)); \
369 : uaccess_ttbr0_disable(); \
370 : __acfu_ret; \
371 : })
372 :
373 : extern unsigned long __must_check __arch_copy_to_user(void __user *to, const void *from, unsigned long n);
374 : #define raw_copy_to_user(to, from, n) \
375 : ({ \
376 : unsigned long __actu_ret; \
377 : uaccess_ttbr0_enable(); \
378 : __actu_ret = __arch_copy_to_user(__uaccess_mask_ptr(to), \
379 : (from), (n)); \
380 : uaccess_ttbr0_disable(); \
381 : __actu_ret; \
382 : })
383 :
384 : #define INLINE_COPY_TO_USER
385 : #define INLINE_COPY_FROM_USER
386 :
387 : extern unsigned long __must_check __arch_clear_user(void __user *to, unsigned long n);
388 30915556 : static inline unsigned long __must_check __clear_user(void __user *to, unsigned long n)
389 : {
390 30915556 : if (access_ok(to, n)) {
391 30916408 : uaccess_ttbr0_enable();
392 30916408 : n = __arch_clear_user(__uaccess_mask_ptr(to), n);
393 30911935 : uaccess_ttbr0_disable();
394 : }
395 30926231 : return n;
396 : }
397 : #define clear_user __clear_user
398 :
399 : extern long strncpy_from_user(char *dest, const char __user *src, long count);
400 :
401 : extern __must_check long strnlen_user(const char __user *str, long n);
402 :
403 : #ifdef CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE
404 : extern unsigned long __must_check __copy_user_flushcache(void *to, const void __user *from, unsigned long n);
405 :
406 : static inline int __copy_from_user_flushcache(void *dst, const void __user *src, unsigned size)
407 : {
408 : kasan_check_write(dst, size);
409 : return __copy_user_flushcache(dst, __uaccess_mask_ptr(src), size);
410 : }
411 : #endif
412 :
413 : #ifdef CONFIG_ARCH_HAS_SUBPAGE_FAULTS
414 :
415 : /*
416 : * Return 0 on success, the number of bytes not probed otherwise.
417 : */
418 : static inline size_t probe_subpage_writeable(const char __user *uaddr,
419 : size_t size)
420 : {
421 : if (!system_supports_mte())
422 : return 0;
423 : return mte_probe_user_range(uaddr, size);
424 : }
425 :
426 : #endif /* CONFIG_ARCH_HAS_SUBPAGE_FAULTS */
427 :
428 : #endif /* __ASM_UACCESS_H */
|
