TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / hafnium / third_party / linux.git / b4b6d4a02fa8aa8187d426b508fb7f3b69df0dcc / . / arch / arm64 / include / asm / uaccess.h
blob: e66b0fca99c2f9e500788db6fa2e24693ade11c3 [file] [log] [blame]
Andrew Scullb4b6d4a2019-01-02 15:54:55 +0000[diff] [blame^]1/*
2 * Based on arch/arm/include/asm/uaccess.h
3 *
4 * Copyright (C) 2012 ARM Ltd.
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://www.gnu.org/licenses/>.
17 */
18#ifndef __ASM_UACCESS_H
19#define __ASM_UACCESS_H
20
21#include <asm/alternative.h>
22#include <asm/kernel-pgtable.h>
23#include <asm/sysreg.h>
24
25/*
26 * User space memory access functions
27 */
28#include <linux/bitops.h>
29#include <linux/kasan-checks.h>
30#include <linux/string.h>
31
32#include <asm/cpufeature.h>
33#include <asm/ptrace.h>
34#include <asm/memory.h>
35#include <asm/compiler.h>
36#include <asm/extable.h>
37
38#define get_ds() (KERNEL_DS)
39#define get_fs() (current_thread_info()->addr_limit)
40
41static inline void set_fs(mm_segment_t fs)
42{
43 current_thread_info()->addr_limit = fs;
44
45 /*
46 * Prevent a mispredicted conditional call to set_fs from forwarding
47 * the wrong address limit to access_ok under speculation.
48 */
49 dsb(nsh);
50 isb();
51
52 /* On user-mode return, check fs is correct */
53 set_thread_flag(TIF_FSCHECK);
54
55 /*
56 * Enable/disable UAO so that copy_to_user() etc can access
57 * kernel memory with the unprivileged instructions.
58 */
59 if (IS_ENABLED(CONFIG_ARM64_UAO) && fs == KERNEL_DS)
60 asm(ALTERNATIVE("nop", SET_PSTATE_UAO(1), ARM64_HAS_UAO));
61 else
62 asm(ALTERNATIVE("nop", SET_PSTATE_UAO(0), ARM64_HAS_UAO,
63 CONFIG_ARM64_UAO));
64}
65
66#define segment_eq(a, b) ((a) == (b))
67
68/*
69 * Test whether a block of memory is a valid user space address.
70 * Returns 1 if the range is valid, 0 otherwise.
71 *
72 * This is equivalent to the following test:
73 * (u65)addr + (u65)size <= (u65)current->addr_limit + 1
74 */
75static inline unsigned long __range_ok(const void __user *addr, unsigned long size)
76{
77 unsigned long ret, limit = current_thread_info()->addr_limit;
78
79 __chk_user_ptr(addr);
80 asm volatile(
81 // A + B <= C + 1 for all A,B,C, in four easy steps:
82 // 1: X = A + B; X' = X % 2^64
83 " adds %0, %3, %2\n"
84 // 2: Set C = 0 if X > 2^64, to guarantee X' > C in step 4
85 " csel %1, xzr, %1, hi\n"
86 // 3: Set X' = ~0 if X >= 2^64. For X == 2^64, this decrements X'
87 // to compensate for the carry flag being set in step 4. For
88 // X > 2^64, X' merely has to remain nonzero, which it does.
89 " csinv %0, %0, xzr, cc\n"
90 // 4: For X < 2^64, this gives us X' - C - 1 <= 0, where the -1
91 // comes from the carry in being clear. Otherwise, we are
92 // testing X' - C == 0, subject to the previous adjustments.
93 " sbcs xzr, %0, %1\n"
94 " cset %0, ls\n"
95 : "=&r" (ret), "+r" (limit) : "Ir" (size), "0" (addr) : "cc");
96
97 return ret;
98}
99
100/*
101 * When dealing with data aborts, watchpoints, or instruction traps we may end
102 * up with a tagged userland pointer. Clear the tag to get a sane pointer to
103 * pass on to access_ok(), for instance.
104 */
105#define untagged_addr(addr) sign_extend64(addr, 55)
106
107#define access_ok(type, addr, size) __range_ok(addr, size)
108#define user_addr_max get_fs
109
110#define _ASM_EXTABLE(from, to) \
111 " .pushsection __ex_table, \"a\"\n" \
112 " .align 3\n" \
113 " .long (" #from " - .), (" #to " - .)\n" \
114 " .popsection\n"
115
116/*
117 * User access enabling/disabling.
118 */
119#ifdef CONFIG_ARM64_SW_TTBR0_PAN
120static inline void __uaccess_ttbr0_disable(void)
121{
122 unsigned long flags, ttbr;
123
124 local_irq_save(flags);
125 ttbr = read_sysreg(ttbr1_el1);
126 ttbr &= ~TTBR_ASID_MASK;
127 /* reserved_ttbr0 placed before swapper_pg_dir */
128 write_sysreg(ttbr - RESERVED_TTBR0_SIZE, ttbr0_el1);
129 isb();
130 /* Set reserved ASID */
131 write_sysreg(ttbr, ttbr1_el1);
132 isb();
133 local_irq_restore(flags);
134}
135
136static inline void __uaccess_ttbr0_enable(void)
137{
138 unsigned long flags, ttbr0, ttbr1;
139
140 /*
141 * Disable interrupts to avoid preemption between reading the 'ttbr0'
142 * variable and the MSR. A context switch could trigger an ASID
143 * roll-over and an update of 'ttbr0'.
144 */
145 local_irq_save(flags);
146 ttbr0 = READ_ONCE(current_thread_info()->ttbr0);
147
148 /* Restore active ASID */
149 ttbr1 = read_sysreg(ttbr1_el1);
150 ttbr1 &= ~TTBR_ASID_MASK; /* safety measure */
151 ttbr1 |= ttbr0 & TTBR_ASID_MASK;
152 write_sysreg(ttbr1, ttbr1_el1);
153 isb();
154
155 /* Restore user page table */
156 write_sysreg(ttbr0, ttbr0_el1);
157 isb();
158 local_irq_restore(flags);
159}
160
161static inline bool uaccess_ttbr0_disable(void)
162{
163 if (!system_uses_ttbr0_pan())
164 return false;
165 __uaccess_ttbr0_disable();
166 return true;
167}
168
169static inline bool uaccess_ttbr0_enable(void)
170{
171 if (!system_uses_ttbr0_pan())
172 return false;
173 __uaccess_ttbr0_enable();
174 return true;
175}
176#else
177static inline bool uaccess_ttbr0_disable(void)
178{
179 return false;
180}
181
182static inline bool uaccess_ttbr0_enable(void)
183{
184 return false;
185}
186#endif
187
188static inline void __uaccess_disable_hw_pan(void)
189{
190 asm(ALTERNATIVE("nop", SET_PSTATE_PAN(0), ARM64_HAS_PAN,
191 CONFIG_ARM64_PAN));
192}
193
194static inline void __uaccess_enable_hw_pan(void)
195{
196 asm(ALTERNATIVE("nop", SET_PSTATE_PAN(1), ARM64_HAS_PAN,
197 CONFIG_ARM64_PAN));
198}
199
200#define __uaccess_disable(alt) \
201do { \
202 if (!uaccess_ttbr0_disable()) \
203 asm(ALTERNATIVE("nop", SET_PSTATE_PAN(1), alt, \
204 CONFIG_ARM64_PAN)); \
205} while (0)
206
207#define __uaccess_enable(alt) \
208do { \
209 if (!uaccess_ttbr0_enable()) \
210 asm(ALTERNATIVE("nop", SET_PSTATE_PAN(0), alt, \
211 CONFIG_ARM64_PAN)); \
212} while (0)
213
214static inline void uaccess_disable(void)
215{
216 __uaccess_disable(ARM64_HAS_PAN);
217}
218
219static inline void uaccess_enable(void)
220{
221 __uaccess_enable(ARM64_HAS_PAN);
222}
223
224/*
225 * These functions are no-ops when UAO is present.
226 */
227static inline void uaccess_disable_not_uao(void)
228{
229 __uaccess_disable(ARM64_ALT_PAN_NOT_UAO);
230}
231
232static inline void uaccess_enable_not_uao(void)
233{
234 __uaccess_enable(ARM64_ALT_PAN_NOT_UAO);
235}
236
237/*
238 * Sanitise a uaccess pointer such that it becomes NULL if above the
239 * current addr_limit.
240 */
241#define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr)
242static inline void __user *__uaccess_mask_ptr(const void __user *ptr)
243{
244 void __user *safe_ptr;
245
246 asm volatile(
247 " bics xzr, %1, %2\n"
248 " csel %0, %1, xzr, eq\n"
249 : "=&r" (safe_ptr)
250 : "r" (ptr), "r" (current_thread_info()->addr_limit)
251 : "cc");
252
253 csdb();
254 return safe_ptr;
255}
256
257/*
258 * The "__xxx" versions of the user access functions do not verify the address
259 * space - it must have been done previously with a separate "access_ok()"
260 * call.
261 *
262 * The "__xxx_error" versions set the third argument to -EFAULT if an error
263 * occurs, and leave it unchanged on success.
264 */
265#define __get_user_asm(instr, alt_instr, reg, x, addr, err, feature) \
266 asm volatile( \
267 "1:"ALTERNATIVE(instr " " reg "1, [%2]\n", \
268 alt_instr " " reg "1, [%2]\n", feature) \
269 "2:\n" \
270 " .section .fixup, \"ax\"\n" \
271 " .align 2\n" \
272 "3: mov %w0, %3\n" \
273 " mov %1, #0\n" \
274 " b 2b\n" \
275 " .previous\n" \
276 _ASM_EXTABLE(1b, 3b) \
277 : "+r" (err), "=&r" (x) \
278 : "r" (addr), "i" (-EFAULT))
279
280#define __get_user_err(x, ptr, err) \
281do { \
282 unsigned long __gu_val; \
283 __chk_user_ptr(ptr); \
284 uaccess_enable_not_uao(); \
285 switch (sizeof(*(ptr))) { \
286 case 1: \
287 __get_user_asm("ldrb", "ldtrb", "%w", __gu_val, (ptr), \
288 (err), ARM64_HAS_UAO); \
289 break; \
290 case 2: \
291 __get_user_asm("ldrh", "ldtrh", "%w", __gu_val, (ptr), \
292 (err), ARM64_HAS_UAO); \
293 break; \
294 case 4: \
295 __get_user_asm("ldr", "ldtr", "%w", __gu_val, (ptr), \
296 (err), ARM64_HAS_UAO); \
297 break; \
298 case 8: \
299 __get_user_asm("ldr", "ldtr", "%x", __gu_val, (ptr), \
300 (err), ARM64_HAS_UAO); \
301 break; \
302 default: \
303 BUILD_BUG(); \
304 } \
305 uaccess_disable_not_uao(); \
306 (x) = (__force __typeof__(*(ptr)))__gu_val; \
307} while (0)
308
309#define __get_user_check(x, ptr, err) \
310({ \
311 __typeof__(*(ptr)) __user *__p = (ptr); \
312 might_fault(); \
313 if (access_ok(VERIFY_READ, __p, sizeof(*__p))) { \
314 __p = uaccess_mask_ptr(__p); \
315 __get_user_err((x), __p, (err)); \
316 } else { \
317 (x) = 0; (err) = -EFAULT; \
318 } \
319})
320
321#define __get_user_error(x, ptr, err) \
322({ \
323 __get_user_check((x), (ptr), (err)); \
324 (void)0; \
325})
326
327#define __get_user(x, ptr) \
328({ \
329 int __gu_err = 0; \
330 __get_user_check((x), (ptr), __gu_err); \
331 __gu_err; \
332})
333
334#define get_user __get_user
335
336#define __put_user_asm(instr, alt_instr, reg, x, addr, err, feature) \
337 asm volatile( \
338 "1:"ALTERNATIVE(instr " " reg "1, [%2]\n", \
339 alt_instr " " reg "1, [%2]\n", feature) \
340 "2:\n" \
341 " .section .fixup,\"ax\"\n" \
342 " .align 2\n" \
343 "3: mov %w0, %3\n" \
344 " b 2b\n" \
345 " .previous\n" \
346 _ASM_EXTABLE(1b, 3b) \
347 : "+r" (err) \
348 : "r" (x), "r" (addr), "i" (-EFAULT))
349
350#define __put_user_err(x, ptr, err) \
351do { \
352 __typeof__(*(ptr)) __pu_val = (x); \
353 __chk_user_ptr(ptr); \
354 uaccess_enable_not_uao(); \
355 switch (sizeof(*(ptr))) { \
356 case 1: \
357 __put_user_asm("strb", "sttrb", "%w", __pu_val, (ptr), \
358 (err), ARM64_HAS_UAO); \
359 break; \
360 case 2: \
361 __put_user_asm("strh", "sttrh", "%w", __pu_val, (ptr), \
362 (err), ARM64_HAS_UAO); \
363 break; \
364 case 4: \
365 __put_user_asm("str", "sttr", "%w", __pu_val, (ptr), \
366 (err), ARM64_HAS_UAO); \
367 break; \
368 case 8: \
369 __put_user_asm("str", "sttr", "%x", __pu_val, (ptr), \
370 (err), ARM64_HAS_UAO); \
371 break; \
372 default: \
373 BUILD_BUG(); \
374 } \
375 uaccess_disable_not_uao(); \
376} while (0)
377
378#define __put_user_check(x, ptr, err) \
379({ \
380 __typeof__(*(ptr)) __user *__p = (ptr); \
381 might_fault(); \
382 if (access_ok(VERIFY_WRITE, __p, sizeof(*__p))) { \
383 __p = uaccess_mask_ptr(__p); \
384 __put_user_err((x), __p, (err)); \
385 } else { \
386 (err) = -EFAULT; \
387 } \
388})
389
390#define __put_user_error(x, ptr, err) \
391({ \
392 __put_user_check((x), (ptr), (err)); \
393 (void)0; \
394})
395
396#define __put_user(x, ptr) \
397({ \
398 int __pu_err = 0; \
399 __put_user_check((x), (ptr), __pu_err); \
400 __pu_err; \
401})
402
403#define put_user __put_user
404
405extern unsigned long __must_check __arch_copy_from_user(void *to, const void __user *from, unsigned long n);
406#define raw_copy_from_user(to, from, n) \
407({ \
408 __arch_copy_from_user((to), __uaccess_mask_ptr(from), (n)); \
409})
410
411extern unsigned long __must_check __arch_copy_to_user(void __user *to, const void *from, unsigned long n);
412#define raw_copy_to_user(to, from, n) \
413({ \
414 __arch_copy_to_user(__uaccess_mask_ptr(to), (from), (n)); \
415})
416
417extern unsigned long __must_check __arch_copy_in_user(void __user *to, const void __user *from, unsigned long n);
418#define raw_copy_in_user(to, from, n) \
419({ \
420 __arch_copy_in_user(__uaccess_mask_ptr(to), \
421 __uaccess_mask_ptr(from), (n)); \
422})
423
424#define INLINE_COPY_TO_USER
425#define INLINE_COPY_FROM_USER
426
427extern unsigned long __must_check __arch_clear_user(void __user *to, unsigned long n);
428static inline unsigned long __must_check __clear_user(void __user *to, unsigned long n)
429{
430 if (access_ok(VERIFY_WRITE, to, n))
431 n = __arch_clear_user(__uaccess_mask_ptr(to), n);
432 return n;
433}
434#define clear_user __clear_user
435
436extern long strncpy_from_user(char *dest, const char __user *src, long count);
437
438extern __must_check long strnlen_user(const char __user *str, long n);
439
440#ifdef CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE
441struct page;
442void memcpy_page_flushcache(char *to, struct page *page, size_t offset, size_t len);
443extern unsigned long __must_check __copy_user_flushcache(void *to, const void __user *from, unsigned long n);
444
445static inline int __copy_from_user_flushcache(void *dst, const void __user *src, unsigned size)
446{
447 kasan_check_write(dst, size);
448 return __copy_user_flushcache(dst, __uaccess_mask_ptr(src), size);
449}
450#endif
451
452#endif /* __ASM_UACCESS_H */