1 /*
2 * arch/arm/include/asm/uaccess.h
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
7 */
8 #ifndef _ASMARM_UACCESS_H
9 #define _ASMARM_UACCESS_H
10
11 /*
12 * User space memory access functions
13 */
14 #include <linux/string.h>
15 #include <linux/thread_info.h>
16 #include <asm/errno.h>
17 #include <asm/memory.h>
18 #include <asm/domain.h>
19 #include <asm/unified.h>
20 #include <asm/compiler.h>
21
22 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
23 #include <asm-generic/uaccess-unaligned.h>
24 #else
25 #define __get_user_unaligned __get_user
26 #define __put_user_unaligned __put_user
27 #endif
28
29 #define VERIFY_READ 0
30 #define VERIFY_WRITE 1
31
32 /*
33 * The exception table consists of pairs of addresses: the first is the
34 * address of an instruction that is allowed to fault, and the second is
35 * the address at which the program should continue. No registers are
36 * modified, so it is entirely up to the continuation code to figure out
37 * what to do.
38 *
39 * All the routines below use bits of fixup code that are out of line
40 * with the main instruction path. This means when everything is well,
41 * we don't even have to jump over them. Further, they do not intrude
42 * on our cache or tlb entries.
43 */
44
45 struct exception_table_entry
46 {
47 unsigned long insn, fixup;
48 };
49
50 extern int fixup_exception(struct pt_regs *regs);
51
52 /*
53 * These two functions allow hooking accesses to userspace to increase
54 * system integrity by ensuring that the kernel can not inadvertantly
55 * perform such accesses (eg, via list poison values) which could then
56 * be exploited for priviledge escalation.
57 */
uaccess_save_and_enable(void)58 static inline unsigned int uaccess_save_and_enable(void)
59 {
60 #ifdef CONFIG_CPU_SW_DOMAIN_PAN
61 unsigned int old_domain = get_domain();
62
63 /* Set the current domain access to permit user accesses */
64 set_domain((old_domain & ~domain_mask(DOMAIN_USER)) |
65 domain_val(DOMAIN_USER, DOMAIN_CLIENT));
66
67 return old_domain;
68 #else
69 return 0;
70 #endif
71 }
72
uaccess_restore(unsigned int flags)73 static inline void uaccess_restore(unsigned int flags)
74 {
75 #ifdef CONFIG_CPU_SW_DOMAIN_PAN
76 /* Restore the user access mask */
77 set_domain(flags);
78 #endif
79 }
80
81 /*
82 * These two are intentionally not defined anywhere - if the kernel
83 * code generates any references to them, that's a bug.
84 */
85 extern int __get_user_bad(void);
86 extern int __put_user_bad(void);
87
88 /*
89 * Note that this is actually 0x1,0000,0000
90 */
91 #define KERNEL_DS 0x00000000
92 #define get_ds() (KERNEL_DS)
93
94 #ifdef CONFIG_MMU
95
96 #define USER_DS TASK_SIZE
97 #define get_fs() (current_thread_info()->addr_limit)
98
set_fs(mm_segment_t fs)99 static inline void set_fs(mm_segment_t fs)
100 {
101 current_thread_info()->addr_limit = fs;
102
103 /*
104 * Prevent a mispredicted conditional call to set_fs from forwarding
105 * the wrong address limit to access_ok under speculation.
106 */
107 dsb(nsh);
108 isb();
109
110 modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER);
111 }
112
113 #define segment_eq(a, b) ((a) == (b))
114
115 #define __addr_ok(addr) ({ \
116 unsigned long flag; \
117 __asm__("cmp %2, %0; movlo %0, #0" \
118 : "=&r" (flag) \
119 : "0" (current_thread_info()->addr_limit), "r" (addr) \
120 : "cc"); \
121 (flag == 0); })
122
123 /* We use 33-bit arithmetic here... */
124 #define __range_ok(addr, size) ({ \
125 unsigned long flag, roksum; \
126 __chk_user_ptr(addr); \
127 __asm__("adds %1, %2, %3; sbcccs %1, %1, %0; movcc %0, #0" \
128 : "=&r" (flag), "=&r" (roksum) \
129 : "r" (addr), "Ir" (size), "0" (current_thread_info()->addr_limit) \
130 : "cc"); \
131 flag; })
132
133 /*
134 * This is a type: either unsigned long, if the argument fits into
135 * that type, or otherwise unsigned long long.
136 */
137 #define __inttype(x) \
138 __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
139
140 /*
141 * Sanitise a uaccess pointer such that it becomes NULL if addr+size
142 * is above the current addr_limit.
143 */
144 #define uaccess_mask_range_ptr(ptr, size) \
145 ((__typeof__(ptr))__uaccess_mask_range_ptr(ptr, size))
__uaccess_mask_range_ptr(const void __user * ptr,size_t size)146 static inline void __user *__uaccess_mask_range_ptr(const void __user *ptr,
147 size_t size)
148 {
149 void __user *safe_ptr = (void __user *)ptr;
150 unsigned long tmp;
151
152 asm volatile(
153 " sub %1, %3, #1\n"
154 " subs %1, %1, %0\n"
155 " addhs %1, %1, #1\n"
156 " subhss %1, %1, %2\n"
157 " movlo %0, #0\n"
158 : "+r" (safe_ptr), "=&r" (tmp)
159 : "r" (size), "r" (current_thread_info()->addr_limit)
160 : "cc");
161
162 csdb();
163 return safe_ptr;
164 }
165
166 /*
167 * Single-value transfer routines. They automatically use the right
168 * size if we just have the right pointer type. Note that the functions
169 * which read from user space (*get_*) need to take care not to leak
170 * kernel data even if the calling code is buggy and fails to check
171 * the return value. This means zeroing out the destination variable
172 * or buffer on error. Normally this is done out of line by the
173 * fixup code, but there are a few places where it intrudes on the
174 * main code path. When we only write to user space, there is no
175 * problem.
176 */
177 extern int __get_user_1(void *);
178 extern int __get_user_2(void *);
179 extern int __get_user_4(void *);
180 extern int __get_user_32t_8(void *);
181 extern int __get_user_8(void *);
182 extern int __get_user_64t_1(void *);
183 extern int __get_user_64t_2(void *);
184 extern int __get_user_64t_4(void *);
185
186 #define __GUP_CLOBBER_1 "lr", "cc"
187 #ifdef CONFIG_CPU_USE_DOMAINS
188 #define __GUP_CLOBBER_2 "ip", "lr", "cc"
189 #else
190 #define __GUP_CLOBBER_2 "lr", "cc"
191 #endif
192 #define __GUP_CLOBBER_4 "lr", "cc"
193 #define __GUP_CLOBBER_32t_8 "lr", "cc"
194 #define __GUP_CLOBBER_8 "lr", "cc"
195
196 #define __get_user_x(__r2, __p, __e, __l, __s) \
197 __asm__ __volatile__ ( \
198 __asmeq("%0", "r0") __asmeq("%1", "r2") \
199 __asmeq("%3", "r1") \
200 "bl __get_user_" #__s \
201 : "=&r" (__e), "=r" (__r2) \
202 : "0" (__p), "r" (__l) \
203 : __GUP_CLOBBER_##__s)
204
205 /* narrowing a double-word get into a single 32bit word register: */
206 #ifdef __ARMEB__
207 #define __get_user_x_32t(__r2, __p, __e, __l, __s) \
208 __get_user_x(__r2, __p, __e, __l, 32t_8)
209 #else
210 #define __get_user_x_32t __get_user_x
211 #endif
212
213 /*
214 * storing result into proper least significant word of 64bit target var,
215 * different only for big endian case where 64 bit __r2 lsw is r3:
216 */
217 #ifdef __ARMEB__
218 #define __get_user_x_64t(__r2, __p, __e, __l, __s) \
219 __asm__ __volatile__ ( \
220 __asmeq("%0", "r0") __asmeq("%1", "r2") \
221 __asmeq("%3", "r1") \
222 "bl __get_user_64t_" #__s \
223 : "=&r" (__e), "=r" (__r2) \
224 : "0" (__p), "r" (__l) \
225 : __GUP_CLOBBER_##__s)
226 #else
227 #define __get_user_x_64t __get_user_x
228 #endif
229
230
231 #define __get_user_check(x, p) \
232 ({ \
233 unsigned long __limit = current_thread_info()->addr_limit - 1; \
234 register const typeof(*(p)) __user *__p asm("r0") = (p);\
235 register __inttype(x) __r2 asm("r2"); \
236 register unsigned long __l asm("r1") = __limit; \
237 register int __e asm("r0"); \
238 unsigned int __ua_flags = uaccess_save_and_enable(); \
239 switch (sizeof(*(__p))) { \
240 case 1: \
241 if (sizeof((x)) >= 8) \
242 __get_user_x_64t(__r2, __p, __e, __l, 1); \
243 else \
244 __get_user_x(__r2, __p, __e, __l, 1); \
245 break; \
246 case 2: \
247 if (sizeof((x)) >= 8) \
248 __get_user_x_64t(__r2, __p, __e, __l, 2); \
249 else \
250 __get_user_x(__r2, __p, __e, __l, 2); \
251 break; \
252 case 4: \
253 if (sizeof((x)) >= 8) \
254 __get_user_x_64t(__r2, __p, __e, __l, 4); \
255 else \
256 __get_user_x(__r2, __p, __e, __l, 4); \
257 break; \
258 case 8: \
259 if (sizeof((x)) < 8) \
260 __get_user_x_32t(__r2, __p, __e, __l, 4); \
261 else \
262 __get_user_x(__r2, __p, __e, __l, 8); \
263 break; \
264 default: __e = __get_user_bad(); break; \
265 } \
266 uaccess_restore(__ua_flags); \
267 x = (typeof(*(p))) __r2; \
268 __e; \
269 })
270
271 #define get_user(x, p) \
272 ({ \
273 might_fault(); \
274 __get_user_check(x, p); \
275 })
276
277 extern int __put_user_1(void *, unsigned int);
278 extern int __put_user_2(void *, unsigned int);
279 extern int __put_user_4(void *, unsigned int);
280 extern int __put_user_8(void *, unsigned long long);
281
282 #define __put_user_check(__pu_val, __ptr, __err, __s) \
283 ({ \
284 unsigned long __limit = current_thread_info()->addr_limit - 1; \
285 register typeof(__pu_val) __r2 asm("r2") = __pu_val; \
286 register const void __user *__p asm("r0") = __ptr; \
287 register unsigned long __l asm("r1") = __limit; \
288 register int __e asm("r0"); \
289 __asm__ __volatile__ ( \
290 __asmeq("%0", "r0") __asmeq("%2", "r2") \
291 __asmeq("%3", "r1") \
292 "bl __put_user_" #__s \
293 : "=&r" (__e) \
294 : "0" (__p), "r" (__r2), "r" (__l) \
295 : "ip", "lr", "cc"); \
296 __err = __e; \
297 })
298
299 #else /* CONFIG_MMU */
300
301 /*
302 * uClinux has only one addr space, so has simplified address limits.
303 */
304 #define USER_DS KERNEL_DS
305
306 #define segment_eq(a, b) (1)
307 #define __addr_ok(addr) ((void)(addr), 1)
308 #define __range_ok(addr, size) ((void)(addr), 0)
309 #define get_fs() (KERNEL_DS)
310
set_fs(mm_segment_t fs)311 static inline void set_fs(mm_segment_t fs)
312 {
313 }
314
315 #define get_user(x, p) __get_user(x, p)
316 #define __put_user_check __put_user_nocheck
317
318 #endif /* CONFIG_MMU */
319
320 #define access_ok(type, addr, size) (__range_ok(addr, size) == 0)
321
322 #define user_addr_max() \
323 (segment_eq(get_fs(), KERNEL_DS) ? ~0UL : get_fs())
324
325 #ifdef CONFIG_CPU_SPECTRE
326 /*
327 * When mitigating Spectre variant 1, it is not worth fixing the non-
328 * verifying accessors, because we need to add verification of the
329 * address space there. Force these to use the standard get_user()
330 * version instead.
331 */
332 #define __get_user(x, ptr) get_user(x, ptr)
333 #else
334
335 /*
336 * The "__xxx" versions of the user access functions do not verify the
337 * address space - it must have been done previously with a separate
338 * "access_ok()" call.
339 *
340 * The "xxx_error" versions set the third argument to EFAULT if an
341 * error occurs, and leave it unchanged on success. Note that these
342 * versions are void (ie, don't return a value as such).
343 */
344 #define __get_user(x, ptr) \
345 ({ \
346 long __gu_err = 0; \
347 __get_user_err((x), (ptr), __gu_err); \
348 __gu_err; \
349 })
350
351 #define __get_user_err(x, ptr, err) \
352 do { \
353 unsigned long __gu_addr = (unsigned long)(ptr); \
354 unsigned long __gu_val; \
355 unsigned int __ua_flags; \
356 __chk_user_ptr(ptr); \
357 might_fault(); \
358 __ua_flags = uaccess_save_and_enable(); \
359 switch (sizeof(*(ptr))) { \
360 case 1: __get_user_asm_byte(__gu_val, __gu_addr, err); break; \
361 case 2: __get_user_asm_half(__gu_val, __gu_addr, err); break; \
362 case 4: __get_user_asm_word(__gu_val, __gu_addr, err); break; \
363 default: (__gu_val) = __get_user_bad(); \
364 } \
365 uaccess_restore(__ua_flags); \
366 (x) = (__typeof__(*(ptr)))__gu_val; \
367 } while (0)
368
369 #define __get_user_asm(x, addr, err, instr) \
370 __asm__ __volatile__( \
371 "1: " TUSER(instr) " %1, [%2], #0\n" \
372 "2:\n" \
373 " .pushsection .text.fixup,\"ax\"\n" \
374 " .align 2\n" \
375 "3: mov %0, %3\n" \
376 " mov %1, #0\n" \
377 " b 2b\n" \
378 " .popsection\n" \
379 " .pushsection __ex_table,\"a\"\n" \
380 " .align 3\n" \
381 " .long 1b, 3b\n" \
382 " .popsection" \
383 : "+r" (err), "=&r" (x) \
384 : "r" (addr), "i" (-EFAULT) \
385 : "cc")
386
387 #define __get_user_asm_byte(x, addr, err) \
388 __get_user_asm(x, addr, err, ldrb)
389
390 #if __LINUX_ARM_ARCH__ >= 6
391
392 #define __get_user_asm_half(x, addr, err) \
393 __get_user_asm(x, addr, err, ldrh)
394
395 #else
396
397 #ifndef __ARMEB__
398 #define __get_user_asm_half(x, __gu_addr, err) \
399 ({ \
400 unsigned long __b1, __b2; \
401 __get_user_asm_byte(__b1, __gu_addr, err); \
402 __get_user_asm_byte(__b2, __gu_addr + 1, err); \
403 (x) = __b1 | (__b2 << 8); \
404 })
405 #else
406 #define __get_user_asm_half(x, __gu_addr, err) \
407 ({ \
408 unsigned long __b1, __b2; \
409 __get_user_asm_byte(__b1, __gu_addr, err); \
410 __get_user_asm_byte(__b2, __gu_addr + 1, err); \
411 (x) = (__b1 << 8) | __b2; \
412 })
413 #endif
414
415 #endif /* __LINUX_ARM_ARCH__ >= 6 */
416
417 #define __get_user_asm_word(x, addr, err) \
418 __get_user_asm(x, addr, err, ldr)
419 #endif
420
421
422 #define __put_user_switch(x, ptr, __err, __fn) \
423 do { \
424 const __typeof__(*(ptr)) __user *__pu_ptr = (ptr); \
425 __typeof__(*(ptr)) __pu_val = (x); \
426 unsigned int __ua_flags; \
427 might_fault(); \
428 __ua_flags = uaccess_save_and_enable(); \
429 switch (sizeof(*(ptr))) { \
430 case 1: __fn(__pu_val, __pu_ptr, __err, 1); break; \
431 case 2: __fn(__pu_val, __pu_ptr, __err, 2); break; \
432 case 4: __fn(__pu_val, __pu_ptr, __err, 4); break; \
433 case 8: __fn(__pu_val, __pu_ptr, __err, 8); break; \
434 default: __err = __put_user_bad(); break; \
435 } \
436 uaccess_restore(__ua_flags); \
437 } while (0)
438
439 #define put_user(x, ptr) \
440 ({ \
441 int __pu_err = 0; \
442 __put_user_switch((x), (ptr), __pu_err, __put_user_check); \
443 __pu_err; \
444 })
445
446 #ifdef CONFIG_CPU_SPECTRE
447 /*
448 * When mitigating Spectre variant 1.1, all accessors need to include
449 * verification of the address space.
450 */
451 #define __put_user(x, ptr) put_user(x, ptr)
452
453 #else
454 #define __put_user(x, ptr) \
455 ({ \
456 long __pu_err = 0; \
457 __put_user_switch((x), (ptr), __pu_err, __put_user_nocheck); \
458 __pu_err; \
459 })
460
461 #define __put_user_nocheck(x, __pu_ptr, __err, __size) \
462 do { \
463 unsigned long __pu_addr = (unsigned long)__pu_ptr; \
464 __put_user_nocheck_##__size(x, __pu_addr, __err); \
465 } while (0)
466
467 #define __put_user_nocheck_1 __put_user_asm_byte
468 #define __put_user_nocheck_2 __put_user_asm_half
469 #define __put_user_nocheck_4 __put_user_asm_word
470 #define __put_user_nocheck_8 __put_user_asm_dword
471
472 #define __put_user_asm(x, __pu_addr, err, instr) \
473 __asm__ __volatile__( \
474 "1: " TUSER(instr) " %1, [%2], #0\n" \
475 "2:\n" \
476 " .pushsection .text.fixup,\"ax\"\n" \
477 " .align 2\n" \
478 "3: mov %0, %3\n" \
479 " b 2b\n" \
480 " .popsection\n" \
481 " .pushsection __ex_table,\"a\"\n" \
482 " .align 3\n" \
483 " .long 1b, 3b\n" \
484 " .popsection" \
485 : "+r" (err) \
486 : "r" (x), "r" (__pu_addr), "i" (-EFAULT) \
487 : "cc")
488
489 #define __put_user_asm_byte(x, __pu_addr, err) \
490 __put_user_asm(x, __pu_addr, err, strb)
491
492 #if __LINUX_ARM_ARCH__ >= 6
493
494 #define __put_user_asm_half(x, __pu_addr, err) \
495 __put_user_asm(x, __pu_addr, err, strh)
496
497 #else
498
499 #ifndef __ARMEB__
500 #define __put_user_asm_half(x, __pu_addr, err) \
501 ({ \
502 unsigned long __temp = (__force unsigned long)(x); \
503 __put_user_asm_byte(__temp, __pu_addr, err); \
504 __put_user_asm_byte(__temp >> 8, __pu_addr + 1, err); \
505 })
506 #else
507 #define __put_user_asm_half(x, __pu_addr, err) \
508 ({ \
509 unsigned long __temp = (__force unsigned long)(x); \
510 __put_user_asm_byte(__temp >> 8, __pu_addr, err); \
511 __put_user_asm_byte(__temp, __pu_addr + 1, err); \
512 })
513 #endif
514
515 #endif /* __LINUX_ARM_ARCH__ >= 6 */
516
517 #define __put_user_asm_word(x, __pu_addr, err) \
518 __put_user_asm(x, __pu_addr, err, str)
519
520 #ifndef __ARMEB__
521 #define __reg_oper0 "%R2"
522 #define __reg_oper1 "%Q2"
523 #else
524 #define __reg_oper0 "%Q2"
525 #define __reg_oper1 "%R2"
526 #endif
527
528 #define __put_user_asm_dword(x, __pu_addr, err) \
529 __asm__ __volatile__( \
530 ARM( "1: " TUSER(str) " " __reg_oper1 ", [%1], #4\n" ) \
531 ARM( "2: " TUSER(str) " " __reg_oper0 ", [%1]\n" ) \
532 THUMB( "1: " TUSER(str) " " __reg_oper1 ", [%1]\n" ) \
533 THUMB( "2: " TUSER(str) " " __reg_oper0 ", [%1, #4]\n" ) \
534 "3:\n" \
535 " .pushsection .text.fixup,\"ax\"\n" \
536 " .align 2\n" \
537 "4: mov %0, %3\n" \
538 " b 3b\n" \
539 " .popsection\n" \
540 " .pushsection __ex_table,\"a\"\n" \
541 " .align 3\n" \
542 " .long 1b, 4b\n" \
543 " .long 2b, 4b\n" \
544 " .popsection" \
545 : "+r" (err), "+r" (__pu_addr) \
546 : "r" (x), "i" (-EFAULT) \
547 : "cc")
548
549 #endif /* !CONFIG_CPU_SPECTRE */
550
551 #ifdef CONFIG_MMU
552 extern unsigned long __must_check
553 arm_copy_from_user(void *to, const void __user *from, unsigned long n);
554
555 static inline unsigned long __must_check
__copy_from_user(void * to,const void __user * from,unsigned long n)556 __copy_from_user(void *to, const void __user *from, unsigned long n)
557 {
558 unsigned int __ua_flags;
559
560 check_object_size(to, n, false);
561 __ua_flags = uaccess_save_and_enable();
562 n = arm_copy_from_user(to, from, n);
563 uaccess_restore(__ua_flags);
564 return n;
565 }
566
567 extern unsigned long __must_check
568 arm_copy_to_user(void __user *to, const void *from, unsigned long n);
569 extern unsigned long __must_check
570 __copy_to_user_std(void __user *to, const void *from, unsigned long n);
571
572 static inline unsigned long __must_check
__copy_to_user(void __user * to,const void * from,unsigned long n)573 __copy_to_user(void __user *to, const void *from, unsigned long n)
574 {
575 #ifndef CONFIG_UACCESS_WITH_MEMCPY
576 unsigned int __ua_flags;
577
578 check_object_size(from, n, true);
579 __ua_flags = uaccess_save_and_enable();
580 n = arm_copy_to_user(to, from, n);
581 uaccess_restore(__ua_flags);
582 return n;
583 #else
584 check_object_size(from, n, true);
585 return arm_copy_to_user(to, from, n);
586 #endif
587 }
588
589 extern unsigned long __must_check
590 arm_clear_user(void __user *addr, unsigned long n);
591 extern unsigned long __must_check
592 __clear_user_std(void __user *addr, unsigned long n);
593
594 static inline unsigned long __must_check
__clear_user(void __user * addr,unsigned long n)595 __clear_user(void __user *addr, unsigned long n)
596 {
597 unsigned int __ua_flags = uaccess_save_and_enable();
598 n = arm_clear_user(addr, n);
599 uaccess_restore(__ua_flags);
600 return n;
601 }
602
603 #else
604 #define __copy_from_user(to, from, n) (memcpy(to, (void __force *)from, n), 0)
605 #define __copy_to_user(to, from, n) (memcpy((void __force *)to, from, n), 0)
606 #define __clear_user(addr, n) (memset((void __force *)addr, 0, n), 0)
607 #endif
608
copy_from_user(void * to,const void __user * from,unsigned long n)609 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
610 {
611 if (access_ok(VERIFY_READ, from, n))
612 n = __copy_from_user(to, from, n);
613 else /* security hole - plug it */
614 memset(to, 0, n);
615 return n;
616 }
617
copy_to_user(void __user * to,const void * from,unsigned long n)618 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
619 {
620 if (access_ok(VERIFY_WRITE, to, n))
621 n = __copy_to_user(to, from, n);
622 return n;
623 }
624
625 #define __copy_to_user_inatomic __copy_to_user
626 #define __copy_from_user_inatomic __copy_from_user
627
clear_user(void __user * to,unsigned long n)628 static inline unsigned long __must_check clear_user(void __user *to, unsigned long n)
629 {
630 if (access_ok(VERIFY_WRITE, to, n))
631 n = __clear_user(to, n);
632 return n;
633 }
634
635 /* These are from lib/ code, and use __get_user() and friends */
636 extern long strncpy_from_user(char *dest, const char __user *src, long count);
637
638 extern __must_check long strlen_user(const char __user *str);
639 extern __must_check long strnlen_user(const char __user *str, long n);
640
641 #endif /* _ASMARM_UACCESS_H */
642