]> git.ipfire.org Git - thirdparty/linux.git/blob - arch/arm64/include/asm/uaccess.h
projects / thirdparty / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge tag 'mm-stable-2023-04-27-15-30' of git://git.kernel.org/pub/scm/linux/kernel...
[thirdparty/linux.git] / arch / arm64 / include / asm / uaccess.h
1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /*
3 * Based on arch/arm/include/asm/uaccess.h
4 *
5 * Copyright (C) 2012 ARM Ltd.
6 */
7 #ifndef __ASM_UACCESS_H
8 #define __ASM_UACCESS_H
9
10 #include <asm/alternative.h>
11 #include <asm/kernel-pgtable.h>
12 #include <asm/sysreg.h>
13
14 /*
15 * User space memory access functions
16 */
17 #include <linux/bitops.h>
18 #include <linux/kasan-checks.h>
19 #include <linux/string.h>
20
21 #include <asm/asm-extable.h>
22 #include <asm/cpufeature.h>
23 #include <asm/mmu.h>
24 #include <asm/mte.h>
25 #include <asm/ptrace.h>
26 #include <asm/memory.h>
27 #include <asm/extable.h>
28
29 static inline int __access_ok(const void __user *ptr, unsigned long size);
30
31 /*
32 * Test whether a block of memory is a valid user space address.
33 * Returns 1 if the range is valid, 0 otherwise.
34 *
35 * This is equivalent to the following test:
36 * (u65)addr + (u65)size <= (u65)TASK_SIZE_MAX
37 */
38 static inline int access_ok(const void __user *addr, unsigned long size)
39 {
40 /*
41 * Asynchronous I/O running in a kernel thread does not have the
42 * TIF_TAGGED_ADDR flag of the process owning the mm, so always untag
43 * the user address before checking.
44 */
45 if (IS_ENABLED(CONFIG_ARM64_TAGGED_ADDR_ABI) &&
46 (current->flags & PF_KTHREAD || test_thread_flag(TIF_TAGGED_ADDR)))
47 addr = untagged_addr(addr);
48
49 return likely(__access_ok(addr, size));
50 }
51 #define access_ok access_ok
52
53 #include <asm-generic/access_ok.h>
54
55 /*
56 * User access enabling/disabling.
57 */
58 #ifdef CONFIG_ARM64_SW_TTBR0_PAN
59 static inline void __uaccess_ttbr0_disable(void)
60 {
61 unsigned long flags, ttbr;
62
63 local_irq_save(flags);
64 ttbr = read_sysreg(ttbr1_el1);
65 ttbr &= ~TTBR_ASID_MASK;
66 /* reserved_pg_dir placed before swapper_pg_dir */
67 write_sysreg(ttbr - RESERVED_SWAPPER_OFFSET, ttbr0_el1);
68 isb();
69 /* Set reserved ASID */
70 write_sysreg(ttbr, ttbr1_el1);
71 isb();
72 local_irq_restore(flags);
73 }
74
75 static inline void __uaccess_ttbr0_enable(void)
76 {
77 unsigned long flags, ttbr0, ttbr1;
78
79 /*
80 * Disable interrupts to avoid preemption between reading the 'ttbr0'
81 * variable and the MSR. A context switch could trigger an ASID
82 * roll-over and an update of 'ttbr0'.
83 */
84 local_irq_save(flags);
85 ttbr0 = READ_ONCE(current_thread_info()->ttbr0);
86
87 /* Restore active ASID */
88 ttbr1 = read_sysreg(ttbr1_el1);
89 ttbr1 &= ~TTBR_ASID_MASK; /* safety measure */
90 ttbr1 |= ttbr0 & TTBR_ASID_MASK;
91 write_sysreg(ttbr1, ttbr1_el1);
92 isb();
93
94 /* Restore user page table */
95 write_sysreg(ttbr0, ttbr0_el1);
96 isb();
97 local_irq_restore(flags);
98 }
99
100 static inline bool uaccess_ttbr0_disable(void)
101 {
102 if (!system_uses_ttbr0_pan())
103 return false;
104 __uaccess_ttbr0_disable();
105 return true;
106 }
107
108 static inline bool uaccess_ttbr0_enable(void)
109 {
110 if (!system_uses_ttbr0_pan())
111 return false;
112 __uaccess_ttbr0_enable();
113 return true;
114 }
115 #else
116 static inline bool uaccess_ttbr0_disable(void)
117 {
118 return false;
119 }
120
121 static inline bool uaccess_ttbr0_enable(void)
122 {
123 return false;
124 }
125 #endif
126
127 static inline void __uaccess_disable_hw_pan(void)
128 {
129 asm(ALTERNATIVE("nop", SET_PSTATE_PAN(0), ARM64_HAS_PAN,
130 CONFIG_ARM64_PAN));
131 }
132
133 static inline void __uaccess_enable_hw_pan(void)
134 {
135 asm(ALTERNATIVE("nop", SET_PSTATE_PAN(1), ARM64_HAS_PAN,
136 CONFIG_ARM64_PAN));
137 }
138
139 static inline void uaccess_disable_privileged(void)
140 {
141 mte_disable_tco();
142
143 if (uaccess_ttbr0_disable())
144 return;
145
146 __uaccess_enable_hw_pan();
147 }
148
149 static inline void uaccess_enable_privileged(void)
150 {
151 mte_enable_tco();
152
153 if (uaccess_ttbr0_enable())
154 return;
155
156 __uaccess_disable_hw_pan();
157 }
158
159 /*
160 * Sanitize a uaccess pointer such that it cannot reach any kernel address.
161 *
162 * Clearing bit 55 ensures the pointer cannot address any portion of the TTBR1
163 * address range (i.e. any kernel address), and either the pointer falls within
164 * the TTBR0 address range or must cause a fault.
165 */
166 #define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr)
167 static inline void __user *__uaccess_mask_ptr(const void __user *ptr)
168 {
169 void __user *safe_ptr;
170
171 asm volatile(
172 " bic %0, %1, %2\n"
173 : "=r" (safe_ptr)
174 : "r" (ptr),
175 "i" (BIT(55))
176 );
177
178 return safe_ptr;
179 }
180
181 /*
182 * The "__xxx" versions of the user access functions do not verify the address
183 * space - it must have been done previously with a separate "access_ok()"
184 * call.
185 *
186 * The "__xxx_error" versions set the third argument to -EFAULT if an error
187 * occurs, and leave it unchanged on success.
188 */
189 #define __get_mem_asm(load, reg, x, addr, err, type) \
190 asm volatile( \
191 "1: " load " " reg "1, [%2]\n" \
192 "2:\n" \
193 _ASM_EXTABLE_##type##ACCESS_ERR_ZERO(1b, 2b, %w0, %w1) \
194 : "+r" (err), "=r" (x) \
195 : "r" (addr))
196
197 #define __raw_get_mem(ldr, x, ptr, err, type) \
198 do { \
199 unsigned long __gu_val; \
200 switch (sizeof(*(ptr))) { \
201 case 1: \
202 __get_mem_asm(ldr "b", "%w", __gu_val, (ptr), (err), type); \
203 break; \
204 case 2: \
205 __get_mem_asm(ldr "h", "%w", __gu_val, (ptr), (err), type); \
206 break; \
207 case 4: \
208 __get_mem_asm(ldr, "%w", __gu_val, (ptr), (err), type); \
209 break; \
210 case 8: \
211 __get_mem_asm(ldr, "%x", __gu_val, (ptr), (err), type); \
212 break; \
213 default: \
214 BUILD_BUG(); \
215 } \
216 (x) = (__force __typeof__(*(ptr)))__gu_val; \
217 } while (0)
218
219 /*
220 * We must not call into the scheduler between uaccess_ttbr0_enable() and
221 * uaccess_ttbr0_disable(). As `x` and `ptr` could contain blocking functions,
222 * we must evaluate these outside of the critical section.
223 */
224 #define __raw_get_user(x, ptr, err) \
225 do { \
226 __typeof__(*(ptr)) __user *__rgu_ptr = (ptr); \
227 __typeof__(x) __rgu_val; \
228 __chk_user_ptr(ptr); \
229 \
230 uaccess_ttbr0_enable(); \
231 __raw_get_mem("ldtr", __rgu_val, __rgu_ptr, err, U); \
232 uaccess_ttbr0_disable(); \
233 \
234 (x) = __rgu_val; \
235 } while (0)
236
237 #define __get_user_error(x, ptr, err) \
238 do { \
239 __typeof__(*(ptr)) __user *__p = (ptr); \
240 might_fault(); \
241 if (access_ok(__p, sizeof(*__p))) { \
242 __p = uaccess_mask_ptr(__p); \
243 __raw_get_user((x), __p, (err)); \
244 } else { \
245 (x) = (__force __typeof__(x))0; (err) = -EFAULT; \
246 } \
247 } while (0)
248
249 #define __get_user(x, ptr) \
250 ({ \
251 int __gu_err = 0; \
252 __get_user_error((x), (ptr), __gu_err); \
253 __gu_err; \
254 })
255
256 #define get_user __get_user
257
258 /*
259 * We must not call into the scheduler between __mte_enable_tco_async() and
260 * __mte_disable_tco_async(). As `dst` and `src` may contain blocking
261 * functions, we must evaluate these outside of the critical section.
262 */
263 #define __get_kernel_nofault(dst, src, type, err_label) \
264 do { \
265 __typeof__(dst) __gkn_dst = (dst); \
266 __typeof__(src) __gkn_src = (src); \
267 int __gkn_err = 0; \
268 \
269 __mte_enable_tco_async(); \
270 __raw_get_mem("ldr", *((type *)(__gkn_dst)), \
271 (__force type *)(__gkn_src), __gkn_err, K); \
272 __mte_disable_tco_async(); \
273 \
274 if (unlikely(__gkn_err)) \
275 goto err_label; \
276 } while (0)
277
278 #define __put_mem_asm(store, reg, x, addr, err, type) \
279 asm volatile( \
280 "1: " store " " reg "1, [%2]\n" \
281 "2:\n" \
282 _ASM_EXTABLE_##type##ACCESS_ERR(1b, 2b, %w0) \
283 : "+r" (err) \
284 : "rZ" (x), "r" (addr))
285
286 #define __raw_put_mem(str, x, ptr, err, type) \
287 do { \
288 __typeof__(*(ptr)) __pu_val = (x); \
289 switch (sizeof(*(ptr))) { \
290 case 1: \
291 __put_mem_asm(str "b", "%w", __pu_val, (ptr), (err), type); \
292 break; \
293 case 2: \
294 __put_mem_asm(str "h", "%w", __pu_val, (ptr), (err), type); \
295 break; \
296 case 4: \
297 __put_mem_asm(str, "%w", __pu_val, (ptr), (err), type); \
298 break; \
299 case 8: \
300 __put_mem_asm(str, "%x", __pu_val, (ptr), (err), type); \
301 break; \
302 default: \
303 BUILD_BUG(); \
304 } \
305 } while (0)
306
307 /*
308 * We must not call into the scheduler between uaccess_ttbr0_enable() and
309 * uaccess_ttbr0_disable(). As `x` and `ptr` could contain blocking functions,
310 * we must evaluate these outside of the critical section.
311 */
312 #define __raw_put_user(x, ptr, err) \
313 do { \
314 __typeof__(*(ptr)) __user *__rpu_ptr = (ptr); \
315 __typeof__(*(ptr)) __rpu_val = (x); \
316 __chk_user_ptr(__rpu_ptr); \
317 \
318 uaccess_ttbr0_enable(); \
319 __raw_put_mem("sttr", __rpu_val, __rpu_ptr, err, U); \
320 uaccess_ttbr0_disable(); \
321 } while (0)
322
323 #define __put_user_error(x, ptr, err) \
324 do { \
325 __typeof__(*(ptr)) __user *__p = (ptr); \
326 might_fault(); \
327 if (access_ok(__p, sizeof(*__p))) { \
328 __p = uaccess_mask_ptr(__p); \
329 __raw_put_user((x), __p, (err)); \
330 } else { \
331 (err) = -EFAULT; \
332 } \
333 } while (0)
334
335 #define __put_user(x, ptr) \
336 ({ \
337 int __pu_err = 0; \
338 __put_user_error((x), (ptr), __pu_err); \
339 __pu_err; \
340 })
341
342 #define put_user __put_user
343
344 /*
345 * We must not call into the scheduler between __mte_enable_tco_async() and
346 * __mte_disable_tco_async(). As `dst` and `src` may contain blocking
347 * functions, we must evaluate these outside of the critical section.
348 */
349 #define __put_kernel_nofault(dst, src, type, err_label) \
350 do { \
351 __typeof__(dst) __pkn_dst = (dst); \
352 __typeof__(src) __pkn_src = (src); \
353 int __pkn_err = 0; \
354 \
355 __mte_enable_tco_async(); \
356 __raw_put_mem("str", *((type *)(__pkn_src)), \
357 (__force type *)(__pkn_dst), __pkn_err, K); \
358 __mte_disable_tco_async(); \
359 \
360 if (unlikely(__pkn_err)) \
361 goto err_label; \
362 } while(0)
363
364 extern unsigned long __must_check __arch_copy_from_user(void *to, const void __user *from, unsigned long n);
365 #define raw_copy_from_user(to, from, n) \
366 ({ \
367 unsigned long __acfu_ret; \
368 uaccess_ttbr0_enable(); \
369 __acfu_ret = __arch_copy_from_user((to), \
370 __uaccess_mask_ptr(from), (n)); \
371 uaccess_ttbr0_disable(); \
372 __acfu_ret; \
373 })
374
375 extern unsigned long __must_check __arch_copy_to_user(void __user *to, const void *from, unsigned long n);
376 #define raw_copy_to_user(to, from, n) \
377 ({ \
378 unsigned long __actu_ret; \
379 uaccess_ttbr0_enable(); \
380 __actu_ret = __arch_copy_to_user(__uaccess_mask_ptr(to), \
381 (from), (n)); \
382 uaccess_ttbr0_disable(); \
383 __actu_ret; \
384 })
385
386 #define INLINE_COPY_TO_USER
387 #define INLINE_COPY_FROM_USER
388
389 extern unsigned long __must_check __arch_clear_user(void __user *to, unsigned long n);
390 static inline unsigned long __must_check __clear_user(void __user *to, unsigned long n)
391 {
392 if (access_ok(to, n)) {
393 uaccess_ttbr0_enable();
394 n = __arch_clear_user(__uaccess_mask_ptr(to), n);
395 uaccess_ttbr0_disable();
396 }
397 return n;
398 }
399 #define clear_user __clear_user
400
401 extern long strncpy_from_user(char *dest, const char __user *src, long count);
402
403 extern __must_check long strnlen_user(const char __user *str, long n);
404
405 #ifdef CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE
406 extern unsigned long __must_check __copy_user_flushcache(void *to, const void __user *from, unsigned long n);
407
408 static inline int __copy_from_user_flushcache(void *dst, const void __user *src, unsigned size)
409 {
410 kasan_check_write(dst, size);
411 return __copy_user_flushcache(dst, __uaccess_mask_ptr(src), size);
412 }
413 #endif
414
415 #ifdef CONFIG_ARCH_HAS_SUBPAGE_FAULTS
416
417 /*
418 * Return 0 on success, the number of bytes not probed otherwise.
419 */
420 static inline size_t probe_subpage_writeable(const char __user *uaddr,
421 size_t size)
422 {
423 if (!system_supports_mte())
424 return 0;
425 return mte_probe_user_range(uaddr, size);
426 }
427
428 #endif /* CONFIG_ARCH_HAS_SUBPAGE_FAULTS */
429
430 #endif /* __ASM_UACCESS_H */
A mirror of Linus' kernel repository