2 * arch/arm/include/asm/uaccess.h
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 #ifndef _ASMARM_UACCESS_H
9 #define _ASMARM_UACCESS_H
12 * User space memory access functions
14 #include <linux/string.h>
15 #include <linux/thread_info.h>
16 #include <asm/errno.h>
17 #include <asm/memory.h>
18 #include <asm/domain.h>
19 #include <asm/unified.h>
20 #include <asm/compiler.h>
22 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
23 #include <asm-generic/uaccess-unaligned.h>
25 #define __get_user_unaligned __get_user
26 #define __put_user_unaligned __put_user
30 #define VERIFY_WRITE 1
33 * The exception table consists of pairs of addresses: the first is the
34 * address of an instruction that is allowed to fault, and the second is
35 * the address at which the program should continue. No registers are
36 * modified, so it is entirely up to the continuation code to figure out
39 * All the routines below use bits of fixup code that are out of line
40 * with the main instruction path. This means when everything is well,
41 * we don't even have to jump over them. Further, they do not intrude
42 * on our cache or tlb entries.
45 struct exception_table_entry
47 unsigned long insn, fixup;
50 extern int fixup_exception(struct pt_regs *regs);
53 * These two functions allow hooking accesses to userspace to increase
54 * system integrity by ensuring that the kernel can not inadvertantly
55 * perform such accesses (eg, via list poison values) which could then
56 * be exploited for priviledge escalation.
58 static inline unsigned int uaccess_save_and_enable(void)
60 #ifdef CONFIG_CPU_SW_DOMAIN_PAN
61 unsigned int old_domain = get_domain();
63 /* Set the current domain access to permit user accesses */
64 set_domain((old_domain & ~domain_mask(DOMAIN_USER)) |
65 domain_val(DOMAIN_USER, DOMAIN_CLIENT));
73 static inline void uaccess_restore(unsigned int flags)
75 #ifdef CONFIG_CPU_SW_DOMAIN_PAN
76 /* Restore the user access mask */
82 * These two are intentionally not defined anywhere - if the kernel
83 * code generates any references to them, that's a bug.
85 extern int __get_user_bad(void);
86 extern int __put_user_bad(void);
89 * Note that this is actually 0x1,0000,0000
91 #define KERNEL_DS 0x00000000
92 #define get_ds() (KERNEL_DS)
96 #define USER_DS TASK_SIZE
97 #define get_fs() (current_thread_info()->addr_limit)
99 static inline void set_fs(mm_segment_t fs)
101 current_thread_info()->addr_limit = fs;
104 * Prevent a mispredicted conditional call to set_fs from forwarding
105 * the wrong address limit to access_ok under speculation.
110 modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER);
113 #define segment_eq(a, b) ((a) == (b))
115 #define __addr_ok(addr) ({ \
116 unsigned long flag; \
117 __asm__("cmp %2, %0; movlo %0, #0" \
119 : "0" (current_thread_info()->addr_limit), "r" (addr) \
123 /* We use 33-bit arithmetic here... */
124 #define __range_ok(addr, size) ({ \
125 unsigned long flag, roksum; \
126 __chk_user_ptr(addr); \
127 __asm__("adds %1, %2, %3; sbcccs %1, %1, %0; movcc %0, #0" \
128 : "=&r" (flag), "=&r" (roksum) \
129 : "r" (addr), "Ir" (size), "0" (current_thread_info()->addr_limit) \
134 * This is a type: either unsigned long, if the argument fits into
135 * that type, or otherwise unsigned long long.
137 #define __inttype(x) \
138 __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
141 * Sanitise a uaccess pointer such that it becomes NULL if addr+size
142 * is above the current addr_limit.
144 #define uaccess_mask_range_ptr(ptr, size) \
145 ((__typeof__(ptr))__uaccess_mask_range_ptr(ptr, size))
146 static inline void __user *__uaccess_mask_range_ptr(const void __user *ptr,
149 void __user *safe_ptr = (void __user *)ptr;
155 " addhs %1, %1, #1\n"
156 " subhss %1, %1, %2\n"
158 : "+r" (safe_ptr), "=&r" (tmp)
159 : "r" (size), "r" (current_thread_info()->addr_limit)
167 * Single-value transfer routines. They automatically use the right
168 * size if we just have the right pointer type. Note that the functions
169 * which read from user space (*get_*) need to take care not to leak
170 * kernel data even if the calling code is buggy and fails to check
171 * the return value. This means zeroing out the destination variable
172 * or buffer on error. Normally this is done out of line by the
173 * fixup code, but there are a few places where it intrudes on the
174 * main code path. When we only write to user space, there is no
177 extern int __get_user_1(void *);
178 extern int __get_user_2(void *);
179 extern int __get_user_4(void *);
180 extern int __get_user_32t_8(void *);
181 extern int __get_user_8(void *);
182 extern int __get_user_64t_1(void *);
183 extern int __get_user_64t_2(void *);
184 extern int __get_user_64t_4(void *);
186 #define __GUP_CLOBBER_1 "lr", "cc"
187 #ifdef CONFIG_CPU_USE_DOMAINS
188 #define __GUP_CLOBBER_2 "ip", "lr", "cc"
190 #define __GUP_CLOBBER_2 "lr", "cc"
192 #define __GUP_CLOBBER_4 "lr", "cc"
193 #define __GUP_CLOBBER_32t_8 "lr", "cc"
194 #define __GUP_CLOBBER_8 "lr", "cc"
196 #define __get_user_x(__r2, __p, __e, __l, __s) \
197 __asm__ __volatile__ ( \
198 __asmeq("%0", "r0") __asmeq("%1", "r2") \
199 __asmeq("%3", "r1") \
200 "bl __get_user_" #__s \
201 : "=&r" (__e), "=r" (__r2) \
202 : "0" (__p), "r" (__l) \
203 : __GUP_CLOBBER_##__s)
205 /* narrowing a double-word get into a single 32bit word register: */
207 #define __get_user_x_32t(__r2, __p, __e, __l, __s) \
208 __get_user_x(__r2, __p, __e, __l, 32t_8)
210 #define __get_user_x_32t __get_user_x
214 * storing result into proper least significant word of 64bit target var,
215 * different only for big endian case where 64 bit __r2 lsw is r3:
218 #define __get_user_x_64t(__r2, __p, __e, __l, __s) \
219 __asm__ __volatile__ ( \
220 __asmeq("%0", "r0") __asmeq("%1", "r2") \
221 __asmeq("%3", "r1") \
222 "bl __get_user_64t_" #__s \
223 : "=&r" (__e), "=r" (__r2) \
224 : "0" (__p), "r" (__l) \
225 : __GUP_CLOBBER_##__s)
227 #define __get_user_x_64t __get_user_x
231 #define __get_user_check(x, p) \
233 unsigned long __limit = current_thread_info()->addr_limit - 1; \
234 register const typeof(*(p)) __user *__p asm("r0") = (p);\
235 register __inttype(x) __r2 asm("r2"); \
236 register unsigned long __l asm("r1") = __limit; \
237 register int __e asm("r0"); \
238 unsigned int __ua_flags = uaccess_save_and_enable(); \
239 switch (sizeof(*(__p))) { \
241 if (sizeof((x)) >= 8) \
242 __get_user_x_64t(__r2, __p, __e, __l, 1); \
244 __get_user_x(__r2, __p, __e, __l, 1); \
247 if (sizeof((x)) >= 8) \
248 __get_user_x_64t(__r2, __p, __e, __l, 2); \
250 __get_user_x(__r2, __p, __e, __l, 2); \
253 if (sizeof((x)) >= 8) \
254 __get_user_x_64t(__r2, __p, __e, __l, 4); \
256 __get_user_x(__r2, __p, __e, __l, 4); \
259 if (sizeof((x)) < 8) \
260 __get_user_x_32t(__r2, __p, __e, __l, 4); \
262 __get_user_x(__r2, __p, __e, __l, 8); \
264 default: __e = __get_user_bad(); break; \
266 uaccess_restore(__ua_flags); \
267 x = (typeof(*(p))) __r2; \
271 #define get_user(x, p) \
274 __get_user_check(x, p); \
277 extern int __put_user_1(void *, unsigned int);
278 extern int __put_user_2(void *, unsigned int);
279 extern int __put_user_4(void *, unsigned int);
280 extern int __put_user_8(void *, unsigned long long);
282 #define __put_user_check(__pu_val, __ptr, __err, __s) \
284 unsigned long __limit = current_thread_info()->addr_limit - 1; \
285 register typeof(__pu_val) __r2 asm("r2") = __pu_val; \
286 register const void __user *__p asm("r0") = __ptr; \
287 register unsigned long __l asm("r1") = __limit; \
288 register int __e asm("r0"); \
289 __asm__ __volatile__ ( \
290 __asmeq("%0", "r0") __asmeq("%2", "r2") \
291 __asmeq("%3", "r1") \
292 "bl __put_user_" #__s \
294 : "0" (__p), "r" (__r2), "r" (__l) \
295 : "ip", "lr", "cc"); \
299 #else /* CONFIG_MMU */
302 * uClinux has only one addr space, so has simplified address limits.
304 #define USER_DS KERNEL_DS
306 #define segment_eq(a, b) (1)
307 #define __addr_ok(addr) ((void)(addr), 1)
308 #define __range_ok(addr, size) ((void)(addr), 0)
309 #define get_fs() (KERNEL_DS)
311 static inline void set_fs(mm_segment_t fs)
315 #define get_user(x, p) __get_user(x, p)
316 #define __put_user_check __put_user_nocheck
318 #endif /* CONFIG_MMU */
320 #define access_ok(type, addr, size) (__range_ok(addr, size) == 0)
322 #define user_addr_max() \
323 (segment_eq(get_fs(), KERNEL_DS) ? ~0UL : get_fs())
325 #ifdef CONFIG_CPU_SPECTRE
327 * When mitigating Spectre variant 1, it is not worth fixing the non-
328 * verifying accessors, because we need to add verification of the
329 * address space there. Force these to use the standard get_user()
332 #define __get_user(x, ptr) get_user(x, ptr)
336 * The "__xxx" versions of the user access functions do not verify the
337 * address space - it must have been done previously with a separate
338 * "access_ok()" call.
340 * The "xxx_error" versions set the third argument to EFAULT if an
341 * error occurs, and leave it unchanged on success. Note that these
342 * versions are void (ie, don't return a value as such).
344 #define __get_user(x, ptr) \
347 __get_user_err((x), (ptr), __gu_err); \
351 #define __get_user_err(x, ptr, err) \
353 unsigned long __gu_addr = (unsigned long)(ptr); \
354 unsigned long __gu_val; \
355 unsigned int __ua_flags; \
356 __chk_user_ptr(ptr); \
358 __ua_flags = uaccess_save_and_enable(); \
359 switch (sizeof(*(ptr))) { \
360 case 1: __get_user_asm_byte(__gu_val, __gu_addr, err); break; \
361 case 2: __get_user_asm_half(__gu_val, __gu_addr, err); break; \
362 case 4: __get_user_asm_word(__gu_val, __gu_addr, err); break; \
363 default: (__gu_val) = __get_user_bad(); \
365 uaccess_restore(__ua_flags); \
366 (x) = (__typeof__(*(ptr)))__gu_val; \
369 #define __get_user_asm(x, addr, err, instr) \
370 __asm__ __volatile__( \
371 "1: " TUSER(instr) " %1, [%2], #0\n" \
373 " .pushsection .text.fixup,\"ax\"\n" \
379 " .pushsection __ex_table,\"a\"\n" \
383 : "+r" (err), "=&r" (x) \
384 : "r" (addr), "i" (-EFAULT) \
387 #define __get_user_asm_byte(x, addr, err) \
388 __get_user_asm(x, addr, err, ldrb)
390 #if __LINUX_ARM_ARCH__ >= 6
392 #define __get_user_asm_half(x, addr, err) \
393 __get_user_asm(x, addr, err, ldrh)
398 #define __get_user_asm_half(x, __gu_addr, err) \
400 unsigned long __b1, __b2; \
401 __get_user_asm_byte(__b1, __gu_addr, err); \
402 __get_user_asm_byte(__b2, __gu_addr + 1, err); \
403 (x) = __b1 | (__b2 << 8); \
406 #define __get_user_asm_half(x, __gu_addr, err) \
408 unsigned long __b1, __b2; \
409 __get_user_asm_byte(__b1, __gu_addr, err); \
410 __get_user_asm_byte(__b2, __gu_addr + 1, err); \
411 (x) = (__b1 << 8) | __b2; \
415 #endif /* __LINUX_ARM_ARCH__ >= 6 */
417 #define __get_user_asm_word(x, addr, err) \
418 __get_user_asm(x, addr, err, ldr)
422 #define __put_user_switch(x, ptr, __err, __fn) \
424 const __typeof__(*(ptr)) __user *__pu_ptr = (ptr); \
425 __typeof__(*(ptr)) __pu_val = (x); \
426 unsigned int __ua_flags; \
428 __ua_flags = uaccess_save_and_enable(); \
429 switch (sizeof(*(ptr))) { \
430 case 1: __fn(__pu_val, __pu_ptr, __err, 1); break; \
431 case 2: __fn(__pu_val, __pu_ptr, __err, 2); break; \
432 case 4: __fn(__pu_val, __pu_ptr, __err, 4); break; \
433 case 8: __fn(__pu_val, __pu_ptr, __err, 8); break; \
434 default: __err = __put_user_bad(); break; \
436 uaccess_restore(__ua_flags); \
439 #define put_user(x, ptr) \
442 __put_user_switch((x), (ptr), __pu_err, __put_user_check); \
446 #ifdef CONFIG_CPU_SPECTRE
448 * When mitigating Spectre variant 1.1, all accessors need to include
449 * verification of the address space.
451 #define __put_user(x, ptr) put_user(x, ptr)
454 #define __put_user(x, ptr) \
457 __put_user_switch((x), (ptr), __pu_err, __put_user_nocheck); \
461 #define __put_user_nocheck(x, __pu_ptr, __err, __size) \
463 unsigned long __pu_addr = (unsigned long)__pu_ptr; \
464 __put_user_nocheck_##__size(x, __pu_addr, __err); \
467 #define __put_user_nocheck_1 __put_user_asm_byte
468 #define __put_user_nocheck_2 __put_user_asm_half
469 #define __put_user_nocheck_4 __put_user_asm_word
470 #define __put_user_nocheck_8 __put_user_asm_dword
472 #define __put_user_asm(x, __pu_addr, err, instr) \
473 __asm__ __volatile__( \
474 "1: " TUSER(instr) " %1, [%2], #0\n" \
476 " .pushsection .text.fixup,\"ax\"\n" \
481 " .pushsection __ex_table,\"a\"\n" \
486 : "r" (x), "r" (__pu_addr), "i" (-EFAULT) \
489 #define __put_user_asm_byte(x, __pu_addr, err) \
490 __put_user_asm(x, __pu_addr, err, strb)
492 #if __LINUX_ARM_ARCH__ >= 6
494 #define __put_user_asm_half(x, __pu_addr, err) \
495 __put_user_asm(x, __pu_addr, err, strh)
500 #define __put_user_asm_half(x, __pu_addr, err) \
502 unsigned long __temp = (__force unsigned long)(x); \
503 __put_user_asm_byte(__temp, __pu_addr, err); \
504 __put_user_asm_byte(__temp >> 8, __pu_addr + 1, err); \
507 #define __put_user_asm_half(x, __pu_addr, err) \
509 unsigned long __temp = (__force unsigned long)(x); \
510 __put_user_asm_byte(__temp >> 8, __pu_addr, err); \
511 __put_user_asm_byte(__temp, __pu_addr + 1, err); \
515 #endif /* __LINUX_ARM_ARCH__ >= 6 */
517 #define __put_user_asm_word(x, __pu_addr, err) \
518 __put_user_asm(x, __pu_addr, err, str)
521 #define __reg_oper0 "%R2"
522 #define __reg_oper1 "%Q2"
524 #define __reg_oper0 "%Q2"
525 #define __reg_oper1 "%R2"
528 #define __put_user_asm_dword(x, __pu_addr, err) \
529 __asm__ __volatile__( \
530 ARM( "1: " TUSER(str) " " __reg_oper1 ", [%1], #4\n" ) \
531 ARM( "2: " TUSER(str) " " __reg_oper0 ", [%1]\n" ) \
532 THUMB( "1: " TUSER(str) " " __reg_oper1 ", [%1]\n" ) \
533 THUMB( "2: " TUSER(str) " " __reg_oper0 ", [%1, #4]\n" ) \
535 " .pushsection .text.fixup,\"ax\"\n" \
540 " .pushsection __ex_table,\"a\"\n" \
545 : "+r" (err), "+r" (__pu_addr) \
546 : "r" (x), "i" (-EFAULT) \
549 #endif /* !CONFIG_CPU_SPECTRE */
552 extern unsigned long __must_check
553 arm_copy_from_user(void *to, const void __user *from, unsigned long n);
555 static inline unsigned long __must_check
556 __copy_from_user(void *to, const void __user *from, unsigned long n)
558 unsigned int __ua_flags = uaccess_save_and_enable();
559 n = arm_copy_from_user(to, from, n);
560 uaccess_restore(__ua_flags);
564 extern unsigned long __must_check
565 arm_copy_to_user(void __user *to, const void *from, unsigned long n);
566 extern unsigned long __must_check
567 __copy_to_user_std(void __user *to, const void *from, unsigned long n);
569 static inline unsigned long __must_check
570 __copy_to_user(void __user *to, const void *from, unsigned long n)
572 #ifndef CONFIG_UACCESS_WITH_MEMCPY
573 unsigned int __ua_flags = uaccess_save_and_enable();
574 n = arm_copy_to_user(to, from, n);
575 uaccess_restore(__ua_flags);
578 return arm_copy_to_user(to, from, n);
582 extern unsigned long __must_check
583 arm_clear_user(void __user *addr, unsigned long n);
584 extern unsigned long __must_check
585 __clear_user_std(void __user *addr, unsigned long n);
587 static inline unsigned long __must_check
588 __clear_user(void __user *addr, unsigned long n)
590 unsigned int __ua_flags = uaccess_save_and_enable();
591 n = arm_clear_user(addr, n);
592 uaccess_restore(__ua_flags);
597 #define __copy_from_user(to, from, n) (memcpy(to, (void __force *)from, n), 0)
598 #define __copy_to_user(to, from, n) (memcpy((void __force *)to, from, n), 0)
599 #define __clear_user(addr, n) (memset((void __force *)addr, 0, n), 0)
602 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
604 if (access_ok(VERIFY_READ, from, n))
605 n = __copy_from_user(to, from, n);
606 else /* security hole - plug it */
611 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
613 if (access_ok(VERIFY_WRITE, to, n))
614 n = __copy_to_user(to, from, n);
618 #define __copy_to_user_inatomic __copy_to_user
619 #define __copy_from_user_inatomic __copy_from_user
621 static inline unsigned long __must_check clear_user(void __user *to, unsigned long n)
623 if (access_ok(VERIFY_WRITE, to, n))
624 n = __clear_user(to, n);
628 /* These are from lib/ code, and use __get_user() and friends */
629 extern long strncpy_from_user(char *dest, const char __user *src, long count);
631 extern __must_check long strlen_user(const char __user *str);
632 extern __must_check long strnlen_user(const char __user *str, long n);
634 #endif /* _ASMARM_UACCESS_H */