include/linux/uaccess.h at 4563243edeeb3dc17355a80ec16bbfdc675702cb · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / include / linux / uaccess.h
at 4563243edeeb3dc17355a80ec16bbfdc675702cb 470 lines 15 kB view raw
  1/* SPDX-License-Identifier: GPL-2.0 */
  2#ifndef __LINUX_UACCESS_H__
  3#define __LINUX_UACCESS_H__
  4
  5#include <linux/fault-inject-usercopy.h>
  6#include <linux/instrumented.h>
  7#include <linux/minmax.h>
  8#include <linux/nospec.h>
  9#include <linux/sched.h>
 10#include <linux/thread_info.h>
 11
 12#include <asm/uaccess.h>
 13
 14/*
 15 * Architectures that support memory tagging (assigning tags to memory regions,
 16 * embedding these tags into addresses that point to these memory regions, and
 17 * checking that the memory and the pointer tags match on memory accesses)
 18 * redefine this macro to strip tags from pointers.
 19 *
 20 * Passing down mm_struct allows to define untagging rules on per-process
 21 * basis.
 22 *
 23 * It's defined as noop for architectures that don't support memory tagging.
 24 */
 25#ifndef untagged_addr
 26#define untagged_addr(addr) (addr)
 27#endif
 28
 29#ifndef untagged_addr_remote
 30#define untagged_addr_remote(mm, addr)	({		\
 31	mmap_assert_locked(mm);				\
 32	untagged_addr(addr);				\
 33})
 34#endif
 35
 36#ifdef masked_user_access_begin
 37 #define can_do_masked_user_access() 1
 38#else
 39 #define can_do_masked_user_access() 0
 40 #define masked_user_access_begin(src) NULL
 41#endif
 42
 43/*
 44 * Architectures should provide two primitives (raw_copy_{to,from}_user())
 45 * and get rid of their private instances of copy_{to,from}_user() and
 46 * __copy_{to,from}_user{,_inatomic}().
 47 *
 48 * raw_copy_{to,from}_user(to, from, size) should copy up to size bytes and
 49 * return the amount left to copy.  They should assume that access_ok() has
 50 * already been checked (and succeeded); they should *not* zero-pad anything.
 51 * No KASAN or object size checks either - those belong here.
 52 *
 53 * Both of these functions should attempt to copy size bytes starting at from
 54 * into the area starting at to.  They must not fetch or store anything
 55 * outside of those areas.  Return value must be between 0 (everything
 56 * copied successfully) and size (nothing copied).
 57 *
 58 * If raw_copy_{to,from}_user(to, from, size) returns N, size - N bytes starting
 59 * at to must become equal to the bytes fetched from the corresponding area
 60 * starting at from.  All data past to + size - N must be left unmodified.
 61 *
 62 * If copying succeeds, the return value must be 0.  If some data cannot be
 63 * fetched, it is permitted to copy less than had been fetched; the only
 64 * hard requirement is that not storing anything at all (i.e. returning size)
 65 * should happen only when nothing could be copied.  In other words, you don't
 66 * have to squeeze as much as possible - it is allowed, but not necessary.
 67 *
 68 * For raw_copy_from_user() to always points to kernel memory and no faults
 69 * on store should happen.  Interpretation of from is affected by set_fs().
 70 * For raw_copy_to_user() it's the other way round.
 71 *
 72 * Both can be inlined - it's up to architectures whether it wants to bother
 73 * with that.  They should not be used directly; they are used to implement
 74 * the 6 functions (copy_{to,from}_user(), __copy_{to,from}_user_inatomic())
 75 * that are used instead.  Out of those, __... ones are inlined.  Plain
 76 * copy_{to,from}_user() might or might not be inlined.  If you want them
 77 * inlined, have asm/uaccess.h define INLINE_COPY_{TO,FROM}_USER.
 78 *
 79 * NOTE: only copy_from_user() zero-pads the destination in case of short copy.
 80 * Neither __copy_from_user() nor __copy_from_user_inatomic() zero anything
 81 * at all; their callers absolutely must check the return value.
 82 *
 83 * Biarch ones should also provide raw_copy_in_user() - similar to the above,
 84 * but both source and destination are __user pointers (affected by set_fs()
 85 * as usual) and both source and destination can trigger faults.
 86 */
 87
 88static __always_inline __must_check unsigned long
 89__copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
 90{
 91	unsigned long res;
 92
 93	instrument_copy_from_user_before(to, from, n);
 94	check_object_size(to, n, false);
 95	res = raw_copy_from_user(to, from, n);
 96	instrument_copy_from_user_after(to, from, n, res);
 97	return res;
 98}
 99
100static __always_inline __must_check unsigned long
101__copy_from_user(void *to, const void __user *from, unsigned long n)
102{
103	unsigned long res;
104
105	might_fault();
106	instrument_copy_from_user_before(to, from, n);
107	if (should_fail_usercopy())
108		return n;
109	check_object_size(to, n, false);
110	res = raw_copy_from_user(to, from, n);
111	instrument_copy_from_user_after(to, from, n, res);
112	return res;
113}
114
115/**
116 * __copy_to_user_inatomic: - Copy a block of data into user space, with less checking.
117 * @to:   Destination address, in user space.
118 * @from: Source address, in kernel space.
119 * @n:    Number of bytes to copy.
120 *
121 * Context: User context only.
122 *
123 * Copy data from kernel space to user space.  Caller must check
124 * the specified block with access_ok() before calling this function.
125 * The caller should also make sure he pins the user space address
126 * so that we don't result in page fault and sleep.
127 */
128static __always_inline __must_check unsigned long
129__copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
130{
131	if (should_fail_usercopy())
132		return n;
133	instrument_copy_to_user(to, from, n);
134	check_object_size(from, n, true);
135	return raw_copy_to_user(to, from, n);
136}
137
138static __always_inline __must_check unsigned long
139__copy_to_user(void __user *to, const void *from, unsigned long n)
140{
141	might_fault();
142	if (should_fail_usercopy())
143		return n;
144	instrument_copy_to_user(to, from, n);
145	check_object_size(from, n, true);
146	return raw_copy_to_user(to, from, n);
147}
148
149/*
150 * Architectures that #define INLINE_COPY_TO_USER use this function
151 * directly in the normal copy_to/from_user(), the other ones go
152 * through an extern _copy_to/from_user(), which expands the same code
153 * here.
154 *
155 * Rust code always uses the extern definition.
156 */
157static inline __must_check unsigned long
158_inline_copy_from_user(void *to, const void __user *from, unsigned long n)
159{
160	unsigned long res = n;
161	might_fault();
162	if (!should_fail_usercopy() && likely(access_ok(from, n))) {
163		/*
164		 * Ensure that bad access_ok() speculation will not
165		 * lead to nasty side effects *after* the copy is
166		 * finished:
167		 */
168		barrier_nospec();
169		instrument_copy_from_user_before(to, from, n);
170		res = raw_copy_from_user(to, from, n);
171		instrument_copy_from_user_after(to, from, n, res);
172	}
173	if (unlikely(res))
174		memset(to + (n - res), 0, res);
175	return res;
176}
177extern __must_check unsigned long
178_copy_from_user(void *, const void __user *, unsigned long);
179
180static inline __must_check unsigned long
181_inline_copy_to_user(void __user *to, const void *from, unsigned long n)
182{
183	might_fault();
184	if (should_fail_usercopy())
185		return n;
186	if (access_ok(to, n)) {
187		instrument_copy_to_user(to, from, n);
188		n = raw_copy_to_user(to, from, n);
189	}
190	return n;
191}
192extern __must_check unsigned long
193_copy_to_user(void __user *, const void *, unsigned long);
194
195static __always_inline unsigned long __must_check
196copy_from_user(void *to, const void __user *from, unsigned long n)
197{
198	if (!check_copy_size(to, n, false))
199		return n;
200#ifdef INLINE_COPY_FROM_USER
201	return _inline_copy_from_user(to, from, n);
202#else
203	return _copy_from_user(to, from, n);
204#endif
205}
206
207static __always_inline unsigned long __must_check
208copy_to_user(void __user *to, const void *from, unsigned long n)
209{
210	if (!check_copy_size(from, n, true))
211		return n;
212
213#ifdef INLINE_COPY_TO_USER
214	return _inline_copy_to_user(to, from, n);
215#else
216	return _copy_to_user(to, from, n);
217#endif
218}
219
220#ifndef copy_mc_to_kernel
221/*
222 * Without arch opt-in this generic copy_mc_to_kernel() will not handle
223 * #MC (or arch equivalent) during source read.
224 */
225static inline unsigned long __must_check
226copy_mc_to_kernel(void *dst, const void *src, size_t cnt)
227{
228	memcpy(dst, src, cnt);
229	return 0;
230}
231#endif
232
233static __always_inline void pagefault_disabled_inc(void)
234{
235	current->pagefault_disabled++;
236}
237
238static __always_inline void pagefault_disabled_dec(void)
239{
240	current->pagefault_disabled--;
241}
242
243/*
244 * These routines enable/disable the pagefault handler. If disabled, it will
245 * not take any locks and go straight to the fixup table.
246 *
247 * User access methods will not sleep when called from a pagefault_disabled()
248 * environment.
249 */
250static inline void pagefault_disable(void)
251{
252	pagefault_disabled_inc();
253	/*
254	 * make sure to have issued the store before a pagefault
255	 * can hit.
256	 */
257	barrier();
258}
259
260static inline void pagefault_enable(void)
261{
262	/*
263	 * make sure to issue those last loads/stores before enabling
264	 * the pagefault handler again.
265	 */
266	barrier();
267	pagefault_disabled_dec();
268}
269
270/*
271 * Is the pagefault handler disabled? If so, user access methods will not sleep.
272 */
273static inline bool pagefault_disabled(void)
274{
275	return current->pagefault_disabled != 0;
276}
277
278/*
279 * The pagefault handler is in general disabled by pagefault_disable() or
280 * when in irq context (via in_atomic()).
281 *
282 * This function should only be used by the fault handlers. Other users should
283 * stick to pagefault_disabled().
284 * Please NEVER use preempt_disable() to disable the fault handler. With
285 * !CONFIG_PREEMPT_COUNT, this is like a NOP. So the handler won't be disabled.
286 * in_atomic() will report different values based on !CONFIG_PREEMPT_COUNT.
287 */
288#define faulthandler_disabled() (pagefault_disabled() || in_atomic())
289
290#ifndef CONFIG_ARCH_HAS_SUBPAGE_FAULTS
291
292/**
293 * probe_subpage_writeable: probe the user range for write faults at sub-page
294 *			    granularity (e.g. arm64 MTE)
295 * @uaddr: start of address range
296 * @size: size of address range
297 *
298 * Returns 0 on success, the number of bytes not probed on fault.
299 *
300 * It is expected that the caller checked for the write permission of each
301 * page in the range either by put_user() or GUP. The architecture port can
302 * implement a more efficient get_user() probing if the same sub-page faults
303 * are triggered by either a read or a write.
304 */
305static inline size_t probe_subpage_writeable(char __user *uaddr, size_t size)
306{
307	return 0;
308}
309
310#endif /* CONFIG_ARCH_HAS_SUBPAGE_FAULTS */
311
312#ifndef ARCH_HAS_NOCACHE_UACCESS
313
314static inline __must_check unsigned long
315__copy_from_user_inatomic_nocache(void *to, const void __user *from,
316				  unsigned long n)
317{
318	return __copy_from_user_inatomic(to, from, n);
319}
320
321#endif		/* ARCH_HAS_NOCACHE_UACCESS */
322
323extern __must_check int check_zeroed_user(const void __user *from, size_t size);
324
325/**
326 * copy_struct_from_user: copy a struct from userspace
327 * @dst:   Destination address, in kernel space. This buffer must be @ksize
328 *         bytes long.
329 * @ksize: Size of @dst struct.
330 * @src:   Source address, in userspace.
331 * @usize: (Alleged) size of @src struct.
332 *
333 * Copies a struct from userspace to kernel space, in a way that guarantees
334 * backwards-compatibility for struct syscall arguments (as long as future
335 * struct extensions are made such that all new fields are *appended* to the
336 * old struct, and zeroed-out new fields have the same meaning as the old
337 * struct).
338 *
339 * @ksize is just sizeof(*dst), and @usize should've been passed by userspace.
340 * The recommended usage is something like the following:
341 *
342 *   SYSCALL_DEFINE2(foobar, const struct foo __user *, uarg, size_t, usize)
343 *   {
344 *      int err;
345 *      struct foo karg = {};
346 *
347 *      if (usize > PAGE_SIZE)
348 *        return -E2BIG;
349 *      if (usize < FOO_SIZE_VER0)
350 *        return -EINVAL;
351 *
352 *      err = copy_struct_from_user(&karg, sizeof(karg), uarg, usize);
353 *      if (err)
354 *        return err;
355 *
356 *      // ...
357 *   }
358 *
359 * There are three cases to consider:
360 *  * If @usize == @ksize, then it's copied verbatim.
361 *  * If @usize < @ksize, then the userspace has passed an old struct to a
362 *    newer kernel. The rest of the trailing bytes in @dst (@ksize - @usize)
363 *    are to be zero-filled.
364 *  * If @usize > @ksize, then the userspace has passed a new struct to an
365 *    older kernel. The trailing bytes unknown to the kernel (@usize - @ksize)
366 *    are checked to ensure they are zeroed, otherwise -E2BIG is returned.
367 *
368 * Returns (in all cases, some data may have been copied):
369 *  * -E2BIG:  (@usize > @ksize) and there are non-zero trailing bytes in @src.
370 *  * -EFAULT: access to userspace failed.
371 */
372static __always_inline __must_check int
373copy_struct_from_user(void *dst, size_t ksize, const void __user *src,
374		      size_t usize)
375{
376	size_t size = min(ksize, usize);
377	size_t rest = max(ksize, usize) - size;
378
379	/* Double check if ksize is larger than a known object size. */
380	if (WARN_ON_ONCE(ksize > __builtin_object_size(dst, 1)))
381		return -E2BIG;
382
383	/* Deal with trailing bytes. */
384	if (usize < ksize) {
385		memset(dst + size, 0, rest);
386	} else if (usize > ksize) {
387		int ret = check_zeroed_user(src + size, rest);
388		if (ret <= 0)
389			return ret ?: -E2BIG;
390	}
391	/* Copy the interoperable parts of the struct. */
392	if (copy_from_user(dst, src, size))
393		return -EFAULT;
394	return 0;
395}
396
397bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size);
398
399long copy_from_kernel_nofault(void *dst, const void *src, size_t size);
400long notrace copy_to_kernel_nofault(void *dst, const void *src, size_t size);
401
402long copy_from_user_nofault(void *dst, const void __user *src, size_t size);
403long notrace copy_to_user_nofault(void __user *dst, const void *src,
404		size_t size);
405
406long strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr,
407		long count);
408
409long strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
410		long count);
411long strnlen_user_nofault(const void __user *unsafe_addr, long count);
412
413#ifndef __get_kernel_nofault
414#define __get_kernel_nofault(dst, src, type, label)	\
415do {							\
416	type __user *p = (type __force __user *)(src);	\
417	type data;					\
418	if (__get_user(data, p))			\
419		goto label;				\
420	*(type *)dst = data;				\
421} while (0)
422
423#define __put_kernel_nofault(dst, src, type, label)	\
424do {							\
425	type __user *p = (type __force __user *)(dst);	\
426	type data = *(type *)src;			\
427	if (__put_user(data, p))			\
428		goto label;				\
429} while (0)
430#endif
431
432/**
433 * get_kernel_nofault(): safely attempt to read from a location
434 * @val: read into this variable
435 * @ptr: address to read from
436 *
437 * Returns 0 on success, or -EFAULT.
438 */
439#define get_kernel_nofault(val, ptr) ({				\
440	const typeof(val) *__gk_ptr = (ptr);			\
441	copy_from_kernel_nofault(&(val), __gk_ptr, sizeof(val));\
442})
443
444#ifndef user_access_begin
445#define user_access_begin(ptr,len) access_ok(ptr, len)
446#define user_access_end() do { } while (0)
447#define unsafe_op_wrap(op, err) do { if (unlikely(op)) goto err; } while (0)
448#define unsafe_get_user(x,p,e) unsafe_op_wrap(__get_user(x,p),e)
449#define unsafe_put_user(x,p,e) unsafe_op_wrap(__put_user(x,p),e)
450#define unsafe_copy_to_user(d,s,l,e) unsafe_op_wrap(__copy_to_user(d,s,l),e)
451#define unsafe_copy_from_user(d,s,l,e) unsafe_op_wrap(__copy_from_user(d,s,l),e)
452static inline unsigned long user_access_save(void) { return 0UL; }
453static inline void user_access_restore(unsigned long flags) { }
454#endif
455#ifndef user_write_access_begin
456#define user_write_access_begin user_access_begin
457#define user_write_access_end user_access_end
458#endif
459#ifndef user_read_access_begin
460#define user_read_access_begin user_access_begin
461#define user_read_access_end user_access_end
462#endif
463
464#ifdef CONFIG_HARDENED_USERCOPY
465void __noreturn usercopy_abort(const char *name, const char *detail,
466			       bool to_user, unsigned long offset,
467			       unsigned long len);
468#endif
469
470#endif		/* __LINUX_UACCESS_H__ */